Defence is standing by advice to agencies hoping to consume Azure cloud for protected workloads, saying it will “continue” to work with Microsoft to “prepare” the services for government use.

iTnews revealed on Monday that despite Microsoft becoming the first hyperscale cloud to be allowed to carry protected-level data, “additional configuration and security controls” were needed to address “residual risks attached to this delivery model”.
These controls are to be “developed by Microsoft in conjunction with the Australian Cyber Security Centre”, and used by agencies when configuring a protected-level Azure instance.
Microsoft Australia disputed the advice, arguing in comments to iTnews that it did not need to develop additional controls.
“The development here refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the government customer, not additional controls needed to be added to Microsoft’s services,” a Microsoft spokesperson said.
But Defence is standing by the advice given to agencies, confirming more work is required on Microsoft’s side before Azure reaches an appropriate comfort level.
“The Australian Cyber Security Centre (ACSC) engages regularly with providers of protected level cloud services to ensure their products remain fit for purpose,” a Defence spokesperson told iTnews.
“The ACSC will continue to work with Microsoft on its products as these are prepared for potential use by government agencies.”
In a “consumer guide” designed for agencies wanting to use protected-level Azure services that was released at the end of last week, the Australian Signals Directorate said that both blueprints and additional security controls were needed before Azure landed its first protected government work.
“General compensating security control blueprints” - believed to be weeks away - would help agencies begin planning any shift of protected workloads or data to Azure.
The controls appeared to be more specific and to deal with actual configuration for production use.
The Defence spokesperson noted - as Microsoft and the Australian Signals Directorate also had - that agencies adopting cloud were ultimately responsible for securely configuring their instances.
“The ACSC works with providers to ensure guidance is provided to government agencies on how to consume the services in a more secure manner to meet business and risk objectives,” Defence’s spokesperson said.
“Protected level cloud certification is a foundational step, but not the only one agencies will need to take to secure their data online.
“The blueprints will assist potential customers to configure the cloud solution in the most secure way.”
Defence noted Microsoft’s addition to protected status meant more choice when it came to cloud adoption.
“The choice of which cloud solution to adopt is a matter for agencies, based on their requirements and their own assessment process,” it said.
Defence also said that the release of a consumer guide was not unprecedented, although it is a first for any cloud service on the government’s Certified Cloud Services List (CCSL).
“This is not the first time ASD has produced consumer guides,” Defence said.
“ASD released a consumer guide for Apple iOS devices at protected [level] to aid secure configuration by government consumers.”