Monday, 28 May 2018 09:13

Overseas Microsoft staff to have access to servers storing secret Australian data Featured

By

Microsoft staff based overseas will have access to servers in Australia where top-secret government data is stored on the company's Azure cloud service.

But they will not have direct access to the data. Additionally, different classes of government data will be stored on the same server, separated only by software controls.

This much has emerged from a Senate Estimates hearing last week, during which Greens digital affairs spokesman Senator Jordon Steele-John grilled National Cyber Security Adviser, Alastair MacGibbon, at length, about aspects of security surrounding the Microsoft Azure cloud service.

Last month, Microsoft was announced as having gained Protected cloud status for its Azure and Office 365 services. Questions were raised about the certification after the Australian Signals Directorate issued a consumer guide containing a number of fiats about the services. Both Labor and the Greens, when approached, said they would seek further information about the certification.

Senator Steele-John's questions were asked in this context, but MacGibbon did not answer any of his rather pointed queries directly.

In response to a query as to whether top-secret government data would be able to be accessed by Microsoft staff overseas, MacGibbon went round in circles, before finally indirectly answering the question.

"Not necessarily", was his take when Senator Steele-John pressed him on whether all Microsoft staff accessing these systems would have to be physically located in Australia. And he added, "It depends on the architecture and it depends on the mitigations in place in an architecture, and the policies and procedures."

MacGibbon, who has staunchly defended Microsoft's being awarded Protected status from the time it was announced, drew a distinction between having access to physical systems and the data they stored.

After another exchange, MacGibbon said all Microsoft staff who had access to top-secret Australian Government data would need to be cleared by the Security Vetting Agency.

At one stage, Senator Steele-John asked: "Have all standards been removed and replaced by what you personally consider to be satisfactory, Mr MacGibbon?" to which MacGibbon responded: "Not at all."

Senator Steele-John pointed to the case of the other four cloud providers - Dimension Data, Sliced Tech, Vault Systems and Macquarie Government - and said any staff of these companies that had access to systems that stored this class of data would need to be physically present in Australia.

He asked whether, if he was contacted by a company that was seeking to gain Protected cloud status, he should tell the entity: "...that the goal is to meet the standard or to satisfy yourself (MacGibbon)?"

MacGibbon said the way that risks were mitigated by the different companies that had gained Protected status differed, depending on the technology they used, on the architecture and on the mitigations in place in an architecture, and policies and procedures.

Later, MacGibbon was marginally clearer with his response, when Senator Steele-John asked again whether Microsoft staff who had access to top-secret government data would need security clearance from the Australian Government Security Vetting Agency.

To this, MacGibbon replied: "Yes, but can I say that the 'yes' is a simple answer to what is a more complex question. The line of questioning you were pursuing related to access to data. And there is a difference between access to data and access to systems. You might do something to a system but not gain access to data.

"I'm satisfied that people who will have access to data in Australia, and the Microsoft staff — again, without going into the way Microsoft has architected its infrastructure, because each of the ways in which these now five companies and 11 companies in the unclassified space have certified is a matter between the cyber security centre and those companies, and I don't want to breach that confidentiality —but I'm satisfied that the staff who will have access to data are cleared by AGSVA, yes."

Later Senator Steele-John asked about the physical separation of unclassified and classified data. "...The practice inside the government has been for protected classified data to be kept on completely physically separate systems and infrastructure. So I'd like to ask you if it is true that Microsoft cloud will have protected and less-sensitive data on the same physical infrastructure separated only by software controls?"

MacGibbon responded: "This the first time that we are moving from what's known as a community cloud, where it's a government community and only government data, held on what you would loosely call bits of tin, and a true hyperscale public cloud in the case of Microsoft, yes."

This had to be clarified again, with Senator Steele-John asking, " Right. So the answer to that question is yes?" and MacGibbon responding "Yes."

When Senator Steele-John then ventured to ask about processor vulnerabilities which made it possible for data to be exfiltrated across software boundaries, MacGibbon said this would pertain to his other role, as head of the Australian Cyber Security Centre, and that the ongoing hearing was not the right place to raise this issue.

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments