Data centre and managed services providers that handle government data will be subject to more stringent assessment under a new strategy released by the Digital Transformation Agency.
The hosting strategy, released on Friday after more than a year of development, reveals a new certification framework will be introduced to mitigate data sovereignty, supply chain and data centre ownership risks.
The hosting certification framework will be developed and administered by a new Digital Infrastructure Service to be established within the DTA, which will oversee data centre certification and network infrastructure management across government.
It will allow the Service to “assess and measure supply chain risks presented by hosting providers, and outline standards, measures and timelines to achieve the government’s desired hosting standards”.
As part of the framework, data centre providers on whole-of-government panels will be split into two camps “based on the degree of sovereignty assurance they provide to government”.
‘Certified Sovereign Data Centre’ will be the highest level of assurance, requiring providers to “allow the government to specify ownership and control conditions”.
‘Certified Assured Data Centre’, on the other hand, will “safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile”.
“Depending on their business requirements, agencies will stipulate their preference for certified sovereign or certified assured facilities when going to market for hosting services,” the strategy states.
“Agencies must ensure that services hosted by third parties, such as managed services providers, also comply with the above assurances.”
The DTA has also stipulated that protected-level and whole-of-government systems must be hosted in a data centre with either of the two certifications.
The intention here is to give agencies and industry the “confidence” that hosting arrangements in each part of what is often a complex ecosystem of technology services meet government criteria.
“The more complex the supply chain, the more difficult it becomes for agencies to manage risks,” the strategy states, using the example of a hosting provider that provides a hosting service to an agency over telco infrastructure leased from a third party.
Minister for Human Services and Digital Transformation Michael Keenan said the strategy and new framework provided a “clear and coordinated approach to hosting of government data” for the first time.
“Having these standards in place will build greater confidence in the quality of infrastructure and cloud hosting service investment decisions,” he said.
Digital Infrastructure Service
In addition to administering the framework, the DTA’s Digital Infrastructure Service will provide advice to agencies around assessing “risk appetite” and implementing “appropriate data protection controls”.
This includes creating new procurement guidelines to help agencies procure products and services faster.
“Agencies will be able to order network, compute and storage services through these arrangements,” the strategy states, adding that centralised arrangements will be leveraged where this makes sense.
But the strategy also indicates that agencies will “continue to have the autonomy to select the best hosting arrangements for their requirements”.
The hosting strategy also foreshadows expansion of the Intra-government Communications Network (ICON) to “enable data in transit to logically reside within a broader security boundary”.
The Digital Infrastructure Service will look at the network as part of its investigation of “telecommunication networks connecting certified data centres”.
“Certified data centres should have a capacity to be connected through a telecommunication connection with an ICON-like costing model,” the strategy states.
“This model would decrease telecommunication costs associated with data transmission.”