All Roads Lead to SOCI: Addressing data security
The following is a transcription of Episode 4 of our All Roads Lead to SOCI podcast series.
Here, Jamie Morse, Head of Industry & Policy at Macquarie Technology Group, and Sonia Sharma, Partner - Commercial at Maddocks, take a deep dive into the importance of critical data and provide insights into how organisations can better safeguard their data from cyber threats.
Jamie shares some of the initiatives that Macquarie Technology Group have in place to ensure the safety of Australia’s critical infrastructure assets. The concept of sovereign data is also discussed, along with what factors organisations should consider when it comes to their data handling practices.
This episode was recorded from Macquarie Technology's Intelli Centre, 2 3 Data Centre, in Sydney, Australia.
Sonia Sharma: SOCI defines each class of critical infrastructure asset; a single critical infrastructure asset includes multiple parts which function together as a system and network. So that includes premises, computers and data. But I don't think many of our listeners, and myself included, would have been to or set foot in a data centre. We're here right now. I've cleared security. I've cleared all of those human traps, and we're right in the middle of the data centre. What are we looking at here?
Jamie Morse: Okay, well, maybe to paint a picture. So you're standing outside of a facility which is multiple storeys, I guess a very large piece of real estate. It is a heavily secured environment, both to get inside the perimeter of the site, and then again to get within the outer, sort of public halls, if you like. To get inside the data halls within the facility, there are multiple gates of security, three-factor authentication, which we need to go through. So a highly secure environment.
This particular data centre that you are standing here at today is rated by ASIO, that's the Australian Security Intelligence Organisation, to 'Zone Three', which means that it's rated to carry information of classification up to ‘Secret’. We also have facilities within the building which are rated to 'Zone Four', so they can go up to ‘Secret’ and above. To paint a picture of what you're seeing here today, obviously, you're within a very secure facility. There are two factor authentication just to get within the perimeter of the site, and multiple security gateways that you need to get through to get inside the building, and then further, three factor authentication to get into the core of the facility where the data centres, or the data halls, where the actual racks and all of the interesting stuff actually happens.
Because of those security bona fides, if you like, and various other compliance elements that we need to adhere to, from a Federal Government perspective, you are within what is called an ASIO ‘Zone Three' rated facility, so called by the Australian Security and Intelligence Organisation, which rate data centres against their ability to house classified data. A 'Zone Three' facility, which you're in today, that we can house data that is classified, up to protected, and then within the data halls here in Macquarie Park, we also have enclaves, if you like, or facilities within the facility that are rated to 'Zone Four'. We are holding data that is classified up to 'Secret' here in this facility. To get to ‘Top Secret’, that 'Zone Five', we need to add an electromagnetic field or a Faraday Box within any of the data halls and we will satisfy ASIO requirements to house 'Top Secret'. The actual physical cabling infrastructure and the network infrastructure within the building is already ready to receive up to 'Top Secret', it's really the environment that houses the racks that hold that data that refers to the Faraday Cages, or those other elements that we need to build within, within the data halls, to reach those levels of compliance.
Sonia Sharma: It was so interesting walking through all those levels of security. Personally, as a lawyer who's drafted many contracts around where data should be stored or how data should be protected, actually walking through it and seeing and feeling that security, and being subject to it myself, being within those human containments as I walked through the data centre, was really interesting and actually exciting to see.
But one of the things that's really captured my attention in the data centres is these cooling systems. It's just incredible to feel the hot temperatures, and then walk in and feel the cooling going on, there's a lot happening here to actually keep the data cold. Jamie, talk me through these really complex cooling systems that you have going on within the data centre.
Jamie Morse: Sure, so the air conditioning. It's probably relevant to talk about air conditioning and energy as sort of two sides of the same coin. All computers, as anybody who's ever had a laptop sitting on their lap will know, create a certain amount of heat, or they emanate a certain amount of heat. So keeping them cool is important to ensure that they don't overheat, they don't crash, and they're operating at an acceptable, optimal temperature, which is why data centres necessarily need to invest heavily in air conditioners to keep the data halls within that acceptable temperature threshold. Within this facility, we've actually got two different engineering concepts that are utilised to cool the different data halls that we have within our Macquarie Park facility. They are supported by a very large supply of on-site water, which we need to keep to ensure those air conditioners are running 24/7, 365. As I mentioned, energy is the flip side to the air conditioning discussion. From an energy perspective, we have on-site diesel generators which can kick in in a matter of seconds in the event of a critical incident knocking out power.
