Security has superseded data centre consolidation as the primary focus of the Federal government’s hosting strategy.
Alongside the recently released Sourcing, Platforms and Digital Capability Strategies, the Digital Transformation Agency’s (DTA’s) new whole-of-government (WofG) Hosting Strategy is intended to supplement the 2010-2025 Australian Government Data Centre Strategy in light of the explosion of the cloud market and cyber security threats.
The former strategy, released by then Minister for Finance Lindsay Tanner, focussed on consolidation of the data centre ecosystem with the goal of driving down costs.
The new Strategy addresses several themes emergent in the contemporary public sector ICT environment, noting the adoption of hybrid cloud, the need to reduce duplication, “leveraging” WofG panels through economies of scale, and attempting to foster a proactive attitude towards cyber security risk assessments within agencies.
A “Digital Infrastructure Service” (DIS), to be established within the DTA, will be tasked with assessing supply chain, data centre location, ICON or dark fibre security.
The DIS will assess data centres through the establishment of a Hosting Certification Framework. The framework will allow for foreign ownership and control of data hosting and in the supply chain after a risk assessment. As many cloud and data centre technologies are embedded within the global digital economy, this is to ensure “business continuity”; the Hosting Strategy will thus reuse existing policies wherever possible.
The Hosting Strategy is to be delivered in three ‘Horizons’, with Horizon 1 beginning immediately to “establish strategic governance” and re-evaluate data centre contracting arrangements. Horizon 2 (2019-2020) will establish the DIS and formalise a framework to address risk in supply chains and third-party suppliers. Horizon 3 (2020-2022) will focus on expanding the remit of the DIS and maturing framework certification processes.
However, the major difference appears to lie in the introduction of two data centre categories. The “Certified Sovereign Data Centre” category will allow the federal government to “specify ownership and control conditions” for centres in this category. The lesser-rated “Certified Assured Data Centre” will be subject to financial penalties if sovereignty of data is compromised through a change of ownership or supply chain control. These fines are intended to reimburse the agency's cost of transitioning sensitive data if required in such a case.
Canberra’s data centre market is dominated by local provider Canberra Data Centres (CDC), which meets a number of federal agencies' cloud and data hosting needs, including PROTECTED level information. Intermedium’s data shows that CDC has received the largest share of contracts over the last five years through the two WofG data centre services panels: Data Centre Facilities Supplies Panel (Panel 2) (SON2402841) and SON38369.
CDC CEO Greg Boorer told Computerworld that its current operations would likely be rated Certified Sovereign, the highest level of governmental assurance.
Hyperscale cloud offerings for government have grown significantly in recent years, with Microsoft Azure and Office 365, and Amazon’s AWS platforms now approved for dealing with PROTECTED-level information on the Australian Signals Directorate’s Certified Cloud Services List. As more agencies move towards cloud systems hosting sensitive information, clear guidelines on hosting data on systems which may contain foreign-owned or controlled components will become more necessary.