Monday, 28 May 2018 09:13

Overseas Microsoft staff to have access to servers storing secret Australian data Featured


Microsoft staff based overseas will have access to servers in Australia where top-secret government data is stored on the company's Azure cloud service.

But they will not have direct access to the data. Additionally, different classes of government data will be stored on the same server, separated only by software controls.

This much has emerged from a Senate Estimates hearing last week, during which Greens digital affairs spokesman Senator Jordon Steele-John grilled National Cyber Security Adviser, Alastair MacGibbon, at length, about aspects of security surrounding the Microsoft Azure cloud service.

Last month, Microsoft was announced as having gained Protected cloud status for its Azure and Office 365 services. Questions were raised about the certification after the Australian Signals Directorate issued a consumer guide containing a number of fiats about the services. Both Labor and the Greens, when approached, said they would seek further information about the certification.

Senator Steele-John's questions were asked in this context, but MacGibbon did not answer any of his rather pointed queries directly.

In response to a query as to whether top-secret government data would be able to be accessed by Microsoft staff overseas, MacGibbon went round in circles, before finally indirectly answering the question.

"Not necessarily", was his take when Senator Steele-John pressed him on whether all Microsoft staff accessing these systems would have to be physically located in Australia. And he added, "It depends on the architecture and it depends on the mitigations in place in an architecture, and the policies and procedures."

MacGibbon, who has staunchly defended Microsoft's being awarded Protected status from the time it was announced, drew a distinction between having access to physical systems and the data they stored.

After another exchange, MacGibbon said all Microsoft staff who had access to top-secret Australian Government data would need to be cleared by the Security Vetting Agency.

At one stage, Senator Steele-John asked: "Have all standards been removed and replaced by what you personally consider to be satisfactory, Mr MacGibbon?" to which MacGibbon responded: "Not at all."

Senator Steele-John pointed to the case of the other four cloud providers - Dimension Data, Sliced Tech, Vault Systems and Macquarie Government - and said any staff of these companies that had access to systems that stored this class of data would need to be physically present in Australia.

He asked whether, if he was contacted by a company that was seeking to gain Protected cloud status, he should tell the entity: "...that the goal is to meet the standard or to satisfy yourself (MacGibbon)?"

MacGibbon said the way that risks were mitigated by the different companies that had gained Protected status differed, depending on the technology they used, on the architecture and on the mitigations in place in an architecture, and policies and procedures.

Later, MacGibbon was marginally clearer with his response, when Senator Steele-John asked again whether Microsoft staff who had access to top-secret government data would need security clearance from the Australian Government Security Vetting Agency.

To this, MacGibbon replied: "Yes, but can I say that the 'yes' is a simple answer to what is a more complex question. The line of questioning you were pursuing related to access to data. And there is a difference between access to data and access to systems. You might do something to a system but not gain access to data.

"I'm satisfied that people who will have access to data in Australia, and the Microsoft staff — again, without going into the way Microsoft has architected its infrastructure, because each of the ways in which these now five companies and 11 companies in the unclassified space have certified is a matter between the cyber security centre and those companies, and I don't want to breach that confidentiality —but I'm satisfied that the staff who will have access to data are cleared by AGSVA, yes."

Later Senator Steele-John asked about the physical separation of unclassified and classified data. "...The practice inside the government has been for protected classified data to be kept on completely physically separate systems and infrastructure. So I'd like to ask you if it is true that Microsoft cloud will have protected and less-sensitive data on the same physical infrastructure separated only by software controls?"

MacGibbon responded: "This the first time that we are moving from what's known as a community cloud, where it's a government community and only government data, held on what you would loosely call bits of tin, and a true hyperscale public cloud in the case of Microsoft, yes."

This had to be clarified again, with Senator Steele-John asking, " Right. So the answer to that question is yes?" and MacGibbon responding "Yes."

When Senator Steele-John then ventured to ask about processor vulnerabilities which made it possible for data to be exfiltrated across software boundaries, MacGibbon said this would pertain to his other role, as head of the Australian Cyber Security Centre, and that the ongoing hearing was not the right place to raise this issue.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments