Pentagon starts testing “secret” Office 365 at IL6
The US Department of Defense has started user testing for a new “Office 365 classified cloud”, days after Microsoft took its new Office 365 Government Secret cloud to general availability (GA).
Tests at this high classification level come months after the US Army decommissioned a legacy email system with four million+ addresses, swapping to the world’s largest M365 implementation, “Army365”.
The new service this week makes Exchange, Outlook and other Office 365 applications available at the US’s IL6 or “secret” security level; an achievement also reached by Azure over summer 2022.
(AWS achieved IL6 back in 2018, making it the first hyperscaler to offer regions to serve government workloads across the full range of data classifications: Unclassified, Sensitive, Secret, and Top Secret.)
The urgent need to pivot to remote work during the pandemic was a wakeup call to the national security estate in both the US and the UK, where physical access to on-premises networks and laptops has been the norm – with staff also chafing at the poor user experience of heavily locked down systems.
Office 365 classified cloud testing is “major milestone”
“The Defense Information System Agency has reached a major milestone in the development of DOD365-Secret, or DOD365-Sec — the Department of Defense’s first Office 365 classified cloud,” DISA (the Pentagon’s IT combat support agency) said, adding that it was beginning “limited user testing with DOD military services… of [the] classified platform to communicate and share information and data.”
“We’re ready to assist the United States Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and United States government partners working within the Secret domain with our foremost… SaaS capabilities,” Paul Lorimer, Corporate VP, Office 365 Enterprise and Cloud Engineering, said.
In September 2022 the US Army also started testing of bring-your-own-device (BYOD).
US Army also testing broader BYOD software
That is being underpinned by an app from Hypori, whose CEO Jared Shepard earlier explained to The Stack that the application helps stream “a fully independent OS from the cloud to the edge device [that] by only streaming rolling encrypted ‘change pixels’ to the edge [ensures] the user’s experience is far more bandwidth and battery efficient/consistent and never presenting a full ‘screen scrape’ from the server to the edge device.
“Asynchronously, Hypori Halo collects, hashes and encrypts user telemetry (think touch, type, swipe, click) and transports (over TCP using TLS) the telemetry back into the secure, isolated environment where it is then translated into a user action, just as it would if you had the same mobile application on your Smartphone, Tablet, or PC. Some of the unique technology of Hypori Halo is by giving the streaming OS the sense that it is native on the edge device and therefore the OS believes it is interacting directly with the hardware, not with middleware or software. This prevents many attacks and treats every accessing edge device as an ‘aggressor’ platform, never exposing raw data to the edge, or to the transport mechanism,” he added at the time.
Similar technology is also reportedly being tested in the UK, although the MOD is a little more coy about it than the DOD.
Meanwhile, on December 6, 2022, DISA also gave Google authorization up to the slightly lower IL5 security classification for services including BigQuery, Cloud Hardware Security Module, Cloud Key Management Service, Google Cloud Storage, Google Compute Engine, Persistent Disk, Identity and Access Management, and Virtual Private Cloud. Oracle also achieved IL5 for a range of additional workloads in OCI in 2022.