Microsoft has welcomed a move by the government to introduce a certification scheme that will confine the hosting of classified data to data centres that meet certain ownership criteria.
The government’s Digital Transformation Agency (DTA) last week unveiled its hosting strategy. A key component of it is a two-level certification system.
To be certified as a ‘Sovereign Data Centre’ a facility’s owner will have to allow the government to set out certain ownership criteria for it. Certification as an ‘Assured Data Centre’ will require agreement to yet-to-be-specified financial penalties or incentives if there is a change in ownership or control of a facility.
The aim of the strategy, the government said, is to address supply chain risks as well as minimise the costs incurred if a change in ownership requires an agency to transition to a new facility.
In 2017 the ABC reported that the Department of Defence intended to stop using Global Switch’s Sydney facilities after a Chinese consortium took a significant stake in the company. The Defence decision came despite the government allegedly imposing a number of conditions on the data centre operator as part of the deal, the ABC reported.
Under the new strategy, data centres that host data classified at the PROTECTED level or host whole-of-government systems will be required to be Certified Sovereign or Certified Assured. The hosting requirements will also apply to managed services providers used by government agencies.
“We’re very much welcoming this announcement,” said Microsoft Azure engineering lead for Australia and New Zealand, James Kavanagh. The strategy recognises “data and data centres as having critical importance to national security and to critical infrastructure,” he said.
The announcement provides “clarity” by recognising supply chain vulnerabilities as potentially having serious consequences, he added.
“We believe it’s important to be very transparent and have a lot of accountability in the supply chain right the way from the ground-up — from the data centre upwards into cloud services.”
The new strategy, which will be overseen by a new Digital Infrastructure Service within DTA, “fills a gap that has previously existed in terms of policy and requirements.”
Microsoft last year launched two Canberra Azure regions that cater exclusively to government entities (at all levels) and their partners. A range of the company’s cloud services have been listed on the Australian Cyber Security Centre’s Certified Cloud Services List (CCSL) for use with PROTECTED data.
Microsoft’s Australia Central and Australia Central 2 regions are based in facilities owned by Canberra Data Centres (CDC).
CDC CEO Greg Boorer said that the company had for a long time anticipated increased scrutiny of data centre ownership.
CDC, which hosts Microsoft as well as three of the other five CCSL-listed cloud providers that offer PROTECTED services, was jointly acquired in 2016 by Commonwealth Superannuation Corporation and New Zealand’s Infratil. That process involved extensive engagement with the government, including the Foreign Investment Review Board, Boorer said.
“We understood that there were a number of significant sensitivities around the ownership of data centres emerging, which have really accelerated in recent years with the proliferation of cloud services and more government workloads going in that direction, as well as managed services,” he said.
“It’s one thing to have all of that new platform layer over the top being certified, but the missing link was always the foundation layer which supports those platforms and the huge amounts of data that are beginning to flow across them.”
“There was nothing really that protected that foundation from being swapped out or sold out from underneath cloud service providers or managed service providers that deliver services to government,” Boorer said.
Two years ago as part of the sale process, CDC “preemptively and voluntarily” put change of control provisions in place.
As a result, the data centre operator needs to keep the government informed of any potential or actual change of control events. The government can approve or veto a change of control event if it feels it is not in the national interest, the CEO said.
“It’s put us in a very healthy position with regards to doing business with government but also for partnering with the likes of Microsoft,” he said.
It has “given everybody a lot of confidence the significant investment in time, money and effort to transform services onto these modern platforms couldn’t be negatively impacted by something outside of their control.”
Previously, engagement with government around data centre ownership “happened in the background” but the new certification framework will mean it’s “all transparent and front and centre.”
CDC will still have to undergo a formal certification process as part of the new framework, and the details of the requirements to achieve Certified Sovereign and Certified Assured have not yet been released by the government. Boorer is confident, however, that Certified Sovereign will be aligned closely with the work CDC has already done.
Kavanagh told Computerworld that although Azure’s PROTECTED certification extends beyond the two Canberra regions, Microsoft has always expected to see the most sensitive government systems and whole-of-government systems deployed in the ACT data centres.
Although the detail of the new certification scheme is not yet available, he said Microsoft is “very confident” that the Canberra facilities will meet the Certified Sovereign requirements.
“We have to really wait for the detail to see how we will address those requirements in Sydney and Melbourne,” he said. However, he said that Microsoft takes confidence from the DTA deployment of Office 365 and the uptake by government of Azure across the service’s Australian regions.
“We’re confident we can address the requirements but we’re extremely confident and quite sure of the ability to address the highest tier of sovereign requirements here in Canberra,” he said.
CDC expands to Sydney
Boorer said that CDC, which until now has only operated in the ACT, is “making significant investments” in Sydney. CDC has purchased the site of the former HP Aurora data centre at Eastern Creek. The site includes 15 hectares of land and CDC is developing more than 40 megawatts of data centres on it, with room to expand to 120MW.
“We are getting in front of this with regards to providing optionality to our existing clients outside of our historical geography in Canberra,” the CEO said.
The first tranche of capacity — 13MW — will come online next month, based on a brand new fitout of half of the Aurora facility. CDC will then build a series of 25-30MW data centres on the site. The first one is already under construction and expected to come online in around 12 months.
Boorer said the expansion was “very, very exciting”.
“There’s already an incredible amount of interest because there’s nothing like CDC in the Sydney geography — but there are a lot of organisations both in Canberra and in Sydney that have welcomed our extension of the secure, sovereign CDC ecosystem that government has enjoyed and experienced for so long into Sydney,” he said.