Azure needs extra security controls before it's fit for government use
Last week Microsoft trumpeted its new Australian Azure regions for government clients. But three days later Australian authorities said Australian government organisations need extra security controls before any Azure services in the new regions are sufficiently secure for them to use.
The “can do better” guidance (PDF) from the Australian Signals Directorate (ASD) was released on Friday April 6th, three days after Microsoft announced the new “Australia Central” region.
The guidance notes that while the Australian Cyber Security Centre (ACSC) certified Azure to handle “Protected” data under the Australian Government security classification system, “Additional compensating controls are to be implemented on a risk-managed basis by individual agencies prior to agency accreditation and subsequent use of these cloud services.”
“The ACSC is working with Microsoft to ensure general compensating security control blueprints are made available in the coming weeks.”
There’s no suggestion that Azure Australia is leaky in any way, as the guidance warns of the risks of cloud in general, stating “The ACSC advises that as part of pre-existing accreditation activities, agencies consult the ACSC before moving PROTECTED information into public cloud services.”
But there’s also confirmation that Microsoft and the ACSC are still working together on “additional configuration and security controls” for Microsoft’s cloud.
The Register has asked Microsoft if it was aware of this guidance before it launched the new region last week, because in presentations to media and customers no mention was made of the need for additional controls, or that they are yet to be developed. That the region is not entirely ready for government users is therefore not a great look for Microsoft. ®
UPDATE April 11th: Microsoft's sent us a statement that says the ASD's guide "refers to configuration guides and blueprints for controls that Microsoft has already built into the services but that need to be turned on and configured by the Government customers."
"Under the Microsoft shared responsibility model there are controls that Microsoft handles for all customers, controls where responsibility is shared (i.e. Microsoft implements a control in the Service but the customer controls its activation and configuration) and controls that are solely the responsibility of the customer. The focus of the guides is the latter two categories."
The statement also points out that such guidance is not unusual, or confined to Microsoft services. Indeed, Microsoft pointed out that ASD offers a guide for hardening Apple devices for use by government agencies. Microsoft did not directly address our question on whether it knew of the ASD and ACSC's position before the launch of the new Australia Central Azure regions.