Microsoft’s Commitment to Trust in Australia: Introducing 2024 Azure, Dynamics 365, and Microsoft 365 IRAP Assessments

At Microsoft, our cloud services are underpinned by a foundation of trust and as the psychology Professor Jeffry A. Simpson writes “Trust involves the juxtaposition of people’s loftiest hopes and aspirations with their deepest worries and fears.”. While Professor Simpson was talking about human emotions, I think this is also very applicable to the adoption of cloud services. We all want the benefits of cloud services such as security, scale, resilience and agility, however our ability to adopt them can be shadowed by the fear of the unknown, including what is truly happening behind the scenes in the areas of cloud which you cannot see or touch? This is an area for me where I strongly believe 3^rd party verification and attestation is vital, which is why I am excited to announce our new 2024 Azure, Dynamics 365 and Microsoft 365 IRAP assessments.

These latest assessments look at the Microsoft cloud platform against the Australian Cyber Security Centre’s (ACSC) Cloud Assessment and Authorisation Framework.  It also addresses guidance from the Department of Home Affairs’ Protective Security Policy Framework (PSPF), the Australian Government Information Security Manual (ISM), and the Digital Transformation Agency’s (DTA) Secure Cloud Strategy for hosting and processing data at the classification up to, and including the level of Protected.

These latest releases mark a continuation of Microsoft’s long-standing commitment to the IRAP program and the provision of reports since 2015 where we were the first hyper-scale cloud platform to achieve certification for Unclassified level workloads on Office 365. Fast forward to 2018, and another first, as Microsoft became the first hyperscale cloud provider to gain Protected certification under the Certified Cloud Services List (CCSL) for Azure and Office 365.

Since then, we have continued to invest in reassessing Microsoft’s cloud platform every 18 to 24 months, in line with IRAP’s requirements.

Our assessments are more than just a security checklist

It’s a common misconception to regard an IRAP assessment as a mere ‘certification’ or binary pass/fail (side note: an IRAP ‘certification’ process hasn’t existed for at least 4 years!). It is a comprehensive, risk-based framework that allows organisations to make informed decisions about system deployment. When the ASD announced the discontinuation of the CCSL in 2020, I welcomed the move in a blog post because it now empowered organisations to make their own risk-based decisions on technology.

With organisations now empowered to make their own risk-based decisions, it is now more important than ever that a comprehensive IRAP assessment goes beyond simply aligning with the ISM and PSPF. Our approach is to enable the assessors to spend much of their time examining Microsoft’s Secure Development Lifecycle (SDL) and the uniform standards governing our services for onboarding and maintenance. This is a process that every service must follow to be part of the Microsoft cloud family.  In addition, noting that cloud moves at an incredible pace, and an IRAP assessment is a view of a moment in time, what happens if you want to use the latest security solution, data platform capability or new Dynamics CRM module that has been released post the latest IRAP assessment?

Well, you can still deploy a cloud service that has not been through the latest IRAP cycle because it is a risk-based decision which the business makes. This is why I believe it is important for the reports to cover the approach and ‘how’ of Microsoft’s security controls which are consistent and required for all service onboarding. With this knowledge, you can be assured that any new services are aligned to the controls and processes assessed in the reports, and you are empowered to make the decision to adopt that new capability or service outside of the IRAP cycle.

Microsoft continues our commitment to building and using sovereign capability by once again working with independent Australian company CyberCX to conduct our 2024 IRAP assessments.

Generative AI – Another first for hyper-scale AI assessed to Protected

Generative AI has exploded over the past 12 months, and our 2024 IRAP assessments reflect this by including the new, AI-powered Copilot for Microsoft 365 and Azure OpenAI Service, which are being used by more organisations every day to accelerate innovation and boost productivity. Having these services assessed to Protected offers many possibilities within Government for the adoption of generative AI, with the confidence and trust in the underlying AI and data platform.

Finally, it’s important to remember that IRAP is just one of the 100+ different certifications and assessments that Microsoft participates in globally. These span countries and industries, ensuring that our solutions have been extensively reviewed for a wide range of situations.

You can access Microsoft’s 2024 IRAP reports via our Service Trust Portal. I encourage you to review the reports, and to appreciate the comprehensive security posture that underpins every Microsoft offering.