Date: 4 June 2018
Author: Paul Morriss

Government cyber security — is it a level playing field?

The recent accreditation (April 2018) of Microsoft’s Azure to handle government data to Protected level was the first for a hyperscale public cloud provider. While the Protected stamp is reason for celebration for Microsoft, and will certainly lead to an acceleration in cloud adoption by federal, state and territory agencies in line with the DTA’s mandate to create modernised services, not all players, participants and consumers are convinced. Questions regarding the specific process used in the Azure accreditation point to a change in the security playing field for Azure compared to other providers who achieved Protected-level accreditation prior to Azure. In fact the fabric of cyber security in government, the Information Service Manual (ISM) — which represents the cyber security playing field — is presently in flux, resulting in market confusion, subjectivity and some cynicism. The playing field is not level... or at least it once was, but is now different.

Is this a bad thing? Probably not. Notwithstanding the need for transparency of process and confidence/quality of service, particularly for sensitive data, perhaps the barrier is now lower for other mainstream public cloud providers to achieve Protected-level accreditation.

Microsoft Azure achieving Protected level

Azure has joined Vault Systems, Sliced Tech, Macquarie Telecom and Dimension Data on the Australian Signals Directorate (ASD) Certified Cloud Services List (CCSL) at Protected level. This is significant as Azure solutions can now host/manage sensitive data. Azure-based solutions are now poised to capitalise on millions of dollars worth of government cloud services contracts the likes of which other mainstream cloud providers such as AWS and Google can’t touch (yet).

Hot off the press is an article on innovationaus.com reporting the plight of senior government officials defending the process used for the Azure accreditation. The degree of change in leadership at the nexus of government cyber security is highlighted, with: Angus Taylor becoming the Minister for Law Enforcement and Cyber Security; Mike Burgess becoming the head of the ASD; and Alastair MacGibbon appointed to run the Cyber Security Centre. Indeed it was Alastair MacGibbon who defended the Azure process through Senate estimates. He pointed to a change in philosophy from rules-based compliance (ISM) to one of managed Commonwealth risk — with speculation that a major re-work of ISM will manifest in the release of a re-badged version under the moniker, Cyber Security Manual. Was this just great luck/timing for Azure?

The article is combative in nature, making the following assertion:

“At its core this accreditation process has applied one set of requirements to the Australian companies that successfully gained Protected certification, and a different set of requirements to Microsoft.”

I’ll leave it to you to read the article in its entirety if/as required. It’s interesting reading and insightful.

Salsa Digital’s take

While the politics are a bit messy, cyber security is serious and paramount. The nature of Protected-level government data (rather than unclassified data) makes it so. We see the other mainstream cloud providers achieving the Protected-level accreditation via this altered cyber playing field. The focus on risk management, rather than rigid rules compliance, is appropriate and a refreshing new perspective. The DTA’s vision to create low-barrier, modernised services based on cloud will also be better fulfilled by these developments.

Ultimately, once the cyber security playing field is level, and mainstream offerings have all achieved Protected-level accreditation, the likes of Salsa Digital can more easily design cloud-agnostic solutions. Solutions that are more interoperable for agencies and appropriately secure for all.
