ASPI warns Canberra about security risk with current data centre procurement approach
A report developed by the Australian Strategic Policy Institute (ASPI) has highlighted there are opportunities for reforming the Australian government’s data centre procurement arrangement, after uncovering that of the 87 current data centre facilities contracts with Australian Government agencies, 54% were with one data centre provider, equivalent to a combined total value of AU$779 million.
In its Devolved data centre decisions report [PDF], the ASPI said relying on a high concentration of data centre providers could result in an increase in data risk, reduce market flexibility, limit barriers to exit, and reduce innovation.
While the paper did not identify the dominant provider, the entity reports on procurement contracts for the 2019-20 financial year published on Austender suggested the dominate provider was Canberra Data Centre.
The paper also highlighted that individual agencies have been driving many procurement decisions because a whole-of-government approach to data security is lacking, thereby creating “unnecessary vulnerability for government data” and “fragmentation”.
“Despite the intent of the Digital Transformation Agency (DTA) Data Centre Facilities Supplies Panel, current panel arrangements place a heavy onus on individual departments and agencies to identify and mitigate data centre risks in the absence of whole-of-government oversight,” it said.
“This limits the opportunity to respond in a coordinated manner to wider interests of government, including concerns relating to supply-chain and concentrated data holdings.”
The DTA panel was established as part of the Australian government’s Data Centre Strategy 2010-25, following the Greshon review into government IT that recommended for the government to “develop a whole-of-government approach for future data centre requirements over the next 10 to 15 years in order to avoid a series of ad hoc investments which will, in total, cost significantly more than a coordinated approach”.
The ASPI added the current panel arrangement of transferring whole-of-government risk to agencies could result in a “blind and dangerous outcome.”.
“The focus on individual agency risk means that agencies will choose convenient options regardless of any compound risk that may be occurring across government,” it said.
Further, the ASPI pointed out that while DTA’s role is to provide policies, standards, and guidance, it “lacks resources and the authority to drive whole-of-government ICT outcomes”.
The ASPI suggested the federal government needed to mitigate risks that are being caused by the aggregation of data centres and establish a strategy to manage government data that goes beyond the existing agency-by-agency approach.
“An authority set up to manage this would have objectives relating to data security and management of overall data risks as well as promotion of market flexibility and efficiency,” the paper said.
Last month, the federal government refreshed its digital transformation strategy, vowing that it would be “moving from siloed capabilities to a landscape of connected platforms and services”.
“The vision is to enable better design and investment for connected government services and capabilities for Australia through initiatives such as sourcing reforms and a whole-of-government architecture,” the paper said.
“This will support the identification of re-use opportunities and encourage the adoption of common platforms, implementation approaches, standards and integrated, cross-agency services providing a strong foundation for transformation.”