DTA shows Microsoft cloud is ready for 'protected' govt data

The Digital Transformation Agency’s pilot of a protected-level Office 365 environment confirms Microsoft’s cloud certification was warranted and that security concerns can be mitigated.

The pilot - announced last week - is set to open the floodgates on protected-level uses of Office 365 and Azure, backed by a raft of security controls and blueprints nutted out by Microsoft, its partners and early adopters like DTA over the past couple of months.

“A lot of agencies were waiting on one agency to get it done so they could say ‘well, they’re doing it [so we can, too]’,” DQA chief technology officer and director of federal services Jean-Pierre Simonis told iTnews.

DQA - a Microsoft gold cloud platform partner - worked closely with DTA to put in place security controls to manage risks with shifting its protected-level communications into Office 365.

Together with a handful of other mostly Canberra-based Microsoft partners, they have largely come up with the security mitigations that will allow agencies to move fast into Microsoft public cloud.

A large number of agencies are likely to make imminent moves or have kicked off pilots of their own, buoyed by the existence of templates for how to approach it.

In one of many largely-overlooked missives from Microsoft employees this month, Azure customer acquisition lead Alex de Gruiter said that “over the past three months, I personally met with more than 50 government agencies in Canberra to talk about the implications of adopting the new Azure regions, and how they could ... move as quickly as possible.”

Also overlooked was that the DTA deal was announced during a major customer acquisition drive by Microsoft.

The company ran a parliamentary showcase as well as an oversubscribed two-day ‘secure cloud summit’ in Canberra, in conjunction with Canberra Data Centres (CDC), which hosts the Azure Central regions designated for government use.

Attendees of the summit told iTnews that a large number of federal agencies were represented.

Agencies' ability to safely negotiate the risks of public cloud - and to link it back into legacy infrastructure - paves the way for Azure and O365 to spread quickly in Canberra.

In understanding how DTA met its security requirements to proceed with a pilot and beyond, there are also likely to be lessons applicable to a broad range of cloud users beyond simply those in government.

Security controls, templates and blueprints that are good enough for the federal government could become much like the ASD Top Four or Essential Eight - minimum standards or guidance for a range of public and private sector organisations to live by.

“This is not just a federal thing,” Simonis said.

“All levels of government [and the private sector] are interested in better securing their cloud use with all the controls being developed.”

The trash talk is over

Since April, when Microsoft was given the tick of approval by the Australian Signals Directorate (ASD) to host protected-level datasets of government agencies in its public cloud, the vendor has faced criticism that its certification - and technology capability - was premature, that it got the jump on rivals like AWS and Google through some sort of special treatment.

This, in large part, stemmed from a “consumer guide” that the ASD appended to its protected certification, warning that agencies needed to put in place “extra security controls” before they could begin to consume Azure or Office 365 services for protected-level data.

While the politics of the first protected level public cloud to be certified by ASD dominated public talk, behind the scenes was a very different story.

With the DTA pilot now in the public domain, much of this behind the scenes work is now also out in the open.

Blueprints and templates are openly available

For a start, ASD killed the “consumer guide” that led to much grief for Microsoft as well as the Defence agency itself.

It was able to in part because Microsoft finally published a series of promised blueprints and templates that laid out which controls within the government’s information security manual (ISM) apply and don’t apply to Azure and O365, and the areas where Microsoft is able to shoulder some risks - versus those left to the agency to mitigate.

It’s worth noting that the DTA pilot doesn’t specifically use these blueprints, although some of the learnings from the project are being incorporated into them by DQA and other Microsoft partners.

The work done by DQA at DTA is essentially a template in its own right for agencies wanting to go down the protected O365 path.

Microsoft said as much in its announcement of the DTA pilot: “The solution being deployed at the DTA provides a template for other agencies that need to collaborate, communicate, and work on protected documents and data from within a secure cloud environment.”

The key learnings from the DTA are also likely to be made available within government via another document being put together.

“One of the things I’m working with Microsoft on at the moment is some generic documentation that can be handed out post-pilot so DTA will have some stuff available to the other agencies for O365 if they want to see how theirs was configured,” Simonis said.

“It won’t be a step by step build guide but it will cover the architectural things we’ve done and how we’ve mitigated some of the [ISM] controls.”

Outside of the DTA pilot and the Microsoft blueprints, other templates and tools have emerged that are also designed to get agencies into protected Azure and O365.

Canberra-based Microsoft gold cloud partner oobe is shopping ‘Perimeta’, which it said acts as a “secure, controlled and dedicated connection between an on-premises environment and Australia's Azure regions”, including those for protected workloads.

The company said Perimeta “addresses all of the required network security, identification, authentication and authorisation, and privileged access controls required by the ASD ISM, which is a key deliverable in organisations achieving protected-level accreditation for their systems in Microsoft Azure.”

