A cloud hangs over Amazon data certification

Joseph Brookes
Senior Reporter

The world’s biggest cloud company Amazon Web Services has been certified under the federal government’s data sovereignty scheme despite its links to a controversial Chinese-owned data centre and the US giant declining to disclose its current level of compliance, or what undertakings its certification is based on.

US company Amazon Web Services (AWS) joined local firms Vault Cloud, AUCloud, and Sliced Tech on Thursday in the first tranche of cloud providers to be certified under the Hosting Certification Framework (HCF), the federal government’s data sovereignty scheme that was established as a result of foreign ownership and security fears.

The next biggest cloud provider, Microsoft, was not part of the first tranche of companies certified, but is understood to be in the final stages of the process.

The announcement comes after what industry sources said was an initial hesitation from AWS to sign on to the scheme, which allows the government to specify and maintain stringent ownership and control conditions over government data. HCF certification agreements at the highest level — which AWS has been granted — guarantee that providers will cover all the government’s reasonable re-platforming costs if they breach the contract.

AWS’ Seattle-based corporate entity signed a $39 million whole-of-government sourcing contract two years ago which has now ballooned to more than $283 million. This includes a $159 million extension in July this year, making any possible exit costs under the new framework very high stakes for the US cloud giant.

Australia’s top security bureaucrat, Home Affairs secretary Mike Pezzullo, has previously flagged the government’s tightening data controls will “not be attractive” to international cloud companies in particular.

InnovationAus has been told by parts of the local industry that the policy verges on being unworkable for some companies and creates huge barriers to entry for others, because of tough requirements and the government’s discretion in what can be deemed a risk serious enough to breach a contract and trigger the re-platforming costs.

There are further concerns about how the certification requirements will be applied to the next phase of software-as-a-service providers, of which there are many more providers, each relying on even more complex supply chains.

A lack of transparency prompted the peak industry body, the Australian Information Industry Association, to voice its worries to the Digital Transformation Agency and advocate for a more “open and transparent process” for software providers.

The government policy has been in the works for years but is not based on underlying legislation or regulation. It follows government concerns about foreign-owned facilities and services holding and processing its data, and the potential high costs for government to exit the facilities.

Last year, large government departments scrambled to exit a Sydney data centre operated by Chinese-owned Global Switch because of security fears, reportedly at a cost of around $500 million.

The minister responsible for the HCF, Stuart Robert, has said all sensitive government data in future and in-flight projects must be held by providers with one of the two new HCF certifications: Certified Assured or the higher Certified Strategic.

He argues the tightening requirements — which include security assessments, local personnel with security clearance and exit cost guarantees — minimise data sovereignty and security risks, improve supply chain transparency and protect government investments.

“The Morrison Government is committed to having effective controls in place for the critical systems and data holdings that underpin the operation of government,” Mr Robert said in June when the scheme came into force with just three vendors certified.

“This includes knowing how, where and when data is stored and transmitted whilst achieving greater assurance over the operation and supply chains of providers.”

Six data centre companies are also certified under the scheme, including local firms and US and Japanese subsidiaries.

It is understood some of the initial certifications are contingent on undertakings from the companies that they will reach full compliance with HCF requirements in the future.

This has triggered concerns in the industry that a company could lose certification in the future or decide it is not worth the investment, causing a domino reaction down the supply chain where companies need to re-platform to certified providers and government services may be disrupted.

This risk could potentially be mitigated and better managed by publicly disclosing undertakings, according to one certified company which has voluntarily disclosed its undertakings. But there is currently no requirement for others to do so.

The Digital Transformation Agency (DTA), which developed the framework and administers HCF certifications, did not respond to detailed questions on whether companies had been certified based on undertakings or the status of cloud providers’ certification, but confirmed it will not require that companies publicly disclose their undertakings under the scheme.

“The DTA continues to assess other providers who have registered interest in receiving certification,” a spokesperson for the agency told InnovationAus on Wednesday, ahead of the cloud provider tranche being revealed.

“The DTA does not intend to publish a list of these providers, or any undertakings made by certified providers to maintain certification.”

Amazon Web Services (AWS) was Certified Strategic on Thursday for its Government Cloud Service offering in the Australian region.

The company did not provide a response to questions about its current level of compliance or whether its certification is contingent on an undertaking to the DTA.

After agreeing to provide answers to questions about its certification progress, AWS spokespeople stopped responding on Thursday in the lead-up to the DTA announcement about the certified cloud providers tranche. AWS released a company blog post at the same time celebrating the certification.

But the post made clear AWS sees distinct limits on its responsibilities under the new framework.

“Through our shared responsibility model, AWS takes on the security of the cloud – we develop, deploy, and maintain the infrastructure that supports digital service development. Customers manage the security of their own applications and data, ensuring security in the cloud,” the post, written by AWS local public sector director Iain Rouse, said.

“AWS supports our customers with training, tools, and best practices so that they can better manage their own responsibilities to maintain the highest levels of security. This means that even when working with certified HCF suppliers, customers must still take steps to mitigate unauthorised access through encryption, and cyber deception defence. We also encourage customers to deploy proactive services to not just detect unusual behaviour but immediately deploy mitigating actions, which are ready-to-use on AWS.”

Following its certification, AWS declined to answer questions about undertakings or re-platforming cost guarantees for its government customers.

AWS is known to use the Sydney data centre of Chinese-owned Global Switch, which several government departments scrambled to get out of last year. This includes Defence, which was only able to migrate its classified data out by last year’s deadline, and needed to sign a five-year extension with the company this year to complete the move out.

The other companies to be certified under the HCF on Thursday are all Canberra-based, government-focused cloud or managed service providers.

AUCloud was Certified Strategic for its Government Cloud Service offering, as was Sliced Tech Pty Ltd for its Government Cloud Service offering. Vault Cloud was also Certified Strategic for its Australian Government Cloud Service offering.

Vault Cloud said it is supportive of transparency around certifications and has chosen to reveal its undertakings, but acknowledged there may be sensitive information in others’ commitments.

The Canberra-based company said its certification is conditional and will be reviewed at the end of this year. Vault Cloud has committed to two undertakings as a result of non-compliance found during its assessment process.

The two undertakings are certification to ISO 28001 and having its non-operational management staff and board members security cleared by the Australian Government Security Vetting Agency (AGSVA). Vault Cloud said all its operational staff already have appropriate AGSVA clearances.

Vault Cloud chief executive Rupert Taylor-Price said unnecessary opacity in the HCF could create supply chain risks which are difficult to manage.

“In the absence of transparency, government, industry and Australian citizens are at risk of assuming that ‘certified’ means that a provider must be compliant and that data is being handled in line with citizen expectations,” Mr Taylor-Price said.

The Australian Information Industry Association (AIIA) would also like to see more transparency in the HCF.

“The AIIA has been actively involved with the DTA since last year on this issue,” the peak body’s chief executive Ron Gauci told InnovationAus.

“We have consistently and constantly asked for an open and transparent process.”

The AIIA is particularly concerned with the implications for software-as-a-service (SaaS) companies working with government. Certification becomes especially complex for cloud-native SaaS providers, Mr Gauci said, because there are far more providers than data centres and each has its own supply chain.

“Therefore the complexity and the volume is different as is the framework,” Mr Gauci said.

“Hence us asking for an open and transparent process when dealing with SaaS providers.”
