Like socks, shoes and gloves… IRAP assessments can also come in pairs!
Mark Anderson
National / Chief Security Officer at Microsoft Australia & New Zealand
TL;DR – The latest 2020 Azure and Office 365 IRAP assessments based on the July 2020 Australian Government Information Security Manual (ISM) are available for download on the Australian-specific page of the Service Trust Portal; covering a total of 20 new services ranging across Azure Security, Office 365 productivity, Dynamics 365 and Microsoft Managed Desktop.
Before you download the assessments and get stuck into the 200+ pages of each report, I thought it would be a good idea to give you some Cliff's Notes on the changes and the services that have been added.
As I have previously noted, as part of our continued commitment to Australian Government customers we continue to invest in IRAP assessments of our platform and services to ensure they meet the standards required by the Australian Government for hosting data at classifications up to and including PROTECTED. These most recent IRAP assessments are significant in that they are the first reports we have released following the cessation of the Certified Cloud Services List (CCSL) and the introduction of the new Cloud Security Guidance by the Australian Cyber Security Centre (ACSC).
As such, in alignment with the new assessment guidelines, both new reports start with a focus on Microsoft as a Cloud Service Provider (CSP), that is to say a deeper dive into Microsoft as a company. For me this is an important part of your risk assessment activity because, as stated by the ACSC:
“Cloud Consumers need to consider all aspects of a CSP to make an informed decision about its use and not rely on a single factor to determine a CSP’s suitability”
Moreover, I welcome this addition because the Microsoft story is much deeper than the surface level of the services with which you interact. This deeper dive is even more crucial when you consider that performing risk assessments of cloud platforms such as Azure and Office 365 requires you to adopt a 'trust but verify' model. That is to say, there will be controls which are out of your reach because they are the responsibility of the cloud provider, and you will not be able to assess them directly yourself; you must therefore trust that the CSP is implementing and operating them effectively on your behalf. However, as any good risk assessment professional will attest, you shouldn't just blindly trust, you need to verify, and that is exactly what these IRAP assessments provide: independent third-party verification of the platform against the controls of the ISM, in this case performed by the highly reputable team at CyberCX.
(Side note: in case you missed it, a few months back we released a paper written by CyberCX on assessing cloud risk.)
Before we get into the detail of the services included in these most recent assessments, it is important to note that these two reports are incremental to the 2019 Azure and Office 365 assessments. In line with the ACSC's 24-month reassessment guidelines, while these latest reports adopt the new reporting approach in areas such as the focus on the CSP, they do not reassess the services already covered in the 2019 assessments, as those findings remain valid.
Let’s dive into the detail…
Office 365
While the Office 365 assessment covers only four additional services, for many this will provide the final piece of the puzzle in terms of a PROTECTED-level risk assessment for the full Office 365 suite of applications, including Microsoft Whiteboard, which is a key use case for organisations that have invested in Surface Hub:
- Microsoft Forms
- Microsoft Planner
- Microsoft Whiteboard
- Yammer
Even though the report covers only four services, it still runs to more than 200 pages and provides a great level of transparency in terms of platform operation, in alignment with the new Cloud Security Guidance.
Azure and Online Services
Azure IRAP assessments usually cover in excess of a hundred services, so I would not normally spend time listing them all. However, given that this is an incremental set of services for this IRAP cycle, and the fact that I received many enquiries about each and every one of them... ok, maybe with the exception of one... (sorry Microsoft Stream, we still love you), I thought it was worth calling them out in this post.
The first cohort of services is our range of security services, with Azure Sentinel the most requested service by far, as many organisations are itching to take advantage of our cloud-based SIEM/SOAR. (Sidebar: as I was writing this post, Azure Sentinel was also announced as a "Leader" in the Forrester Wave for Security Analytics Platform Providers.)
