Home Affairs denies Microsoft in breach of Signals Directorate conditions

Senators are concerned that Microsoft has emerged with protected-level ASD certification, despite being located outside of Australia, with Alastair MacGibbon labelling the company a 'trusted' partner of government for many years.
Written by Asha Barbaschow, Contributor

Australia's Cyber Coordinator Alastair MacGibbon, facing Senate Estimates in his policy capacity, in which he reports to the Secretary of the Department of Home Affairs, has said he is confident the data on Australians is safe in the hands of Microsoft, despite the Washington-headquartered company having staff scattered around the globe.

Microsoft in April received accreditation from the Australian Signals Directorate (ASD), allowing it to store highly classified government information up to "protected" level on its Office 365 platform and specific Azure services.

Protected-level certification for cloud services is currently the highest security level approved by the ASD on its Certified Cloud Services List (CCSL).

Microsoft became the second international player awarded the certification, and the fifth on the CCSL, with Sliced Tech and Vault Systems receiving the certification in March last year, followed by Macquarie Government, part of the Macquarie Telecom Group, receiving accreditation in September, and NTT-owned Dimension Data in February.

Prior to this, Microsoft in June received accreditation from the ASD that saw Australia's intelligence agency formally certify 50 of the company's services on the ASD CCSL across Azure and Office 365.

At the time, Microsoft Azure engineering lead for Australia James Kavanagh, as the company's Australian national technology officer, was asked by ZDNet how the local arm of the company intended to receive protected-level certification, given that one of the requirements of such accreditation is that the company have all staff and datacentres located within Australian boundaries.

Kavanagh said there were services "coming downstream" to allow government organisations to "go beyond" just the unclassified data route.

Redmond's classification, in part, comes via a loophole in the form of a partnership with Canberra Data Centres.

Facing Senate Estimates on Tuesday, MacGibbon was asked by Australian Greens Senator Jordon Steele-John whether the information stored on the Australian instance of the Microsoft Azure Cloud will be able to be accessed by overseas staff.

"I am satisfied that Microsoft Azure, in its protected form as certified by the Signals Directorate -- or the Australian Cyber Security Centre within the Signals Directorate -- will be stored in Australia," MacGibbon told the Senate Legal and Constitutional Affairs Legislation Committee on Tuesday.

"Data can reside anywhere in the world, you can demand data stay in Australia but it doesn't always make it more secure that it's in a particular geography ... it's good that we hold data in Australia, that means that data comes under Australian law, that means that agencies and others have more access to it and other countries' agencies theoretically don't have access to that data."

MacGibbon, refusing to answer specifically if Microsoft staff overseas could access data located in Australia, said he is satisfied that the Microsoft staff that will have access to data will be "appropriately cleared".

"I'm satisfied that Microsoft will be storing data in Australia but just because data is stored in Australia doesn't necessarily make it secure," he continued.

"There are confidential discussions between the Australian Cyber Security Centre and a private company that has been worked with for years by the Signals Directorate and the Cyber Security Centre, as it does with all companies that eventually receive protected status."

When asked specifically if the ASD requires the provider to be based in Australia to be CCSL-approved, MacGibbon said "not necessarily".

"It depends on the architecture and it depends on the mitigations in place in an architecture, and the policies and procedures -- it's important that I clarify it -- therefore it's not as black and white as some people would portray it," he said.

"I am satisfied that for all intents and purposes the Microsoft Azure Cloud as certified meets all of the standards required, that are met by the other companies.

"There is no particular prescribed way to meet those standards, so long as the risk is mitigated, I'm satisfied. And I'm very satisfied that the risk to the Australian government, in relation to the particular cloud provider you're referring to, is well-met."

