Insights

17/04/19

Long-awaited security certification introduced for data centres

The Australian government has announced the ‘Whole-of-government Hosting Strategy’ (the hosting strategy), which introduces a certification framework for data centres. Once implemented, it is envisaged that the hosting of Australian government classified data will only be permitted in data centres that meet certain certification requirements.

Background

To date, cloud service providers who host government data classified as PROTECTED are required to meet particular security standards and certifications. However, that certification regime does not address data sovereignty concerns where such data is hosted by those cloud service providers in third party data centres. In particular, it does not address the data sovereignty risk that potentially arises where the location of, or control over, the data centre changes.

This kind of situation arose in 2017, when the parent company of data centre operator Global Switch was taken over by a Chinese consortium. At the time, Global Switch hosted classified data belonging to the Australian Department of Defence. Following the takeover, the Department of Defence terminated its contract with Global Switch and set out a plan to move its data into a government-owned facility by 2020. This move was estimated at the time to cost the government up to $200 million.

A new certification framework for data centres

The new certification framework will require data centres to comply with particular standards, measures and timelines to achieve the government’s desired hosting standards. It will require providers to give assurances (which will also cover entities in their supply chain) on matters relating to foreign ownership, being subject to foreign law, and relocation outside Australia.

Data centres that host data classified at the PROTECTED level, or that are part of whole-of-government panel arrangements, will be certified based on the degree of sovereignty assurance they provide to the government. Two levels of certification will be available:

(1) a “certified sovereign” facility: this is the higher level of assurance, as it allows the government to specify ownership and control conditions within a data centre; and

(2) a “certified assured” facility: this level implements financial penalties or incentives aimed at minimising the transition costs borne by the government in the event of a change of control or ownership of the data centre.

Government agencies will nominate which level of certification is required when going to market for hosting services.

Next steps

The new certification framework is currently being developed by the Digital Transformation Agency, in collaboration with other agencies. It will form part of a wider set of reforms being developed by the Australian government to improve the way that data, including “high-value” data, is stored and managed by the government.

Article authors: Technology + Digital Partner Andrew Hii and lawyer Rosalind Moffatt