back to article Azure needs extra security controls before it's fit for government use, says Australia

So this is awkward: last week Microsoft trumpeted its new Australian Azure regions for government clients. But three days later Australian authorities said the new regions Australian government organisations need extra security controls before they're sufficiently secure before using any Azure services. The “can do better” …

  1. Pascal Monett Silver badge

    "additional configuration and security controls"

    I won't be surprised to learn that said safety controls will be entirely cloud-based, under MS control and with the regular, can-change-at-MS's-whim EULA.

    I will be surprised if I learn that the rollout is suspended until said safety controls are in place.

    1. Paul Crawford Silver badge

      Re: "additional configuration and security controls"

      I wondered if this has anything to do with the odious CLOUD act and the Aussies wanting to be damn sure Uncle Sam can't extract data without them knowing.

      1. Anonymous Coward
        Big Brother

        Re: "additional configuration and security controls"

        "Uncle Sam can't extract data without them knowing."

        I don''t know why Uncle Sam would want the information twice or the trouble of getting it a second..third time.

        Probably had it for years, more's the pity.

        1. Milton Silver badge

          Re: "additional configuration and security controls"

          "Uncle Sam can't extract data without them knowing."

          I don''t know why Uncle Sam would want the information twice or the trouble of getting it a second..third time. Probably had it for years, more's the pity.

          Undoubtedly. I think Uncle Sam got the Aus-Gov.zip file (12.2Tb) as part of a "Beijing BOGOF Month" promo being run in October 2016: Lockheed Martin had burned a server, lost the 27Tb master blueprints and code for the F-35, so the US government forked out $370k for a backup which the Chinese, bless them, had made a few years before.

    2. Anonymous Coward
      Anonymous Coward

      Re: "additional configuration and security controls"

      >>That the region is not entirely ready for government users is therefore not a great look for Microsoft. ®

      Where does it say it's not ready? Clearly it's certified so it IS ready at least as far as the standard that Microsoft was told to design for.

      1. Sir Runcible Spoon Silver badge

        Re: "additional configuration and security controls"

        MS initially designed this for the US government market, it's not surprising that it doesn't necessarily meet more stringent requirements of other governments.

    3. Doctor Syntax Silver badge

      Re: "additional configuration and security controls"

      and with the regular, can-changeread-at-MUS's-whim EULACLOUD Act

      FTFY

  2. Tim99 Silver badge
    Big Brother

    Can we slurp?

    Please allow all other Departments information available to be available to us for "checking". Love, The Department of Defence Home Affairs.

  3. HAL900

    I think the correct headline for this was "Microsoft's new gov cloud provides protected-level Security controls. ASD suggest that you use them"

    1. Anonymous Coward
      Anonymous Coward

      "I think the correct headline for this was "Microsoft's new gov cloud provides protected-level Security controls. ASD suggest that you use them""

      Quite. There is no failing by MS here.

      1. Sir Runcible Spoon Silver badge

        Considering that MS staff will have access to the data stored there, perhaps additional measures are required to ensure confidentiality etc.

    2. Trixr

      Yeah, I don't mind El Reg going for the tabloidy headlines when it's amusing, but this really is a misleading spin on the situation.

      Also, since I was at the presentation, MS clearly had a matrix of services that were going to be approved for Protected status (in conjunction with the appropriate controls as implemented by the relevant agency - they have responsibility too). There were at least a dozen or so services that were excluded.

  4. Anonymous Coward
    Anonymous Coward

    Nothing to see here

    The Australian Government's information security policies (applicable to all agencies) require accreditation of any system storing, communicating or processing government information. Inclusion of Microsoft's Azure services on the Certified Cloud Services List does not preclude separate accreditation of any business solution using those services; it just makes it less complicated as Microsoft can provide relevant supporting documentation. Note that accreditation is a specific term referring to the process by which the risks associated with a system are understood and managed appropriately -- compensating controls are a standard part of that process.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019