Top-heavy data-centre adoption threatens Australian government data security, ASPI warns

As one provider secures 79% of government panel contracts, the ASPI think tank warns about “blind and dangerous outcome” from “confused and inconsistent” data governance.


An “unexpected concentration” of Australian government data on just one data-centre provider marks a failure of policy and has created new security risks in the process, according to a strategic review of government procurement policy whose relevance is even stronger given the ongoing revelations about a recent surge in nation-state hacking.

The government’s Digital Transformation Agency (DTA) implemented a Data Centre Facilities Supplies Panel (DCFSP) in 2010 to manage procurement of data-centre services through 2025, and the panel is up for renewal or replacement early in 2021.

However, a new review of the panel’s operations by the Australian Strategic Policy Institute (ASPI) found that despite having approved 15 companies for inclusion on the DCFSP, 54% of the 87 current contracts—comprising $779 million in total value—were with just one data-centre provider.

Of these contracts, 79%—representing $620 million in revenues—had been taken out with the dominant industry provider. By way of comparison, the second-largest single-provider arrangement was worth just $32 million.

This top-heavy outcome, the ASPI observed, represents an “unintended market failure” that may have fostered a lack of diversification amongst data-centre providers, introduced new barriers to exit for agencies, and expanded contract scope in ways that effectively stop agencies from returning to the panel for an open-market procurement. The recent SolarWinds breach is an example of what can happen when a particular platform becomes dominant or even universal and is then compromised, turning it into a universal vector for breaches.

Heavy concentration of government data services could also, ASPI warned, create “a higher risk of single potential points of failure which have the potential to prevent government from delivering its services”.

This is compounded by a lack of oversight of government data security at the whole-of-government level, ASPI’s report warned: “The current panel arrangement is transferring whole-of-government risk to agencies despite some not having adequate knowledge, budget or expertise to manage these risks.”

Data centre security eggs all in one basket

The Australian government raised eyebrows last year when it signed a whole-of-government arrangement with Amazon Web Services (AWS). And while arrangements like that one may have improved access to a range of data services, ASPI warned, “the focus on individual agency risk means that agencies will choose convenient options regardless of any compound risk that may be occurring across government. This is a blind and dangerous outcome.”

The potential risks of such an outcome came into sharp focus in recent weeks, as US government and industry bodies raced to evaluate their exposure to a campaign of nation-state hacking that saw hackers leverage SolarWinds’ Orion network management platform to gain sustained access to dozens of target networks.

Although the Australian government’s potential exposure to the campaign has not yet been confirmed, the attacks show the dangers of homogeneity across a large number of agencies—particularly if, as ASPI warned, those agencies are being left to manage and evaluate the risk of such exposure by themselves.

“Having 79% of all government data housed with one provider is a very big risk,” Macquarie Government managing director Aidan Tudehope said, warning that the ‘eggs in one basket’ situation “should be a genuine concern for government.”

“In the corporate world, organisations would never tolerate such risks to their data and will often ensure they have supplier diversity in case the unthinkable ever happens,” Tudehope noted. “While individual government departments may be considering their specific circumstances and risk exposures, they are not assessing the risks created from decisions made by multiple government agencies in aggregate. This aggregated risk rises every time a government agency moves its data into this single provider.”

Monitoring the risks of aggregation

Such movement is becoming more common as government agencies tap data-centre providers to support their increasingly cloud-based digital services platforms.

Yet agencies must be careful not to assume that their use of panel services somehow frees them from risk mitigation, ASPI said, warning that “risk shouldn’t be outsourced, but that’s exactly what’s happening in relation to outsourced data centres.”

Australian government agencies have been hobbled by a “confused and inconsistent approach to data protection and management” that had not, the report found, provided any way to track the “compound risk of devolved decision-making on data and its protection”.

Existing data-security frameworks offered no way of evaluating or tracking this risk, ASPI said, warning that the government needed to improve its visibility of panel operations and the assessment of whole-of-government risk.

This included establishing a strategy to manage Australia’s information and data assets “as a whole, going beyond the current agency-by-agency approach.” The review found that “data and information management need to be elevated to the level at which government finances are managed to ensure top-to-bottom understanding of the implications of data-centre procurement decisions.”

Copyright © 2021 IDG Communications, Inc.
