Data centre ownership faces heightened scrutiny from government

The federal government’s Digital Transformation Agency plans to develop a new certification framework that will assess the risk presented by hosting providers that handle government data.

A new Digital Infrastructure Service will sit within the DTA and have as part of its mandate reducing risks relating to data sovereignty and the ownership of data centres, including the cost to government if changes in ownership alter the risk profile of a hosting provider.

Data centre providers that are part of whole-of-government panel arrangements will have to be certified “based on the degree of sovereignty assurance they provide to government,” according to a new hosting strategy published today by the DTA.

There will be two levels of certification relating to ownership and control assurances.

“Certified Sovereign Data Centre” will be the highest level of assurance and will be granted to providers that allow the federal government to specify ownership and control conditions.

The second level — “Certified Assured Data Centre” — will “safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile.”

“Depending on their business requirements, agencies will stipulate their preference for certified sovereign or certified assured facilities when going to market for hosting services,” the strategy states.

“Agencies must ensure that services hosted by third parties, such as managed services providers, also comply with the above assurances.”

The strategy says that whole-of-government systems or those that handle data classified at the Protected level “must be hosted in a certified sovereign or certified assured data centre.”

“This strategy will ensure that we have a trusted, secure hosting ecosystem, including data centre and network infrastructure, and our services can rely on data being safe and secure throughout the supply chain,” said human services and digital transformation minister Michael Keenan.

“This is the first time the Australian government has had a clear and coordinated approach to hosting of government data that recognises data security and sovereignty are key enablers for delivering services digitally,” the minister said.

“Having these standards in place will build greater confidence in the quality of infrastructure and cloud hosting service investment decisions.”

When an agency “is using a hosting provider and the hosting service is provided over telecommunications infrastructure leased from a third party”, the agency cannot control whether the infrastructure “becomes wholly or partially foreign-owned/controlled”, “is governed by a contract subject to elements of foreign law”, or “is re-located to a physical location outside Australia,” the strategy states.

The announcement was welcomed by Vault Cloud, an Australian cloud services provider that operates solely in the government market.

“Mandating Australian cloud infrastructure sovereignty requirements is an important step in stopping overseas countries accessing sensitive government data” CEO Rupert Taylor-Price said.

“Unless a government cloud is fully Australian owned and operated it can be subject to the laws of other countries,” the CEO said.

“The new policy strengthens the Australian Signals Directorate’s mandate that clouds must be located in Australia for security reasons.”

The Certified Cloud Services List established by the Australian Signals Directorate includes both local companies and a number of international cloud service providers with local data centres.

Microsoft and Amazon Web Services were two of the original members of the CCSL, and both cloud service providers now have a number of offerings certified for use with classified government data.