[LINK] itN: MS Oz-Azure Not Oz-Assured

Roger Clarke Roger.Clarke at xamax.com.au
Mon Apr 9 14:00:33 AEST 2018

[Read what you like into this one:  Microsoft incompetence, ASD pernicketiness, suspected contingent leakage of instances outside geographical area, known backdoor entry by NSA to MS Azure and O365, ...

[I did all of my work on cloud risk management back in 2009-13:
and I've not been practising in the area much since.  

[But back then I'd never come across any provider who had a clue how to even detect the geographical and/or jurisdictional location of an instance, far less how to prevent an instance being run up in a jurisdictional location that was on a blacklist, or missing from a whitelist.

[Can anyone on the list who's up-to-date on such things enlighten me?]

Microsoft must add 'controls' for protected Aussie govt cloud
To address "residual risks".
Ry Crozier
Apr 9, 2018 12:10PM

Australian government agencies have been told to wait for "additional configuration and security controls" from Microsoft before committing workloads to its new protected-level public cloud instances.

The guidance, published late Friday, appears to treat Microsoft's protected-level cloud services differently from similarly classified products on the government's Certified Cloud Services List (CCSL).

Microsoft's protected certification - for both Azure and Office 365 - is a first for a hyperscale public cloud operator in Australia.

It was touted last week as "a clear path for government agencies to host higher classified data sets in Microsoft cloud services".

But in another first for any service listed on the CCSL, the Australian Signals Directorate (ASD) has appended a "consumer guide" advising users they will need extra security controls in place before they start to take up the protected-level Microsoft services.

Importantly, some of these controls are yet to be developed, and there is no indication of the timeframe in which that activity is to occur.

"Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services," the ASD said.

"The ACSC [Australian Cyber Security Centre] is working with Microsoft to ensure general compensating security control blueprints are made available in the coming weeks.

"Residual risks attached to this delivery model can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC.

"This will provide agencies with a pragmatic level of assurance and confidence in Microsoft's public cloud offering to the Australian government."

Further comment is being sought from a Defence spokesperson.

The development of additional controls was absent from last week's announcement by Microsoft Australia and federal cybersecurity minister Angus Taylor.

Microsoft had said in a statement that agencies could proceed "confident in the knowledge that Azure and Office 365 have undergone this very high level of assurance".

Taylor was similarly quoted, adding that the assurance level afforded by the CCSL listing was "rigorous" and should similarly inspire departmental adoption.

Though Microsoft is the first of the hyperscale public cloud providers to achieve protected certification status, its ability to de-risk its products to an acceptable point will likely be instructive for the likes of AWS and Google in pursuing their own certifications.

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/ 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list