Microsoft Azure and Microsoft Office 365 now hold the UK Government’s recently launched “OFFICIAL” accreditation.
What does that mean?
It means that Microsoft Azure, an Infrastructure-as-a-Service and Platform-as-a-Service cloud computing platform, and Office 365, Microsoft’s public cloud productivity suite for e-mail, collaboration and unified communications, are now accredited to hold or transact public sector data for business conducted at the OFFICIAL level of Security Classification.
What data is considered “OFFICIAL”?
As defined by the documentation, ALL routine public sector business, operations and services and the data they involve should be treated as OFFICIAL - many departments and agencies will operate substantially or exclusively at this level.
Examples of OFFICIAL business include:
Are these services available via G-Cloud?
Microsoft Office 365 and Microsoft Azure are just part of our offerings on the G-Cloud Framework, available through the CloudStore, demonstrating Microsoft’s commitment to supporting the UK government’s Cloud First policy, helping to reduce the cost of ICT and to achieve the aim of moving 50% of new ICT services to the cloud by 2015.
What services does Microsoft Office 365 include?
Microsoft Office 365 includes cloud-based versions of all your favourite productivity tools, including Outlook, Word, Excel and PowerPoint, and integrates them with Exchange Email, SharePoint collaboration (including content management and social networking), and Lync unified communications. SharePoint now includes OneDrive for Business, offering 1TB of storage per user, and Lync includes instant messaging, presence and high-definition audio and video conferencing. Learn more about what you can accomplish with Office 365.
Does it matter what device or platform I use to access those programs?
Microsoft Office 365 works happily in most common and modern browsers and is accredited to handle all OFFICIAL level work on a wide range of connected devices including laptops, tablets and smartphones when managed in line with the Government’s End User Device Guidance.
What does Microsoft Azure do?
Microsoft Azure supports the Government’s Digital-by-Default agenda and enables public sector organisations to develop and run applications for citizen-facing services, or departmental applications for internal users. It provides both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) compute and storage capability on a pay-as-you-go basis, avoiding capital expenditure and the cost of running and maintaining expensive systems on-premise. It also offers a substantially more cost effective approach to data storage and backup, due to the massive economies of scale Microsoft can pass on to its customers.
What if my organisation prefers a private cloud solution?
Fortunately, Microsoft has also achieved Foundation Level Commercial Product Assurance for Windows Hyper-V, the first and, at the time of writing, only virtualisation product to do so. This means that Windows Hyper-V is suitable to operate at multiple levels of threat and risk for OFFICIAL information inside UK government, facilitating its deployment for customers and partners delivering private cloud solutions inside government.
Where are Microsoft’s data centres?
Microsoft’s EU datacentres are based in Dublin and Amsterdam and Microsoft Office 365 and Microsoft Azure services comply with ISO 27001 standards and provide comprehensive data processing provisions to UK customers, incorporating EU Model Clauses – Europe’s data protection regulations. Microsoft is the first – and so far only – company to receive this approval, which followed an extensive review by the Article 29 Working Party. You can read more in Microsoft’s Official Blog on this topic.
My organisation already uses Microsoft Azure and Microsoft Office 365. What does the accreditation mean for me?
Adding the “OFFICIAL” accreditation provides additional peace of mind for public sector organisations, and the citizens they serve. It will deliver confidence that information will continue to stay within the parameters defined by CESG.
I want my organisation’s IT needs to be met by a small- or medium-sized enterprise. What does this accreditation mean for SMEs?
The Microsoft Office 365 and Microsoft Azure platforms create a great opportunity for Microsoft’s SME Partner community, of which over 150 are already assured on the G-Cloud CloudStore marketplace. These skilled and experienced partners can provide specialist cloud consultancy services or develop cost effective innovative apps for government users or citizen-facing services that exploit the scalability and reliability of a world-class cloud platform. A great example is the Environment Agency’s FloodAlerts application, hosted by Azure, and developed by UK SME Shoothill Ltd. This really put Azure to the test during the recent winter floods when millions of citizens were checking river levels. Learn more about the Environment Agency's story.
