The Federal Government has announced a new whole-of-government hosting strategy covering data centre facilities, infrastructure and data transmission.
The strategy, which will be carried out by the Digital Transformation Agency (DTA) as part of a larger digital transformation strategy, will first address "risks to data sovereignty, data centre ownership and the supply chain".
In order to reduce the risks, a new certification of facilities will be rolled out for data centre providers participating on whole-of-government panels, with the certification being based on the degree of sovereignty assurance they provide to government.
The strategy states that the more complex the supply chain, the more difficult it becomes for agencies to manage risks.
"Where an agency is using a hosting provider and the hosting service is provided over telecommunications infrastructure leased from a third party, the agency cannot control whether the infrastructure becomes wholly or partially foreign-owned/controlled; is governed by a contract subject to elements of foreign law; is re-located to a physical location outside Australia."
Two new certifications will be developed: the first will be the Certified Sovereign Data Centre, which will represent the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions.
The next will be the Certified Assured Data Centre, which is designated to safeguard against risks of change of ownership or control through financial penalties or incentives.
The strategy also revealed that Protected and whole-of-government systems must be hosted in a certified sovereign or certified-assured data centre.
Rupert Taylor-Price, CEO of Vault Cloud, which was one of the first providers to receive the Australian Signals Directorate Protected level of certification for cloud services, said the new strategy will benefit Australian-owned providers.
"Mandating Australian cloud infrastructure sovereignty requirements is an important step in stopping overseas countries accessing sensitive government data," Taylor-Price said. "Unless a Government cloud is fully Australian-owned and operated it can be subject to the laws of other countries."
"The new policy strengthens the Australian Signals Directorate’s mandate that clouds must be located in Australia for security reasons."
"It is timely and important that Government is formally acknowledging the criticality of data and information systems that underpin the security, productivity and social cohesion of this country," Greg Boorer, CEO of CDC Data Centres, told ARN via a statement.
"This strategy will go some way to improving the protection of data and systems that are critical to the safe and secure functioning of the foundational elements that underpin the sovereignty of the country now and into the future."
The DTA is already updating data centre panel contracts with ownership and control assurances. It is also investigating and developing relevant business cases for telecommunications networks that connect data centres, which can usually mean bigger costs for the Government.
Between now and 2020, it plans to develop the Hosting Certification Framework and undertake assessments, including initial certification of data centre providers and initial supply chain assessments.
From 2020 to 2022, it plans to mature the hosting certification processes along with the supply chain assessment processes and identify further opportunities for a centralised hosting service.
The whole-of-government hosting strategy can be found here.