Whole-of-government Hosting Strategy
We live in an age where government functions, from policy development to program implementation and service delivery, use data captured digitally.
Australians expect government to leverage innovative technologies to continually improve services for the community. Australians also expect government to protect their personal data and to deliver digital services that can be trusted.
The government has made significant investments in safeguarding the security and privacy protection of government-held data. Cornerstones of this secure environment are data centres and associated infrastructure.
This strategy provides policy direction and guidance applicable to the Australian Government hosting ecosystem including facilities and infrastructure. It is supported by a clear roadmap to deliver the outcomes described in this strategy.
This strategy supports the government’s commitment to privacy, security and resilience, while improving the delivery of government services.
The Digital Transformation Strategy outlines our vision to be a world-leading digital government for the benefit of all Australians. We have developed the whole-of-government Hosting Strategy (‘the strategy’) to ensure government data and digital infrastructure enable the Digital Transformation Strategy goal of a government that’s fit for the digital age.
The strategy provides a defined approach to hosting arrangements that meets the needs of Australian Government agencies as they deliver the Digital Transformation Strategy.
The scope of hosting comprises data centre facilities, infrastructure, data storage and data transmission.Back to top
Digital Transformation Strategy
The Digital Transformation Strategy outlines the future direction of digital government to 2025 for the benefit of Australian people and businesses. It is supported by four strategies:
- The Sourcing Strategy advises how agencies can engage with the market to acquire or uplift technical capability to realise the 2025 vision.
- The Platforms Strategy provides a unified user experience for people and businesses and reduce duplication across government through the reuse of business services to enable the 2025 vision.
- The Hosting Strategy sets direction for underlying digital infrastructure that supports the 2025 vision.
- The Digital Capability Strategy builds digital skills across government to ensure government can deliver the 2025 vision.
These are underpinned by the digital continuity, information and data strategies, which set a whole-of-government approach to use and reuse of data.Back to top
Why do we need a hosting strategy?
Government organisations face a wide range of ICT and data challenges, in an environment of significant ongoing change. The immediate issues to be addressed by the strategy include the risks to data sovereignty, data centre ownership and the supply chain. This strategy provides clear policy guidance for agencies and industry and aims to create whole-of-government efficiencies. In the medium term, the strategy better positions government agencies and industry to adopt new technologies and services, fosters innovation and reduces the barriers and cost created by legacy systems.
In 2008, the Australian Government commissioned a review into the use of ICT and recommended developing a Data Centre Strategy, primarily for cost avoidance.
The Australian Government Data Centre Strategy 2010-2025 was published in March 2010 with a savings target of $1 billion over a 15-year period.
By 2017 the 2010-2025 strategy was on track to achieve its saving target. However, changes in the technology landscape highlighted an emerging set of challenges, including:
- emerging risks to the sovereignty of data held in Australian Government data centres
- increasing risks to the sovereignty and security of the hosting supply chain
- reducing transition costs associated with data centre ownership changes
- encouraging innovative solutions from industry and agencies in a cost-constrained environment
- delivering investment certainty to stakeholder agencies and industry partners
- taking advantage of emerging Software-as-a-Service (SaaS) solutions while simultaneously managing non-cloud ICT operations.
As digital services continue to grow, organisations are increasingly moving towards cloud services. There is strong growth in cloud adoption, driven by increasing data consumption worldwide and the benefits cloud services offer. The use of on-premise IT infrastructure is declining. However, it remains a critical part of many organisations’ IT strategies. A 2018 Gartner study shows a strong preference for hybrid cloud solutions worldwide. Gartner foresees double-digit growth in government use of public cloud services, with spending forecast to grow on average 17% per year through to 2021. Governments are expected to implement private cloud at twice the rate of public cloud through 2021.Back to top
Government strategic landscape
The Australian Government has a clear digital transformation strategy and mature service capabilities that rely on having a trusted, connected and secure data and digital infrastructure. In developing the strategy, we have considered a broad strategic landscape, including:
- The Digital Transformation Strategy which sets the Australian Government’s vision to be one of the top three digital governments in the world by 2025. It will achieve that by making government easy to deal with, fit for the digital age and informed by users.
