Article written by Scott Egan, portfolio director - protected cloud, Fujitsu
Government data is the engine of civilisation; it allows individuals to be identified, migrants to become citizens, couples to get married and businesses to file taxes amongst others. Given the large amount of data the Australian government receives on a daily basis, the effective and secure storage of sensitive citizens’ data is imperative for all Government departments.
This is because even a small breach in data security can have immediate and significant consequences on both local and national security levels. A breach within a database used by the Australian Federal Police (AFP), state public transportation system or even local hospitals can have dangerous and in the worst case, even fatal consequences.
In view of Australia’s push to be a digitally transformed economy, it comes as no surprise that government data is making its way to the cloud. This move delivers greater data storage capacity, cost savings, convenience and increased flexibility for running ICT services amongst others.
In order for the transition to the cloud to be successful, it critical that government organisations are fully informed about cloud certification standards, what constitutes as secure, and that consistency is adopted across the board.
As more public and private organisations have embraced digital transformation and cloud services, so too did the Australian Signals Directorate (ASD). ASD is an intelligence agency in the Australian Government Department of Defence and provides advice and assistance on information and communications security, known as InfoSec.
ASD announced that Government departments managing ‘Protected’ workloads must engage with Cloud service providers who at the very least have attained a “Protected” level of certification. One aspect that ASD ‘Protected’ certified Cloud service providers share in Australia, is that they operate data-centres located solely within Australia, keeping sensitive Australian data within Australia.
As a result of the ASD’s ‘Protected’ certification standards, there are currently only a few companies in Australia that can provide compliant cloud services for the Federal and State Governments. While there has been some discourse stating that this directive is limiting and restrictive for Government departments, general public sentiment seems to be aligned with the ASD.
Security of citizens’ personal information is vital to the Australian public. As New South Wales begins to implement digital identification and biometrics security, the amount of personal information that is stored by the government continues to increase.
Along with the increase in the amount personal data being stored, is the increase in theft of personally identifiable information. In fact, the results of the 2017 Australian Community Attitudes to Privacy Survey revealed that 93% of Australians don’t want their data to be stored overseas and 73% don’t want their data shared with other organisations.
While these results may seem extreme, officials only need to look at the recent overseas Cloud incursions of Spectre and Meltdown, where the Intel chip flaw was found to have led to the exposure of millions of people’s data stored on global cloud providers which are utilised by the public along with business, and industry clients.
Recently other reports have surfaced, proving that wearable fitness gear, such as the fitness trackers worn by U.S Armed Forces may have been responsible for exposing the whereabouts of soldiers via the live transmission of GPS data to an open Cloud Service.
With the continued proliferation of WikiLeaks, election email hacks and cyber-crime; global cloud providers are constantly at risk and making updates to their platform in order to keep them secure.
With these public breaches happening around the world, it’s not a surprise that the Australian public prefer an ‘Aussie Made Cloud’ that takes no chances when it comes to security implementation
Despite having secure Australian technology, there are still organisations and individuals who are advocating for the dilution of ASD certification requirements that will enable global providers to gain a place on the Australian Signals Directorate’s Certified Cloud Services List.
Rather than a strict ASD certification model, advocates are endorsing a layered Cloud Certification Model to be created which could potentially provide greater platform flexibility and opportunities for agency-led certifications.
These bespoke platforms would include proposed ‘integration toolkits’ that enable agencies to seamlessly transition between cloud services. These are interesting considerations which will allow for greater levels of innovation and interplay between providers. However, given the recent issues, one must wonder why the Australian Government are now looking to lower the standard and embrace convenience over security.
As the Australian Government continues to race down the road of digital transformation, many platforms and new technology will be embraced. Regardless of what paths are taken down the stretch, one thing will be certain, digital data will continue to grow.
It is obvious that the Australian government will need to find a way to store this sensitive information about its citizens that meet government standards, doesn’t take shortcuts with security, and stays consistent with further decisions.