Microsoft addresses NZ Government questions on cloud security
Posted on 27-May-2015 09:17 | Filed under: News: SaaS
Microsoft has this week become the first cloud service provider in New Zealand to publicly demonstrate how its cloud platform, Microsoft Azure, meets the requirements set out in the New Zealand Government CIO's 105-question due-diligence framework.
The NZ Government Chief Information Officer (GCIO), who is based within the NZ Department of Internal Affairs, has responsibility for providing guidance on how NZ government organisations should adopt cloud computing via a framework called ‘Requirements for Cloud Computing’.
As part of this effort, the GCIO has published a document entitled “NZ Government Cloud Computing: Security and Privacy Considerations”, which comprises 105 questions focused on security and privacy aspects of cloud services that are fundamentally related to data sovereignty.
Organisations that fall under the scope of the GCIO’s mandate for providing Ministers with government ICT System Assurance must apply this framework when they are deciding on the use of a cloud service. Other NZ State sector organisations are encouraged to use this framework as good practice guidance.
Microsoft NZ’s National Technology Officer, Russell Craig, says that to assist NZ Government organisations in meeting these requirements and expectations, Microsoft has proactively provided a comprehensive document of information showing how Azure meets the requirements set out in the 105-question government framework.
“This is a great step forward for us in being able to show both public and private sector customers how Microsoft addresses important security, privacy and sovereignty issues. None of our competitors have done anything like this,” says Mr Craig.
“If you represent a NZ government organisation that is considering adopting Azure, this information will assist your analysis. If you work outside of NZ government, and are interested in the security, privacy, and sovereignty aspects of Azure, you also may find both the questions set out in this framework and the responses from Microsoft to be helpful when evaluating different cloud service providers.
“We would like to think that our responses set the benchmark for the level of detail and transparency that cloud providers can and should offer their customers about these vital matters,” says Craig.
Craig notes that this framework is not, and does not define, a NZ government standard against which cloud service providers must demonstrate formal compliance.
“Many of the questions in the framework do, however, point customers toward the importance of understanding cloud service providers’ compliance with a wide array of relevant standards, the approach they take to security and data privacy, and what they do and don’t do with their customers’ data,” he says.