The department which houses Prime Minister Julia Gillard and the Cabinet yesterday signalled it would bow to a request from the Federal Auditor-General and block access to public email services such as Hotmail and Gmail from 1 July, with the auditor seeing the platforms as an inherent security risk.
In a report on the security of information held by government agencies, the Auditor-General Ian McPhee recommended that "agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services", specifically calling out Hotmail and Gmail as examples of such platforms.
The problem with such services, according to McPhee, is that they provide "an easily accessible point of entry for an external attack" and they subject departments and agencies to "the potential for intended or unintended information disclosure".
The auditor's examination of the information security of several agencies — including the Department of Prime Minister and Cabinet (PMC), Medicare, ComSuper and the Australian Office of Financial Management — found that webmail accounts were accessible by staff in PMC, with logs showing that some staff were using the accounts "on a regular basis". The auditor recorded over one million hits on webmail accounts in a two-month period from PMC.
If staff do require access to webmail accounts, the auditor has suggested the use of an "internet cafe" approach, wherein single stand-alone desktops within these agencies can allow access to these websites.
In response to the auditor's recommendation, PMC said it would shut down access to the webmail platforms.
"Current access arrangements for web-based email will cease on 1 July 2011," the department wrote. "While access to web-based email was in response to business requirements, there were control measures in place. However, we accept the threat and risk assessment has changed and access will no longer be permitted from departmental systems."
The move raises questions about the technical differences between what the auditor's office deems to be public webmail services and corporate-focused email platforms such as Microsoft's Business Productivity Online Suite and Google's Apps platform.
Microsoft's BPOS platform uses much of the same underlying technology as its Windows Live platform (including Hotmail), and is based on its Global Foundation Services infrastructure spanning datacentres around the world. The same is true of Google's Apps platform, which is targeted at business and government use but shares the same infrastructure with its public Gmail offering.
Several large Australian organisations have recently shifted to cloud-based email solutions from either Microsoft or Google as part of a wave of interest in the area spanning the past several years. In addition, some organisations are even recommending some workers use private email services for professional purposes — such as Qantas with its flight attendants — to simplify administration of staff who might not need daily access to email.
Microsoft and Google have not yet responded to requests for comment.
In general, the auditor's report found that agencies had implemented government security requirements well. "The agencies had established information security frameworks, had implemented controls to safeguard information, to protect network infrastructure and prevent and detect unauthorised access to information; and had controls in place to reduce loss, damage or compromise to ICT assets," the auditor wrote. However, it noted that some areas, such as password complexity and regular patching of software, could be improved.
Josh Taylor contributed to this article.