Microsoft is relying on a different architecture and mitigations to other homegrown cloud providers for its approval to carry protected Australian government data, but received no special treatment to become certified.
The head of the Australian Cyber Security Centre, Alastair MacGibbon, repeatedly told a Senate estimates committee yesterday he was “satisfied” with the way Azure met the standards for hosting protected-level federal data.
MacGibbon was forced to defend the April decision to certify Azure to carry protected government data.
Microsoft is the first hyperscale operator to achieve that level of certification.
But the Australian Signals Directorate (ASD) later published guidance that additional - yet to be developed - security controls were needed before agencies could push such workloads into Azure.
Such guidance is missing from other similarly classified products on the government’s Certified Cloud Services List (CCSL) - and has led to concerns over whether a different set of rules was used to certify Microsoft versus other cloud providers.
MacGibbon said he would “vigorously defend” against such suggestions.
While he said that Microsoft’s certification was dependent on it creating mitigations that were specific to Azure, he argued that every protected-level cloud provider on the CCSL met the standard differently.
“There is no particular prescribed way to meet those standards,” MacGibbon said.
“The ACSC has certified five providers [to protected status], four of whom may look very similar from the outside but when you pop the bonnet you’ll find they have all architected themselves differently depending on the hardware and software they’ve used.”
MacGibbon said that the other protected clouds - run by Macquarie Government, Dimension Data, Vault Systems and Sliced Tech - had all approached certification differently, with their own independent set of controls and mitigations.
However, it remained unclear why Azure’s controls and mitigations - or at least the status of their development - was separately called out.
One reason may be that Azure effectively introduces a new operating model for protected data.
Greens senator Jordon Steele-John confirmed with MacGibbon that the use of Azure is a departure from previous practice within government “to keep protected classified data on completely physically separate systems and infrastructure”.
Asked if it was true that Azure “will have protected and less sensitive data on the same physical infrastructure, separated only by software controls”, MacGibbon eventually confirmed that to be the case.
“This is the first time we are moving from what’s known as a community cloud - where it’s a government community and only government data held on what you would loosely call bits of tin - to a true hyperscale public cloud in the case of Microsoft Azure,” he said.
It was one of very few admissions on how Azure has been architected to meet the ASD standards.
MacGibbon largely claimed confidentiality over architectural and security control specifics, arguing the details were between the ACSC and Microsoft.
“There are confidential discussions between the ACSC and a private company that has been worked with for years by the ASD and ACSC, as it does with all companies that eventually receive protected status,” MacGibbon said.
“It’s not for me to go into each company’s architecture. That wouldn’t be appropriate for me to do.”
He eventually confirmed that Microsoft staff that worked with the protected instance of Azure would need to have appropriate Australian government clearances.
“I’m not wanting to go into the negotiation between the ACSC and a private company, [but] I’m satisfied the Microsoft staff that will have access to data - and all cloud providers by their nature, by the way cloud operates, are going to have potentially at least some access - will receive clearance,” he said.
Those clearances would be managed by the Australian Government Security Vetting Agency (AGSVA), as is standard practice.
But even so, MacGibbon noted there was some ambiguity around the issue of the clearances required.
“It’s a complex question,” he said.
“There’s a difference between access to data and access to systems. You might do something to a system but not gain access to data.
“I’m satisfied that people that will have access to data in Australia, and that the Microsoft staff who [work with the system will be vetted].”