'

​Seven cloud vendors lining up for government security clearance

After Microsoft's contentious addition to the Certified Cloud Services List, the Australian Signals Directorate has revealed it is working with another seven companies interested in providing cloud services to government.

The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have revealed there are currently seven cloud providers undertaking certification that would allow them to provide cloud services to federal government entities.

special feature

Cyberwar and the Future of Cybersecurity

Today's security threats have expanded in scope and seriousness. There can now be millions -- or even billions -- of dollars at risk when information security isn't handled properly.

Read More

In response to a question taken on notice by Australia's Cyber Coordinator Alastair MacGibbon from Senate Estimates in May, the ASD and ACSC also said there are 10 companies waiting for certification to commence, having already completed the Information Security Registered Assessor Program (IRAP) Security Assessments, as well as a further 12 companies conducting IRAP assessments before starting the certification process.

Currently, there are 18 secure clouds, from 11 vendors, on the ASD's Certified Cloud Services List (CCSL).

The CCSL is comprised of clouds certified at unclassified dissemination limiting marker (DLM) level, and also protected level, which is currently the highest security level approved by the ASD.

Local vendors Sliced Tech and Vault Systems were the first to receive protected status and were shortly followed by Macquarie Government, part of the Macquarie Telecom Group.

NTT-owned Dimension Data was then accredited to provide protected-level cloud services to Australian government entities, despite being an international company and one with datacentres outside of the country.

Microsoft was the fifth and final vendor to appear on the CCSL in a protected capacity, receiving accreditation in April for its "government-configured" clouds to be used for Australian government data classified up to that level. But unlike all previous such certifications, Microsoft's certifications were provisional, and came with what the ASD called "consumer guides".

The questions asked of MacGibbon by the committee were in response to concerns over the legitimacy of Microsoft's accreditation. During Estimates he was asked if there had been any negative feedback received regarding Microsoft's accreditation.

"There'd be some suppliers, I'm sure, that don't like the thought of another supplier in a marketplace, and there'd be some who think it's a really good idea. I'm sure a lot of government departments think it's fantastic," MacGibbon said at the time.

Initially taking the question on notice, the ACSC since confirmed it had received written and verbal feedback via its general advice and assistance mechanism on the Microsoft decision.

"This feedback largely comes from government and industry representatives," the ACSC wrote. "Overwhelmingly the questions posed sought clarification on technical aspects of the decision, particularly around security controls."

MacGibbon in May defended the government's decision to hand conditional protected-level certification out to Microsoft, saying he was confident the data on Australians is safe in the hands of Microsoft, despite the Washington-headquartered company having staff scattered around the globe.

It was reported last week that the ASD executive who declined to sign off on Microsoft's Azure and Office365 cloud services being granted the highest certification has since left the agency.

The certifications were subsequently signed off by MacGibbon.

RELATED COVERAGE

Home Affairs denies Microsoft in breach of Signals Directorate conditions

Senators are concerned that Microsoft has emerged with protected-level ASD certification, despite being located outside of Australia, with Alastair MacGibbon labelling the company a 'trusted' partner of government for many years.

ASD and ACSC looking beyond list compliance approach to security

The National Audit Office can make adverse findings against departments, but ASD head Mike Burgess is satisfied agencies are taking security seriously.

ASD calls on government chief executives to up their cybersecurity game

The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, highlighting rather there's a need to ensure the people at the top of government departments are aware of the threats they face.

ASD restructure: Trouble at t' cyber mill?

Differing views within the recently restructured Australian Signals Directorate, described in one media report as an 'internal brawl' and 'internal frictions', could highlight a deeper, more challenging division.

Microsoft cloud cybersecurity attacks up 300% in last year, report says (TechRepublic)

In volume 22 of Microsoft's Security Intelligence Report, the Redmond giant outlined some of the biggest cyberthreats facing its users.