With almost daily reports of cyber breaches, many organisations are unclear what approach to take to ensure their own security. Some view the challenge as an issue for the IT department while others look to senior management and the board for answers.
Within the sphere of the data centre, as security requirements extend beyond the design and operation of a data centre into the structure of the business and its supply chain, clarity is also increasingly required by company boards around how far to take sovereignty when setting up a company structure and data facility.
The issue of digital sovereignty, at least in Australia, has risen largely on the back of fears of ‘soft diplomacy’, data access or surveillance by foreign adversaries.
Ownership of data centres, the financing of undersea cables, and even the origin of equipment used in the construction of next-generation cellular networks, have all made sovereignty an issue in recent years.
There have been concerns that foreign ownership, financing or construction of assets could pose a threat to national security, allowing side-door access to local communications and data.
That has driven a range of measures and actions, from bans on certain types of equipment, to Australia stepping in to finance regional communications projects, and government agencies shifting data and workloads into facilities that have Australian ownership.
The government has gone one step further on data centres, establishing a new Hosting Certification Framework that offers an additional assurance of government agencies that a facility they have servers or data in meets certain ownership and control conditions as either a Certified Strategic Hosting Provider or a Certified Assured Hosting Provider.
The Digital Transformation Agency’s Whole of Government Hosting Strategy Hosting Certification Framework explains that a “Certified Strategic Hosting Provider represents the highest level of assurance and is only available to providers that allow the Government to specify ownership and control conditions.” In addition, it also outlines that “Certified Assured Hosting Provider arrangements safeguard against the risks of change of ownership or control through financial penalties or incentives, aimed at minimising transition costs borne by the Commonwealth should a data centre provider alter their profile.”
What we know is that sovereignty is fast becoming a pre-qualification checkbox item in terms of the certifications expected to demonstrate a provider’s compliance to industry standards when buying software, hardware or the space to host either.
Drawing a line
We’re all familiar with the use of the term ‘sovereign’ to mean the physical location where data storage is housed.
The Australian government’s hosting strategy now extends the ‘sovereignty’ concept to service provider control and ownership.
But sovereignty can go even further than that. For example, it can extend to any software programs or plant that a data centre operator uses, and where that is coded, hosted or built.
CyberCX predicted sovereignty and the origins of products and services “will take primacy over cost savings” when building or transforming capabilities in 2021. “Increasingly organisations will examine products’ source code and hardware design specifications. There will also be a drive to better understand the origins and vulnerabilities of the technology we use,” it said.
The Australian Information Industry Association (AIIA) also highlighted the importance of developing sovereign digital capabilities in a recent report. Sovereignty, it says, covers not only infrastructure, but IP transfer and local employment.
The question then becomes: how far do we take sovereignty? Where does it start and stop? This is an issue that customers and service providers alike are currently grappling with.
And while we can’t profess to have all the answers, as a greenfields operator in Australia, Hickory Data Centres as a wholly owned Australian business has an opportunity to build facilities that are sovereign by design in addition to being certified to international security standards.
Arguments over sovereignty tend not to favour organisations of a certain size.
Size often means complexity – different shareholdings, a web of ownership, a large number of supported vendors and equipment – all of which make it difficult to certify sovereignty over.
If you’re a smaller, agile, based-in-Australia business, such as Hickory Data Centres it’s a lot easier to become sovereign-certified than it is for an existing operator with lots of different ownership interests or locations in different regions, each subject to its own set of local laws and restrictions.
Sovereignty is about security
It’s hard to get away from the fact that the trend towards sovereignty is primarily being driven by security concerns – over where data is physically held, which foreign laws it is subject to, and how trusted the owners of those physical spaces are.
Therefore, one lens through which to view sovereignty is as the next evolution of what a secure data centre is.
The security measures and compliance assessments that operators undertake in this space will largely depend on their target market. As Hickory Data Centres is building and operating facilities for the hyperscale cloud providers, it will as a result tailor its offering or “build and operate to suit” in order to meet the stringent security standards that these companies expect from contracted suppliers. For us, this will include SOC 2 compliance, considered a minimum standard for information protection in as-a-service environments, and ISO 27001, considered an international standard for secure information management and facilitates designed to a minimum SCEC Zone 4 level as standard making it easier to address higher levels as required.
Hickory Data Centres are focused on securing the “Strategic’ level certification to ensure its fully supporting its customers as a key part of their supply chain.
Building for the hyperscale/wholesale market, many of which already manage large workloads for government agencies in Australia, requires a hyperscale data centre provider to certify to the different sovereignty requirements laid out in Australia’s whole-of-government hosting strategy – as many domestic operators are now doing.
As you can see, sovereignty is driving up security requirements for data centre operators and service providers.
This is resetting the baseline for what a secure data centre looks like, though facilities will differ in their specific approaches based on their target market.