This is in stark contrast to what has been happening in the past, ever since the Australian Signals DIrectorate was given the task of certifying which companies could provide Protected cloud services – in other words, companies that were able to host government data that had the highest security classification.
It is indeed somewhat ironical that the Digital Transformation Agency — which has whole-of-government deals only with foreign firms AWS, IBM, Microsoft, Rimini Street, SAP and Concur — should be one of the parties drafting the rules that aim to give preference to local companies when it comes to secure cloud contracts.
As to why there was a need for new rules, some informed speculation is indeed illuminating. The earlier avatar of certification had the Australian Cyber Security Centre and the ASD jointly signing off.
|
The man claimed to be favouring the Americans and allowing them concessions is said to be the former head of ACSC, Alastair MacGibbon, though he has denied this.
Microsoft, for example, was given the certification along with a host of changes that it needed to make post-certification. This did not sit too well with the Signals folk.
Indeed, there were reports that the ASD staffer who oversaw Microsoft's application refused to grant it on security grounds. She was then promptly unseated by then ASD director-general Mike Burgess, something which has, of course, been denied.
And in the case of Amazon Web Services, again there was murmuring that the company had offered just its bog-standard service for evaulation and been shown an open door.
In the US, the AWS cloud service offered to the government is air-gapped, has top-notch encryption, controlled metadata and only on-shore security-cleared personnel can operate the facility. But Australia, evidently, is a poor relative.
Strangely, as flagrant as these happenings were, they were not the straw that broke the camel's back. They were not spoken about apart from in some very narrow circles.
Canberra sources tell iTWire, that the change came about when AWS was given the contract — without any competition, by the Department of Home Affairs — to store data for the Australian COVIDSafe app.
Apparently, this matter was discussed to death on social media and it generally caused a big stink about the business of government contracts.
And the outcome was that phrases like "sovereign cloud providers — those owned and operated by Australians within Australia — could provide a significantly reduced risk compared with foreign-owned entities, even those operating from within Australia", suddenly appeared in the new guidelines for secure cloud providers.
Now it is entirely possible that these words will remain just that: words.
But it is worthwhile noting that after years of effort, one man, Rupert Taylor-Price, who runs the cloud firm Vault, finally managed to overcome a hoodoo — or bias, take your pick — and strike a whole-of-government deal with an Australian government, in this case the state government in NSW.
That was something nobody expected to see, not in this century anyway. Given that, it may well be that other surprises also lie ahead.