- The Secure Cloud Strategy provides the framework for sustainable change so that all agencies can leverage the benefits of cloud services. This strategy provides guidelines and principles for government agencies preparing for or undergoing the transition to cloud.
- The whole-of-government Digital Service Platforms Strategy provides a unified user experience for people and businesses, to reduce duplication across government through leveraging capabilities.
- The Critical Infrastructure Resilience Strategy describes the Australian Government’s approach to enhancing the resilience of critical infrastructure to all hazards.
- The Cyber Security Strategy establishes 5 themes of action for Australia’s cyber security to be achieved by 2020:
- a national cyber partnership
- strong cyber defences
- global responsibility and influence
- growth and innovation
- a cyber smart nation.
A new Digital Infrastructure Service will be established within the Digital Transformation Agency to:
Reduce data sovereignty, ownership and supply chain risks by:
- Offering a certification of facilities, for placement of government data up to the PROTECTED classification.
- Guiding agencies to assess their own risk appetite and implement appropriate data protection controls.
Ensure government hosting services are more efficient and cost-effective by:
- Leveraging whole-of-government panels to achieve greater economies of scale.
- Enhancing secure communication links for transfer of data across facilities.
Provide certainty on the Australian Government hosting operating environment for industry and agencies by:
- Clearly articulating government policies and standards, including recognition that hosting services will be delivered in partnership with industry.
- Providing whole-of-government coordination points and reducing duplication for common hosting functions.
The strategy is guided by the following principles:
- Hosting arrangements must be designed to ensure resilience and business continuity.
- Hosting arrangements must be founded on robust, risk-based assessments to ensure data sovereignty and supply chain integrity.
- Existing policies and certification processes should be used where appropriate.
- Where common hosting requirements are identified across the APS, centralised arrangements should be accessible and leveraged by agencies
- Government agencies continue to have the autonomy to select the best hosting arrangements for their requirements.
To support the Digital Transformation Strategy’s priority of government that’s fit for the digital age, by ensuring that people and businesses will have trust and confidence that the Australian Government is managing data securely and in the national interest.
Keys to success
1. Address sovereign issues within hosting supply chains
Action: mitigate against supply chain and data centre ownership risks through the implementation of a certification framework and effective governance model.
Outcome: an effective control regime that mitigates the risk, expense and impact of undesirable changes in supply chain and data centre ownership, control and use.
Changing hosting arrangements mid-contract due to risks created by changes in ownership, access and control is not in the interests of government or industry.
A business service often sits on a complex array of technology services that all have sovereign considerations. Technology platforms can operate on networks and servers provided by managed service providers, who, in turn, may lease space from other third-party data centres.
Agencies and industry must have confidence that hosting arrangements in each part of the ecosystem meet government’s criteria regarding data sovereignty, privacy, supply chain risk and cyber security on an on-going basis.
In modern IT systems, data is managed by systems and services that rely on complex global supply chains. The risks to data sovereignty created by these supply chains vary widely.
The more complex the supply chain, the more difficult it becomes for agencies to manage risks. Where an agency is using a hosting provider and the hosting service is provided over telecommunications infrastructure leased from a third party, the agency cannot control whether the infrastructure:
- becomes wholly or partially foreign-owned/controlled
- is governed by a contract subject to elements of foreign law
- is re-located to a physical location outside Australia.
To address these challenges, data centre providers that are part of whole-of-government panel arrangements will be certified based on the degree of sovereignty assurance they provide to government.
Hosting Certification Framework
The Digital Infrastructure Service will establish the Hosting Certification Framework and associated assessment criteria.
