Microsoft staff based overseas will have access to servers in Australia where top-secret government data is stored on the company's Azure cloud service.

But they will not have direct access to the data. Additionally, different classes of government data will be stored on the same server, separated only by software controls.

This much has emerged from a Senate Estimates hearing last week, during which Greens digital affairs spokesman Senator Jordon Steele-John grilled National Cyber Security Adviser, Alastair MacGibbon, at length, about aspects of security surrounding the Microsoft Azure cloud service.

Last month, Microsoft was announced as having gained Protected cloud status for its Azure and Office 365 services. Questions were raised about the certification after the Australian Signals Directorate issued a consumer guide containing a number of fiats about the services. Both Labor and the Greens, when approached, said they would seek further information about the certification.

Senator Steele-John's questions were asked in this context, but MacGibbon did not answer any of his rather pointed queries directly.

In response to a query as to whether top-secret government data would be able to be accessed by Microsoft staff overseas, MacGibbon went round in circles, before finally indirectly answering the question.

"Not necessarily", was his take when Senator Steele-John pressed him on whether all Microsoft staff accessing these systems would have to be physically located in Australia. And he added, "It depends on the architecture and it depends on the mitigations in place in an architecture, and the policies and procedures."

MacGibbon, who has staunchly defended Microsoft's being awarded Protected status from the time it was announced, drew a distinction between having access to physical systems and the data they stored.

After another exchange, MacGibbon said all Microsoft staff who had access to top-secret Australian Government data would need to be cleared by the Security Vetting Agency.

At one stage, Senator Steele-John asked: "Have all standards been removed and replaced by what you personally consider to be satisfactory, Mr MacGibbon?" to which MacGibbon responded: "Not at all."

Senator Steele-John pointed to the case of the other four cloud providers - Dimension Data, Sliced Tech, Vault Systems and Macquarie Government - and said any staff of these companies that had access to systems that stored this class of data would need to be physically present in Australia.

He asked whether, if he was contacted by a company that was seeking to gain Protected cloud status, he should tell the entity: "...that the goal is to meet the standard or to satisfy yourself (MacGibbon)?"

MacGibbon said the way that risks were mitigated by the different companies that had gained Protected status differed, depending on the technology they used, on the architecture and on the mitigations in place in an architecture, and policies and procedures.

Later, MacGibbon was marginally clearer with his response, when Senator Steele-John asked again whether Microsoft staff who had access to top-secret government data would need security clearance from the Australian Government Security Vetting Agency.

To this, MacGibbon replied: "Yes, but can I say that the 'yes' is a simple answer to what is a more complex question. The line of questioning you were pursuing related to access to data. And there is a difference between access to data and access to systems. You might do something to a system but not gain access to data.

"I'm satisfied that people who will have access to data in Australia, and the Microsoft staff — again, without going into the way Microsoft has architected its infrastructure, because each of the ways in which these now five companies and 11 companies in the unclassified space have certified is a matter between the cyber security centre and those companies, and I don't want to breach that confidentiality —but I'm satisfied that the staff who will have access to data are cleared by AGSVA, yes."

Later Senator Steele-John asked about the physical separation of unclassified and classified data. "...The practice inside the government has been for protected classified data to be kept on completely physically separate systems and infrastructure. So I'd like to ask you if it is true that Microsoft cloud will have protected and less-sensitive data on the same physical infrastructure separated only by software controls?"

MacGibbon responded: "This the first time that we are moving from what's known as a community cloud, where it's a government community and only government data, held on what you would loosely call bits of tin, and a true hyperscale public cloud in the case of Microsoft, yes."

This had to be clarified again, with Senator Steele-John asking, " Right. So the answer to that question is yes?" and MacGibbon responding "Yes."

When Senator Steele-John then ventured to ask about processor vulnerabilities which made it possible for data to be exfiltrated across software boundaries, MacGibbon said this would pertain to his other role, as head of the Australian Cyber Security Centre, and that the ongoing hearing was not the right place to raise this issue.