But then to operate the cooling systems, we've obviously got to have very, very robust energy guarantees. And here in Macquarie Park, it's a designated zone for data centre construction, which means we do have energy guarantees in this area. It's also why you'll see that there are a number of different data centre operators that are also present in the Macquarie Park zone.
The energy piece is a really important discussion for data centres, such that the evolution and the engineering development which is going on behind not only the data centres themselves, but also the racks within the data centres, a lot of that energy, a lot of that effort, is being applied to reducing the energy consumption right across all of the elements that go into a facility like this. And you might have seen, as part of the tour of the centre, that we showed you a liquid-cooled computer rack. That's kind of the next generation of engineering ingenuity, if you like, which will, we hope, be deployed to power the racks that support AI. They have considerably greater compute power, so they potentially run a lot hotter. Keeping them cooler, or applying more energy to keep them cool, is going to be a part of that mix. All of this is relevant and very important to the engineering effort that goes behind the design and the construction of a centre such as this one.
Sonia Sharma: It's really fascinating to see the cooling systems, the energy, the engineering that goes behind, you know, protecting business critical data, protecting these critical infrastructure assets. It's really interesting to see it actually come to life. And without naming names, Jamie, or perhaps you are able to share some with me, walking through the data centre and just thinking about all of the massive amounts of data that's being processed here and stored and kept secure, can you share details of, or name the customers, that you're helping to support within the data centre?
Jamie Morse: To answer your question specifically, well, we do have Federal Government customers here. We have state government customers here. Critical infrastructure providers are our customers as well. We have hyper-scalers here as well. And of course, we have a mix of enterprise customers from across the Australian economy.
Sonia Sharma: It's such an incredible experience to be physically walking through where this data is being held, and to be right here in Sydney and walking through it is actually quite a profound experience for me. Now, we spoke about this in previous episodes. Security, it's not just about technology. People are key.
Tell me about the Macquarie Technology engineers, the staff who are working at the data centre to keep it secure.
Jamie Morse: Well, for starters, they will be security cleared. Working with Federal Government data, as we do, we are required to employ only security-vetted personnel. So a large cohort of our business, I think it's over 200 now, have got ‘NV One’ or above security clearance. So that's going to be a very important part of the personnel that you see here. They've already been vetted by the Federal Government to work in a facility such as this.
Sonia Sharma: Jamie, we're right here in Australia right now in Sydney. And Macquarie Technology is proudly Australian. Tell me why this is important to you, this concept of data sovereignty, the concept of the data being onshore here in Australia.
Jamie Morse: Sure. I think it's part of a global trend, frankly, for governments in particular to want to be able to exert some kind of regulatory control over the data that is critical to the proper functioning of their economies and their societies. And that's certainly where we're at currently in the evolution of the Security of Critical Infrastructure (SOCI) regime, and now with the prospect of a Cyber Security Act. It's government really wanting to be able to exert some kind of regulatory compliance, some kind of regulatory oversight, some kind of control to effect a change, an uplift, where it needs to effect that change. That's really why data needs to be onshore, and in certain circumstances it needs also to be sovereign, such that an effect can be directed to it by government and applied to it by vendors such as us, in how we manage and store and protect that data.
Sonia Sharma: And now, Macquarie Technology has been quite vocal on its position about the regulation of business critical data under the SOCI Act, the fact that, in your view, the definition of business critical data is perhaps not wide enough, and the fact that the SOCI Act doesn't provide enough protection where data is stored offshore. Why is this so important to you?
Jamie Morse: Yeah, look, over the previous iterations of SOCI there was discussion about wanting to not create a perverse loophole for critical infrastructure providers to see a way out of having to comply with SOCI by moving their data offshore. And that still exists, we believe, in certain circumstances. And it shouldn't be there, even by accident or much less by design, that there be an incentive, a perverse incentive, to move data offshore to avoid compliance with the Act, given the intent behind the Act, which is, you know, we think it's in the national interest that data should be governable, such as I mentioned, that the government can direct uplift and compliance regulations against that data, the data that really our economies and our societies rely on for proper functioning.
