Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Friday, 28 June 2019 11:04

Anger, caution over AWS deal with Canberra Featured

Anger, caution over AWS deal with Canberra Image by Narcis Ciocan from Pixabay

Reaction to the awarding of a whole-of-government cloud services deal to Amazon Web Services, the second big contract to go to the American company in two months, after the 2021 Census was handed to it, has ranged from muted to outright anger.

The $39 million contract, decided after a limited tender, will run until the end of April 2022, and has been awarded by the Digital Transformation Agency.

Asked for his reaction to repeated instances of overlooking local companies, Ron Gauci, chief executive of the Australian Information Industry Association, told iTWire that his understanding was that the deal announced on Thursday was the consolidation of a number of services being offered by the same company.

"The AIIA is always supportive of local industry and we advocate that government give as much business as possible to local companies," he added.

Gauci said that the whole amount that the government was spending on such services was far in excess of the figure that would be paid to AWS for the life of this contract — $39 million till April 2022 — and that there was scope for local firms to also get a share of the pie.

The Australian Computer Society was also contacted for its reaction, but said it had no comment.

AWS is one of six providers that is certified as a Protected cloud provider by the Australian Signals Directorate, which means it can host top-secret government data.

But there are three Australian companies among those six: Vault (formerly Vault Systems), SlicedTech and Macquarie Government have been certified to the Protected level and went through much tougher tests before being granted the tick of approval.

The AWS service that is certified is the same as the commercial cloud service that is offered to every entity on the face of the earth. In the US, the AWS cloud service offered to the government has to be air-gapped, have top-notch encryption and controlled metadata, and only on-shore security-cleared personnel can operate the facility.

In April, the government issued a hosting strategy that "provides a new framework that strengthens data sovereignty, supply chain and data centre ownership provisions to increase security, protect privacy and improve resilience of data infrastructure".

There are three aspects when it comes to data sovereignty – the physical aspect, the operational aspect and the legal jurisdiction aspect. Physically, the data that conforms to the hosting strategy would have to be stored within Australia.

AWS does not conform to this requirement, having told the ASD in advance that it would be offering only the same commercial service that it offers to everyone else. In operational terms, too, there would appear to be an issue as personnel from outside Australia, who have no Australian security clearance, would be handling Australian data structures for both Microsoft and AWS.

But apparently, the government has no issues with this aspect of the AWS service.

A number of IT professionals whom iTWire contacted expressed anger at the way government contracts always seemed to be awarded to foreign companies. But none of them wanted to go on the record, not even anonymously, as they feared reprisals.

One industry source summed up all their feelings, saying: "The DTA is boasting that it has done these deals to roll out the red carpet to five companies — Amazon Web Services, SAP, Microsoft, Concur and IBM — not one of them Australian."

Government Services Minister Stuart Robert mentioned the ongoing contracts with these companies, saying: "Volume sourcing agreements have now been established with Amazon Web Services, SAP, Microsoft, Concur and IBM, which have led to significant savings for taxpayers."

The industry source added: "Does no one in the organisation [DTA] see a problem with this? They go out of their way to make it easy for these companies — all of which have dubious records when it comes to paying tax — and not one Australian company gets the same special treatment.

"Can you imagine the US Government, or any other government for that matter, bending over backwards to advantage overseas competitors in selling to their governments? Most boast about doing the opposite and trying to help their local industry grow."

Update, 2 July: An AWS spokerperson sent the following response: 

Census 2021: was an open tender approach to market that was contestable and ultimately contract award was to PWC (the contract is with PWC and wasn’t ‘handed’ to AWS)

Data sovereignty: AWS fully complies with data sovereignty security controls. AWS has received PROTECTED certification for 42 services, which explicitly states that customers must select the AWS Sydney region to comply with local data sovereignty requirements for PROTECTED compliance. AWS facilities in the Sydney region have been SCEC assessed at Zone 3 which meets the physical security controls for the storage of PROTECTED information. AWS does not move customer data without permission or as required to provide the services or permitted by law. The ACSC certification report goes in to further detail of ISM controls that relate to data sovereignty and physical security of Australian data centres.

Operational access by non-Australian citizens: AWS fully complies with foreign national data access controls. AWS operational staff do not access customer data in their day to day roles. The ACSC certification report explicitly addresses this risk through a layered risk management process that includes privileged access process, encryption of data in transit and at rest, rigorous employee screening checks that have been independently evaluated by ACSC and explicit guidance on storing all data in the SYD region. ACSC certification report and Consumer Guidance provide further advice.


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments