A major datacentre project for northern region district health boards is described as "at risk" due to delays in Spark-owned datacentre provider Revera achieving infrastructure-as-a-service (IaaS) recertification.
At issue are a number of security concerns.
Revera, now CCL, is one of three providers on the Department of Internal Affairs' (DIA) infrastructure as a service (IaaS) panel, the others being Datacom and IBM.
An update on digital health projects published by the Ministry of Health late last year reported that a Northern Region Datacentre (IaaS) project was running seven months late "due to delays in the Revera recertification".
The project was coded red on a green-amber-red "traffic-light" scale and its confidence rating described as "at risk".
DIA told Reseller News there are two components to Revera's IaaS offering that need to be recertified: the physical security of one of its three datacentres and the infrastructure services provided from all of them.
"Revera has three datacentres – two of these have current physical security certifications and the other one is due to complete a new certification in the first quarter of this year," DIA said.
"The recertification of Revera’s IaaS services delivered from those datacentres requires further work on risk remediation to meet the requirements for certification.
"Revera is fully committed to remediating these risks and meeting the full certification requirements."
There has been no impact to either of the other two all-of-government IaaS panelists.
"A Revera commissioned independent review of the IaaS is currently underway," said the Ministry of Health report.
It was anticipated that the business case for the datacentre project would be approved by the remaining DHB boards (Counties-Manukau and Waitemata) in October/November 2019.
However, that has not happened.
"Due to Revera losing its DIA accreditation in August the remediation work is well underway in order for DIA re-certification in early 2020," the report said.
The expected revised business case approval and contract execution date had at that stage been pushed out to March/April 2020.
Progress against the project plan was impacted by other factors as well as Revera's troubles, including delays completing a counterfactual review, an affordability analysis and a cost reduction analysis and negotiations.
Those issues were further compounded by the provider's need for recertification.
"The progression of service establishment and the migration business case is dependent on Revera being re-accredited," the report said.
Jane Kennedy, general manager for all-of-government services delivery at Internal Affairs, told Reseller News in a statement that, as the lead agency for IaaS, DIA's focus was on working with providers to ensure good security practices were in place and risk was appropriately managed.
While DIA certifies ICT shared capabilities, she clarified, agencies accredit the service for their own use.
"The accreditation process is performed by agencies to determine if the risk position of the service is appropriate for their use," she explained.
Revera’s IaaS capabilities were due for recertification by DIA in 2019, she said. The certification audit identified risks in a number of areas that needed improvement.
"We continue to work closely with Revera to ensure the outstanding issues are resolved so that full re-certification can be completed by June 2020."
The focus was to ensure good security practices were adopted and implemented across DIA's suppliers, Kennedy said.
DIA uses the NZ Information Security Manual, issued by the GCSB, as the primary reference for security requirements. Its approach is risk-based rather than compliance orientated.
"We focus on monitoring risk in a constantly changing threat landscape, working with suppliers in managing their services," Kennedy said.
Andrew Allan, CEO of Revera/CCL, said achieving recertification was a top priority for the business, and the company was committed to completing the necessary work as quickly as possible to continue its long-standing government relationship.
Allan said that in line with DIA's contract terms, Revera/CCL went through an audit of its government IaaS datacentre services.
It was determined that some items needed to be addressed before recertification could be granted.
"We are working closely with the lead agency to complete recertification in the coming months," Allan said.
During this process, Revera/CCL’s IaaS datacentres "remain certified, or in the process of being certified" by DIA, he said.
"Eligible agencies can continue to consume existing services and deploy new services, if they deem it appropriate."
Any service improvements and technology updates made as a result of the audit will automatically be available to new and existing customers.
DIA confirmed agencies were free to use Revera’s IaaS offering.
"Based on an agency’s business context and risk appetite they can use a service that requires certification. As part of an agency’s certification and accreditation process, they need to conduct a risk assessment and determine if they need to implement risk mitigating or compensating security controls to ensure the associated risk position of the service is appropriate and accepted by the business."
The department said it advised consuming agencies that there would be a delay to the re-certification of Revera’s IaaS last August.
"Revera is fully committed to remediating these risks and meeting the full certification requirements," Kennedy said. "Evidence of this was provided through a letter of commitment from Revera’s CEO.
"As lead agency, we have kept consuming agencies informed on how remediations are tracking.
"In December 2019, agencies were advised there were no major issues in relation to the work programme and that Revera/CCL will be starting their security audit in February, with the target for re-certification being the end of June."
Northern region shared ICT services provider HealthAlliance, which appears to be managing the datacentre project, declined to comment.
However, in its 2019 annual report it described the project as involving the relocation of datacentre services from regional hospital premises to a "state-of-the-art third-party data centre, reducing risk and providing a modern, safe, and secure computing environment for the future."
One other project in the Ministry of Health's report was also coded red: the National Child Health Information Platform (NCIP). However, that project's confidence rating was green for "achievable", as opposed to red for "at risk".
The main challenge there appeared to be inconsistency of data from feeder systems.