If there's a perverse loophole that will allow critical infrastructure operators, or maybe incentivise them in some way, to move that data offshore, we think that's a problem. And again, we think it's a problem not from a security perspective, but from a governance perspective. If it's offshore, it's going to be much harder for the Australian Government to do anything about it, and it's going to be much harder for, frankly, the critical infrastructure operator to be able to direct any kind of security compliance or governance uplift, such that it might desire to do just in the interests of safe and ongoing functioning of its assets.
Sonia Sharma: Jamie, I think to put that into a picture, you and I sort of stepped through this, through the legislation. If we've got an energy provider, or a regulated entity, and they've sub-contracted some services to another provider, and that data is then stored offshore in, say, Sri Lanka, or somewhere like that. Under SOCI as it currently stands, there are some loopholes around the protection of that data and whether it's sort of in the scope of the SOCI Act. And I think it's going to be interesting to see whether there are changes to the legislation to effectively protect that data, because it is a strange outcome that data, from a critical infrastructure asset perspective, if it ends up offshore, doesn't sort of attract the same level of protection that it would if it was onshore.
Jamie Morse: Yeah, it's a really good point. And I think what the regime is trying to do is put the obligation on the critical infrastructure asset owner or provider to make sure that that doesn't happen, and I think that that's the right direction for the legislation to go. That CIs, either knowingly or unknowingly, do not allow an offshore service to exfiltrate data that is critical to the operations, and the effective operations, of the organisation running the asset, or the asset itself; that they have a responsibility to know where the data they rely on is being held, both in transit and at rest, and do their level best to ensure that that data is always and forever in Australia, such that it can be regulated, as I mentioned earlier.
And I think that intent of the legislation is exactly the direction that it needs to be going as to whether or not, you know, it's starting to have that effect. I feel like it is starting to have that effect, but even so, a question that we often ask of organisations that we engage with, whether they be critical infrastructure or not, is, do you know where your data is?
And certainly in the case of software applications that, you know, they will utilise as part of their digital transformation, in many cases they don't know. And you can well imagine we're getting up to speed here, right? We've only been having this discussion about data onshoring for 24 months, maybe. Many of the CI organisations that are subject to SOCI will have availed themselves of digital transformation tools going back 5-10 years, maybe. So this discussion is just really getting up to speed with where your data is versus the digital transformation that you may have undergone over the last decade. They're starting to merge, and they're merging in the context of the SOCI regime.
Sonia Sharma: That’s certainly been our experience advising clients as well: that there's still some work to do to understand where your data is being stored, particularly when you're using third party providers. There's still work to be done by many on that.
But let's look at current obligations. Responsible entities for a critical infrastructure asset are required to notify their third party data storage or processing provider that the provider is storing or processing business critical data for a critical infrastructure asset.
If we take that example and bring it to life, let's say a university, which is a critical infrastructure asset, has a program of research, and that might be focused on, say, the Australian Defence Force or something like that. That university has a contract with Macquarie Technology for the provision of cloud storage for data relating to that research. The responsible entity for that uni is required to notify you that you're storing that business critical data. In your view, do you think organisations have complied with that obligation, or do you think many are yet to properly undertake that process and notify?
Jamie Morse: I couldn't give you a confirmation on yes, they all are, or no, some aren't. I don't know, in terms of all of the customers that we have who fall under the SOCI regime, whether or not all of them are. But what I will say is that it's something that we're so alive to, I would be very, very surprised if that wasn't a discussion with the customers that we are engaging with who fall under the regime. It's a bit like, you know, we're sort of flocking together the folks who are subject to the regime, and we're kind of 'all in this together'. And I think that there is a sense now of comradeship, if I can use that word, in terms of the compliance obligations that we're required to adhere to. It's just so top of mind that I can't imagine it not being an active discussion for us, individually or even sector by sector as well. I know from first-hand experience that CIs within the 11 sectors are organising themselves, if you like, around their compliance obligations: energy, transportation, food and logistics.
They're going through it at a sector level, and then they're going through it at a cross-sector level as well. And the data storage and processing sector, which we are part of, has a horizontal effect across all of those sectors. So in a way, it's sort of like the blood that is running through everybody's veins in this discussion. So we get to see how these discussions are maturing in each of the different sectors that are affected by SOCI in a way that perhaps some of the others don't. They don't get that opportunity, but we do, because, as I say, we've got that horizontal effect across all of them.
