[LINK] Australian government agencies, and clouds.

Roger Clarke Roger.Clarke at xamax.com.au
Tue Aug 15 11:49:40 AEST 2017


At 1:30 AM +0000 15/8/17, Stephen Loosley wrote:
>Australian government agencies spent $6.2 billion on ICT in 2015-16, of which just $58 million was on cloud services - less than 1 percent. ...

I posted the following Kiernan article to the privacy list this morning, commenting that:

[The article misses a vital point.  It's one thing (although in itself a good thing) for a provider to have capacity in Australia for data that needs to remain under domestic control and jurisdiction.  But the service must also have an effective, certified and audited capability to ensure that no data is ever farmed out to a host that is outside the jurisdiction.]

[That's a much bigger technical and managerial challenge than installing new devices, infrastructure and network connections, and running up a bunch of software.]


>Microsoft to launch Azure in Canberra in push for sensitive govt data
>Hyperscale data centres hoping for ASD approval.
>By Steven Kiernan  Aug 15 2017
>https://www.itnews.com.au/news/microsoft-to-launch-azure-in-canberra-in-push-for-sensitive-govt-data-470794
>
>Microsoft is launching two Canberra regions for its Azure platform in a major investment to convince Australian government agencies to move their data to its public cloud.
>
>The company will go live with the new regions, based in Canberra Data Centres' Hume and Fyshwick facilities, in the first half of 2018.
>
>These regions will join Microsoft's existing Australian public cloud data centres in Sydney and Melbourne, taking the total number of global Azure regions to 42.
>
>The move also steals a march on Azure's biggest competitor, Amazon Web Services, which does not have any data centres in Canberra, though recently announced Direct Connect through NextDC.
>
>The two Azure regions - dubbed Australian Central 1 and 2 - will be plumbed into the ICON network that connects all Australian government agencies.
>
>"Less than three years ago, we launched our first cloud services from an Australian data centre. Since then, we've worked to lead the way in delivering trusted innovation to our customers and partners, which has at times meant the hard work of undertaking very onerous compliance processes," James Kavanagh, Microsoft Azure engineering lead for Australia, said.
>
>"We've taken on that effort to reduce the work our partners and customers must do themselves, thus accelerating their ability to adopt innovation.
>
>"This has led the Australian Signals Directorate to certify a total of 52 services across Microsoft Azure, Microsoft Office 365 and Microsoft Dynamics 365 - far more than all other cloud services combined."
>
>Under rules managed by the ASD, government data is classified into four levels: unclassified, protected, secret and top secret.
>
>Only two cloud providers are currently certified to handle protected-level data, Vault Systems and Sliced Tech.
>
>Microsoft has been awarded unclassified certification for specific Azure and Office 365 services, and is now actively seeking protected status - which, despite the company's bullish language and significant investment in Canberra, is not guaranteed and could still be some way off.
>
>Some 40 Microsoft cloud services have been audited by IRAP assessor Shearwater Solutions, with the assessor recommending 25 of these for protected certification, and the other 15 requiring further work.
>
>"We're still working to finalise this certification process with Australian Signals Directorate and for clarity it is important to be aware that Microsoft Azure is not certified at protected level by ASD. We still have work to do, but the pathway is understood," Kavanagh said.
>
>Classified information
>
>Microsoft hopes to eventually be able to offer government agencies an option for all four levels of classified data: unclassified and protected on the Azure public cloud, and secret and top secret on Azure Stack.
>
>Azure Stack, which became generally available in July, offers a public cloud-like experience using on-premises hardware from the likes of Dell EMC, Hewlett-Packard Enterprise and Lenovo.
>
>James Turner, an analyst from IBRS who was briefed on Microsoft's plans, said it would be welcome news for public sector IT teams as they tried to align their IT positions with the ASD's Information Security Manual.
>
>"Government agencies have the ISM as their external risk compass, but many agencies struggle with two key aspects of ISM compliance. The first is to actually achieve ISM compliance in the challenging areas where things get complicated, and then the second is to maintain compliance in these areas - because they're complicated," Turner said.
>
>"It's going to be compelling for many CIOs that a vendor like Microsoft, that really gets the enterprise, steps up and says that it's done the heavy [lifting] to provide a platform that is likely more secure than many agencies could build or maintain for themselves."
>
>IBRS has seen government agencies rule out large cloud vendors from consideration in the past because of a lack of ASD certification, Turner said.
>
>"Being able to lean on a vendor - that's prepared to make the upfront investment - and be held to account through certification from the ASD is a big deal."
>
>Co-location partner
>
>Like most public cloud providers, Microsoft has typically been cagey about naming the co-location facilities that house its public cloud services - it has never publicly revealed where Azure in Australia is hosted.
>
>But in this instance the vendor wants to leverage Canberra Data Centres' privileged position among government agencies.
>
>While the firm claims to have grown in the last ten years to be the largest provider of data centre capacity to government, CDC chief executive Greg Boorer admits "a lot of people have not heard of us".
>
>This growth is no coincidence: CDC's facilities have been constructed with top secret data in mind and are ASD approved up to secret level.
>
>"Over 10 years - through merit not mandate - we have won a lot of government tenders on an agency-by-agency basis," Boorer said.
>
>"We have now brought together more than 40 federal government departments and agencies, which deliver services for more than 80 agencies as well as the ACT government.
>
>"We now have a government ecosystem where there is huge potential for government agencies to share data and improve government service by removing friction between agencies."
>
>Boorer said CDC's Australian ownership was another selling point to government customers with sovereignty concerns. The company, which was established in 2007 by ASI Solutions' founders Ken and Maree Lowe, is 48 percent owned by the Commonwealth Superannuation Corporation and 4 percent by management.
>
>"A change of control that would impact government in an adverse way is not possible," Boorer said.
>
>Angus Taylor, federal assistant minister for Cities and Digital Transformation, welcomed the news.
>
>"The Australian government has embarked on a sweeping program of change, bringing digital innovation to the transformation of the Australian public sector."
>
>The potential upside for government agencies is significant, given how much public sector IT budget is spent just keeping the lights on.
>
>Australian government agencies spent $6.2 billion on ICT in 2015-16, of which just $58 million was on cloud services - less than 1 percent.
>
>"It is not like government doesn't understand cloud. There are a lot of very capable people," Kavanagh said.
>
>But he pointed out that 78 percent of the government's 2015-16 IT budget was spent on running existing technology, much of this legacy systems.
>
>"Almost half of all government applications are more than 10 years old. The big, hairy systems - for defence operations, for welfare payments, for taxation, the big complicated heavy systems - they are not easy to peel apart and lift and shift onto the cloud."
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			             
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/ 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University


