Keys to success

1. Address sovereign issues within hosting supply chains

Action: mitigate against supply chain and data centre ownership risks through the implementation of a certification framework and effective governance model.

Outcome: an effective control regime that mitigates the risk, expense and impact of undesirable changes in supply chain and data centre ownership, control and use.

Changing hosting arrangements mid-contract due to risks created by changes in ownership, access and control is not in the interests of government or industry.

A business service often sits on a complex array of technology services that all have sovereign considerations. Technology platforms can operate on networks and servers provided by managed service providers, who, in turn, may lease space from other third-party data centres.

Agencies and industry must have confidence that hosting arrangements in each part of the ecosystem meet government’s criteria regarding data sovereignty, privacy, supply chain risk and cyber security on an ongoing basis.

Certification

In modern IT systems, data is managed by systems and services that rely on complex global supply chains. The risks to data sovereignty created by these supply chains vary widely.

The more complex the supply chain, the more difficult it becomes for agencies to manage risks. Where an agency is using a hosting provider and the hosting service is provided over telecommunications infrastructure leased from a third party, the agency cannot control whether the infrastructure:

  • becomes wholly or partially foreign-owned/controlled
  • is governed by a contract subject to elements of foreign law
  • is relocated to a physical location outside Australia.

To address these challenges, data centre providers that are part of whole-of-government panel arrangements will be certified based on the degree of sovereignty assurance they provide to government.

Hosting Certification Framework

The Digital Infrastructure Service will establish the Hosting Certification Framework and associated assessment criteria.

The Hosting Certification Framework will allow the Digital Infrastructure Service to assess and measure supply chain risks presented by hosting providers, and outline standards, measures and timelines to achieve the government’s desired hosting standards. This framework will be developed in collaboration with agencies to ensure thorough consideration of Australia’s sovereign interests, including:

  • data sovereignty and facility ownership
  • hosting ecosystem architectures
  • cloud adoption
  • pricing.

Ownership and control assurances

Ownership and control assurances will be categorised as follows:

  • Certified Sovereign Data Centre represents the highest level of assurance and is only available to providers that allow the government to specify ownership and control conditions.
  • Certified Assured Data Centre arrangements safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile.

Depending on their business requirements, agencies will stipulate their preference for certified sovereign or certified assured facilities when going to market for hosting services.

Agencies must ensure that services hosted by third parties, such as managed services providers, also comply with the above assurances.

How will success be measured?

  • Establishment of an accepted Hosting Certification Framework.

2. Connect government hosting assets

Action: create a secure hosting ecosystem, including certified data centres and network infrastructure.

Outcome: a whole-of-government secure ecosystem that enables efficient and effective use of government hosting assets.

The Digital Infrastructure Service will investigate the telecommunications networks connecting certified data centres, including cost and security models.

ICON

The Intra-government Communications Network (ICON), which only exists in the Australian Capital Territory, provides cost-effective and secure telecommunication connections for data in transit. A key characteristic of the ICON approach is the charging model, which is based on covering the cost of network assets rather than network traffic or transmission fees. This charging model allows agencies to leverage network capabilities without driving up data transmission costs.

Certified data centres should have a capacity to be connected through a telecommunication connection with an ICON-like costing model. This model would decrease telecommunication costs associated with data transmission.

An expansion of ICON will enable data in transit to logically reside within a broader security boundary. Under this model, agencies can leverage secure communication capabilities across dark fibre connectivity between data centres.

Data controls

Data risks are emerging due to the change in classification of data over time. Data once deemed UNCLASSIFIED may become sensitive due to changed community expectations or as a result of data aggregation.

The following minimum hosting requirements should be used to ensure public trust is maintained:

  • When considering a hosting solution, data and systems must be assessed for the likelihood of data sensitivity changing over time
  • PROTECTED and whole-of-government systems must be hosted in a certified sovereign or certified assured data centre.

How will success be measured?

  • Reduction in telecommunications costs for agencies.

3. Provide common government hosting, services and advice

Action: establish a Digital Infrastructure Service to drive the strategy implementation and provide coordination, governance and advice on achieving best value from hosting services.

Outcome: effective assessment of whole-of-government risks and removal of cost, time and capability barriers which have affected government’s ability to take advantage of innovative technology solutions.