Sonia Sharma: Just speaking to that practical point, data categorisation: it's a difficult process for entities to undertake, and you certainly need to be able to do that under SOCI to identify what is business critical data. But practically speaking, that seems like a challenge. How is that piece being played out? Is there data segmentation, and being able to identify and categorise that data as business critical and then protecting it differently? Is that what's occurring? How is it practically playing out?
Jamie Morse: It's a very live conversation, the definition of what business critical data might mean to different organisations. It's a really good question that has been the subject of much discussion in the consultations currently underway around the SOCI review, and that is that the business critical data definition might mean different things to different organisations in different sectors, or even in different use cases.
For example, an AI tool which might help to increase productivity of an energy grid, or, you know, a water or sewage provider, all of these things, they could potentially be swept in under the regime because they are managing what would be defined as business critical data, such that it's affecting the operations of those critical infrastructure assets. I think there's a bit of work to be done to define not just the current use cases of what business critical data is, but the future use cases as well. And I think, you know, if there's a beauty in SOCI that sort of appeals to the current state in which we're in, it's that it's an ever-evolving space. And I think we've already spoken about that before, that we would anticipate some sectors to grow and some to drop off in the coming years. The beauty of SOCI is that it will evolve. And I think the best that we can do at the moment with regard to that question of business critical data is to just put our thinking caps on as to what the future state for that might look like. But of course, you know, if there's any doubt, the best advice we can give to anybody is just onshore your data and onshore your digital transformation tools, such that you can have full confidence that if you need to effect any change to reach your compliance under regulation, you can do that.
Sonia Sharma: That sounds like having that really deep understanding of your providers and data mapping is just absolutely critical. There's been a lot for Australian organisations to do when it comes to managing data, and SOCI, for those who are regulated by it and for those supply chains that are impacted by it, adds an additional layer to that, and rightly so, because its purpose really is to ensure critical infrastructure assets are protected and resilient to disruptions that would severely impact Australia's society and economy. Do you get a sense that entities are struggling with the new regulations, or these increased regulations?
Jamie Morse: I think there's a lot to unpack with that question, because there are so many different layers that are involved in meeting compliance in an organisation, any organisation, almost, you know, with any law where security is concerned; you've got lots of different layers. There's the legal layer, the governance layer, there's the operations layer, there's the sales layer. Everybody has a stake in understanding and implementing what that compliance uplift necessarily needs to look like. So I think to answer your question, it depends who you speak to, organisation by organisation. I couldn't say hand on heart that there are any organisations that I'm aware of that are really struggling with the regulatory uplift where SOCI is concerned. But sure, I could tell you that there are people like me, and people in the corporate legal fraternity who are involved in the consultations around SOCI, who are still expressing concerns; that's, you know, that's not a state secret. Operationally, having to uplift, or having to find ways to reach increasingly onerous compliance obligations.
You know, the folks who do that within organisations such as ours, we're talking about the IT, the ITSAs, certainly in organisations like us, you know, we employ lots of ITSAs, which is IT Security Administration managers. They are having to stay across shifting compliance regimes across all manner of areas, whether it's ISO, whether it's the Essential Eight, whether it's DISP (Defence Industry Security Program) if you're working with defence. There's just so much going on there that they will be relatively agile in how they're responding to SOCI, whereas others in their organisations may be less agile.
Sonia Sharma: I think something that we've spoken about on our series 'All Roads Lead to SOCI' is that the organisations that we see do well with these reforms, and the evolution, are those where there's a culture of security as a priority. You know, data as a priority. Building that culture is so key as we move into a space where cyber security threats are so dynamic, and in order to be agile, that culture within an organisation is just so critical.
Thank you for taking me through the data centre. Being here physically, feeling the heat, feeling those cooling systems, the changes in temperature, walking through the security checks even just to get anywhere near them, has given me a great sense of confidence to know the security that goes behind ensuring this data is safe right here in Sydney. And it just brings to life the volume of information and data that we're processing, and the steps that critical infrastructure organisations really need to take when it comes to keeping their data safe and secure.