FAQ: What Microsoft Azure and Microsoft Office 365 OFFICIAL accreditation means for your organisation

Microsoft Azure and Microsoft Office 365 now hold the UK Government’s recently launched “OFFICIAL” accreditation.

What does that mean?

It means that Microsoft Azure, an Infrastructure-as-a-Service and Platform-as-a-Service cloud computing platform, and Office 365, Microsoft’s public cloud productivity suite for e-mail, collaboration and unified communications, are now accredited to hold or transact public sector data for business conducted at the OFFICIAL level of Security Classification.

What data is considered “OFFICIAL”?

As defined by the documentation, ALL routine public sector business, operations and services and the data they involve should be treated as OFFICIAL - many departments and agencies will operate substantially or exclusively at this level.  

Examples of OFFICIAL business include:

  • The day-to-day business of government, service delivery and public finances.
  • Routine international relations and diplomatic activities.
  • Public safety, criminal justice and enforcement activities. 
  • Many aspects of defence, security and resilience.
  • Commercial interests, including information provided in confidence and intellectual property.
  • Personal information which falls under the protection of the Data Protection Act (1998) (which includes, for example, data such as health records).

Are these services available via G-Cloud?

Microsoft Office 365 and Microsoft Azure are just part of our offerings on the G-Cloud Framework, available through the CloudStore, demonstrating Microsoft’s commitment to supporting the UK government’s Cloud First policy, helping to reduce the cost of ICT and to achieve the aim of moving 50% of new ICT services to the cloud by 2015.

What services does Microsoft Office 365 include?

Microsoft Office 365 includes cloud-based versions of all your favourite productivity tools, including Outlook, Word, Excel and PowerPoint, and integrates them with Exchange Email, SharePoint collaboration (including content management and social networking), and Lync unified communications. SharePoint now includes OneDrive for Business, offering 1TB of storage per user and Lync includes instant messaging, presence and high-definition audio and video conferencing.  Learn more about what you can accomplish with Office 365.

Does it matter what device or platform I use to access those programs?

Microsoft Office 365 works happily in most common and modern browsers and is accredited to handle all OFFICIAL level work on a wide range of connected devices including laptops, tablets and smartphones when managed in line with the Government’sEnd User Device Guidance.

What does Microsoft Azure do?

Microsoft Azure supports the Government’s Digital-by-Default agenda and enables public sector organisations to develop and run applications for citizen-facing services, or departmental applications for internal users. It provides both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) compute and storage capability on a pay-as-you-go basis, avoiding capital expenditure and the cost of running and maintaining expensive systems on-premise. It also offers a substantially more cost effective approach to data storage and backup, due to the massive economies of scale Microsoft can pass on to its customers.

What if my organisation prefers a private cloud solution?

Fortunately, Microsoft has also achieved Foundation Level Commercial Product Assurance for Windows Hyper-V, the first and, at the time of writing, only virtualisation product to do so.  This means that Windows Hyper-V is suitable to operate at multiple levels of threat and risk for OFFICIAL information inside UK government; facilitating its deployment for customers and partners delivering private cloud solutions inside government.

Where are Microsoft’s data centres?

Microsoft’s EU datacentres are based in Dublin and Amsterdam and Microsoft Office 365 and Microsoft Azure services comply with ISO 27001 standards and provide comprehensive data processing provisions to UK customers, incorporating EU Model Clauses – Europe’s data protection regulations.  Microsoft is the first – and so far only – company to receive this approval, which followed an extensive review by the Article 29 Working Party.  You can read more in Microsoft’s Official Blog on this topic.

My organisation already uses Microsoft Azure and Microsoft Office 365. What does the accreditation mean for me?

Adding the “OFFICIAL” accreditation provides additional peace of mind for public sector organisations, and the citizens they serve.  It will deliver confidence that information will continue to stay within the parameters defined by CESG.

I want my organisation’s IT needs to be met by a small- or medium-sized enterprise. What does this accreditation mean for SMEs?

The Microsoft Office 365 and Microsoft Azure platforms create a great opportunity for Microsoft’s SME Partner community, of which over 150 are already assured on the G-Cloud CloudStore marketplace.  These skilled and experienced partners can provide specialist cloud consultancy services or develop cost effective innovative apps for government users or citizen-facing services that exploit the scalability and reliability of a world-class cloud platform.  A great example is the Environment Agency’s FloodAlerts application,  hosted by Azure, and developed by UK SME Shoothill Ltd. This really put Azure to the test during the recent winter floods when millions of citizens were checking river levels. Learn more about the Environment Agency's story.

I’m interested in cloud tools, but I want to learn more before I make decisions.

This free ebook on getting started with cloud tools was written especially with the public sector in mind. It answers many common questions and provides concrete first steps to getting started with your journey to the cloud.

Comments

  • Anonymous
    June 11, 2014
    This is good news!   How do you control access to Office 365 from non corporate  devices?  I.E if it is not a device configured as per End User Device Guidance just someone's home PC.