I’m interested in cloud tools, but I want to learn more before I make decisions.
This free ebook on getting started with cloud tools was written especially with the public sector in mind. It answers many common questions and provides concrete first steps to getting started with your journey to the cloud.
This is good news!
How do you control access to Office 365 from non-corporate devices? I.e. if it is not a device configured as per End User Device Guidance, just someone's home PC.
Great question! At present you have to restrict access by IP. You can find a guide to doing this in different scenarios here: technet.microsoft.com/.../hh526961(v=ws.10).aspx
I assume that since OFFICIAL SENSITIVE is part of OFFICIAL I could safely process and store information classified as OFFICIAL SENSITIVE within o365 and Azure?
I can think of no higher authority to point to than the official classification guidelines, specifically:
‘A limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the ‘OFFICIAL’ classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the ‘need to know’. In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know’, assets should be conspicuously marked: ‘OFFICIAL–SENSITIVE’’
Hope that's helpful to you.
How do you deal with housing the data in Ireland (outside of the UK). Also, will you be offering this service over the PSN?
Hello, great article, but I can't find on the Cloudstore any reference to this.
Are you sure it has gone through PGA accreditation, because it is not listed as being.
Hope to hear back from you soon,
That's a great question. Thanks for writing. I've got your answer below -- excuse the formal language but these things require precise wording.
Off-shoring of OFFICIAL information is permitted, however organisations should be aware of the following:
• There are certain information types (e.g. information relating to national security or sensitive international issues) where off-shoring may not be a suitable option
• Personal data held off-shore should be kept within the EEA, Safe Harbor or the limited number of countries with positive findings of adequacy from the European Commission. Organisations may conduct their own assessments of adequacy, however this approach carries the inherent risk that in the event of a breach, the Information Commissioner may not agree with their findings.
• It is important that you can satisfy your security requirements in the locations chosen to off-shore to. The local political, legislative or cultural environment may make satisfaction of your normal security requirements challenging.
• The Office of the Government SIRO will review and advise on off-shoring proposals for HMG information.
The above guidance can be found at the following source: www.gov.uk/.../FAQ2_-_Managing_Information_Risk_at_OFFICIAL_v2_-_March_2014.pdf
Thanks for asking. Yes, we're completely sure about the PGA accreditation. Sorry that Cloudstore page hasn't been updated yet. Hopefully the Cloudstore site will reflect the change soon, but we have no control over the updating of government websites.
How does Office 365 interact with the Public Sector Network? In particular, can Exchange Online be configured to route via the PSN Secure Mail Gateway, or would this require a hybrid environment?
Just to add Microsoft Azure is the way to go in terms of Office 365. IAM Cloud has a solution that means there is no ADFS required and no single point of failure. Currently 2.3 million identities worldwide and Microsoft themselves are promoting the IAM Cloud platform solution as well. To learn more please visit www.iamcloud.com and if people need to know more please contact me on
Senior Partner Manager
Phone: +44 118 324 0000 or +1 914 495 1298
DDI: +44 118 324 1002
Mobile: +44 7881 309571
Hi Tim Lewis York,
Office 365 is not a PSN service; it runs over the Internet. Most customers use a hybrid environment solution to get around this, routing their e-mail via on-premise Exchange servers first, then out to Office 365. Hope that's helpful!
Working in Local Govt we are being asked to collaborate with other authorities such as the NHS and Police on Social Care initiatives, MASH, Troubled Families etc.
Please can you confirm that DWP, the Home Office and the Dept of Health have agreed that OFFICIAL (SENSITIVE) data such as Medical Records, Benefits information and information sourced from the Police can be shared on this platform.
Thanks for writing. The service is PGA accredited to hold OFFICIAL data; OFFICIAL – SENSITIVE is a handling caveat within OFFICIAL.
CESG has published a set of guidance centred on 14 Cloud Security Principles - How many of these, and which ones, have Microsoft aligned to?
In many, if not most cases, we align to the cloud security principles, as these were largely what was tested before as part of the accreditation process via the PGA.