Microsoft’s Azure cloud services have received the greenlight to store federal government data classified at the Protected level, the government announced today.
Twenty five of the company’s Azure services and 10 services within Office 365 have been awarded Protected level certification by the Australian Signals Directorate, which maintains the Certified Cloud Services List (CCSL).
Today’s announcement coincides with the official launch of Microsoft’s new Azure regions, which are based out of Secret-accredited facilities in the ACT operated by Canberra Data Centres. Use of the new Azure regions, designed to store and process Protected data, is restricted to Australian and New Zealand government customers, operators of critical national infrastructure and a number of vetted technology partners.
The government’s announcement “makes Microsoft the first, the only, global cloud provider to have been awarded Protected certification,” said Microsoft Australia’s Azure engineering lead, James Kavanagh.
The certification of Azure and Office 365 services is not restricted to the new Canberra regions but also covers Microsoft’s cloud regions in NSW and Victoria.
Macquarie Telecom, Dimension Data, Sliced Tech and Vault Systems also have services listed on the CCSL for use with Protected data. Amazon Web Services announced last month that it had completed the IRAP assessment necessary for being listed at Protected level but it has not yet had its certification accepted by the ASD.
The Protected listing is the culmination of years of work by Microsoft, Kavanagh said. “It opens up quite a broad range of possibilities for government to be able to accelerate and move faster on their adoption of cloud,” he added.
Protected data is data that if its security is compromised it would have an impact on Australia’s national security and can include a range of Defence and public safety data. Microsoft already had a range of Azure services certified for use with unclassified but sensitive data. The company estimates that, combined, unclassified and Protected covers 85 to 90 per cent of government data.
Microsoft performed the necessary IRAP assessments for Protected certification more than two years ago and submitted them to the government more than a year ago. Over a year and a half period the company has boosted physical security and personnel security at its data centres and made software changes with the aim of achieving Protected certification, Kavanagh said.
“It has never been more important for government and Australian enterprises to strategically manage cyber security risks,” minister for law enforcement and cyber security Angus Taylor said in a statement.
“Australia is under increasing cyber security threat and as government and critical infrastructure innovate and transform, it is imperative that we remove risk in our existing systems and use modern, secure cloud technology.”
The government’s recently released Secure Cloud Strategy called for increased use of cloud by agencies.