Home Affairs denies Microsoft in breach of Signals Directorate conditions

Australia's Cyber Coordinator Alastair MacGibbon, appearing before Senate Estimates in his policy capacity, in which he reports to the Secretary of the Department of Home Affairs, has said he is confident the data on Australians is safe in the hands of Microsoft, despite the Washington-headquartered company having staff scattered around the globe.
Microsoft in April received accreditation from the Australian Signals Directorate (ASD), allowing it to store highly classified government information up to "protected" level on its Office 365 platform and specific Azure services.
Protected-level certification for cloud services is currently the highest security level approved by the ASD on its Certified Cloud Services List (CCSL).
Microsoft became the second international player awarded the certification, and the fifth on the CCSL, with Sliced Tech and Vault Systems receiving the certification in March last year, followed by Macquarie Government, part of the Macquarie Telecom Group, receiving accreditation in September, and NTT-owned Dimension Data in February.
Prior to this, Microsoft in June received accreditation from the ASD that saw Australia's intelligence agency formally certify 50 of the company's services on the ASD CCSL across Azure and Office 365.
At the time, Microsoft Azure engineering lead for Australia James Kavanagh, as the company's Australian national technology officer, was asked by ZDNet how the local arm of the company intended to receive protected-level certification, given that one of the requirements of such accreditation is that the company have all staff and datacentres located within Australian boundaries.
Kavanagh said there were services "coming downstream" to allow government organisations to "go beyond" just the unclassified data route.
Redmond's classification, in part, comes via a loophole in the form of a partnership with Canberra Data Centres.
Facing Senate Estimates on Tuesday, MacGibbon was asked by Australian Greens Senator Jordon Steele-John whether the information stored on the Australian instance of the Microsoft Azure Cloud will be able to be accessed by overseas staff.
"I am satisfied that Microsoft Azure, in its protected form as certified by the Signals Directorate -- or the Australian Cyber Security Centre within the Signals Directorate -- will be stored in Australia," MacGibbon told the Senate Legal and Constitutional Affairs Legislation Committee on Tuesday.
"Data can reside anywhere in the world, you can demand data stay in Australia but it doesn't always make it more secure that it's in a particular geography ... it's good that we hold data in Australia, that means that data comes under Australian law, that means that agencies and others have more access to it and other country's agencies theoretically don't have access to that data."
MacGibbon, refusing to answer specifically if Microsoft staff overseas could access data located in Australia, said he is satisfied that the Microsoft staff that will have access to data will be "appropriately cleared".
"I'm satisfied that Microsoft will be storing data in Australia but just because data is stored in Australia doesn't necessarily make it secure," he continued.
"There are confidential discussions between the Australian Cyber Security Centre and a private company that has been worked with for years by the Signals Directorate and the Cyber Security Centre, as it does with all companies that eventually receive protected status."
When asked specifically if the ASD requires the provider to be based in Australia to be CCSL approved, MacGibbon said "not necessarily".
"It depends on the architecture and it depends on the mitigations in place in an architecture, and the policies and procedures -- it's important that I clarify it -- therefore it's not as black and white as some people would portray it," he said.
"I am satisfied that for all intents and purposes the Microsoft Azure Cloud as certified meets all of the standards required, that are met by the other companies.
"There is no particular prescribed way to meet those standards, so long as the risk is mitigated, I'm satisfied. And I'm very satisfied that the risk to the Australian government, in relation to the particular cloud provider you're referring to, is well-met."