Microsoft Cloud Services and UK Security Markings

Many UK Public Sector customers want to adopt Cloud-based IT services but there is often confusion around which services can be consumed depending on the information that is held. This blog post is intended to provide clarification on what is allowed on Microsoft Cloud services.


UK Government security classifications changed to a new, simplified model which came into force on 2 April 2014. These new classifications now include three levels:

  • Top Secret
  • Secret
  • Official

In order to manage OFFICIAL information/data which should only be shared on a need to know basis, a handling caveat OFFICIAL-SENSITIVE can be applied to OFFICIAL information. Data that is considered to be OFFICIAL SENSITIVE must be marked accordingly but there is a degree of confusion surrounding OFFICIAL-SENSITIVE information and how it should be treated. To clarify:

  • OFFICIAL –SENSITIVE is not a separate classification, the same broad controls are used with OFFICIAL- SENSITIVE as with OFFICIAL.
  • Unlike OFFICIAL, OFFICIAL-SENSITIVE material must be marked
  • OFFICIAL – SENSITIVE is to be used in a very narrow set of exceptional cases where there is a “need to know”

Personnel, physical and information security controls for OFFICIAL are based on commercial good practice, with an emphasis on staff to respect the confidentiality of all information. In some instances a more limited need to know must be enforced and assured.  A single handling caveat ‘OFFICIAL-SENSITIVE’ provides for this.

Additionally, there is no specific guidance on how the old “IL” markings (or Impact Levels) map to the new classifications. Information needs to be re-evaluated and classified using the new markings. As a general rule, most data using the old IL2 marking would expect to be classified as OFFICIAL. For any data classified as IL3 where a new classification of SECRET would be too restrictive and inappropriate, a marking of OFFICIAL-SENSITIVE is expected.

Microsoft Cloud Services

Microsoft Office 365 and the Azure platform was accredited to hold OFFICIAL information in the middle of 2014. This means that any information within the OFFICIAL classification (which includes OFFICIAL-SENSITIVE) can be stored on these services. Additionally, if it is deemed necessary to provide additional controls or security, perhaps to support the “need-to-know” elements of OFFICIAL-SENSITIVE data, then Microsoft services such as Access Control Lists, encryption in transit or Azure Rights Management can provide these extra layers of security.


Public sector customers who are operating with OFFICIAL data (which includes OFFICIAL-SENSITIVE data) can consume services from Microsoft cloud-based services and store this data on these platforms. This includes Office 365 services such as Exchange, Lync, SharePoint online as well as Azure Infrastructure as a Service, and other Azure services. Utilising Microsoft Cloud Services is revolutionising IT Service provision across all customer sectors whether as a hybrid service or as a full cloud-based service. Hopefully this blog will help Public sector customers understand that they too can enjoy the many benefits that come with these new ways of delivering IT services.

About the author