Cloud computing for government, an IRAP-aligned Azure data platform

The data a government agency holds but can’t safely join up

A state government agency runs on data that lives in systems built across three decades. A grants system here, a licensing register there, a case-management application that has outlived two restructures, and a finance platform nobody wants to touch. Each holds part of the picture. None was designed to share it. When a minister asks a question that spans them, the answer means someone exporting spreadsheets, reconciling them by hand, and hoping the versions match.

The pressure to join that data up keeps growing. Agencies are expected to report faster, share data between programs, and answer freedom-of-information and parliamentary requests with current numbers. At the same time the bar for protecting that data has risen sharply. The Australian Signals Directorate’s ACSC Essential Eight sets baseline mitigations, the Information Security Manual (ISM) sets the controls, and an IRAP assessment checks the system against them. Personal information sits under the Privacy Act 1988 and the relevant state privacy legislation, and the public expects records to stay in Australia.

That is the bind. The quick way to join the data up is to open the old systems and pull everything into one place, which is exactly the move that weakens security. The secure way looks harder and slower, so it gets deferred. Meanwhile the manual reconciliation continues, errors creep in, and the agency makes decisions on data it cannot fully trust.

Why Microsoft Azure, and the security built into it

The right platform here is Microsoft Azure, and the reason is the combination of an Australian footprint and the security tooling an agency must satisfy anyway. Azure runs in Australian regions, so the data stays onshore and data sovereignty holds. It carries the certifications and controls that map onto the ISM, and its identity, networking and logging services are the raw material of an Essential Eight-aligned build. We headline Azure because it lets us meet the security bar with the platform’s own tools rather than bolt protection on afterwards.

Security is designed in, not added later. Identities and access run through Microsoft Entra ID with multi-factor authentication and role-based access, so each person sees only the data their role allows. Data is encrypted in transit and at rest. Environments are segregated, with development kept apart from the data that matters, and network access is locked down to private pathways rather than the open internet. Power BI delivers the reporting on top, governed by row-level security so the same controls follow the data into every report. SQL Server, whether the agency’s existing instances or Azure SQL, holds the modelled, governed data the platform reports from.

We build this way over a quick lift-and-shift on purpose. Copying legacy systems straight into the cloud carries their old weaknesses with them and passes an IRAP assessment by luck rather than design. A platform built to the Essential Eight and the ISM from the first diagram has the controls, the logging and the segregation already in place, which is the difference between a system that is secure and one that merely runs in a secure-sounding place.

Building it, and where it got hard

The architecture is the easy part to draw. The friction lives where the new platform meets the old systems, and one problem stands in for the rest. The legacy systems.

Several of the agency’s systems pre-dated modern security entirely. They spoke old protocols, or they offered no real interface at all and only produced nightly flat-file exports onto a shared drive. The tempting fix is the dangerous one. Open a port, expose the old database directly, or drop the export files somewhere the new platform can read them, and the data flows in days. It also turns the integration into the weakest point in an otherwise secure platform, which is precisely what an IRAP assessor is looking for.

We did not expose the legacy systems. The fix was an integration layer that brokered their data through controlled, logged, least-privilege pathways. Each connection used a dedicated account with read-only access to only what it needed, every read was logged, and the data was encrypted in transit and landed in a segregated environment before anything touched it. The flat-file exports were collected over a secured, monitored channel rather than an open share, validated, then ingested. The old systems were never opened to the broader network. The result is that the agency got its data without the integration becoming the breach waiting to happen.

Two constraints shaped the rest. Change in a government environment is controlled, so deployments ran through reviewed, repeatable pipelines rather than manual edits, which also produced the evidence trail a later IRAP reassessment needs. And because some cloud services default to storing or processing data outside Australia, we confirmed the data residency of every service before it was used, and held backups and failover within Australian regions too.

What changed

In a representative build the agency moved from a patchwork of exports and manual reconciliation to one governed Azure platform that several legacy systems fed into. Reports that had taken days of manual extraction were available within hours of a refresh, on data the agency could trust as current and consistent rather than stitched together by hand. Every access to sensitive data was logged and tied to a named role, giving the agency an audit trail it never had when the data lived in scattered spreadsheets.

These figures are illustrative. They describe the pattern we see rather than a published result for a named agency. The shape is what matters. The data the agency already held becomes usable and shareable, the security and data sovereignty are built in rather than promised, and the platform is ready to stand in front of an IRAP assessor rather than hoping not to be asked.

Where this fits

A secure Azure data platform is one application of our Cloud Solutions and Integration service, built on Microsoft Azure, for the realities of Australian government. It suits an agency that holds valuable data across legacy systems and needs to join it up without weakening security or moving it offshore. If your reporting still runs on hand-reconciled exports and your old systems make integration feel like a security risk, the place to start is to map those systems and decide how their data can be brokered safely into one governed, IRAP-aligned platform.