Australian government agencies and critical industries should look closer at data sovereignty in light of new frameworks and legislation and COVID-related challenges, says AUCloud Managing Director, Phil Dawson.
This year, AUCloud became the first "authorised" organisation to provide secure Phase 2 cloud services under the Australian Cyber Security Centre’s Cloud Assessment and Authorisation Framework (CAAF).
Dawson says there is a heightened awareness of risk and how to manage it within government and critical national industries in the wake of the CAAF, introduced in July 2020, and the Hosting Certification Framework (HCF) introduced in March this year.
The CAAF mandate requires detailed information on company ownership and data movement and access across all data types, such as metadata, analytics and support data, not just customer data.
The HCF - applied to government-facing data centre providers and cloud providers - is designed to ensure all "direct and indirect" providers meet strict ownership and control conditions. For classified or whole-of-government data sets, this limits use to data centre or cloud service providers that are owned either by Australian entities or by entities from one of Australia’s Strategic Five Eyes partners (Canada, New Zealand, the United Kingdom or the United States), and whose management is controlled by individuals who meet Australian security vetting standards.
Together, the new standards are designed to prevent the transmission of government data overseas, and access by unknown or unauthorised personnel.
“The pendulum of globalisation has swung back towards localisation because of the growing recognition and understanding about the criticality of data in all its forms and the importance of having some sovereign control and determination over that,” says Dawson.
“Because if that data is transmitted overseas, if somebody is accessing it, that's a privacy issue. If they’re changing it, that's an integrity issue. If they’re doing something that makes it unavailable to you at a point in time, that becomes a service delivery issue.
“When you're dealing with services that are government related, whether it’s Centrelink or your vaccination status - it could be a whole range of things - then you've got to be concerned about that.”
According to Dawson, the three biggest hurdles for government pertain to procurement, security and an understanding of privacy.
“Few people understood the privacy one until the CovidSafe app came out, then everybody understood what privacy meant, at that point,” he says.
Amendments to the Security Legislation Critical Infrastructure Bill 2020 will bring security into even sharper focus. The amendments will increase from four to eleven the number of industries deemed critical under the legislation.
“If you get ransomwared and you haven't got immutable storage to read to recover from that, then you could find that two or three weeks of that is going to put you out of business. One of the reasons for the new legislation is to give government the authority to step into that situation in critical sectors,” Dawson says.
Organisations should consider the risk that the integrity of their critical data could be compromised without anyone ever knowing, he adds.
“For example, what if somebody came in and just changed all the genomic records in a database,” says Dawson. “So the entire basis on which we're medicating people is completely erroneous now, but the system is telling us it's accurate.”
Preparing for tomorrow
Deploying government-approved infrastructure that meets evolving Australian data sovereignty and security requirements is “one of the easiest ways to remove the bulk of the challenge”, Dawson says. “This leaves you to focus on the secondary element piece, which is what the software and analytics are doing.”
He recommends that organisations follow the CAAF. “Every company should look to meet the standards of the Cloud Assessment and Authorisation Framework because actually I genuinely believe that it is the best practice to mitigate risk of your data,” says Dawson.
AUCloud works with government, defence, and public sector agencies to develop and execute security strategies that are both CAAF and HCF compliant.
Dawson encourages government agencies to think about data more holistically. To him, there is no such thing as ‘government data’. Either directly or indirectly, that data is ours, he says. He calls it “citizen data”, and regards government as merely a custodian.
“It's our data,” he says. “And on our behalf, they should care. And in most cases they do care and they do think about it, and though they may have different motivations as to why, they are guided by these frameworks.
“AUCloud has built its business model around meeting and in fact exceeding those standards because our view of it is that what's good enough today is probably not going to be good enough tomorrow.”
Talk to AUCloud, Australia's sovereign cloud Infrastructure as a Service provider supporting Australian government, defence and critical national industry organisations.