Australian government agencies have been told to use “additional configuration and security controls” before committing workloads to Microsoft's new protected-level public cloud instances.
The guidance, published late Friday, appears to treat Microsoft’s protected-level cloud services differently from similarly classified products on the government’s Certified Cloud Services List (CCSL).
Microsoft’s protected classification - for both Azure and Office 365 - is a first for a hyperscale public cloud operator in Australia.
It was touted last week as “a clear path for government agencies to host higher classified data sets in Microsoft cloud services”.
But in another first for any service listed on the CCSL, the Australian Signals Directorate (ASD) has appended a “consumer guide” advising users they will need extra security controls in place before they start to take up the protected-level Microsoft services.
Importantly, some of these controls are yet to be developed, and there is no indication of the timeframe in which that activity is to occur.
“Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services,” the ASD said.
“The ACSC [Australian Cyber Security Centre] is working with Microsoft to ensure general compensating security control blueprints are made available in the coming weeks.
“Residual risks attached to this delivery model can be reduced through agency implementation of additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC.
“This will provide agencies with a pragmatic level of assurance and confidence in Microsoft’s public cloud offering to the Australian government.”
Further comment is being sought from a Defence spokesperson.
The development of additional controls was absent from last week’s announcement by Microsoft Australia and federal cybersecurity minister Angus Taylor.
Microsoft had said in a statement that agencies could proceed “confident in the knowledge that Azure and Office 365 have undergone this very high level of assurance”.
Taylor was similarly quoted, adding that the assurance level afforded by the CCSL listing was “rigorous” and should similarly inspire departmental adoption.
Though Microsoft is the first of the hyperscale public cloud providers to achieve protected classification status, its ability to de-risk its products to an acceptable point will likely be instructive for the likes of AWS and Google in pursuing their own addition to the list.
Update, 2.30pm AEST: In a statement, a Microsoft Australia spokesperson disputed the guidelines, saying the "additional configuration and security controls to be developed by Microsoft in conjunction with the ACSC" is complete, and that it did not need to develop extra controls.
"The development here refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the government customer, not additional controls needed to be added to Microsoft's services.
"Under the Microsoft shared responsibility model, there are controls that Microsoft handles for all customers, controls where responsibility is shared (i.e Microsoft implements a control in the service but the customer controls its activation and configuration) and controls that are solely the responsibility of the customer. The focus of the guides is the latter two categories."
Additional information is being sought.