The Hosting Certification Framework will allow the Digital Infrastructure Service to assess and measure supply chain risks presented by hosting providers, and outline standards, measures and timelines to achieve the government’s desired hosting standards. This framework will be developed in collaboration with agencies to ensure thorough consideration of Australia’s sovereign interests, including:
- data sovereignty and facility ownership
- hosting ecosystem architectures
- cloud adoption
Ownership and control assurances
Ownership and control assurances will be categorised as follows:
- Certified Sovereign Data Centre represents the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions.
- Certified Assured Data Centre arrangements safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile.
Depending on their business requirements, agencies will stipulate their preference for certified sovereign or certified assured facilities when going to market for hosting services.
Agencies must ensure that services hosted by third parties, such as managed services providers, also comply with the above assurances.
How will success be measured?
- Establishment of an accepted Hosting Certification Framework.
2. Connect government hosting assets
Action: create a secure hosting ecosystem, including certified data centres and network infrastructure.
Outcome: a whole-of-government secure ecosystem that enables efficient and effective use of government hosting assets.
The Digital Infrastructure Service will investigate the telecommunications networks connecting certified data centres, including cost and security models.
The Intra-government Communications Network (ICON), which only exists in the Australian Capital Territory, provides cost effective and secure telecommunication connections for data in transit. A key characteristic of the ICON approach is the charging model, which is based on covering the cost of network assets rather than network traffic or transmission fees. This charging model allows agencies to leverage network capabilities without driving up data transmission costs.
Certified data centres should have a capacity to be connected through a telecommunication connection with an ICON-like costing model. This model would decrease telecommunication costs associated with data transmission.
An expansion of ICON will enable data in transit to logically reside within a broader security boundary. Under this model agencies can leverage secure communication capabilities across dark fibre connectivity between data centres.
Data risks are emerging due to the change in classification of data over time. Data once deemed UNCLASSIFIED may become sensitive due to changed community expectations or as a result of data aggregation.
The following minimum hosting requirements should be used to ensure public trust is maintained:
- When considering a hosting solution, data and systems must be assessed for the likelihood of data sensitivity changing over time
- PROTECTED and whole-of-government systems must be hosted in a certified sovereign or certified assured data centre.
How will success be measured?
- Reduction in telecommunications costs for agencies.
3. Provide common government hosting, services and advice
Action: establish a Digital Infrastructure Service to drive the strategy implementation and provide coordination, governance and advice on achieving best value from hosting services.
Outcome: effective assessment of whole-of-government risks and removal of cost, time and capability barriers which have affected government’s ability to take advantage of innovative technology solutions.
Agencies are responsible for ensuring they, along with their suppliers, have the appropriate controls in place to meet government requirements. However, across government, there is a need for:
- consistent certification and accreditation frameworks
- holistic approaches to risk management
- coordinated procurement
- sharing learnings.
Digital Infrastructure Service
The Digital Infrastructure Service will reside in the DTA and provide agencies with services that can be used with confidence, demonstrating best practice in hosting while using relevant governance frameworks. The Digital Infrastructure Service will manage the procurement and Hosting Certification frameworks.
Agencies will be able to order network, compute and storage services through these arrangements. The Digital Infrastructure Service will assess these arrangements against a range of performance indicators, including:
- hosting provider performance
- facility utilisation
- pricing profile
- facility and hosting supply chains.
How will success be measured?
- Industry will be able to invest in solutions for government with improved certainty.
4. Redefine strategic relationships with the ICT industry
Action: develop a genuine strategic relationship between government and the ICT industry that recognises government as a single customer.
Outcome: reduced inefficiencies associated with engaging separately and transactionally with over 200 agencies, who each have varying degrees of maturity.
In a services-based ICT business model, government agencies will be able to compose business processes from a range of externally provided Software-as-a-Service (SaaS) and Business-Process-as-a-Service solutions (BPaaS). Service composability opens the door for agencies to easily add solutions to their systems portfolio at any time and from any provider, including new entrants from the small business and start-up communities. Increasingly, the main services consumed through data centre facilities will be those of SaaS providers, enabling greater innovation and public value.
