Federal agencies have a new guiding document to look at when they make decisions about paying companies to store data for them.
The new whole-of-government hosting strategy was announced on Friday, superseding the older data centre strategy that was published by the Department of Finance in 2010 with a nominal end-point of 2025.
Its centrepiece is a new “Digital Infrastructure Service” to be provided by the DTA, which involves security certification, advice to help agency leaders determine their risk appetite, management of procurement panels, development of “secure communication links for transfer of data across facilities” and central coordination.
Minister for Digital Transformation Michael Keenan said key aims were to improve security, privacy and the “resilience of data infrastructure” while also highlighting new certification standards that will apply to data hosting providers working with federal agencies.
In future, facilities that host “high-value government data” will need to be certified as either “sovereign” — the higher level — or “assured” data centres, depending on the needs of the agencies contracting their services. The new certification framework is still to be “developed in collaboration with agencies” according to the document.
“Certified Sovereign Data Centre represents the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions.
“Certified Assured Data Centre arrangements safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile.”
The new strategy is based around five principles:
- Hosting arrangements must be designed to ensure resilience and business continuity;
- Hosting arrangements must be founded on robust, risk-based assessments to ensure data sovereignty and supply chain integrity;
- Existing policies and certification processes should be used where appropriate;
- Where common hosting requirements are identified across the APS, centralised arrangements should be accessible and leveraged by agencies; and
- Government agencies continue to have the autonomy to select the best hosting arrangements for their requirements.
The DTA says agencies were on track to save taxpayers about $1 billion over the 15-year span of the old data centre strategy, as intended, but the following “emerging set of challenges” led to it being replaced several years early:
- emerging risks to the sovereignty of data held in Australian Government data centres;
- increasing risks to the sovereignty and security of the hosting supply chain;
- reducing transition costs associated with data centre ownership changes;
- encouraging innovative solutions from industry and agencies in a cost-constrained environment;
- delivering investment certainty to stakeholder agencies and industry partners; and
- taking advantage of emerging Software-as-a-Service (SaaS) solutions while simultaneously managing non-cloud ICT operations.
“The immediate issues to be addressed by the [new] strategy include the risks to data sovereignty, data centre ownership and the supply chain,” explains an overview from the DTA.
“This strategy provides clear policy guidance for agencies and industry and aims to create whole-of-government efficiencies. In the medium term, the strategy better positions government agencies and industry to adopt new technologies and services, fosters innovation and reduces the barriers and cost created by legacy systems.”
The minister said the DTA would also “work with industry to develop a genuine strategic partnership that recognises government as a single customer” for data hosting services.
“This is the first time the Australian Government has had a clear and coordinated approach to hosting of Government data that recognises data security and sovereignty are key enablers for delivering services digitally,” Keenan said.
“Having these standards in place will build greater confidence in the quality of infrastructure and cloud hosting service investment decisions.”