Following the announcement this month, confirming the first three data centre providers to be awarded Certified Strategic Hosting Provider status and indication that an equivalent process will be initiated with cloud providers from September this year, now is perfect timing for a discussion on the meaning and relevance of sovereignty to the nation.
In a geo-political sense, we have begun to see the seemingly unfettered pace of globalisation slow and the pendulum swing back to more local considerations. This this has been driven in part, by national imperatives to protect citizens from the impacts of covid-19 as well as a growing realisation of the potential risks of not on-shoring data. A new language around ‘sovereign resilience’ has certainly become much more prominent over the last 12 months.
At AUCloud, with a mission to deliver the leading scalable, infrastructure-as-a-service sovereign to Australia supporting Governments and Critical National Industries (CNI), we give deep thought to what is meant by sovereignty in respect of data. We are especially sensitive to ensuring protection of Australian jurisdictional environments that enable our customers to have confidence in the confidentiality, availability and integrity of their data We reduce the data at rest risk through the use of Certified Strategic Data Centres and the data in transit risk through ensuring all metadata, monitoring data and all analytics data remains within Australia.
For those familiar with some of the previous blogs we have published on the concept of sovereignty, you will be aware of the two dimensions that we believe are critical to developing a sovereign capability: namely sovereign control and domestic capability. It is reassuring to see Government taking a similar approach.
Hosting Certification Framework
First, through the Hosting Certification Framework within the Whole-of-Government Hosting Strategy, the government is ensuring appropriate sovereign control of those data centre providers who are hosting data with a Protected classification; an approach which will shortly be extended to all providers of cloud and managed services.
Cloud Assessment and Authorisation Framework
Second, through the related Cloud Assessment and Authorisation Framework (CAAF), the government is ensuring (and ensuring confidence in) the capability of cloud IaaS, PaaS or SaaS providers. This is being done via a Phase 1 assessment by an IRAP assessor who compiles and collates, with a view to assessing, the necessary information and artefacts demonstrating the credentials and capabilities of the cloud service provider, followed by a Phase 2, Authorisation by a government agency that the cloud service achieves the Protected controls outlined within the ISM.
A key aspect of the CAAF, is to encourage the sharing across government of these Authorisation artefacts, which will speed up authorisation of cloud services across government, reducing costs and risks and ultimately increasing domestic capability in the delivery of digital services.
Combined, the Hosting Certification Framework and CAAF, will ensure that government has access to a breadth of domestic capability delivering a wide range of digital services, where data risks are minimised and sovereign control can be assured.
For cloud service providers with a genuine sovereign capability and commitment to sovereign control of data, this is a good place to be.