An oobe representative did not return iTnews request for comment.

Another Canberra-based gold partner, Veritec, is also making a name for itself in getting agencies over the line with secure workloads.

Veritec CEO Keiran Mott said in a Microsoft video in July that the controls and blueprints being developed were breaking down traditional barriers to agencies moving into public cloud.

“There’s a lot of restrictions in government that we need to pay attention to - security classifications being one of those,” Mott said.

“Azure Central [region] - with the security controls that Microsoft has invested in, with accreditation from ASD around protected, and IRAP assessments - means that there’s a lot of red tape that government have to comply with that starts to drop away.

“We can start to have a conversation around how we can drive innovation and changes inside of government using public cloud.”

How DTA got over the line

DQA’s work with DTA on preparing to run in a protected-level instance of O365 actually predates the ASD protected certification, though not by much.

“Even though the protected certification hadn’t been released from Microsoft yet, [DTA] were running under the assumption that it would eventually come in parallel to when their project launched/went live,” Simonis told iTnews.

“That’s why [the project] was so quick to come out after the release of the protected certification.”

In total, DQA spent about six weeks over a three-month period getting DTA to the point where it is now: with an initial pilot involving 20 users doubling to 40 users. Ultimately, about 200 people will use the protected O365 instance.

At first, DTA just wanted to see proof that O365 “had the controls available to comply with protected” data.

“I was engaged for a short period of time to build some functionality out,” Simonis said.

“One of those pieces of functionality was Customer Key to give the agency control of the encryption within the platform.”

Customer Key is a service within O365 that controls the keys that are used to encrypt data at rest in the cloud.

In addition, work around security controls focused on areas including identity management, BYOD and administration of the environment.

“A control that we needed to implement [was] a local on-premises AD [Active Directory] with federation to keep identity data within Australia,” Simonis said.

O365 also had to be able to interconnect with GovLink - a secure virtual private network (VPN) service used by agencies to exchange data up to protected level.

“We needed to connect O365 to GovLink - which is the new FedLink - so we’re pushing O365 through ExpressRoute to an accredited gateway service to get us into GovLink.”

Microsoft’s de Gruiter highlighted the role and importance of ExpressRoute to protected level Azure and O365 use earlier this month.

“An ExpressRoute circuit represents a logical connection between an agency’s on-premises infrastructure and Microsoft cloud services through a connectivity provider,” de Gruiter said. That connectivity provider is Canberra Data Centres, which hosts both the Azure Central Region instance as well as government equipment as well.

“What agencies told me is that in Canberra, ExpressRoute is important; really important,” de Gruiter said.

Further work on security controls extended to how DTA staff with BYO devices would be able to interact with the protected level O365 instance.

“That was really challenging,” Simonis said.

“We were trying to use Microsoft InTune to manage BYOD devices in a similar way to locked down services, giving both BYOD users and contractors a very limited experience to the environment, but it was a struggle to make that work.

“We ended up deploying effectively a remote desktop services solution hosted in the CDC - inside Azure Central - to give the BYOD devices access to the O365 environment in a secure way.”

Other work around controls focused on secure administration of the O365 protected environment.

“General day to day administration on the protected environment has to be done through a jumpbox in the CDC, which is one of the controls in the ISM for protected, so that’s how we manage that requirement as well,” Simonis added.

The work around security controls also drew lines around what was and wasn’t applicable to cloud services.

“There are a lot of legacy controls in the ISM that we had to risk manage - so identify which bits didn’t specifically apply, or if they did apply, how we could actually implement those controls,” Simonis said.

After the DTA assessed that available security controls were sufficient to meet protected rules, the agency elected to progress to a pilot project.

Microsoft modern workplace specialist Aaron Dinnage called the DTA example a “textbook implementation” of the kind of vetting and risk mitigation required of agencies before they take up services listed on the ASD’s certified cloud services list (CCSL).

“The fact that this was all performed within four months, and created a repeatable pattern for others to follow, is a credit to the diligence and efforts of all involved,” Dinnage said. “Whatever they are doing over at DTA, it's working”.

For DQA’s Simonis personally, the DTA project was “great to be involved in because the agency was really excited and driven to try to come up with a solution they knew other people were waiting on.”

“It was just exciting to be part of an environment where everyone was committed to trying to get to the end and make it successful,” he said.

On a business level, it has elevated DQA’s status as a front-runner for resolving the kinds of challenges that might crop up for government departments wanting to beef up their public cloud security postures.

“I’ve had other agencies and systems integrators reach out around capability and availability to discuss how we did this,” Simonis said.

Above all else, the project proves public cloud is capable of carrying more than unclassified data.

“The controls for protected are very achievable,” he said.

“Agencies don’t need lots of on-premises infrastructure. A lot of the time it’s a license or process they could apply [to mitigate risk].

“They just don’t know what they need to turn on.”