New rules protecting data centres
The Australian Government is making tough calls around the technology supply chain.
Trust within a technology supply chain is built from the ground up with transparency, accountability and assured capability. And the process of assuring that trust has become critical to the functioning of our governments and our enterprises, all of whom rely on technologies that are increasingly deployed in vast data centres and cloud services.
Data centres and the cloud services that run within them are quickly becoming the platforms for Australian Government and national critical infrastructure. They underpin the systems that we trust daily for essential activities from border protection to banking, from medical records to social welfare payments. Without the secure, reliable operation of these systems, the health and safety, economic prosperity, productivity and the national security of Australia could suffer.
Last week, with the introduction of the whole of government Hosting Strategy, the Australian government created a new bar for how trust is assured in those systems by requiring Australian ownership and sovereign controls for facilities holding sensitive Australian government data.
This is a positive development that fills a gap in the existing requirements and addresses a risk that has been highlighted by security experts. That is the risk of computer systems and services handling highly private and security sensitive data being stored within data centres that cannot be assured to remain under Australian sovereign control. The government has recognised these data centres have become in effect national critical infrastructure and risks of their compromise have become a matter of national security.
In 2018, in the Weekend Australian, Peter Jennings, Executive Director of the Australian Strategic Policy Institute, said: “the only definitive way to deal with these risks is to make the tough calls as to who can and can’t own the assets. Legal restrictions on how data is used and stored and who has access to operating systems won’t be all that effective in a national security crisis or stop a hostile intelligence service — the damage will have been done by then.”
The Australian Government is making those tough calls.
The Hosting Strategy announced by Minister Keenan establishes a Digital Infrastructure Service and Certification Framework to recognise two classes of data centres: Sovereign and Assured. Sovereign data centres have the highest level of assurance and enable the government to specify ownership and control. A lower tier of Assured data centres have safeguards against transfer of control, with penalties or incentives that would minimise transition costs if the data centre ownership was transferred.
This policy is not only about the physical facilities of data centres, it also relates to the managed services and cloud services deployed within those facilities. In December 2018, the Australian Signals Directorate along with security agencies in the Five Eyes intelligence community took the unusual step of attributing a global hacking campaign that specifically targeted the managed service provider supply chain of government.
That is why under these new requirements, government organisations and their suppliers handling protected data in a government system, managed service or cloud service must assure themselves of both the information security certification of the cloud service and the data centre certification. Trust must be demonstrated in the whole supply chain from the foundations up.
As Australian governments work to build trusted markets for digital innovation and drive programs of digital transformation, this parallel focus of strengthening the security and resilience of technology foundations is vital. Innovation on trusted platforms can lower the barrier to entry into Government business for many technology small and medium businesses, as they receive the flow on benefits of the investments in assurance and security of the cloud service and the data centre provider.
In 2018, recognising the growing need for this supply chain assurance, Microsoft and CDC formed a strategic partnership to deliver Microsoft Azure hyperscale cloud from highly secure, sovereign data centres in Canberra. From within these sovereign facilities in Canberra on the Microsoft Azure cloud, an ecosystem of Australian companies are building and delivering applications to Australian government first and then growing into a global market.
Greg Boorer is CEO, Canberra Data Centres and James Kavanagh is Azure Government Engineering Lead, Microsoft
Collaborate to lure skilled migrants
Navigating Australia’s new immigration system, introduced in March 2018, has been challenging for business.
People key to digital evolution
Australian organisations are leaning too heavily on the technology when they should be focused on people.