Microsoft Azure gets security tick from Australian government

Microsoft has announced that Microsoft Azure has been recognised as compliant with the Australian government's information security manual and protective security policy framework.

In the lead-up to the public availability of Microsoft Azure in Australia at the end of the year, Microsoft has announced that its cloud platform has been recognised as compliant with the Australian government's security requirements.

A four-month assessment of the Microsoft Azure service was conducted from June to September 2014 by Foresight Consulting. The industry security-registered assessors program compliance assessment is consistent with processes prescribed in the Australian government information security manual (ISM) and protective security policy framework.

James Kavanagh, Microsoft Australia chief security advisor, said that receiving a letter of compliance is "one of the last milestones" for the company before the Australian Microsoft Azure geo is released for general availability, and that it demonstrates the company's commitment to protecting customer data "to the very highest level".

"There is certainly a lot of focus across commercial enterprises, as well as federal and state government around what is the appropriate evidence we can provide to them to actually back up the claims we make around secure processes we have," he said.

"There are some existing practices in place that are federal- and state-level approved, and they vary a little in different territories and jurisdictions, but the high bar is being regarded by the federal government information security manual."

Foresight conducted the assessment in two stages, as dictated by the government's ISM. The first stage determined whether the system architecture, including information security documentation, was based on security principles and addressed all applicable controls from the ISM.

The second stage, which Kavanagh described as being much more "onerous", looked at verifying that the controls — which were reviewed during the first stage — were implemented and operating effectively. Validations included onsite inspections, personnel reviews, process demonstrations, configuration reviews, and reviews of existing certification reports and evidence.

The assessment will also simplify security processes for government agencies if they choose to implement Azure, Kavanagh said.

"There's an expectation that as government agencies move into a cloud environment or implement any new system, they should be careful around the compliance to existing standards or requirements, such as privacy, records, security requirements ... and that they've gone through that diligent process of making that assessment," he said.

"Every agency has to do that complex and long process. What we've tried to do is take many of those issues and perform the assessments once with an independent assessor and did it at a very deep level, and we'll provide agencies that are evaluating our technologies and make that information available to them. So it really cuts a lot of their efforts."

According to Kavanagh, Microsoft has put its Microsoft Azure product through similar government-based security assessments in other countries, including the US, the UK, Singapore, the Netherlands, and Ireland.