​Microsoft Dynamics CRM becomes IRAP certified

Microsoft Dynamics CRM is the seventh cloud service to be certified under the Australian government's Information Security Registered Assessors Program (IRAP) to handle unclassified sensitive data.

Microsoft Dynamics CRM has been certified by the Australian Signals Directorate under the Australian government's Information Security Registered Assessors Program (IRAP).

The certification highlights that the security control Microsoft Dynamics CRM has in place is effective enough to handle unclassified sensitive data, which is a vast majority of data at federal, state, and local government levels.

Over the course of six months from February, Microsoft went through two phases of "onerous" assessment, which involved independent assessors working with the company's engineering team. Together they assessed the broad security controls Microsoft had and how appropriate they were to the ones set by the federal government. More specifically, this included checking line by line all the control measures the government recommended in terms of physical, software, and operational security measures; on-site inspection by assessors; engineers being interviewed and asked the same questions to ensure consistency; and carrying out technical tests.

James Kavanagh, Microsoft Australia chief technology officer, said this announcement signals the company's commitment to providing partners and customers a completed trusted cloud environment.

"If you look across our different services: Azure for Infrastructure-as-a-Service, Platform-as-a-Service, Database-as-a-service, Identity-as-a-Service; if you look across our productivity platform Office 365 -- so Exchange, SharePoint, and Skype for Business -- we're certified in all of those, and now we're certified with CRM," he said.

"The range of services we have launched in Australia are all fully certified, and we're the first and only cloud provider to have those certifications; no other cloud provider has been able to be certified beyond Infrastructure-as-a-Service."

Dynamics CRM will be the seventh cloud service to be included on the IRAP certified list. Other cloud providers included on the list include Amazon Web Services, Macquarie Telecom, Sliced Tech, and Vault Systems.

As part of certification, Microsoft will share the results and full details of the assessment report with customers. Kavanagh highlighted that by doing this, it's part of the company's ongoing commitment to remain transparent, adding that customers will no longer have to concern themselves with meeting these security standards.

"The main aim is for our customers and partners to be confident that the assessment has been done and they can just build on top, and focus on the value and innovation and don't have to go deep into all of this," he said.

Microsoft expects to undertake the IRAP every two years.

On Tuesday, Microsoft revised its global privacy statement to stamp out any "spying" concerns. For example, critics had fretted Microsoft was automatically backing up BitLocker encryption keys to OneDrive to allow recovery on personal devices. However, in the updated privacy statement, Microsoft said: "Microsoft doesn't use your individual recovery keys for any purpose".