Australian data sovereignty and protection concerns increase

Australian government agencies and critical industries should look closer at data sovereignty in light of new frameworks and legislation and COVID-related challenges, says AUCloud Managing Director, Phil Dawson.

This year, AUCloud became the first “authorised” organisation to provide secure Phase 2 cloud services under Australia’s Cloud Assessment and Authorisation Framework (CAAF).

Dawson says there is a heightened awareness of risk and how to manage it within government and critical national industries in the wake of the CAAF, introduced in July 2020, and the Hosting Certification Framework (HCF) introduced in March this year.

The CAAF mandate requires detailed information on data ownership and access across all types, such as metadata, analytics and support data, not just customer data.

The HCF – which is currently applied to government-facing data centre providers and will soon also apply to cloud providers – is designed to ensure all “direct and indirect” providers meet strict ownership and control conditions.

Together, the new standards are designed to prevent the transmission of government data to overseas data centres, and access by unknown or unauthorised personnel.

“The pendulum of globalisation has swung back towards localisation because of the growing recognition and understanding about the criticality of data in all its forms and the importance of having some sovereign control and determination over that,” says Dawson.

“Because if that data is floating overseas, if somebody is accessing it, that’s a privacy issue. If they’re changing it, that’s an integrity issue. If they’re doing something that makes it unavailable to you at a point in time, that’s a service delivery issue.

“When you’re dealing with services that are government related, whether it’s Centrelink or your vaccination status – it could be a whole range of things – then you’ve got to be concerned about that.”

According to Dawson, the three biggest hurdles for government pertain to procurement, security and an understanding of privacy. 

“Nobody understood the privacy one until the CovidSafe app came out, then everybody understood what privacy meant, at that point,” he says.

Amendments to the Security Legislation Critical Infrastructure Bill 2020 will bring security into even sharper focus. The amendments will increase from four to eleven the number of industries deemed critical under the legislation.

“If you get ransomwared and you haven’t got immutable storage to read to recover from that, then you could find that two or three weeks of that is going to put you out of business. One of the reasons for the new legislation is to give government the authority to step into that situation in critical sectors,” Dawson says.

Organisations should consider the risk that the integrity of their critical data could be compromised without anyone ever knowing, he adds. 

“For example, what if somebody came in and just changed all the genomic records in a database,” says Dawson. “So the entire basis on which we’re medicating people is completely erroneous now, but the system is telling us it’s accurate.”

Preparing for tomorrow

Deploying government-approved infrastructure that meets evolving Australian data sovereignty and security requirements is “one of the easiest ways to remove the bulk of the challenge”, Dawson says. “Then all you’ve got to worry about is the minor piece, which is what the software and analytics are doing.”

He recommends that organisations follow the CAAF. “Every company should look to meet the standards of the Cloud Assessment and Authorisation Framework because actually I genuinely believe that it is the best practice to mitigate risk of your data,” says Dawson.

AUCloud works with government, defence, and public sector agencies to develop and execute security strategies that are both CAAF and HCF compliant. 

Dawson encourages government agencies to think about data more holistically. To him, there is no such thing as ‘government data’. Either directly or indirectly, that data is ours, he says. He calls it “citizen data”, and regards government as merely a custodian. 

“It’s our data,” he says. “And on our behalf, they should care. And in most cases they do care and they do think about it, and though they may have different motivations as to why, they are guided by these frameworks. 

“AUCloud has built its business model around meeting and in fact exceeding those standards because our view of it is that what’s good enough today is probably not going to be good enough tomorrow.”
