What is IRAP? How is this connected to Microsoft Dynamics CRM? Microsoft Azure, Office 365 and Dynamics CRM Online are in Australian data centres. That’s good, but how does it matter to our organisation? How can we be ISM compliant and trust Microsoft?

If you have these or more questions in your mind regarding Microsoft online services, the following should answer some of those questions.

ISM, IRAP and ASD

On 31st March 2015, Microsoft Australia announced that Office 365 and Dynamics CRM Online are available from Australian Data Centres. This was great news for various customers and partners who have been wanting to jump on the cloud bandwagon for quite some time now.

However, just having data centres in Australia doesn’t mean that organisations are compliant with the strict security guidelines released by the Australian Signals Directorate (ASD), the intelligence agency within the Department of Defence. These guidelines are detailed in the Information Security Manual (ISM) here.


Figure 1: ISM – Information Security Manual


By law, every Australian Government agency should be ISM compliant and should only use ASD certified cloud services. Certification is granted at various classification levels and is assessed by an IRAP (Information Security Registered Assessors Program) assessor. The process of going through this security assessment and certification is called an IRAP assessment.

Microsoft Azure and Office 365 are ASD Certified Cloud Services at the Unclassified DLM classification level.

Please note, IRAP assessment for Microsoft Dynamics CRM Online is currently underway.

For a complete list of ASD Certified Cloud Services, please refer to the list here. ASD certification benefits all Federal Government agencies, State Government, education, healthcare, and commercial enterprises in Australia.


Methods by which Microsoft Keeps the Customer Data and Content Secured

Data Centre security

Microsoft is working hard to keep data secure by enabling security at various levels including infrastructure, network, data, identity and access. For a comprehensive white paper on Microsoft Azure, please refer here.

Security at data level

  • Default Data encryption

Data encryption is turned on by default for all Microsoft Dynamics CRM Online organisations for a set of entities and attributes that contain sensitive information, such as usernames and passwords, and it cannot be turned off.

  • Full Data Encryption on request and encryption keys

In addition, Microsoft can encrypt the full Customer Data and Content upon request by the customer. However, the encryption keys will be securely held by Microsoft and will not be available to the customer or any other organisation. A customer can be provided with an undertaking from Microsoft about the safety of the encryption keys, and with advance notification from Microsoft if either the encryption keys or the data are leaving Australian shores for any reason.


Cloud Offerings and Adoption

Interestingly, it’s clearly stated on the ASD website here:

While ASD Certification will assist agencies to understand the information security risks when contracting cloud computing services, agencies are urged to perform due diligence reviews of the financial, privacy, data ownership, data sovereignty and legal risks associated with contracting cloud computing services.

This means that organisations will still need a legally binding document from Microsoft, when signing a cloud offering acceptance agreement, stating that their data will not leave Australian borders and that data privacy is guaranteed.

However, in my recent experience, even after convincing the customer of the above undertakings, getting this over the line in a legally binding document can at times be a difficult, time-consuming and painstaking discussion between the partners, customers and Microsoft.

But after a few hoops and making sure the right people (from Microsoft) are involved in the communication, this agreement is realized.


Building Trust over Time

I guess it’s like trusting secure bank vaults to keep our precious belongings safe from burglary and theft outside of our own house, and believing that our possessions are more secure behind their thick concrete walls than behind the fragile brick walls of our homes.

Similarly, it’s just an initial regulation before we grow in our thinking, and come to understand and trust an outside organisation to keep our data in a safe outside of our own offices, knowing that it’s more secure to keep it there.


References

The Microsoft Dynamics CRM Trust Centre provides complete information about the principles by which Microsoft keeps Dynamics CRM data secure.

In order to understand the difference between Customer Content and Customer Data, please refer to What is “customer data” and “customer content”?.

Further reading