The nation’s National Cyber Security Adviser and deputy director-general of the Australian Signals Directorate Alastair MacGibbon says he is “very, very satisfied” with risk mitigation measures deployed by Microsoft in relation to its just-announced Azure and Office 365 ‘Protected’ services.
The seemingly radical change in government cyber policy in relation to its cloud accreditation program has been a hotly discussed topic at the Australian Cyber Security Centre conference in Canberra this week.
Both users and service providers are waiting to see specific instructions in the ASD ‘Consumer Guides’ for government to better understand the changes.
It is understood that the Microsoft arrangement would allow non-citizens who do not have the relevant Australian Government security clearance to work on systems that hold government Protected data for the first time – and from outside of Australia.
It is similarly understood that Microsoft’s Protected level services would not need to be housed on physically separate, air-gapped servers.
The accreditation and subsequent ‘Consumer Guide’ have shocked other Protected level cloud service providers. At least one is seeking clarification from the ASD about the new measures, and says that if there are now two standards for ‘Protected’ status, it will seek to start offering a less expensive service with less stringent security requirements.
But Mr MacGibbon says the government is satisfied with the mitigation measures put in place by Microsoft, and flatly rejects the suggestion that security standards had been lowered to accommodate the company – a suggestion being openly made on the ACSC conference exhibition floor.
Mr MacGibbon would not discuss what measures Microsoft had put forward to mitigate the offshore dev-ops access issue, but said he had been satisfied that particular risk had been mitigated.
“Without going into detail – and I want to make very, very clear that we will not go into the details [publicly] of the arrangements we have with any company in terms of risk mitigation – what I will say is that I am satisfied that that risk has been mitigated,” Mr MacGibbon told InnovationAus.com.
“I am not going to say whether those [Microsoft] employees have access or not. What I am saying is that risk has been mitigated. That’s a very important thing.”
“I come from a background where insider threats can come from inside a jurisdiction or outside a jurisdiction, and we would be naïve to think that you can mitigate all risk through one single control … that there are a series of controls,” he said.
“I am very, very satisfied that the controls are in place to mitigate the risks associated with Microsoft.”
“The [government] data associated with Azure and Office 365 resides in Australia. It’s that simple. That’s where the servers are.
“Now you can store data in one place and access it in another, that’s a different question. The data associated with the Australian Government is in Australia. I am satisfied that there are mitigations in place on a whole range of threat vectors, one of which is where staff are located.”
Mr MacGibbon flatly rejected the suggestion that the government had sought “a big player” to join the four local ‘Protected’-level cloud service providers. Until Microsoft was given ‘Protected’ status ten days ago, the only providers were Macquarie Government, Vault Systems, Dimension Data and Sliced Tech.
“My job and the job of my team is to de-risk as best we can while allowing government businesses to undertake their activities,” Mr MacGibbon told InnovationAus.com.
“I don’t care how big the player is. I care about what risk mitigations they can put in place,” he says. “There is no risk trade-off that says ‘we want a really big player and therefore we will lower standards’.”
“Big player or small player, I don’t care, show me the mitigations of the various threat vectors. Any implication – and I hear these implications – that because [Microsoft] is a big player that we’ll take a detour in terms of madness. Because our whole job is to mitigate risk.”
Mr MacGibbon said the significant changes to the structure of the Australian Government’s cyber security infrastructure would ultimately make it more responsive to threats, enabling government users to be more flexible in service delivery.
Under the changes, the Australian Cyber Security Centre and the CERT move into ASD, which becomes an independent agency within Defence, with Mr MacGibbon, as deputy director-general, becoming Head of the ACSC.
Politically, the cyber portfolio was promoted to full ministerial level under the Minister for Law Enforcement and Cyber Security, Angus Taylor. It was previously a parliamentary secretary role, albeit within the Prime Minister’s portfolio.
“The government has made its intent really clear, that it wants to move operationally much faster and to be way more ambitious in terms of what we can do to protect Australia.”