Trust but Verify – 2021 IRAP Assessment Reports for Azure, Dynamics 365 and Office 365 now available
It’s that time again! – The TL;DR version of this article is that we have just released, to the Australian-specific page of the Service Trust Portal, the latest 2021 IRAP assessment reports for Azure, Dynamics 365 and Office 365 for operating up to and including the level of PROTECTED. In addition, ICYMI, all 3 Microsoft regions were recently Certified Strategic under the Digital Transformation Agency Hosting Certification Framework.
If at this point you are still reading then you are looking for the details, so let’s dig into them!
Between the Azure report (which includes Dynamics 365) and the Office 365 report, there are over 1,250 pages of content. Before we get to the juicy bit regarding which services are in the reports, I wanted to provide some details regarding the report contents and structure.
“Transparency is a building block of Trust”
Trust is a difficult thing to gain, and even easier to lose! – As I have noted in previous posts, when you move to a public cloud provider such as Microsoft there is always an element of trust required, because you can only see so far into the service, you cannot see what is behind the scenes. For you, your virtual machine is up and running in your Azure Portal and you can see statistics and information about it, but you have no idea beyond that aperture what is happening from the hypervisor layer down, as this is the responsibility of the cloud provider. But how do you know that the cloud provider is doing what they say they are doing? This is one of the reasons why, at a global level, we invest in 3rd party attestation, assessment and certification, and why we have continued to invest in IRAP assessments in Australia to provide a local assessment against local government standards. Since the publication of our first IRAP report back in 2015, unlike other providers, we made the conscious decision from the start to make our reports publicly accessible on our Service Trust Portal because Transparency is a building block of Trust.
As part of this process, the IRAP assessors have unfettered access to the engineering teams and internal documentation which they require for making their assessments and reporting on findings. The evidence and artefacts they have reviewed for areas such as operational procedures and architectures do not always make their way into the published report, be that for reasons of operational security, intellectual property or a number of other commercially sensitive reasons.
So while I want to set an expectation from the outset that we have not opened up the entire inner workings of our platform in public documentation, we have worked closely with the assessors to enable them to include details in this report which we have previously not shared, again without compromising operational security, intellectual property or for any other commercial reasons (this is also one of the reasons why this report is a couple of months later than I hoped as we worked through approvals).
Last point to note is that these new reports supersede the previously published 2019 and 2020 versions of the reports. All services from previous reports, including those only recently assessed in 2020, have been reassessed to create a single Azure/Dynamics 365 report and a single Office 365 report.
Azure, Dynamics 365 & Office 365 Services
These reports are only getting larger as we introduce new services and capabilities into the 3 Microsoft cloud environments. As mentioned, it is important to note that these new reports have reassessed all 2019 and 2020 services as well as new services, and that both reports have been assessed against the June 2021 version of the Government Information Security Manual (ISM). While the assessment was taking place, the September 2021 ISM was released, and while the assessors did not reset the assessment against the new version of the ISM (which would mean restarting the entire assessment), for your convenience they did however make notes in the report against controls which were removed in September (they still assessed and provided commentary against June 2021 guidelines but put a mini note in the description text so you know it was later removed). Please note the assessment did not reassess against controls which were changed or introduced in the September ISM.
In the Azure report there are 14 new services making a total of 159 Azure and Dynamics 365 services assessed to the level of PROTECTED, of which, some of the most sought after new ones include:
.. and if you have been desperate to move your print queues into the cloud, Universal Print is also in there!
On the Office 365 side we have assessed the entire Office 365 suite. As a side note, related to my previous points on transparency, when reading the report you will also see references to internal services which support the Office 365 environment which you will never see in your portal or on docs.microsoft.com. These services have been called out due to the integral role they play in the overall Office 365 ecosystem, and the assessor has explicitly called them out as internal in the report, so don’t go looking in your portal trying to find and deploy one of them!
As part of the Office 365 assessment, we also included the Windows 365 Cloud PC service. If you haven’t heard of this service and are a user of, or have a requirement for, running virtual desktops in the cloud and securely streaming them, then this is a service which you must check out, especially given it has been assessed to PROTECTED!
One minor point to note when reading both these reports is that in some cases product names may have changed since the assessment started. For consistency it was decided to keep the names as they were when the assessment started, so you may find that the service you are looking for is referred to by its old name (sorry marketing teams!). This however does not change the assessment itself.
That’s it for the 2021 reports!
So that is the latest round of 2021 assessments for Azure, Dynamics and Office 365 for operating at the level of PROTECTED. My last piece of advice for you before reading these reports: if you have not kept up to date with the latest ACSC guidance on how cloud assessments are now performed and the changes to areas such as the introduction of new implementation statuses (for example ‘Ineffective’ replaced ‘Partially Implemented’, and there is now a ‘No Visibility’ category) then I highly advise you head over to cyber.gov.au and read the updated ‘Anatomy of a Cloud Assessment and Authorisation’ guidance.
Thanks for taking the time to read this post, now pour yourself that large cup of coffee and go download the reports!
Chief Architect, Published Author, Podcast Host, AICD, Open Source Contributor
2 years ago: Great News!
Defence Industry Security Expert | Veteran
2 years ago: Michael Burr
Azure / M365 Managed Services and Enterprise Consulting - Asia Pacific
2 years ago: Steve Raw
Director, IML Design Pty Ltd
2 years ago: Thanks Mark!
Dad | Leader | Enabler | Problem Solver | Veteran | Security and Intelligence Professional
2 years ago: Knowing the backend work you and the team has put into this... as always - an excellent outcome!