The department which houses Prime Minister Julia Gillard, her staff and the Cabinet yesterday signalled it would bow to a request from the Federal Auditor-General and block access to public web-based email services such as Hotmail and Gmail from 1 July, with the auditor seeing the platforms as an inherent security risk.
In a report on the security of information held by government agencies first reported by iTNews, the Auditor-General Ian McPhee recommended that “agencies should not allow personnel to send and receive emails on agency ICT systems using public web-based email services”, specifically calling out ‘hotmail’ and ‘gmail’ as examples of such platforms.
The problem with such services, according to McPhee, was that they provided “an easily accessible point of entry for an external attack”, and subjected departments and agencies to “the potential for intended or unintended information disclosure”.
The auditor’s examination of the information security of a number of agencies, including the Department of Prime Minister and Cabinet as well as Medicare, ComSuper and the Australian Office of Financial Management, found that webmail accounts were accessible by staff in the Prime Minister’s department, with logs showing that some staff were using the accounts “on a regular basis”.
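The auditor’s finding came from proxy logs, which is also how an agency would verify its own exposure before (or after) a block is put in place. The script below is an added example, not code from the article, the audit report or any of the agencies named; it assumes Squid’s native access-log layout (epoch time, elapsed, client, status, bytes, method, URL, user, peer, type), a hypothetical list of webmail domains, and a “regular use” threshold of two distinct days. The log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access-log format (not real agency data).
# Fields: time elapsed client code/status bytes method URL user peer/host type
SAMPLE_LOG = """\
1308128400.512    245 10.1.2.10 TCP_MISS/200 5321 GET https://mail.google.com/mail/u/0/ jsmith DIRECT/203.0.113.10 text/html
1308128460.118    180 10.1.2.10 TCP_MISS/200 812 GET https://mail.google.com/mail/images/x.gif jsmith DIRECT/203.0.113.10 image/gif
1308214800.009     97 10.1.2.10 TCP_TUNNEL/200 44120 CONNECT mail.google.com:443 jsmith HIER_DIRECT/203.0.113.10 -
1308301200.331    300 10.1.2.33 TCP_MISS/200 9001 GET http://www.hotmail.com/ bjones DIRECT/203.0.113.20 text/html
1308301260.004    150 10.1.2.45 TCP_MISS/200 7714 GET https://mail.example.gov.au/owa/ kwong DIRECT/198.51.100.5 text/html
garbage line that should be skipped
"""

# Hypothetical domain list; a real deployment would maintain this centrally.
# Matching is on the registrable suffix so sub-hosts (www., login.) are caught.
WEBMAIL_DOMAINS = {
    "mail.google.com": "Gmail",
    "gmail.com": "Gmail",
    "hotmail.com": "Hotmail",
    "mail.live.com": "Hotmail",
}


def classify(host):
    """Return the webmail service name for a host, or None if it is not one."""
    for domain, service in WEBMAIL_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_line(line):
    """Extract (date, user, host) from one Squid native log line, or None."""
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        day = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc).date()
    except ValueError:
        return None
    method, url, user = fields[5], fields[6], fields[7]
    # CONNECT requests (HTTPS tunnels) carry host:port rather than a full URL.
    host = url.split(":")[0] if method == "CONNECT" else urlsplit(url).hostname
    if not host:
        return None
    return day, user, host


def webmail_usage(log_text):
    """Map user -> service -> sorted list of distinct days with webmail traffic."""
    usage = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, user, host = parsed
        service = classify(host.lower())
        if service:
            usage[user][service].add(day)
    return {u: {s: sorted(d) for s, d in svcs.items()} for u, svcs in usage.items()}


def regular_users(usage, min_days=2):
    """Users with webmail traffic on at least min_days distinct days."""
    return sorted(
        user for user, svcs in usage.items()
        if any(len(days) >= min_days for days in svcs.values())
    )


if __name__ == "__main__":
    usage = webmail_usage(SAMPLE_LOG)
    for user, svcs in usage.items():
        for service, days in svcs.items():
            print(f"{user}: {service} on {len(days)} day(s): {', '.join(map(str, days))}")
    print("regular webmail users:", regular_users(usage))
```

Two points worth noting in the design. Matching on the host suffix rather than a URL substring avoids false positives such as `notgmail.com`, and counting distinct days per user rather than raw requests is what lets you distinguish a single stray visit from the “regular basis” use the audit describes. The same domain list can be fed to the proxy’s deny rules once the access decision has been made.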
In response to the auditor’s recommendation, PMC agreed it would shut down access to the webmail platforms.
“Current access arrangements for web-based email will cease on 1 July 2011,” the department wrote. “While access to web-based email was in response to business requirements, there were control measures in place. However, we accept the threat and risk assessment has changed and access will no longer be permitted from departmental systems.”
The move raises questions about the technical differences between what the auditor’s office deems to be public webmail services, and corporate-focused email platforms such as Microsoft’s Business Productivity Online Suite and Google’s Apps platform.
Like all of what Microsoft terms its ‘software plus service’ offerings, the vendor’s BPOS platform uses much of the same underlying technology as its Windows Live platform (including Hotmail), and is based on its Global Foundation Services infrastructure spanning datacentres around the world. The same is true of Google’s Apps platform, which is targeted at business and government use but shares the same infrastructure with its public Gmail offering.
A number of large Australian organisations have recently shifted to cloud-based email solutions from either Microsoft or Google, as part of a wave of interest in the area over the past several years. In addition, some organisations — such as Qantas with its flight attendants — are even recommending some workers use private email services for professional purposes, to simplify administration of staff who might not need daily access to email.
Microsoft and Google will be contacted this morning and asked for comment on the matter.
In general, the auditor’s report found agencies had implemented government security requirements well. “The agencies had established information security frameworks, had implemented controls to safeguard information, to protect network infrastructure and prevent and detect unauthorised access to information; and had controls in place to reduce loss, damage or compromise to ICT assets,” the auditor wrote. However, it noted some areas, such as password complexity and regular software patching, could be improved.