Office 365 is now certified by the Australian Government for DLM Documents

If you work with government departments in Australia, Office 365 has great news for you. Office 365 is now certified by the Australian government to handle and store Federal documents.

Before we go a bit deeper into what this represents and its ramifications, bear with me while we set the baseline for the discussion.

Let me introduce you to the Australian Signals Directorate (ASD). This is a Federal agency that collects and analyses intelligence sources and provides data security services and advice for the Australian government and Defence Force. We are talking here about highly capable IT security people focused on data protection and data handling. Storing Australian government data in the cloud needs to be assessed by these folks. And they just certified Office 365 for that purpose.


Quick comment: have a look at how cool their logo is: “Reveal their secrets…Protect Our Own”.

That's very cool. And there is more... The same certification is also extended to Windows Azure. If you’re keen to see how ASD assesses cloud providers for regulatory suitability, here’s the guide. If you work with data compliance and regulation in the cloud, this *is important*!

What does it mean?

It means they have certified the existing Office 365 document controls as qualified for storing Government data. Which means they just gave their OK: "Office 365 Controls are good for our Government. If you have documents and you plan to store them in the cloud, Microsoft is OK with us."

Now that does not apply to *all* kinds of documents. Which takes us to the next point.

Unclassified DLM Documents

Let's talk now about a document type called "Dissemination Limiting Markers", or DLM. Every time you go to a government agency and fill out forms (such as driver's licence or REGO renewal forms), you see that they have a section called 'for official use only'. Documents that are deemed *not highly classified* but that require controls over sharing capabilities, or whose sharing is fully prohibited by legislation, or that require special handling, are classified as DLM. These are the ones you can use with Office 365 in Australia.

Now... something needs to be said about Data Classification, which is a bit of a grey area and up for discussion (I am not a lawyer, so take this with a grain of salt).

The catch with data classification is that each agency is responsible for classifying its own documents, including what is and what's not DLM. There is no blanket rule addressing that.

If you are an IT professional

This matters for you. While the competition is using "blanket solutions" (one size fits all) to address cloud data regulation, privacy and protection, Microsoft is actually taking the time to sit down with legislators, policy makers and so on, and is addressing each one of the concerns in their legislation. By doing this, Microsoft's solutions aim to offer much better granularity, item by item. An Office 365 solution will likely fit the requirements perfectly because it will address each one of them individually. We should expect to see more progress and more classification types arising very soon.

If you are a Business Executive

This matters for you. I know how busy and focused you are, trying to close deals and sell the solution to the customer. So here's a quick list of sellable projects:

  • Archiving in the cloud: This certification from the Australian authorities now offers a possibility for you to engage (sell a project) directly with agencies with a pre-approved template. Show them how to move their forms to the cloud.
  • Document classification transformation: Help them with document classification to match the cloud approved regulations.
  • Electronic forms: Help agencies to convert their documents to eFormat, so people can fill them BYOD-style.
  • Codeword Discovery: Deliver a codeword discovery and implementation on metadata to ensure automatic Office 365 data leakage protection controls and compliance with the Australian standards. A stretch goal here can be to implement a document classification rule such as FYEO ("for your eyes only"), where only a group of people can open certain document types. Even if someone forwards the document or its link to someone else, the recipient will not be able to read it.
  • Accountable Material: Set up "accountable material", where restrictions are applied to the dissemination and distribution of a document, making the forwarding originators accountable and identifiable in line with the new Australian metadata retention laws. (eDiscovery)
  • Electronic Seal: Deliver a solution that allows electronically sealing emails in Exchange following the Australian ISM requirements.

One more thing before you go

Now, all this is a great deal of Legal/IT/Cloud stuff. I mean, this is a touchy subject. I really do! So before anyone starts saying "we can't do this!" or "such ideas are not possible because XYZ", I just want to make it clear that this landscape clearly needs engagement from a Legal representative across the board. This is not an IT project; this is likely a business transformation project where IT plays a great role offering the right controls.
I dare say that soon, in Government-focused cloud projects:
- We will see more and more cross-discipline collaboration involving Legal, Business and IT departments... a type of Avengers Assemble for delivery :)
- Also, expect that things will move slowly. Government regulations are massive engines, and their advances are made at their own pace and liking. Their ramifications affect nations and the way markets operate.

And these were my 2 cents.

If you're involved in data protection, regulation, or compliance cloud projects, feel free to share your experiences.
