Asked for his reaction to repeated instances of overlooking local companies, Ron Gauci, chief executive of the Australian Information Industry Association, told iTWire that his understanding was that the deal announced on Thursday was the consolidation of a number of services being offered by the same company.
"The AIIA is always supportive of local industry and we advocate that government give as much business as possible to local companies," he added.
The Australian Computer Society was also contacted for its reaction, but said it had no comment.
AWS is one of six providers certified as a Protected cloud provider by the Australian Signals Directorate, which means it can host top-secret government data.
But three Australian companies are among those six: Vault (formerly Vault Systems), SlicedTech and Macquarie Government. They have been certified to the Protected level and went through much tougher tests before being granted the tick of approval.
The AWS service that is certified is the same as the commercial cloud service that is offered to every entity on the face of the earth. In the US, the AWS cloud service offered to the government has to be air-gapped, have top-notch encryption and controlled metadata, and only on-shore security-cleared personnel can operate the facility.
In April, the government issued a hosting strategy that "provides a new framework that strengthens data sovereignty, supply chain and data centre ownership provisions to increase security, protect privacy and improve resilience of data infrastructure".
There are three aspects when it comes to data sovereignty – the physical aspect, the operational aspect and the legal jurisdiction aspect. Physically, the data that conforms to the hosting strategy would have to be stored within Australia.
AWS does not conform to this requirement, having told the ASD in advance that it would be offering only the same commercial service that it offers to everyone else. In operational terms, too, there would appear to be an issue as personnel from outside Australia, who have no Australian security clearance, would be handling Australian data structures for both Microsoft and AWS.
But apparently, the government has no issues with this aspect of the AWS service.
A number of IT professionals whom iTWire contacted expressed anger at the way government contracts always seemed to be awarded to foreign companies. But none of them wanted to go on the record, not even anonymously, as they feared reprisals.
One industry source summed up all their feelings, saying: "The DTA is boasting that it has done these deals to roll out the red carpet to five companies — Amazon Web Services, SAP, Microsoft, Concur and IBM — not one of them Australian."
Government Services Minister Stuart Robert mentioned the ongoing contracts with these companies, saying: "Volume sourcing agreements have now been established with Amazon Web Services, SAP, Microsoft, Concur and IBM, which have led to significant savings for taxpayers."
The industry source added: "Does no one in the organisation [DTA] see a problem with this? They go out of their way to make it easy for these companies — all of which have dubious records when it comes to paying tax — and not one Australian company gets the same special treatment.
"Can you imagine the US Government, or any other government for that matter, bending over backwards to advantage overseas competitors in selling to their governments? Most boast about doing the opposite and trying to help their local industry grow."
Update, 2 July: An AWS spokesperson sent the following response:
Census 2021: was an open tender approach to market that was contestable and ultimately contract award was to PWC (the contract is with PWC and wasn’t ‘handed’ to AWS)
Data sovereignty: AWS fully complies with data sovereignty security controls. AWS has received PROTECTED certification for 42 services, which explicitly states that customers must select the AWS Sydney region to comply with local data sovereignty requirements for PROTECTED compliance. AWS facilities in the Sydney region have been SCEC assessed at Zone 3 which meets the physical security controls for the storage of PROTECTED information. AWS does not move customer data without permission or as required to provide the services or permitted by law. The ACSC certification report goes into further detail of ISM controls that relate to data sovereignty and physical security of Australian data centres.
Operational access by non-Australian citizens: AWS fully complies with foreign national data access controls. AWS operational staff do not access customer data in their day-to-day roles. The ACSC certification report explicitly addresses this risk through a layered risk management process that includes privileged access process, encryption of data in transit and at rest, rigorous employee screening checks that have been independently evaluated by ACSC and explicit guidance on storing all data in the SYD region. ACSC certification report and Consumer Guidance provide further advice.