Agencies are responsible for ensuring they, along with their suppliers, have the appropriate controls in place to meet government requirements. However, across government, there is a need for:

  • consistent certification and accreditation frameworks
  • holistic approaches to risk management
  • coordinated procurement
  • sharing learnings.

Digital Infrastructure Service

The Digital Infrastructure Service will reside in the DTA and provide agencies with services that can be used with confidence, demonstrating best practice in hosting while using relevant governance frameworks. The Digital Infrastructure Service will manage the procurement and Hosting Certification frameworks.

Agencies will be able to order network, compute and storage services through these arrangements. The Digital Infrastructure Service will assess these arrangements against a range of performance indicators, including:

  • hosting provider performance
  • facility utilisation
  • pricing profile
  • facility and hosting supply chains.

How will success be measured?

  • Industry will be able to invest in solutions for government with improved certainty.

4. Redefine strategic relationships with the ICT industry

Action: develop a genuine strategic relationship between government and the ICT industry that recognises government as a single customer.

Outcome: reduced inefficiencies associated with engaging separately and transactionally with over 200 agencies, who each have varying degrees of maturity.

In a services-based ICT business model, government agencies will be able to compose business processes from a range of externally provided Software-as-a-Service (SaaS) and Business-Process-as-a-Service (BPaaS) solutions. Service composability opens the door for agencies to easily add solutions to their systems portfolio at any time and from any provider, including new entrants from the small business and start-up communities. Increasingly, the main services consumed through data centre facilities will be those of SaaS providers, enabling greater innovation and public value.

Procurement

Traditionally, ICT procurement processes sought to understand detailed information regarding investment in capital-intensive ICT assets.

Procuring commodity and utility services requires a lighter (consequently cheaper and faster) procurement approach, focused more on outcomes.

A new approach is needed for these services, which leverages concepts like:

  • creating standard ways to describe “unit cost” that can be compared across vendors
  • embracing the potential for simplification of procurement, billing and charging
  • evaluating the public value and outcomes.

The Digital Infrastructure Service will create ICT procurement guidelines to help agencies procure products and services appropriately.

Funding models

Procuring ICT services from the cloud requires a rethink of the existing capital-based funding and governance models. Decision makers must understand the challenges agencies face in moving from capital expenditure for landed infrastructure to operational expenditure for cloud infrastructure.

The Digital Infrastructure Service will:

  • track the use of key products and services
  • work with government agencies to understand cloud funding arrangements.

How will success be measured?

  • Decreased number of government ICT staff supporting commoditised services
  • Increased take-up of SaaS products.

5. Develop capabilities for measurement and analysis

Action: develop a set of frameworks and clearly defined measurable goals that will demonstrate progress against the Strategy and ensure value is achieved from hosting services.

Outcome: successful delivery of the Digital Transformation Strategy Vision 2025 through effective management of digital and data infrastructure, increased agency maturity and efficient adoption of innovative technologies.

Measuring progress is one of the key oversight roles of the Digital Infrastructure Service. In order to achieve this, consistent frameworks for measuring progress are required.

Risks and benefits frameworks

The Digital Infrastructure Service will create risk and benefits frameworks for hosting and cloud services. These frameworks will reduce the effort required by agencies to assess services. Industry will also benefit by dealing with agencies speaking a common language.

Agencies will retain the responsibility for assessing their own risks, as well as for balancing risks against benefits in the context of their business.

Maturity Assessment Framework

The Digital Infrastructure Service will create a Maturity Assessment Framework for hosting services. This framework will draw on concepts and structures from other industry frameworks.

The Maturity Assessment Framework will allow the Digital Infrastructure Service to compare the maturity of government agencies and help each agency to develop a roadmap to improve their maturity over time.

The Digital Infrastructure Service will oversee the establishment of the framework and monitor agency progress over time.

Reference architectures

The Digital Infrastructure Service will create practical reference architectures to guide government agencies in the implementation of hosting models. Over time, the use of standard reference architectures will serve to simplify and streamline the way hosting services are used across the government. 

These reference models will be published under a creative commons licence to enable them to be used by other jurisdictions.

How will success be measured?

  • Growth in agency maturity as measured against the Maturity Assessment Framework.