Microsoft recently announced that its cloud service, Microsoft Azure, has been recognized as fully compliant with the Australian government's information security manual and protective security policy. Azure underwent a four-month assessment, from June to September 2014, carried out by Foresight Consulting.
According to the industry security-registered assessors, the service is consistent with the Australian government's information security manual (ISM) and its protective security policy framework. The chief security advisor of Microsoft Australia, Mr. James Kavanagh, confirmed that the company received a letter of compliance before the Australian Microsoft Azure geo was released for general availability. This is further confirmation of the company's commitment to protecting its customers' data.
According to Mr. James Kavanagh, commercial enterprises and federal and state governments have questions about what evidence can be provided to support the company's claims about its security processes. The chief security advisor confirmed that some of the practices are approved by federal and state laws; however, the highest bar is set by the federal government's information security manual.
The assessment was carried out in two stages, as set out in the government's information security manual. The first stage examined whether the system architecture and the information security documentation rely on security principles and whether all applicable ISM controls are taken into account. The second stage verified that the controls are implemented and operating effectively. The validation process included onsite inspections with personnel reviews and process demonstrations, reviews of existing certification reports, and configuration reviews. This assessment simplified the security process for government agencies that decide to implement Azure.
Mr. James Kavanagh commented that government agencies moving to a cloud environment are expected to be careful and to comply with existing standards and requirements, including privacy, records and security requirements. Agencies usually have to go through a complex process to make that assessment themselves. In this case, though, Microsoft has taken on many of these issues and has performed the assessments with an independent assessor, so the company can now offer agencies the reports evaluating its technologies. This will save them much of the effort.
Microsoft Azure has already been put through similar government security assessments in other countries, including the United States, the United Kingdom, Ireland, the Netherlands and Singapore.