BCP in A Box


Business Continuity in a Box
Overview Document

Content Complexity: ADVANCED
Contents
Overview
Why use Business Continuity in a Box?
Is Business Continuity in a Box right for your organisation?
How does Business Continuity in a Box fit into a cyber incident response?
  Continuity of Communications
  Continuity of Applications
  Contact

Disclaimer
The information herein is being provided “as is” for information purposes only. The authors
do not endorse or favour any commercial entity, product, company, or service, including any
entities, products, or services linked or otherwise referenced within this document.

2 ASD’s ACSC | Business Continuity in a Box - Overview


Overview
Business Continuity in a Box – developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), with contributions from the United States Cybersecurity and Infrastructure Security Agency (CISA) – assists organisations with swiftly and securely standing up critical business functions during or following a cyber incident. By using Business Continuity in a Box, organisations can maintain or re-establish the basic functions needed to operate a business while responding to the issues affecting their existing systems.

Business Continuity in a Box is an interim solution to be deployed by either the organisation or its Managed Service Provider (MSP). These guidance materials provide step-by-step instructions on how to determine and then set up the required interim solution.

Business Continuity in a Box consists of two components:

• Continuity of Communications – focuses on keeping communications flowing during a cyber incident by assisting organisations to establish basic communications functionality.

• Continuity of Applications – focuses on establishing interim business-critical applications during a cyber incident by assisting organisations to deploy an interim cloud solution for hosting core applications.

Importantly, individual organisations will need to independently assess whether Business Continuity in a Box is the right tool for their unique circumstances, considering their needs and capacity to implement.

NOTE: If you are an existing Microsoft 365 or Google Workspace customer, we do not
recommend use of Business Continuity in a Box. In these instances, we suggest contacting
the relevant hosting provider for support.

Why use Business Continuity in a Box?
Business Continuity in a Box is designed for situations where the availability or integrity of an organisation’s data and/or systems has been compromised.

When organisations experience a cyber incident, they often do not have the capacity or resources to continue to undertake minimal business operations securely while incident investigation and remediation takes place.

Whilst a Business Continuity Plan (BCP) remains the most effective way for organisations to achieve business continuity, BCPs are not always developed, updated or regularly tested.

To assist organisations who do not have access to a relevant or recent BCP, Business Continuity in a Box provides an immediate, interim solution for establishing business-critical functions in a timely and secure manner. Business Continuity in a Box focuses on:

• Email Communications (Continuity of Communications)

• Business-Critical Applications (Continuity of Applications)

For organisations looking to better prepare for a potential cyber incident, Business Continuity in a Box can be integrated into an existing BCP. However, due to its targeted focus on email communications and critical applications, Business Continuity in a Box cannot replace a BCP in its entirety. We strongly encourage organisations to invest in a comprehensive BCP tailored to their unique business needs. For more guidance on how to prepare your organisation for a cyber incident, see the following resources:

• ASD’s ACSC Preparing for and Responding to Cyber Security Incidents at cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/preparing-and-responding-cyber-security-incidents

• ASD’s ACSC Cyber Incident Response Plan at cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan

• CISA Federal Government Cybersecurity Incident and Vulnerability Response Playbooks - Although tailored to U.S. federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident response activities and detail each step for incident response.

Is Business Continuity in a Box right for your organisation?
In the event of a cyber incident, Business Continuity in a Box assists small to medium-sized organisations (10-300 people) who require an interim Information and Communication Technology (ICT) solution to deliver minimal services. Larger enterprises and government departments can also use this guidance. However, they may need to apply additional configuration steps. It is recommended that larger organisations consult with an MSP and carry out appropriate independent risk and business impact assessments.

Whilst Business Continuity in a Box has been designed to maximise ease of use, implementation of:

• the Continuity of Communications package requires a basic level of computing knowledge; and

• the Continuity of Applications package requires an intermediate level of knowledge of cloud services.

Business Continuity in a Box includes some technical implementation details (where appropriate). However, due to the unique needs of individual organisations, it is not possible to provide specific technical details for all types of technologies and software that consumers of this guidance may require.

NOTE: If you are an existing Microsoft 365 or Google Workspace customer, we do not
recommend use of Business Continuity in a Box. In these instances, we suggest contacting
the relevant hosting provider for support.



How does Business Continuity in a Box fit into a cyber incident response?
Business Continuity in a Box is designed to complement a broader cyber incident response timeline:

[Figure: cyber incident response timeline. Stages: Incident realised; Incident containment & evidence collection; Incident investigation & analysis; Recover data & systems; Operate normally; Learn & improve. Labels: Keep communication flowing; Establish interim core applications; Business Continuity in a Box.]

Continuity of Communications
It is critical that organisations have effective means of internal and external communication, especially when responding to a cyber incident. As an interim solution, Business Continuity in a Box provides organisations with the ability to re-establish basic communications functionality quickly and securely. This includes guidance on how to set up a catch-all mailbox so that critical communications sent to the organisation are not lost during the period when usual email systems are unavailable.

The Continuity of Communications package includes the following:

• Written guidance on provisioning a Microsoft 365 Business Standard tenant.

• A tool for automated configuration of the Microsoft 365 Business Standard tenant.

This package has been developed using Microsoft 365 as the core technology stack due to its prevalent usage across business and government organisations. The package has been designed to accommodate interoperability, functionality, compatibility, and security.

The Continuity of Communications package has been designed based on the Microsoft 365 Business Standard subscription, which offers comprehensive security and management features within the Microsoft 365 ecosystem. The configuration is based on better practice security configuration advice from ASD’s ACSC, as well as recent guidance from CISA and the Center for Internet Security (CIS).

Further guidance on better practice security configuration is detailed below:

• ASD’s ACSC Cloud Computing Security Considerations at cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/cloud-security-guidance/cloud-computing-security-considerations

• ASD’s ACSC Guidelines for System Hardening at cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-hardening

• CISA Secure Cloud Business Applications (SCuBA) Project at cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project

• CISA Microsoft 365 Secure Configuration Baseline Assessment (SCuBAGear) Tool at cisecurity.org/benchmark/microsoft_windows_desktop

• CIS Secure Configuration Guidelines at cisecurity.org/benchmark/microsoft_windows_desktop

• CIS Microsoft 365 Benchmark at cisecurity.org/benchmark/microsoft_365

• Microsoft Entra Verified ID – Manage Emergency Access Accounts at learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

Continuity of Applications
Communications flow, while important, is not the only functionality that an organisation needs in order to continue basic operations. Other critical functionalities may include office productivity suites, accounting, human resource management and payroll systems.

The Continuity of Applications package includes guidance on:

• Determining critical functions and requirements to ensure continued business operations.

• Determining an appropriate platform for each required interim application.

• Deploying a secure cloud-hosted Infrastructure-as-a-Service (IaaS) solution for each major cloud hosting provider, enabling organisations to take advantage of existing software licenses as well as organisational knowledge and skills.

Contact
For any enquiries concerning this guidance or to provide feedback, please navigate to cyber.gov.au/about-us/about-asd-acsc/contact-us. Select ‘General enquiry or feedback’, and choose ‘Business Continuity in a Box’ from the drop-down menu under ‘Your enquiry/feedback type’.

If you or your organisation are a victim of a data breach or cyber incident, follow relevant cyber incident response and communication plans, as appropriate.

• Australian organisations impacted by, or requiring assistance relating to, a cyber incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by using ReportCyber at cyber.gov.au/report-and-recover/report.

• United States organisations may report cyber incidents to CISA’s 24/7 Operations Center at report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include information regarding the incident: date, time and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organisation; and a designated point of contact.



Disclaimer
The material in this guide is of a general nature and should not be regarded
as legal advice or relied on for assistance in any particular circumstance or
emergency situation. In any important matter, you should seek appropriate
independent professional advice in relation to your own circumstances.

The Commonwealth accepts no responsibility or liability for any damage, loss or
expense incurred as a result of the reliance on information contained in this guide.

Copyright.
© Commonwealth of Australia 2023.
With the exception of the Coat of Arms and where otherwise stated, all material
presented in this publication is provided under a Creative Commons Attribution
4.0 International licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material
as set out in this document.

The details of the relevant licence conditions are available on the Creative
Commons website as is the full legal code for the CC BY 4.0 licence
(www.creativecommons.org/licenses).

Use of the Coat of Arms.


The terms under which the Coat of Arms can be used are detailed
on the Department of the Prime Minister and Cabinet website
(www.pmc.gov.au/government/commonwealth-coat-arms).

For more information, or to report a cyber security incident, contact us:


cyber.gov.au | 1300 CYBER1 (1300 292 371).

Business Continuity in a Box
Guidance: Continuity of Communications

Content Complexity: SIMPLE
Contents
Introduction
  Purpose
  Overview
  How to use this document
Guidance
  Stage 1: Review Pack and Verify Prerequisites
  Stage 2: Provision Microsoft 365 Business Standard Tenant
  Stage 3: Configure Organisation Settings
  Stage 4: Run Automated Configuration of Environment
  Stage 5: Validate Environment
Contact
Appendix A: acronyms, abbreviations and definitions

Disclaimer
The information herein is being provided “as is” for information purposes only. The authors
do not endorse or favour any commercial entity, product, company, or service, including any
entities, products, or services linked or otherwise referenced within this document.

2 ASD’s ACSC | Business Continuity in a Box - Communications


Introduction
Purpose
In modern organisations, email is the most common function for internal and external communications. In the
case of a systems outage during a cyber incident, email (and other communications) functionality is often lost.
To ensure business continuity and coordinate an effective response to the incident, organisations must rapidly
re-establish basic internal and external communications.

Continuity of Communications focuses on keeping communications flowing during a cyber incident by assisting
organisations to establish basic communications functions quickly and securely. It provides guidance to
organisations on how to deploy a Microsoft 365 tenant and Exchange Online configuration when core systems,
such as user directory and email, become unusable or unavailable.

NOTE: If you are an existing Microsoft 365 or Google Workspace customer, we do not
recommend use of Business Continuity in a Box. In these instances, we suggest contacting
the relevant hosting provider for support.

Overview
Business Continuity in a Box – developed by the Australian Signals Directorate’s Australian Cyber Security Centre
(ASD’s ACSC) with contributions from the United States Cybersecurity and Infrastructure Security Agency (CISA) –
is an interim solution to be deployed by either the organisation or its Managed Service Provider (MSP). Successful
implementation of Continuity of Communications entails provisioning and configuring of a Microsoft 365
Business Standard tenant and requires a basic level of computing knowledge.

The implementation steps within this guidance will enable an organisation to provision a trial Microsoft 365
Business Standard tenant which includes Microsoft Entra ID (formerly Azure Active Directory), Exchange Online,
and associated security services. The guidance also steps through the establishment of a ‘catch-all’ email inbox,
established as a priority to ensure critical communications sent to an organisation can continue to be received
while other communications systems are unavailable.

Once the Microsoft 365 tenant has been provisioned, the guidance steps through how to deploy the
accompanying automation tool – preconfigured security settings and system configurations via PowerShell
scripts.

The tool provides a mechanism to automatically configure the Microsoft 365 tenant so that it is secure and
functional. This reduces the workload on system administrators, allowing them to better focus on other recovery
efforts for the organisation.

The tool automates the configuration of the Microsoft 365 tenant by:

• Applying settings to the Microsoft 365 tenant to secure the organisation and its users.

• Securely configuring Exchange Online and Microsoft Defender to protect the organisation from malicious and spam
emails and attachments.

• Creating a temporary ‘catch-all’ mailbox to ensure all emails sent to the organisation’s email address are captured.

• Creating an emergency account which should be used in situations where existing administrators are unable
to log into their accounts.

The configuration provides a secure foundation for organisations to expand on
as needed. This may include enabling additional Microsoft 365 services or provisioning additional cloud
capabilities to enable restoration of other business services such as financial management or human resource
management (see: Business Continuity in a Box - Guidance: Continuity of Applications).

What is Microsoft 365?


Microsoft 365 is a suite of cloud-based productivity tools and services. It includes several online services and
capabilities required for business activities. Access to these services and capabilities is dependent on the licence
type. This guidance focuses on the Microsoft 365 Business Standard plan. Microsoft offers a range of other plans
depending on an organisation’s requirements, size and type. For a comprehensive comparison of all Microsoft
365 plans see:

• Microsoft 365 and Office 365 Plan Options at learn.microsoft.com/en-au/office365/servicedescriptions/office-365-platform-service-description/office-365-plan-options

The Continuity of Communications package uses the following Microsoft 365 services:

• Microsoft Entra ID provides centralised Identity and Access Management
capabilities for an organisation to secure systems, identities, and data.

• Exchange Online provides an organisation with enterprise email and calendar capabilities. Access to Exchange
Online can be via a traditional desktop email client or via Outlook Web Access through the user’s internet browser.

• Microsoft Defender is an integrated security solution across the Microsoft 365 suite, which
offers protection against phishing emails, malware and other threats across Office 365
applications, Exchange Online, SharePoint Online and managed devices.

The following Microsoft 365 services are out of scope of the Continuity of Communications package:

• Office Applications are the online versions of the equivalent desktop
applications. These include Word, Excel, PowerPoint and OneNote.

• SharePoint Online and OneDrive for Business offer document management and collaboration capabilities.

• Teams provides a platform for unified communications and collaboration.

How to use this document


This document is divided into five consecutive stages. It is recommended that the reader reviews the document
in its entirety before commencing Stage 1.

This document uses the below callout boxes to highlight various information.

NOTE: Information to assist the reader in understanding the document, including
justification for a particular decision, key considerations, and other important details.

WARNING: Highlights information that requires careful attention, such as implementation
of a change or configuration that may impact users or the organisation’s information
technology operations.



Guidance
Stage 1: Review Pack and Verify Prerequisites
This document forms one component of the Continuity of Communications implementation guidance. An
additional repository containing the automation tool and associated configuration files is also required to make
full use of the guidance. Before continuing with this guidance, review all the content in this document, ensuring
to prepare and verify additional prerequisites for each stage.

This document is divided into five consecutive stages. The term ‘operator’ refers to the person responsible
for implementation of the Business Continuity in a Box solution within their organisation. The below diagram
represents the staged process and the prerequisites for each stage.

[Figure: the five stages. Stage 1: Review pack and verify prerequisites. Stage 2: Provision Microsoft 365 Business Standard Tenant. Stage 3: Configure organisation settings. Stage 4: Run automated configuration of environment. Stage 5: Validate environment.]

Computer
This guidance assumes the operator will use a Microsoft Windows-based personal computer (PC) running
Windows 10 or Windows 11 using the Microsoft Edge browser to perform the steps. Instructions within this
guidance can be completed using alternative solutions. However, the operator will need to interpret the steps for
the specific operating system and browser.

Business Continuity in a Box is designed for use during a cyber incident that has affected access to or trust of an
organisation’s systems. The selected PC must therefore be independent from the organisation’s IT environment,
including network and Internet connection.

The automation tool within this guidance uses the command-line shell scripting language and configuration
management framework called PowerShell. Configuration of the automation tool is done via supplied
configuration files which have the ‘.config’ file extension.

Phone
During the setup process, Microsoft will either text or call a verification code to a phone. Voice over internet
protocol (VOIP) systems generally do not allow the receiving of the verification phone call. Microsoft
recommends not using a VOIP phone number for the verification process.

Email
During the setup process, Microsoft will email an account confirmation to the email address provided during the
setup process. To receive the confirmation email, the operator must have access to the email account.

NOTE: Whilst ordinarily it would be preferred to avoid use of a personal email account, the
nature of the cyber incident may restrict alternatives. If the operator does not have access
to an appropriate email account, the operator could choose to sign up for a new email
account using providers such as Microsoft Outlook or Google Mail.

WARNING: Do not use an email address associated with the affected organisation.

Organisation Information
Continuity of Communications will provision and configure Exchange Online to enable an organisation to
capture all incoming emails to their existing domain name. To redirect emails to Exchange Online, the operator
will require access to the organisation’s public Domain Name Service (DNS) hosting provider in order to modify
the text (TXT) and mail exchange (MX) records.

NOTE: Given the scenario in which Business Continuity in a Box should be used, we do
not recommend creating new domain records. To receive email messages sent to the
organisation’s existing email addresses, only the relevant domain(s) for those email
addresses should be modified to update the TXT and MX records.

WARNING: Incorrectly configuring, adding or removing an organisation’s DNS records can
result in further impacts to the availability of a system.

Configuration steps for modifying DNS records vary depending on the hosting provider. The organisation
will be required to supply the operator with the appropriate credentials to access the hosting platform. If
the organisation cannot provide the necessary credentials, they must contact their hosting provider prior to
proceeding further. If the hosting provider cannot be located, a DNS lookup using a free service such as
www.mxtoolbox.com, depicted in the image below, may assist.
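
As an added example (not part of the ACSC automation tool or of this guidance), the following PowerShell uses the built-in Resolve-DnsName cmdlet to save the domain's current NS, MX and TXT records before any change is made and to list what was added or removed afterwards; the NS host names also indicate who hosts the DNS zone. The domain example.com, the function names and the JSON file layout are assumptions, and only records at the domain name itself that public resolvers can see are captured.

```powershell
# Added example (not part of the ACSC tool). 'example.com' is a placeholder domain;
# the function names and the JSON file layout are illustrative choices.

function Get-DnsSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Server   # optional resolver address; the PC's default resolver is used if omitted
    )
    foreach ($type in 'NS', 'MX', 'TXT') {
        $query = @{ Name = $Domain; Type = $type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query['Server'] = $Server }
        try {
            # Keep only answer-section records of the requested type
            # (an empty answer can come back with an SOA record in the authority section).
            $answers = @(Resolve-DnsName @query |
                Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $type })
        }
        catch {
            Write-Warning "No $type answer for ${Domain}: $($_.Exception.Message)"
            continue
        }
        foreach ($a in $answers) {
            $value = switch ($type) {
                'NS'  { $a.NameHost }                                   # name servers identify the DNS host
                'MX'  { '{0} {1}' -f $a.Preference, $a.NameExchange }   # priority and mail server
                'TXT' { $a.Strings -join '' }                           # e.g. SPF or verification strings
            }
            [pscustomobject]@{ Type = $type; Name = $a.Name; TTL = $a.TTL; Value = $value }
        }
    }
}

function Save-DnsSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Folder = (Get-Location).Path
    )
    $records = @(Get-DnsSnapshot -Domain $Domain)
    if ($records.Count -eq 0) { throw "No records returned for $Domain; nothing saved." }
    # Timestamped file name so repeated snapshots never overwrite the baseline.
    $path = Join-Path $Folder ('{0}-dns-{1:yyyyMMdd-HHmmss}.json' -f $Domain, (Get-Date))
    ConvertTo-Json -InputObject $records | Set-Content -Path $path -Encoding UTF8
    return $path
}

function Compare-DnsSnapshot {
    param(
        [Parameter(Mandatory)] [string] $BaselinePath,
        [Parameter(Mandatory)] [string] $Domain
    )
    $saved  = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $before = @(foreach ($r in @($saved)) { '{0} {1}' -f $r.Type, $r.Value })
    $after  = @(Get-DnsSnapshot -Domain $Domain |
        ForEach-Object { '{0} {1}' -f $_.Type, $_.Value })
    # A caching resolver can keep returning old answers until the record TTL expires,
    # so a fresh change may take a while to show up here.
    [pscustomobject]@{
        Added   = @($after  | Where-Object { $_ -notin $before })
        Removed = @($before | Where-Object { $_ -notin $after })
    }
}

# Usage on the independent PC, before touching the DNS hosting portal:
#   $baseline = Save-DnsSnapshot -Domain 'example.com' -Folder "$HOME\Documents"
# After a record has been added, Removed should be empty if nothing existing was edited:
#   Compare-DnsSnapshot -BaselinePath $baseline -Domain 'example.com'
```

Store the JSON file on the independent PC, not on any system belonging to the affected environment.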



Financial Delegation
The Microsoft 365 Business Standard plan is valid as a free trial for 30 days. Registration requires an
organisation to provide valid credit card credentials. Microsoft will automatically bill the credit card after the
trial period if the organisation does not cancel the subscription beforehand. For full terms and conditions
regarding Microsoft billing, please refer to:

• Microsoft Business Subscriptions and Billing Documentation at learn.microsoft.com/en-au/microsoft-365/commerce

Stage 2: Provision Microsoft 365 Business Standard Tenant


Overview
This stage walks through the process for setting up a trial Microsoft 365 Business Standard tenant and
redirecting emails to the new tenant.

NOTE:
This stage of the guidance provisions a trial Microsoft 365 Business Standard tenant.

The trial provides up to 25 user licences for 30 days.

Microsoft allows a one-time extension of the trial period for an additional 30 days within 15
days of the trial expiry date.

A paid Microsoft 365 Business Standard plan allows for the provision of up to 300 user
licences.

If the 25-user license limit offered by the trial plan is insufficient for an organisation’s needs,
the organisation can, at any time, convert the trial to a paid subscription to gain access to
the full user license allowance.

Stage Prerequisites
The operator completing this stage will require:

1. PC with a connection to the Internet

2. Up-to-date web browser

3. Valid email address to use during the registration process (must not be
associated with or hosted on the network experiencing disruption)

4. Phone that can receive a phone call or a SMS verification code (non-VOIP)

5. Valid credit card

Process
1. Navigate to the Microsoft 365 Business Standard Sales Portal at microsoft.com/en-au/microsoft-365/business/microsoft-365-business-standard

2. Select ‘Try free for one month’.

3. In the next screen, ensure that only one person is selected and click ‘Next’.

NOTE: Selecting one user at this stage does not restrict the number of users that an
organisation can add to the tenant. The trial allows for an additional 24 users. Selecting one
user at this stage will simplify the setup and configuration process until the organisation has
configured the remainder of the Microsoft 365 tenant.



4. In the next screen, enter an email address to use for account verification and click ‘Next’.

5. Click ‘Set up account’.

6. Enter the required information and click ‘Next’.

NOTE: The country or region selected on this screen will determine the data centre region
for data storage. Set this entry to the appropriate country or region to meet your data
storage requirements.

7. Enter a phone number that can receive a phone call or SMS verification code and click ‘Send verification code’.



8. Enter the code received into the text box and click ‘Verify’.

9. Enter a username, domain name and password, and then click ‘Next’. This will create a ‘Global Administrator’
account with the chosen username and password required in later stages of this guidance.

NOTE: Username: The username on this screen will be the primary administrator account to
gain access to the Microsoft 365 administration portal.

Domain Name: Microsoft requires initial use of ‘.onmicrosoft.com’. After setup, the
organisation’s own domain name can replace this.

WARNING: Ensure the username, domain name and password are recorded in a secure location
(the location must not be associated with or hosted on the network experiencing disruption). Until
additional users are added to the tenant with appropriate access permissions, loss of the
credentials will result in an inability to access the Microsoft 365 environment.

10. Microsoft requires a valid credit card to register a Business Standard subscription. Click
‘Add Payment method’, complete the payment information, and click ‘Save’.

NOTE: Microsoft will not bill the credit card within the trial period. However, Microsoft will
verify the validity of the card and create a billing account. The billing account is used to
manage account settings, invoices, update payment methods and purchases. For more
information about billing accounts, see:

• Understand Billing Accounts at learn.microsoft.com/en-us/microsoft-365/commerce/manage-billing-accounts

At the end of the free trial period, the trial subscription will automatically convert to a paid
subscription, defaulting to the same plan selected for the trial period. Charges to the credit
card will not be incurred if the trial subscription is cancelled prior to the end of the free trial
period. The trial will automatically expire at the end of the 30-day period and the credit card
will not be charged.



11. Review the information and click ‘Start trial’.

12. After a short period, the screen will update to show a confirmation that the Microsoft 365 Business
Standard subscription process is active. Ensure the information is saved to a location where it
can be accessed in the future (location must not be associated with or hosted on the network
experiencing disruption), and then click ‘Start using Microsoft 365 Business Standard’.

13. The Microsoft 365 Business Standard trial is now active.

Stage 3: Configure Organisation Settings
Overview
This step configures the organisation’s existing DNS information to point to the new Microsoft 365 Business
Standard tenant, enabling email routing.

Stage Prerequisites
The operator completing this stage will require:

1. PC with a connection to the Internet

2. Up-to-date web browser

3. Access to and ability to edit the organisation’s DNS settings in the provider portal

Process
1. Continuing from Stage 2, the operator will have the opportunity to install Microsoft 365 desktop applications.
Installation and operation of the desktop applications are not in scope for this guidance, so click ‘Continue’.



2. To enable creation of the catch-all mailbox, the organisation’s existing DNS records need to be
updated to point to the new Microsoft 365 Exchange Online endpoints for the organisation. In
the available text box enter the organisation’s domain name and click ‘Use this domain’.

3. To verify ownership of the domain, Microsoft requires the addition of a TXT record or an MX record to
the DNS settings. This guidance uses the first option, ‘Add a TXT record to the domain’s DNS records’, but
the process for adding an MX record is similar. Click ‘Continue’ after selecting the desired option.

NOTE: Microsoft allows for the upload of a text file to the organisation’s website.
However, this guidance assumes that the website is not available.

4. Microsoft will attempt to identify the DNS hosting provider. If known, they will provide the steps to edit the DNS
records or a link to the DNS provider’s guidance documentation. To continue with this step, in a separate internet
browser window or tab, go to the organisation’s DNS hosting provider portal and add the identified TXT record
information. After editing the DNS record information on the hosting provider portal, return to the Microsoft 365
page and click ‘Verify’.

WARNING: It is important not to edit existing records at this stage. The DNS record entry is
to be added to existing entries only.

Changes to DNS record information can take some time for Microsoft to find. If Microsoft
cannot find the new DNS record after clicking ‘Verify’, keep retrying. Depending on the DNS
hosting provider, changes can generally take anywhere from a few minutes to 48 hours.

5. Once Microsoft successfully verifies the domain, the page will automatically update to enable
the adding of users and assigning of licences. By default, the initial account created during Stage
2 will have all relevant licences assigned and will be assigned the role of Global Administrator
(see learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles). It is not
necessary to create any additional users at this stage of the setup. Click ‘Do this later’.

6. To connect Microsoft 365 to the organisation’s domain, the DNS records require modification in the
DNS hosting provider portal. Click the default option ‘Add your own DNS records’. Click ‘Continue’.

7. The next screen provides the DNS record information to implement in the DNS hosting provider portal. Follow
the guidance provided on this page and within the organisation DNS hosting provider guidance to add the DNS
records. Once complete click ‘Continue’.

WARNING: The changes made at this stage will cause all emails sent to the
organisation domain to be re-routed to the new Microsoft 365 tenant. Ensure a
backup of the DNS information in the hosting provider portal is made to enable the
organisation to switch back to the enterprise email solution when possible.

If the organisation can receive emails during the cyber security incident, it is
recommended not to proceed with this step until the catch-all mailbox is configured
within Exchange Online to minimise the risk of lost email messages during the change.

As with Step 4, changes to DNS record information can take some time for Microsoft
to verify. If Microsoft cannot find the new DNS record, keep retrying. Depending on the
DNS hosting provider, changes can take anywhere from a few minutes to 48 hours.

8. Once the DNS record information is configured and Microsoft can verify the updates, the setup will finish. The DNS
record information is now pointing to the new Microsoft 365 Business Standard tenant.
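The DNS checks implied by Steps 4 and 7 can be scripted from the operator's PC. The following PowerShell is an added example, not part of the guidance or the automation tool: it records what the domain resolves to before any change, confirms that existing TXT records were left intact after the addition, and reports whether the verification TXT record is visible yet. The domain, TXT value, backup path, resolver addresses and the `autodiscover` record name are placeholders and assumptions; a public snapshot supplements the backup taken in the hosting provider portal and does not replace it.

```powershell
# Added example (not part of the ASD's ACSC automation tool).
# Every default below is a placeholder: substitute the organisation's own values.
param(
    [string]$Domain      = 'example.org',
    [string]$ExpectedTxt = 'MS=ms00000000',                     # value shown by the setup wizard
    [string]$BackupPath  = 'E:\bciab\dns-before-change.json',   # folder must exist, off the affected network
    [string[]]$Resolvers = @('1.1.1.1', '8.8.8.8')
)

function Get-PublicRecord {
    param([string]$Name, [string]$Type, [string]$Server)
    $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    foreach ($a in $answers) {
        # Empty answers come back with SOA data in the Authority section: ignore it.
        if ($a.Section -ne 'Answer') { continue }
        $value = switch ("$($a.Type)") {
            'MX'    { '{0} {1}' -f $a.Preference, $a.NameExchange }
            'TXT'   { $a.Strings -join '' }
            'CNAME' { $a.NameHost }
            'NS'    { $a.NameHost }
            default { $null }
        }
        if ($value) {
            [pscustomobject]@{ Name = $a.Name; Type = "$($a.Type)"; TTL = $a.TTL; Value = $value; Resolver = $Server }
        }
    }
}

function Test-TxtVisible {
    param([string]$Name, [string]$Expected, [string[]]$Servers)
    foreach ($s in $Servers) {
        $txt = @(Get-PublicRecord -Name $Name -Type TXT -Server $s | Where-Object Type -eq 'TXT')
        [pscustomobject]@{
            Resolver = $s
            Visible  = [bool]($txt | Where-Object { $_.Value -eq $Expected })
            TxtCount = $txt.Count
        }
    }
}

# 1. Snapshot the current records once. An existing snapshot is never overwritten,
#    because it is the reference for switching back to the enterprise email solution.
$queries = @(
    @{ Name = $Domain;                Type = 'MX' },
    @{ Name = $Domain;                Type = 'TXT' },
    @{ Name = $Domain;                Type = 'NS' },
    @{ Name = "autodiscover.$Domain"; Type = 'CNAME' }   # assumption: adjust to the wizard's record list
)
if (-not (Test-Path -LiteralPath $BackupPath)) {
    $records = foreach ($q in $queries) { Get-PublicRecord -Name $q.Name -Type $q.Type -Server $Resolvers[0] }
    [pscustomobject]@{
        Domain   = $Domain
        TakenUtc = (Get-Date).ToUniversalTime().ToString('o')
        Records  = @($records)
    } | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $BackupPath -Encoding UTF8
}

# 2. Step 4 adds a record and must not edit existing ones: every TXT value in the
#    snapshot (for example SPF) should still resolve after the addition.
$before  = @((Get-Content -LiteralPath $BackupPath -Raw | ConvertFrom-Json).Records | Where-Object Type -eq 'TXT')
$now     = @(Get-PublicRecord -Name $Domain -Type TXT -Server $Resolvers[0])
$missing = @($before | Where-Object { $_.Value -ne $ExpectedTxt -and $_.Value -notin $now.Value })
if ($missing.Count -gt 0) {
    Write-Warning "TXT records present in the snapshot are no longer resolving:"
    $missing | Format-Table Name, Value -AutoSize
}

# 3. Report propagation of the verification record per resolver before clicking 'Verify'.
Test-TxtVisible -Name $Domain -Expected $ExpectedTxt -Servers $Resolvers | Format-Table -AutoSize

# 4. Show the MX the world currently sees, to compare with the value in the setup wizard.
Get-PublicRecord -Name $Domain -Type MX -Server $Resolvers[0] | Format-Table Name, Value, TTL -AutoSize
```

The TTL column in the snapshot also indicates how long resolvers may keep serving the old MX record after the Step 7 change.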

Stage 4: Run Automated Configuration of Environment
Overview
This stage applies configuration settings to the newly provisioned Microsoft 365 tenant via the automation tool,
which comprises a collection of PowerShell scripts that apply a secure baseline.

The automation tool will perform the following actions:

1. Install required Microsoft modules from the PowerShell gallery

2. Create a connection to the Microsoft 365 tenant

3. Apply the specified settings to the Microsoft 365 tenant and associated Exchange Online instance

4. Create a ‘catch-all’ mailbox, associated group, and mail transport rules

5. Create an emergency ‘break glass’ administration account

6. Close the connection to the Microsoft 365 tenant

WARNING: The ‘catch-all’ mailbox created by the automation tool is not supported by
Microsoft due to its lesser filtering capability and resultant increased risk of spam and
undetected phishing attempts.

Access to the catch-all mailbox should therefore be restricted and closely monitored to
reduce the likelihood of an unskilled operator accessing a potentially malicious email
message.

Where practical, the catch-all mailbox should be provisioned for as short a period as possible.
Once all users have been created within the new Microsoft 365 tenant, or business operations
are restored, the mailbox should be removed.

To minimise the impact to the Microsoft 365 tenant in the event of accessing a malicious
email message held within the catch-all mailbox, a separate user account should be created
with minimal access permissions to the remainder of the Microsoft 365 tenant. Ideally, this
user should be the only user to access the catch-all mailbox. However, given the limited
availability of user licences within the trial tenant and the cost of an additional user licence,
this is something organisations will need to individually determine based on their own risk
assessment.

Additionally, the Microsoft 365 Business Standard subscription allows each user only up to 50
GB of mailbox storage. Given the nature of the catch-all mailbox, once this size limit is
reached, additional mail may be rejected.

Stage Prerequisites
The operator completing this stage will require:

1. PC with a connection to the Internet

2. Up-to-date web browser

3. The Business Continuity in a Box PowerShell module available from:
cyber.gov.au/resources-business-and-government/essential-cyber-security/smallbusiness/business-continuity-box

4. Username and password of an account with the Global Administrator role

NOTE: If continuing from previous stages within this guidance, the account created
in Stage 2 of the document has the necessary Global Administrator permissions.

Process
Step 1: Preparation

1. Navigate to cyber.gov.au/resources-business-and-government/essential-cyber-security/
smallbusiness/business-continuity-box and download the automation tool compressed
folder, then open File Explorer and navigate to the download location of the folder.
a. Press the Windows Key on the keyboard or click the Windows button on the Taskbar.
b. In the “Search for apps, settings and documents” textbox, type “File Explorer” and click ‘Open’.
c. Navigate to the folder where the automation tool folder was extracted (e.g., Downloads).
2. Extract the contents of the package to a nominated location.

WARNING: Before performing the following steps, ensure the downloaded automation tool
folder is from cyber.gov.au/resources-business-and-government/essential-cyber-security/
smallbusiness/business-continuity-box.

a. Right click on the file and select ‘Properties’.


b. In the pop-up window that appears locate the ‘Unblock’ checkbox in the bottom
right corner and place a tick in the checkbox to select the item.

c. Click ‘OK’ to return to Windows Explorer.


d. Right click on the file again and select ‘Extract All...’.
e. In the pop-up window that appears select the desired location to extract the files.
f. Click ‘Extract’.
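The origin check in the warning above can be made before the ‘Unblock’ tick is applied, because the browser's download marker is still attached to the file at that point. The following PowerShell is an added example, not part of the automation tool: it reads the file's `Zone.Identifier` stream, compares the recorded download host against cyber.gov.au, and only then unblocks. The archive file name is a placeholder, and the presence of a `HostUrl` field depends on the browser used, which is an assumption.

```powershell
# Added example (not part of the ASD's ACSC automation tool).
param(
    [string]$ArchivePath  = "$env:USERPROFILE\Downloads\automation-tool.zip",  # placeholder file name
    [string]$ExpectedHost = 'cyber.gov.au'
)

function Get-DownloadOrigin {
    # Reads the NTFS alternate data stream that browsers attach to downloaded files.
    param([string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $fields = @{}
    foreach ($line in $ads) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        ZoneId      = $fields['ZoneId']
        HostUrl     = $fields['HostUrl']
        ReferrerUrl = $fields['ReferrerUrl']
    }
}

function Test-OriginHost {
    # Compares the parsed host name, not a substring of the URL, so that a look-alike
    # such as https://cyber.gov.au.example.net/ does not pass.
    param([string]$Url, [string]$ExpectedHost)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    return ($uri.Host -eq $ExpectedHost) -or
           $uri.Host.EndsWith(".$ExpectedHost", [StringComparison]::OrdinalIgnoreCase)
}

$origin = Get-DownloadOrigin -Path $ArchivePath
$hash   = (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
Write-Output "SHA-256 of downloaded archive: $hash"   # record with the incident notes

if (-not $origin) {
    Write-Warning 'No Zone.Identifier stream found: the file was copied from elsewhere or already unblocked. Download it again from the official page.'
}
elseif (Test-OriginHost -Url $origin.HostUrl -ExpectedHost $ExpectedHost) {
    Write-Output "Download host verified: $($origin.HostUrl)"
    Unblock-File -LiteralPath $ArchivePath
}
else {
    Write-Warning 'Recorded download host does not match. The file has been left blocked.'
    $origin | Format-List ZoneId, HostUrl, ReferrerUrl
}
```

`Unblock-File` has the same effect as ticking ‘Unblock’ in the Properties dialog, so run this before steps a to c rather than after them.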

NOTE: Access to the Microsoft 365 tenant is dependent on the account that is used to
sign in. As such, there is no configuration required for the script to apply the default
configuration settings.

More specific configuration of the Microsoft 365 tenant is possible by editing the
configuration settings within the associated configuration files. This guidance does not
cover customised tenant configuration.

Step 2: Run the Automation Tool

1. The automation tool can be run using either a Windows Normal User or Windows Administrator account.

2. To run the automation tool with the currently logged-in user, open the extracted package in File Explorer.
a. Press the Windows Key on the keyboard or click the Windows button on the Taskbar.
b. In the ‘Search for apps, settings, and documents’ textbox, type ‘File Explorer’ and then click ‘Open’.
c. Navigate to the folder where the automation tool folder was extracted and open the folder.
3. Locate the file BCiaB.bat and double click the file to begin implementation.

4. A window will appear.

5. Early in the implementation, the operator will be presented with a prompt to enter the username and password for
a Microsoft 365 Global Administrator account. This is the username and password created within Stage 2 of the
setup process. Enter the username and password details of the user created during Stage 2 and click ‘Sign In’.

6. The automation tool will provide feedback to the operator on the process currently running. Do
not exit the open applications or shut down the computer until the tool has finished.

7. Once the automation tool has finished, the user will be presented with a completion screen with a report
summarising the process and the changes, which can be used to troubleshoot any unexpected issues.

8. The new Microsoft 365 Business Standard trial tenant is now configured.

NOTE: Some settings may take time to be activated by background Microsoft processes.
Microsoft advises that configuration can take up to 24 hours for certain features
and capabilities.
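The Stage 4 warning asks that access to the catch-all mailbox be restricted and closely monitored, and notes the 50 GB storage limit. The following PowerShell is an added example, not part of the automation tool, showing one way to review both once the tool has finished. It assumes the ExchangeOnlineManagement module is installed; the account names, the approved list and the 80% warning threshold are placeholders and assumptions.

```powershell
# Added example (not part of the ASD's ACSC automation tool).
param(
    [string]$AdminUpn     = 'admin@example.onmicrosoft.com',  # placeholder: Stage 2 account
    [string]$CatchAll     = 'catch-all@example.org',          # 'catch-all@<domain>'
    [string[]]$Approved   = @('mailroom@example.org'),        # placeholder: principals allowed to open it
    [double]$QuotaGB      = 50,                               # limit stated in the guidance
    [double]$WarnFraction = 0.8                               # assumption: warn at 80% of the limit
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

function ConvertTo-ByteCount {
    # Exchange Online renders sizes as text such as "1.5 GB (1,610,612,736 bytes)".
    param([string]$SizeText)
    if ($SizeText -match '\(([\d,.\s]+?)\s*bytes\)') { return [int64]($Matches[1] -replace '\D') }
    return $null
}

function Get-UnexpectedAccess {
    # Lists principals holding rights on the mailbox that are not on the approved list.
    # Groups appear by name: add the group to $Allowed and review its membership separately.
    param([string]$Mailbox, [string[]]$Allowed)
    $full = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Principal = "$($_.User)"; Rights = ($_.AccessRights -join ',') } }
    $sendAs = Get-RecipientPermission -Identity $Mailbox |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { [pscustomobject]@{ Principal = "$($_.Trustee)"; Rights = ($_.AccessRights -join ',') } }
    @($full) + @($sendAs) | Where-Object { $_.Principal -notin $Allowed }
}

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    # 1. Who can open or send as the catch-all mailbox, beyond the approved list?
    $unexpected = @(Get-UnexpectedAccess -Mailbox $CatchAll -Allowed $Approved)
    if ($unexpected.Count -gt 0) {
        Write-Warning "Principals with access to $CatchAll that are not on the approved list:"
        $unexpected | Format-Table Principal, Rights -AutoSize
    }
    else {
        Write-Output "Access to $CatchAll is limited to the approved list."
    }

    # 2. How close is the mailbox to the size at which new mail may be rejected?
    $stats = Get-MailboxStatistics -Identity $CatchAll
    $bytes = ConvertTo-ByteCount -SizeText "$($stats.TotalItemSize)"
    if ($null -eq $bytes) {
        Write-Warning "Could not parse mailbox size from '$($stats.TotalItemSize)'."
    }
    else {
        $usedGB = [math]::Round($bytes / 1GB, 2)
        Write-Output "$CatchAll holds $($stats.ItemCount) items, $usedGB GB of $QuotaGB GB."
        if ($usedGB -ge $QuotaGB * $WarnFraction) {
            Write-Warning 'Catch-all mailbox is approaching its storage limit.'
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```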

Stage 5: Validate Environment
Overview
This stage walks through the process of verifying that the previous stages have been implemented correctly.
The operator will log into the new Microsoft 365 tenant, send an email from an external email service to the new
tenant, and then send an email from the new tenant to an external email address.

Process
1. Open an internet browser and navigate to Microsoft Outlook https://outlook.com.

2. Click ‘Sign in’, using the username and password of the Global Administrator account created in Stage 2.

3. Microsoft Outlook will open to the user mailbox.

4. Add the catch-all mailbox to the available folders:


a. Right click ‘Folders’ in the left-hand navigation pane.
b. Click ‘Add shared folder or mailbox’.
c. Type the email address of the catch-all mailbox in the dialog box and select ‘Add’.
The catch-all mailbox email address will be ‘catch-all@<domain>’ where <domain>
is the organisation domain not the initial ‘onmicrosoft.com’ domain.
5. Open a new internet browser tab and navigate to the email account used for account verification
in Stage 1 or another email account not associated with the new Microsoft 365 tenant.

6. Send an email to the Global Administrator email address.

7. Send an email to ‘info@<domain>’ where <domain> is the organisation domain not the ‘onmicrosoft.com’ domain.

NOTE: It is recommended you do not set up any email addresses before this stage,
as doing so may potentially create a new mailbox within Exchange Online. If the
Microsoft 365 tenant already has an ‘info’ mailbox, replace ‘info@<domain>’ with
an alternative email address that does not exist to test that all email messages
sent to the organisation are captured within the catch-all mailbox.

8. Return to the tab opened in step 1 of this Stage.

9. Verify receipt of the email from step 6 within the Global Administrator mailbox.

10. Verify receipt of the email sent to ‘info@<domain>’ from step 7 by
selecting the catch-all mailbox in the available folders.

11. Create a new email within Outlook and send to the email account used in step 5 of this Stage.

12. Return to the email account in step 5 and verify receipt of the email from the Global Administrator.

Contact
For any enquiries concerning this guidance or to provide feedback, please navigate to
cyber.gov.au/about-us/about-asd-acsc/contact-us. Select ‘General enquiry or feedback’, and choose
‘Business Continuity in a Box’ from the drop-down menu under ‘Your enquiry/feedback type’.

If you or your organisation are victim of a data breach or cyber incident, follow relevant cyber
incident response and communication plans, as appropriate.

Australian organisations impacted by, or requiring assistance relating to, a cyber incident can contact
ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by using ReportCyber at
cyber.gov.au/report-and-recover/report.

United States organisations may report cyber incidents to CISA’s 24/7 Operations Center at
report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include information
regarding the incident: date, time and location of the incident; type of activity; number of people
affected; type of equipment used for the activity; the name of the submitting company or organisation;
and a designated point of contact.

Appendix A: acronyms, abbreviations and definitions
This document uses the following acronyms and abbreviations:

Acronym or Abbreviation    Definition
DNS                        Domain Name Service
Microsoft Entra ID         Formerly Azure Active Directory
MX                         Mail Exchange DNS record
Operator                   The person responsible for implementation of the Business
                           Continuity in a Box solution for an organisation.
PC                         Personal Computer
TXT                        Text DNS record
VOIP                       Voice over Internet Protocol

Disclaimer
The material in this guide is of a general nature and should not be regarded
as legal advice or relied on for assistance in any particular circumstance or
emergency situation. In any important matter, you should seek appropriate
independent professional advice in relation to your own circumstances.

The Commonwealth accepts no responsibility or liability for any damage, loss or
expense incurred as a result of the reliance on information contained in this guide.

Copyright.
© Commonwealth of Australia 2023.
With the exception of the Coat of Arms and where otherwise stated, all material
presented in this publication is provided under a Creative Commons Attribution
4.0 International licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material
as set out in this document.

The details of the relevant licence conditions are available on the Creative
Commons website as is the full legal code for the CC BY 4.0 licence
(www.creativecommons.org/licenses).

Use of the Coat of Arms.
The terms under which the Coat of Arms can be used are detailed
on the Department of the Prime Minister and Cabinet website
(www.pmc.gov.au/government/commonwealth-coat-arms).

For more information, or to report a cyber security incident, contact us:
cyber.gov.au | 1300 CYBER1 (1300 292 371).

Business Continuity
in a Box
Guidance:
Continuity of Applications
Content Complexity
MODERATE
Contents
Introduction
    Purpose
    Overview
    How to use this document
Guidance
    Stage 1: Determine your critical applications
    Stage 2: Determine your continuity path
    Stage 3: Deploying an IaaS application environment
Contact
Appendix A: acronyms, abbreviations and definitions

Disclaimer
The information herein is being provided “as is” for information purposes only. The authors
do not endorse or favour any commercial entity, product, company, or service, including any
entities, products, or services linked or otherwise referenced within this document.

Introduction
Purpose
Application continuity is critical to any organisation in maintaining service availability and integrity.
To reduce downtime, costs and business impact of incidents, organisations should quickly stand up interim
solutions if their normal operating environment is lost, unavailable or compromised. Depending on an
organisation’s business requirements, this may include internal services such as payroll or file sharing,
or more expansive requirements such as engagements with external providers, customers or the public.

Continuity of Applications focuses on establishing interim business-critical applications during a cyber
incident. The package assists organisations to quickly and securely design and deploy an interim cloud
solution for hosting core applications.

Before deploying the interim cloud solution, organisations must assess any risks associated with
organisational data being stored on an interim cloud solution, including any additional security controls
that may be required.

For guidance on how to assess and manage risk, see:

• Assess and Manage Risk at
business.gov.au/risk-management/risk-assessment-and-planning/assess-and-manage-risk

Overview
Options for Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service
(IaaS) are discussed within this guidance, with a primary focus on IaaS.

This guidance – developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s
ACSC) with contributions from the United States Cybersecurity and Infrastructure Security Agency
(CISA) – does not provide prescriptive or long-term architectures. Instead, it provides an interim solution
for the deployment and operation of critical business applications where an organisation’s systems
may have been affected by a cyber incident.

The concepts and examples in this document use relevant cloud hosting providers’ ‘rehosting’ guidance –
also known as ‘lift and shift’ – for interim system deployment.

How to use this document
This document provides guidance for deploying an interim cloud-based business continuity solution that
leverages the benefits of a cloud-hosted system or applications. Implementation of this guidance requires
an intermediate level of knowledge of cloud services. This guidance is not for systems and services
currently undergoing redevelopment or redesign to leverage the benefits of cloud hosting, nor new systems
and services provisioned directly to a cloud environment.

This document is divided into three consecutive stages. It is recommended the reader review the document
in its entirety before commencing Stage 1. It is possible some organisations will not need to implement
all three stages of this guidance. This will depend on an individual organisation’s needs and requirements
established in Stages 1 and 2.

Guidance
Stage 1: Determine your critical applications
Identifying critical business functions and their associated applications is integral to resuming
operations. Critical business functions are those activities that are vital to an organisation’s survival
and to the resumption of business operations. Typically, critical business functions are those that:

1. Are most impacted by downtime or unavailability

2. Play a key role in maintaining business operations and deliverables

3. Fulfill legislative and/or regulatory obligations

4. Safeguard an irreplaceable asset

Identification and classification of functions:

1. Identify the critical business functions of your organisation.

2. Classify these critical business functions into the following categories:
iii. High (most critical)
iv. Medium
v. Low (least critical)

Based on the above factors, decide which functions are to be prioritised and included in the following
stages.

Stage 2: Determine your continuity path
When deciding on the best interim solution for an organisation, key factors may include cost, and ease
of deployment and operation. SaaS, PaaS and IaaS are the three main cloud computing services with
each providing different features, functionalities and benefits. The most appropriate offering is dependent
on an organisation’s requirements for hosting, storing, managing and processing information and data.

Software as a service
To ensure ease of deployment across many corporate applications, one of the most common cloud services
is SaaS – it offers both consumers and businesses cloud-based tools and applications for everyday use.
Common examples include the Microsoft 365 suite of productivity software, and MYOB or Xero for financial
management.

SaaS services are readily available as an off-the-shelf solution for most users. In many cases
companies offer a trial period followed by a monthly pay-as-you-go service, though they tend to create a
lock-in effect that means it can be difficult to export data. Organisations should generally consider the
use of SaaS when looking for a more permanent cloud solution.

Platform as a service
PaaS allows developers to host, build and deploy their consumer-facing apps on a platform. Generally,
PaaS management and ownership stays with the developers, affording little to no control to organisations
regarding patching and updates of the underlying host infrastructure. PaaS can also be slower to deploy
than IaaS and SaaS, due to the development time.

Infrastructure as a service
IaaS platforms allow an organisation to manage their business resources such as their network, servers and
data storage on the cloud. IaaS is a pay-as-you-go service, which allows for cancellation any time after
the initial 30-day trial period. This makes it beneficial as a short-term business continuity solution.

As an interim solution, an IaaS platform will most closely mimic the existing computing infrastructure
that would normally be hosted locally on an organisation’s premises. As IaaS can offer the ability
to replicate and recover core services in a rapid and straightforward manner, the remainder of this
guidance concentrates on the deployment of an IaaS cloud solution.

Stage 3: Deploying an IaaS application environment
This section provides a high-level implementation framework for deploying IaaS as a solution. This
guidance includes a list of steps to follow, along with a set of assumptions and constraints that should be
considered before starting the deployment.

Assumptions
This guidance assumes personnel implementing the interim IaaS solution have:

• An understanding of cloud computing concepts and architectures, including IaaS
• Access to the necessary cloud hosting provider services and tools to deploy the solution
• A good understanding of any organisation-specific configuration settings that need to be applied to the
IaaS solution

Constraints
The following constraints should be considered before deploying the interim IaaS architecture:

• The IaaS solution must adhere to the security and compliance requirements of the organisation
• The IaaS solution must meet any performance and availability requirements set by the organisation
• The IaaS solution must be scalable for the organisation’s requirements and easily maintainable

Architecture principles
Cloud-based IaaS and PaaS deployments are subject to several additional threats not commonly
addressed in an on-premises architecture. This is typically due to the presence of compensating
features for on-premises systems, which include single network entry points, trusted user base, and limited
physical server access. As such, directly migrating an on-premises system to a cloud-based IaaS solution
could immediately expose the rehosted system and potentially the organisation to unaddressed risks.

To minimise these risks, this guidance introduces several architecture principles to allow the rapid
migration of a system, effecting minimal changes to the system and increasing security by leveraging
additional security capabilities available within various cloud platforms. The principles within this
guidance each have key considerations, which often in themselves can be broken into architecture
principles. For simplicity, only the high-level principles are defined, with additional information in the
details of each principle. An overview of the three (3) principles is provided.

Maintain security boundaries
The principle of maintaining security boundaries emphasises the need to preserve the existing
security boundaries established in the on-premises hosted system during the migration to
a cloud IaaS platform. For example, databases residing on a server for the on-premises hosted
solution will remain on an equivalent IaaS host rather than being migrated to an SQL PaaS.

By maintaining existing security boundaries, the organisation can retain the same level of control
and visibility over its critical business systems, ensuring a consistent security posture. This principle
allows for a smoother migration process, as it minimises the need for significant architectural
changes whilst still taking advantage of the benefits provided by cloud IaaS platforms.

Enhance security controls
The principle of enhancing security controls highlights the importance of leveraging additional
security capabilities available within cloud IaaS platforms to strengthen the overall security posture
of the migrated system. Cloud platforms offer various security features, such as network security
groups, security services, and identity and access management tools.

During the migration process, it is essential to identify gaps with the on-premises hosted system and design
appropriate controls or compensating controls using the available cloud platform features. By taking
advantage of these enhanced security controls, the organisation can address the additional threats
introduced by cloud deployments and mitigate the associated risks effectively.

Ensure compliance and governance
This principle emphasises the need to maintain regulatory compliance and adhere to the
organisation’s governance requirements. Moving to a cloud IaaS platform introduces additional compliance
considerations such as data sovereignty, data protection, and other industry-specific regulations.

To ensure appropriate compliance and governance arrangements, it is crucial to fully understand
the applicable regulations and requirements of the organisation before migrating the system
to the cloud. This assessment should inform the design and implementation of security controls
and processes that align with organisation and regulatory compliance needs. Additionally,
organisations should establish proper monitoring and auditing mechanisms to maintain
compliance in a cloud-hosted environment.

Process
Planning

1. Select the cloud service provider (CSP) based on your organisation’s operational requirements

2. Define the target architecture for the system

3. Develop a plan for preparation, migration, security and compliance, and review and optimisation

Infrastructure deployment

4. Procure a subscription from the selected CSP

5. Set up and configure necessary resources to meet operational needs

6. Implement additional security features to address any new threats resulting from the interim cloud
implementation

Data migration

7. If possible, restore data from available backups

8. If necessary, ensure systems are connected to a centralised user directory

Security and compliance

9. Implement security controls suggested within the examples and patterns, including encryption,
privileged administration workstations, gateway, and federated identity security patterns

10. Validate the security controls through testing and auditing from within the cloud service provider
portals and tools

11. Implement additional compliance measures, such as implementing applicable security controls,
logging and monitoring, and reporting

Review and optimisation

12. Particularly in the initial stages of deployment, perform regular reviews of the migrated systems to
determine where resources can be optimised, and costs reduced

13. Document the new architecture and additional changes made to accommodate for the change to
a cloud hosting provider

Components
IaaS implementations, regardless of selected CSP are comprised of several components or resources.
When migrating on-premises systems to IaaS platforms, it is essential to understand the differences
in components and their corresponding security controls to ensure secure operation of the system.

By understanding and addressing the unique security considerations for each component
and the system, organisations can implement effective security controls and measures
to protect their cloud IaaS solutions.

Virtual infrastructure
Virtual machines (VM) are the primary compute resources in a cloud IaaS environment. They host
operating systems, applications, and services required for system functionality. When migrating
on-premises hosted systems, equivalent VMs should be provisioned to maintain system architecture.

Implement security controls for VMs, such as:

• Hardened Images: Utilise hardened VM images or templates that follow security best practices for the
specific operating system and application stack.
• Patch Management: Consistently apply security patches and updates to VMs
to address known vulnerabilities.
• Anti-Malware/Antivirus: Install and configure anti-malware or antivirus software on VMs
to detect and prevent malicious activities.
• Least Privilege: Assign appropriate permissions and access controls to VMs to restrict access
to only approved administrators and users.

Storage
Cloud platforms offer several types of storage services to store and manage data, such as:

• Object Storage: Object storage services, such as Amazon S3, Azure Blob Storage,
or Google Cloud Storage, allow storage and retrieval of unstructured data, such as
documents, images and multimedia files.
• Block Storage: Block storage is suitable for VMs requiring persistent storage. This provides
low-latency access and is suitable for hosting data, such as operating system disks and databases.
• File Storage: Leverage file storage services, such as Amazon EFS, Azure Files, or Google
Cloud Filestore to provide shared file systems accessible by multiple VMs.
• Backup and Recovery: Implement regular backup and recovery mechanisms for critical data
and configurations. Leverage snapshotting, replication, or cloud-native backup solutions
provided by the CSP and if possible, copy the backups to a separate location.
• Encryption: Enable encryption for data at rest in storage services to protect sensitive
information from unauthorised access.

Identity and access management
Identity and access management (IAM) is a critical component for controlling user access and managing
authentication and authorisation in a cloud environment.

User and Access Management

• User Provisioning: Implement a centralised user management system or integrate with an
existing identity provider to enable user account management, authentication, and authorisation.
• Multi-Factor Authentication (MFA): Enforce the use of MFA for user and administrator accounts to
add an extra layer of security beyond passwords.
• Role-Based Access Control (RBAC): Define roles with granular permissions and assign
to users based on job responsibilities.
• Access Reviews: Conduct regular access reviews to ensure user permissions are up to date
and aligned with business requirements.

Privileged Access Management

• Privileged Account Management: Implement a privileged access management solution to
control and monitor privileged account usage. Utilise just-in-time access and session recording to
limit the exposure of administrative privileges.
• Privileged Access Reviews: Regularly review and recertify privileged accounts and permissions
to maintain appropriate access controls.

Security
Implementing robust security measures is crucial to protect the cloud environment and the hosted system
from potential threats and vulnerabilities.

Network Security

• Virtual Private Cloud (VPC): Utilise VPCs to quickly isolate the cloud environment and establish
network segmentations. Configure subnets, network access control lists (ACLs), and security
groups to control inbound and outbound traffic.
• Firewalls: Implement virtual firewalls to filter internet traffic and network and server firewalls
to filter and control traffic flow between network components. If the on-premises environment
separated the network into zones, ensure the architecture is maintained through use of subnets
and additional virtual firewalls if needed.
• Intrusion Detection and Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions to detect and prevent
network-based attacks, anomalous traffic, and known attack signatures. Unless an IDS/IPS solution
existed for the on-premises system, implementation of this capability should, at minimum, be deployed
between the internet and hosted network.

Data Protection

• Encryption: Utilise encryption mechanisms, such as transport layer security (TLS) to protect data
in transit between components and applications. Implement encryption for data at rest for sensitive
data stored in storage services or databases.
• Data Loss Prevention (DLP): Deploy DLP controls to detect and prevent the unauthorised
transmission or storage of sensitive data. Use predefined policies or custom rules to
identify and mitigate data leakage risks.
• Data Backup and Recovery: Establish a regular backup and recovery strategy for
critical data to ensure business continuity in the event of data loss or system failure.

Endpoints

Endpoints refer to the devices or client systems used to access the cloud-hosted system.

• Endpoint Security: Implement endpoint protection measures, including antivirus software, host-based firewalls, and secure configurations, on devices used to access the cloud environment.

• Secure Remote Access: Utilise secure remote access technologies, such as virtual private networks (VPNs) or bastion hosts, to establish secure connections between client systems and the cloud environment.

IaaS architectural patterns

The following guidance provides three high-level architectural patterns that can be utilised in planning the organisation’s interim IaaS cloud solution. The patterns provide details of common architectures for systems, which are deployed in on-premises environments, and can be rehosted to an equivalent cloud-hosted solution. Each architecture represents an approach to structuring a system within the cloud environment.

Presented after this high-level guidance are examples of deployments for an n-tier architecture within Azure, Amazon Web Services (AWS), and Google Cloud to demonstrate the additional services that should be considered to secure the system.

Single-tier architecture

A single-tier architecture is a simple, standalone setup where the client, server and data storage components are all combined in a single server. This model is typically implemented for small applications.

Advantages

• Easy to set up and manage due to its simplicity.

• Cost-effective for small-scale applications.

Disadvantages

• As the application grows, scalability can become a challenge.

• Since all components reside in a single location, security and fault tolerance are sacrificed or significantly reduced compared with other architectures.

Single-tier

A single-tier provides a combination of user interface, business processing logic, and data store in the form of a file system or database. All system and user actions are processed here.

Figure 1 - Single tier system architecture



Two-tier architecture

In a two-tier architecture, the client and server components are separated, typically by a client tier (user
interface) that communicates directly with the data tier (database or file store).

Advantages

• Better performance and scalability than single tier, as the client and server are separated.

• Enables scalability of each tier or independent management, potentially resulting in lower cost for greater performance gains.

Disadvantages

• Lack of separation between the application logic and database can lead to slower performance as the application grows.

• Greater likelihood of security issues as there is a direct link between the client and database.

Client tier

This tier provides a combination of user interface and business processing logic. Actions from the user are evaluated, logic decisions made, and calculations performed. Information is sent to and retrieved from the data tier. Presentation to a user is typically done via a web page.

Data tier

This tier is responsible for the storage and retrieval of information using a database or file system. The information is sent to the logic tier for processing.

Figure 2 - Two-tier system architecture

N-tier architecture

An n-tier architecture (also known as multi-tier architecture) divides a system into three or more separate tiers.
A common model for this architecture is a system consisting of a presentation layer (client/user interface), an
application layer (business logic), and a data layer (database or file store).

Advantages

• High scalability and flexibility, as each tier can be managed, scaled, and updated independently.

• Provides increased security as each tier acts as a boundary, making it more difficult for an attacker to compromise the entire system.

Disadvantages

• More complex to design, deploy and manage due to the separation of components.

• Requires careful design to ensure performance and responsiveness, particularly as network latency can become a factor.

Presentation tier

Top level of an N-Tier architecture, providing the user interface. The main function of this tier is to translate users’ actions into system processes, and system processing results into user-understandable information. Typically, user interfaces may be in the form of web pages or mobile device applications.

Logic / business processing tier

The system or service middle layer provides a coordination function. It processes commands and makes logic decisions and evaluations, including performing calculations and processing and moving data between the presentation layer and data layer.

Data tier

This tier is responsible for the storage and retrieval of information using a database or file system. The information is sent to the logic tier for processing.

Figure 3 - N-tier system architecture



Example IaaS solutions

The following solution designs provide details of a system rehosted from an on-premises environment to Azure, AWS, and Google Cloud. The details within these examples provide information on the various technologies available within each platform.

Solution design example for Azure

Azure IaaS is a cloud computing service that offers essential computing, storage and networking resources on demand, through a pay-as-you-go service.

Migration of your organisation’s infrastructure to an IaaS solution provides a reduction in maintenance of the on-premises data centre, savings on hardware costs, and gains real-time business insights. IaaS solutions allow the organisation to scale IT resources up and down with business demands. IaaS also helps the organisation to quickly provision new applications and increase the reliability of the underlying infrastructure.

Azure manages the infrastructure, while organisations purchase, install, configure and manage their software, including operating systems, middleware and applications. Tiers are a way to separate responsibilities and manage dependencies – each layer has a specific responsibility. A higher tier can use services in a lower tier, but not the other way around.

Tiers are physically separated, running on separate machines. A tier can call another tier directly or use asynchronous messaging (message queue). Although each layer might be hosted in its own tier, it is not required. Several layers might be hosted on the same tier. Physically separating the tiers improves scalability and resilience but also adds latency from the additional network communication.

A traditional three-tier application has a presentation tier, a middle or application tier, and a database tier. The middle tier is optional. More complex applications can have more than three tiers. The diagram below shows a typical 3-tier IaaS, encapsulating different areas of functionality.

Each tier consists of two or more VMs, placed in an availability set or virtual machine scale set. Multiple VMs provide resiliency in case one VM fails. Load balancers are used to distribute requests across the VMs in a tier. A tier can be scaled horizontally by adding more VMs to the pool.

Each tier is also placed inside its own subnet, meaning its internal IP addresses fall within the same address range. That makes it easy to apply network security group rules and route tables to individual tiers. The web and application tiers are stateless. Any VM can handle any request for that tier. The data tier should consist of a replicated database. For Windows, we recommend SQL Server, using Always On availability groups for high availability. For Linux, choose a database that supports replication, such as Apache Cassandra. Network security groups restrict access to each tier. For example, the database tier only allows access from the application tier.

For secure administration of the system, it is recommended to deploy an Azure Bastion service. Bastion provides secure remote desktop protocol (RDP) and secure socket shell (SSH) connectivity to all the VMs in the virtual network in which it is provisioned. Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world while providing secure access using RDP/SSH.

[Diagram labels: Dev Ops, Azure portal, Bastion host, Internet, WAF, load balancers, web tier, business tier, data tier (primary SQL, secondary SQL), virtual network]

Figure 4 – typical Azure N-tier IaaS system architecture

Solution design example for AWS

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. Using Amazon EC2 eliminates the need for organisations to invest in hardware upfront, allowing them to develop and deploy applications faster.

Amazon EC2 can be used to launch as many or as few virtual servers as required, configure security and networking, and manage storage. Amazon EC2 enables an organisation to scale up or down to handle changes in requirements or spikes in the required resources, reducing the need to forecast traffic.

Amazon EC2 provides a web-based user interface, the Amazon EC2 console. Administrators can access the privileged user interface after signing up for an AWS account, signing into the AWS Management Console, and selecting EC2 from the console home page.

Amazon EC2 supports creating resources using AWS CloudFormation. Developers can create a template in JSON or YAML that describes the organisation’s AWS resources, and AWS CloudFormation provisions and configures those resources. Organisations can reuse the developed CloudFormation templates to provision the same resources multiple times, whether in the same region and account or multiple regions and accounts.

Amazon EC2 provides a Query API. These requests are HTTP or HTTPS requests that use the HTTP verbs GET or POST and a query parameter named Action. Developers may prefer to build applications using language-specific APIs instead of submitting a request over HTTP or HTTPS. AWS provides libraries, sample code, tutorials, and other resources for software developers.

When administering the EC2 platform, AWS strongly suggests using SSH access to further secure the services and their instances by implementing a Bastion host, also known as a ‘Jump Box’.

A bastion host is a special-purpose machine utilised for privileged access that is configured and hardened to withstand attacks. The machine contains a single application, which it hosts. Bastion hosts are accessed with the help of SSH or RDP protocols. After a remote connection is established with the bastion host, it allows the use of SSH or RDP to log in to other instances (thereby behaving like a ‘jump server’) that are present within the private network/subnet. The diagram below shows a typical AWS EC2 3-tier IaaS architecture.

[Diagram labels: Dev Ops, Bastion host, WAF, application load balancer, network load balancer; availability zones A and B, each with a web subnet (web server EC2, Auto Scaling), an application subnet (app server EC2, Auto Scaling) and a database subnet; database master and database replica with synchronous replication]

Figure 5 – typical Amazon Web Services N-Tier IaaS system architecture



Solution design example for Google Cloud Platform

Google Cloud Platform (GCP) is a suite of cloud computing resources for developing, deploying and operating applications on the web. GCP utilises the same infrastructure that Google uses internally for its end-user products. GCP IaaS provides a series of modular cloud services, including computing, data storage, data analytics and machine learning.

GCP provides the whole infrastructure for business applications and assures security and reliability. GCP provides many APIs such as YouTube, Gmail, Maps, etc. It includes the options to create projects and work on specific projects, thus creating isolation. GCP is widely used in app development, as it provides several APIs.

When applications, websites or other cloud services are run on GCP, Google tracks the resources being used, such as processing power, storage and network connections. Unlike most conventional services that charge by the month, GCP charges by the minute to keep customer costs low. When using GCP to build and deliver their services, organisations can leverage the power of hyperscale in data centres or borrow sophisticated analytics and AI functions to reach users worldwide.

The GCP Virtual Private Cloud (VPC) network is a virtual version of a physical network implemented inside Google’s production network using Andromeda. VPC networks, along with their associated routes and firewall rules, are global resources and are not associated with any distinct region or zone. A VPC network provides the following benefits:

• Connectivity to your Compute Engine VM instances, including Google Kubernetes Engine (GKE) clusters, App Engine flexible environment instances, and other GCP products built on Compute Engine VMs.

• Native Internal TCP/UDP Load Balancing and proxy systems for Internal HTTP(S) Load Balancing.

• Connection to on-premises networks using Cloud VPN tunnels and Cloud Interconnect attachments.

• Distributes traffic from Google Cloud external load balancers to back ends.

Google recommends that the management of the GCP be conducted by a bastion host, providing an external facing point of entry into a network containing private network instances. A bastion host offers a single point of fortification or audit and can be started and stopped to enable or disable inbound SSH. By using a bastion host, privileged users can connect to a VM that does not have an external IP address. This approach allows administrators to connect to a development environment or manage the database instance – at times without configuring additional firewall rules – for an external application. The diagram below represents a typical GCP N-tier architecture.

[Diagram labels: Dev Ops, Bastion host, Cloud NAT, Cloud load balancer & Cloud DNS, managed instance group, Cloud firewall rules, Cloud SQL]

Figure 6 – typical Google Cloud Platform N-tier IaaS system architecture
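
The three solution designs above share the same isolation rules: each tier sits in its own subnet, the database tier accepts traffic only from the application tier, and RDP/SSH reaches VMs only through a bastion host. The following added example (not part of the original guidance) audits a set of inbound allow rules against those rules; the address plan, port numbers and sample rules are constructed assumptions.

```python
"""Audit inbound allow rules against the n-tier isolation described above.

All subnets, ports and rules are constructed sample values, not a real export.
"""
from ipaddress import ip_network

# Assumed address plan: one subnet per tier plus a bastion subnet.
VNET = ip_network("10.0.0.0/16")
SUBNETS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "data": ip_network("10.0.3.0/24"),
    "bastion": ip_network("10.0.250.0/27"),
}
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Assumed service ports: which source may reach which tier (non-admin traffic).
ALLOWED = {
    "web": {"external": {443}},   # HTTPS arriving via the WAF / load balancer
    "app": {"web": {8443}},
    "data": {"app": {1433}},      # database tier: application tier only
}


def classify(source):
    """Map a source CIDR to a tier name, 'other-internal' or 'external'."""
    net = ip_network(source)
    for name, subnet in SUBNETS.items():
        if net.subnet_of(subnet):
            return name
    return "other-internal" if net.subnet_of(VNET) else "external"


def audit(rules):
    """Return (rule name, reason) for each allow rule that breaks tier isolation."""
    findings = []
    for rule in rules:
        src = classify(rule["source"])
        tier, port = rule["dest_tier"], rule["port"]
        if port in ADMIN_PORTS:
            if src != "bastion":
                findings.append((rule["name"], f"admin port {port} open to {src}, not bastion"))
        elif port not in ALLOWED.get(tier, {}).get(src, set()):
            findings.append((rule["name"], f"{src} may not reach {tier} tier on port {port}"))
    return findings


# Constructed rule set: four compliant rules and three violations.
SAMPLE_RULES = [
    {"name": "web-https", "source": "0.0.0.0/0", "dest_tier": "web", "port": 443},
    {"name": "app-from-web", "source": "10.0.1.0/24", "dest_tier": "app", "port": 8443},
    {"name": "db-from-app", "source": "10.0.2.0/24", "dest_tier": "data", "port": 1433},
    {"name": "db-from-web", "source": "10.0.1.0/24", "dest_tier": "data", "port": 1433},
    {"name": "ssh-from-any", "source": "0.0.0.0/0", "dest_tier": "app", "port": 22},
    {"name": "rdp-from-bastion", "source": "10.0.250.0/27", "dest_tier": "data", "port": 3389},
    {"name": "db-from-host", "source": "203.0.113.7/32", "dest_tier": "data", "port": 1433},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

To use it against a real environment, replace the sample rules with the allow rules exported from the provider's security groups or firewall rules and adjust the address plan and ports to match the rehosted system.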

Contact

For any enquiries concerning this guidance or to provide feedback, please navigate to cyber.gov.au/about-us/about-asd-acsc/contact-us. Select ‘General enquiry or feedback’, and choose ‘Business Continuity in a Box’ from the drop-down menu under ‘Your enquiry/feedback type’.

If you or your organisation are the victim of a data breach or cyber incident, follow relevant cyber incident response and communication plans, as appropriate.

Australian organisations impacted by, or requiring assistance relating to, a cyber incident can contact ASD’s ACSC via 1300 CYBER1 (1300 292 371), or by using ReportCyber at cyber.gov.au/report-and-recover/report.

United States organisations may report cyber incidents to CISA’s 24/7 Operations Center at report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870. When available, please include information regarding the incident: date, time and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organisation; and a designated point of contact.

Appendix A: acronyms, abbreviations and definitions

This document uses the following acronyms and abbreviations:

Acronym or Abbreviation    Definition
ACL                        Access Control Lists
Amazon EC2                 Amazon Elastic Compute Cloud
API                        Application Programming Interface
AWS                        Amazon Web Services
CSP                        Cloud Service Provider
DLP                        Data Loss Prevention
EFS                        Elastic File System
GCP                        Google Cloud Platform
GKE                        Google Kubernetes Engine
HTTP(S)                    Hyper Text Transfer Protocol (Secure)
IaaS                       Infrastructure-as-a-Service
IDS/IPS                    Intrusion Detection and Prevention Systems
IP                         Internet Protocol
JSON                       JavaScript Object Notation
MFA                        Multifactor Authentication
PaaS                       Platform-as-a-Service
RBAC                       Role based Access Control
RDP                        Remote Desktop Protocol
SaaS                       Software-as-a-Service
SQL                        Structured Query Language
SSH                        Secure Socket Shell
TCP                        Transmission Control Protocol
TLS                        Transport Layer Security
UDP                        User Datagram Protocol
VM                         Virtual Machine
VPC                        Virtual Private Cloud
VPN                        Virtual Private Network
YAML                       A Human-Readable Data Serialisation Language
Disclaimer
The material in this guide is of a general nature and should not be regarded
as legal advice or relied on for assistance in any particular circumstance or
emergency situation. In any important matter, you should seek appropriate
independent professional advice in relation to your own circumstances.

The Commonwealth accepts no responsibility or liability for any damage, loss or expense incurred as a result of the reliance on information contained in this guide.

Copyright.
© Commonwealth of Australia 2023.
With the exception of the Coat of Arms and where otherwise stated, all material
presented in this publication is provided under a Creative Commons Attribution
4.0 International licence (www.creativecommons.org/licenses).

For the avoidance of doubt, this means this licence only applies to material
as set out in this document.

The details of the relevant licence conditions are available on the Creative
Commons website as is the full legal code for the CC BY 4.0 licence
(www.creativecommons.org/licenses).

Use of the Coat of Arms.
The terms under which the Coat of Arms can be used are detailed
on the Department of the Prime Minister and Cabinet website
(www.pmc.gov.au/government/commonwealth-coat-arms).

For more information, or to report a cyber security incident, contact us: cyber.gov.au | 1300 CYBER1 (1300 292 371).
