A new computer hardware manufacturing facility that offers a complete forensic chain of authority for every product is Australia's latest step towards sovereign resilience in IT infrastructure.
The public cloud has been vital for keeping both business and government afloat during the global COVID-19 pandemic but, by its very nature, it offers reduced control over the data stored within. Part of this loss of control is the location of the infrastructure on which the data is processed and stored. For organisations whose livelihood and security depend on their data remaining secure, the risk that judicial authority or local legislation of another nation may be used to access their data is not worth the convenience of the public cloud.
Additionally, the handful of corporations that manufacture the hardware and operate those public cloud services are owned and operated by China and the US respectively, which similarly creates concerns around who exactly has access to the data they manage. For example, the US Cloud Act of 2018 compels US-owned vendors to “disclose the contents of an electronic communication or noncontent records or information pertaining to a customer or subscriber, regardless of whether the communication or record is located within or outside the United States.”
Essentially: the US can choose to force a US-owned public cloud service provider, such as Amazon, Google, or Microsoft, to share customer data, even if that data is stored overseas. China's 2017 Cyber Security Law, the UK's 2019 Crime (Overseas Production Orders) Act, and Article 49 of the EU's General Data Protection Regulation (GDPR) offer similar legislation-enabled powers.
In response to these risks, many organisations are turning towards sovereign cloud - a service now being recognised in many countries, including Australia, as critical national infrastructure.
The promise of sovereign cloud
Sovereign cloud infrastructure is owned, managed, located and regulated within a single geographic region. It offers the convenience and reduced management overhead of the public cloud, with fewer external legislative risks. This is an essential step towards sovereign resilience, due to both the domestic ownership of the cloud services and infrastructure involved, and the strengthening and retention of hard-to-come-by IT skills in the national workforce.
Sovereign cloud services and infrastructure are essential not only for sovereign resilience but also for supporting initiatives like Australia's Government 5.0 strategy. However, even locally owned and managed digital infrastructure is still at risk of cyber attacks, including those that exploit the global supply chain.
But what about the hardware?
When supply chain attacks are outlined in popular media, often the attention is focused on software. However, far more difficult to detect, and therefore potentially far more devastating, are hardware-based infiltrations.
Most IT equipment used for sovereign cloud infrastructure today is sourced from organisations where product design and manufacturing methodologies are obscure and obfuscated; essentially ‘black boxes’ of compute, network and storage. But can a sovereign cloud really be ‘sovereign’, if the underlying hardware and software on which it is based can't be fully audited?
In recognition of this, the Australian federal government recently awarded computing hardware manufacturer SoftIron a $1.5 million Sovereign Industrial Capability Priorities (SICP) grant to build the first commercial start-to-finish computer hardware manufacturing facility in Sydney, Australia.
A new, secure provenance approach to IT infrastructure manufacturing
Specialising in both data center and edge deployment computing infrastructure, SoftIron has uniquely focused its efforts on facilitating a pathway towards secure provenance for its customers, an essential element for resilience against hardware-based cyber attacks. This is achieved through a completely transparent approach to their hardware design, engineering and manufacturing process, offering every part of a product's development up for forensic audit. Customers can then verify for themselves whether the product they receive is exactly the same as the one that left SoftIron's manufacturing floor - mitigating the risk of hardware trojans potentially introduced during its journey through the global supply chain.
This is achieved by SoftIron building all their products from the component level up, in contrast to traditional manufacturers of data center hardware, which outsource the build and in some cases the final construction of their products, typically to factories in China and Taiwan.
Another way SoftIron notably diverges from traditional IT infrastructure manufacturing practices is their ‘task-specific’ engineering approach, in which every element of a product is designed specifically to maximise the efficiency of the open source storage software that runs atop their hardware platform. This interoperability between hardware and software has produced extreme power efficiency and storage density, an ideal foundation for establishing sustainable sovereign clouds and edge computing deployments.
The commissioning of SoftIron's manufacturing facility in Sydney will be a boost for any organisation operating in Australia that is seeking an alternative to the unknowns of the public cloud. And any Australian business looking to enter the cloud services industry now has the opportunity to gain a competitive edge over the larger, more well-established providers on the market, by taking a secure provenance approach to their data center infrastructure.