The full list of security services is as follows:
- Azure Sentinel
- Azure Advanced Threat Protection
- Microsoft Threat Protection
- Microsoft Defender Advanced Threat Protection
- Microsoft Threat Experts
- Azure Bastion
(Some of you reading this will be thinking "but these are the old names for the products, as they recently changed", and you are correct. However, since not everyone may be across that information yet, and given this is how they appear in the report, I will continue to use the old names for now, at great personal risk of feeling the wrath of marketing!)
The second group of services related to our end user desktop/mobile experiences with Microsoft Managed Desktop (MMD) and Windows Virtual Desktop (WVD) both assessed to the level of PROTECTED. MMD was a little unique in this assessment in that it involved more than assessing a single cloud service as MMD not only brings together the technology of multiple Microsoft cloud services, but also the end-user device and people processes in relation to end-user support, all of which were assessed.
Next, we included two key data-related services, Azure Data Factory (ADF) and Azure Data Explorer (ADE). ADF is a cloud-based ETL and data integration service which allows you to create complex data flows connecting services such as Azure Databricks, Hadoop, Azure SQL Database and many others, all of which can be integrated into your CI/CD data pipelines using Azure DevOps and GitHub. ADE is ideal for analysing large volumes of diverse data (both structured and unstructured) from any data source, such as websites, applications and IoT devices, and scales quickly to terabytes of data.
If you already use NetApp Files or are looking for the ability to run highly scalable, high performance file-based applications in the cloud using protocols such as SMB and NFS with no code refactoring, then you will love the fact that Azure NetApp Files (ANF) was also included as part of this assessment. ANF is provided as a native Azure service that is built on NetApp’s ONTAP storage operating system, allowing you to build file-based applications in Azure without the need to refactor or rearchitect your applications.
Lastly (and saved for last for no reason other than that my colleague Angela Hughes has created a great LinkedIn write-up on this topic), our final cohort of services all relate to our Business Apps suite and the Finance & Operations aspects of Dynamics 365. These four services join the other Dynamics services in the 2019 Azure report, creating the most comprehensive end-to-end suite of Business Applications assessed to the level of PROTECTED.
- Dynamics 365 Finance
- Dynamics 365 Supply Chain Management
- Dynamics 365 Commerce
- Dynamics 365 Customer Insights
That's all folks!
So that is it for the round of 2020 IRAP assessments! A great set of additions to the family of PROTECTED assessed services covering everything from Office 365 to Azure security services, managed desktop, data services, NetApp Files and Dynamics 365… and of course, Microsoft Stream.
As noted above, both assessment reports are available for download on the Australian-specific page of the Service Trust Portal, and for those of you who like to import the control set and findings into your own risk management solutions, we have also included a bonus Excel spreadsheet of all the controls and findings.
In closing, as I have said in previous posts, while we invest heavily at a global level in cloud assessment, accreditation and certification schemes, we remain committed to providing independent local third-party IRAP assessments of our platform and services, so that both Australian Government and commercial customers can be confident in our ability to design, build and operate a global hyper-scale cloud platform which they can trust.
Comments
G2G/G2B/B2B-ready encrypted communication tools. Dekko is sovereign, verified, independent and accessible. (3 years ago)
Hi Mark, are you able to confirm if the August 2019 Shearwater Azure services IRAP assessment is still valid? Optimistically the reference to a 24-month reassessment cycle means that validity is current until August 2021, but new messaging from the ACSC has made it difficult to ascertain which services remain to be certified after changes have been made to the scheme in the last 12 months. Dekko leverages Azure PaaS and such certifications are pertinent to the work we do in the Australian government space.
Principal Product Manager Lead at Microsoft (3 years ago)
Fantastic!
Cyber | Security | Compliance | Risk | Governance | Privacy | Regulatory Standards | Control Implementation (3 years ago)
Great work Mark! And keep the blogs coming!
Principal Transformation Architect at Zscaler (3 years ago)
This is a great benefit for Microsoft customers Mark. Zscaler has also recently achieved an IRAP assessment for both our ZIA and ZPA services as well, so we understand the amount of work you needed to do. Considering the tight partnership Zscaler have with Microsoft and the many integration points, completion of all this work should be of great value to our customers.