  • Anonymous
    June 11, 2014
    Phil, Great question! At present you have to restrict access by IP. You can find a guide to doing this in different scenarios here: technet.microsoft.com/.../hh526961(v=ws.10).aspx

  • Anonymous
    June 12, 2014
    Stuart, I assume that since OFFICIAL SENSITIVE is part of OFFICIAL I could safely process and store information classified as OFFICIAL SENSITIVE within o365 and Azure?

  • Anonymous
    June 12, 2014
    The comment has been removed

  • Anonymous
    June 19, 2014
    The comment has been removed

  • Anonymous
    June 19, 2014
    Hello, great article, but I can't fine on the Cloudstore any reference to this. Are you sure it has gone through PGA accreditation, because it is not listed as being. Hope to hear back from you soon, Regards, Rob

  • Anonymous
    June 19, 2014
    The comment has been removed

  • Anonymous
    June 19, 2014
    Hi Robert, Thanks for asking. Yes, we're completely sure about the PGA accreditation. Sorry that Cloudstore page hasn't been updated yet. Hopefully the Cloudstore site will reflect the change soon, but we have no control over the updating of government websites. Jesse

  • Anonymous
    June 25, 2014
    Good news. How does Office 365 interact with the Public Sector Network? In particular, can Exchange Online be configured to route via the PSN Secure Mail Gateway, or would this require a hybrid environment?

  • Anonymous
    June 30, 2014
    Hello everyone, Just to add Microsoft Azure is the way to go in terms of Office 365. IAM Cloud has a solution that means there is no ADFS required and no single point of failure. Currently 2.3 million identities worldwide and Microsoft themselves are promoting the IAM Cloud platform solution as well. To learn more please visit www.iamcloud.com and if people need to know more please contact me on Jason Ewbank Senior Partner Manager Phone: +44 118 324 0000 or +1 914 495 1298 DDI: +44 118 324 1002 Mobile: +44 7881 309571 Jason.ewbank@iamcloud.com www.iamcloud.com

  • Anonymous
    July 07, 2014
    Hi Tim Lewis York, Office 365 is not a PSN service; it runs over the Internet. Most customers use a hybrid environment solution to get around this, routing their e-mail via on-premise Exchange servers first, then out to Office 365. Hope that's helpful! Jesse

  • Anonymous
    July 16, 2014
    Working in Local Govt we are being asked to collaborate with other authorities such as the NHS and Police on Social Care initiatives, MASH, Troubled Families etc. Please can you confirm that DWP,the Home Office and the Dept of Health have agreed that OFFICIAL (SENSITIVE) data such as Medical Records Benefits information and information sourced from the Police can be shared on this platform.

  • Anonymous
    July 17, 2014
    Hi Peter, Thanks for writing. The service is PGA accredited to hold OFFICIAL data, OFFICIAL – SENSITIVE is a handling caveat within OFFICIAL. Jesse

  • Anonymous
    August 17, 2014
    CESG has published a set of guidance centred on 14 Cloud Security Principles - How many of these, and which ones, have Microsoft aligned to?

  • Anonymous
    August 19, 2014
    Hi Graham, In many, if not most cases, we align to the cloud security principles; as these were largely what was tested before as part of the accreditation process via the PGA.

  • Anonymous
    September 07, 2014
    The comment has been removed

  • Anonymous
    October 28, 2014
    Jessie As regards the questions regarding OFFICIAL-SENSITIVE data, your 18/07/14 post seems to imply that as OFFICIAL-SENSITIVE is a 'handling caveat' of the SENSITIVE classification, that it would therefore be permissible to use this service for storing OS data.  However, I have been advised locally that Office365 is accedited to IL2(OFFICIAL), whereas use for OFFICIAL-SENSITIVE data requires IL3 accreditation. Please can you clarify? Thanks Russ

  • Anonymous
    November 12, 2014
    Hi Russ, You can store Official-Sensitive data on Azure/Office 365 with a few technical handling caveats, as I mentioned. You can't really map the new 3-tiered security system (OFFICIAL, SECRET and TOP SECRET) to the old Impact Level (IL) system. If you'd like to have a longer conversation about the correct ways to make sure your data is stored properly in the cloud, you can e-mail ukps@microsoft.com and we can put you in touch with an expert.

  • Anonymous
    December 14, 2014
    Hi, We are a company that uses 365 as a buisness, ordered online direct via Microsoft. How do we transfer (as such) to the official version? Regards Stuart

  • Anonymous
    December 18, 2014
    Sorry to harp on about the OFFICIAL-SENSITIVE thing but I have heard that O365 is only cleared for OS if the servers used are only those in Dublin and the Netherlands. Is there anything formal from the Cabinet Office to this effect.

  • Anonymous
    March 04, 2015
    Does this mean Azure can store IL3 data? Or is it still just IL2?

  • Anonymous
    March 08, 2015
    The comment has been removed

  • Anonymous
    October 15, 2015
    Hi Jessie, Would it be possible to provide or publish a copy of your Accreditation Certificate. Thanks Paul