Traditionally ICT procurement processes sought to understand detailed information regarding investment in capital-intensive ICT assets.
Procuring commodity and utility services requires a lighter (consequently cheaper and faster) procurement approach, focused more on outcomes.
A new approach is needed for these services, which leverages concepts like:
- creating standard ways to describe “unit cost” that can be compared across vendors
- embracing the potential for simplification of procurement, billing and charging
- evaluating the public value and outcomes.
The Digital Infrastructure Service will create ICT procurement guidelines to help agencies procure products and services appropriately.
Procuring ICT services from the cloud requires a rethink of the existing capital-based funding and governance models. Decision makers must understand the challenges agencies face in moving from capital expenditure for landed infrastructure to operational expenditure for cloud infrastructure.
The Digital Infrastructure Service will:
- track the use of key products and services
- work with government agencies to understand cloud funding arrangements.
How will success be measured?
- Decreased number of government ICT staff supporting commoditised services
- Increased take up of SaaS products.
5. Develop capabilities for measurement and analysis
Action: develop a set of frameworks and clearly defined measurable goals that will demonstrate progress against the Strategy and ensure value is achieved from hosting services.
Outcome: successful delivery of the Digital Transformation Strategy Vision 2025 through effective management of digital and data infrastructure, increased agency maturity and efficient adoption of innovative technologies.
Measuring progress is one of the key oversight roles of the Digital Infrastructure Service. In order to achieve this, consistent frameworks for measuring progress are required.
Risks and benefits frameworks
The Digital Infrastructure Service will create risk and benefits frameworks for hosting and cloud services. These frameworks will reduce the effort required by agencies to assess services. Industry will also benefit by dealing with agencies speaking a common language.
Agencies will retain the responsibility for assessing their own risks, as well as for balancing risks against benefits in the context of their business.
Maturity Assessment Framework
The Digital Infrastructure Service will create a Maturity Assessment Framework for hosting services. This framework will draw on concepts and structures from other industry frameworks.
The Maturity Assessment Framework will allow the Digital Infrastructure Service to compare the maturity of government agencies and help each agency to develop a roadmap to improve their maturity over time.
The Digital Infrastructure Service will oversee the establishment of the framework and monitor agency progress over time.
The Digital Infrastructure Service will create practical reference architectures to guide government agencies in the implementation of hosting models. Over time, the use of standard reference architectures will serve to simplify and streamline the way hosting services are used across the government.
These reference models will be published under a creative commons licence to enable them to be used by other jurisdictions.
How will the success be measured?
- Growth in agency maturity as measured against the Maturity Assessment Framework.
The strategy roadmap consists of 3 stages:
- Horizon 1 – Immediate
The key foundational structures to enable agency and industry engagement with the whole-of-government approach to hosting services.
- Horizon 2 – Medium term
Work with agencies, industry and relevant stakeholders to establish the Digital Infrastructure Service.
- Horizon 3 – Long term
Deliver the outcomes and maturity benefits.
Horizon 1 – Immediate
- Establish the strategy governance.
- Update data centre panel contracts with ownership and control assurances.
- Develop the operating model for the Digital Infrastructure Service.
- Investigate and develop relevant business cases for telecommunications networks that connect data centres.
Horizon 2 – Medium term (2019–2020)
- Establish the Digital Infrastructure Service, including:
- Develop the Hosting Certification Framework to address ownership and supply chain risk.
- Engage with industry and third-party supply chain providers.
- Undertake assessments including:
- Initial certification of data centre providers.
- Initial supply chain assessments.
Horizon 3 – Long term (2020–2022)
- Expand and operationalise the Digital Infrastructure Service, including:
- Mature the hosting certification processes.
- Mature the supply chain assessment processes.
- Identify further opportunities for a centralised hosting service.