The Treasury Board of Canada is creating a government-wide policy on the use of cloud computing services. It has asked for input from the industry, but already this journey is taking some interesting directions.
“Of particular interest are the privacy implications of using cloud computing services, particularly where the data is either hosted outside the country or by foreign-owned organizations,” writes Michael Geist, a law professor at the University of Ottawa. Indeed, proposed contractual clauses address encryption and data storage, as well as rules about where the data can reside.
Per the Treasury Board's industry request:
The services provider (the contractor) must not store any nonpublic, personal, or sensitive data and information outside of Canada. This includes backup data and disaster recovery locations.
This kind of request is not unique to Canada. Some European countries also won’t allow certain types of data to leave the country. However, Canada has been open about using technology from the United States in the past, so a Canada-only request is unusual.
One likely reason is the PRISM scandal, where a massive, global Internet spying effort on U.S.-hosted data by the U.S. government was revealed. Another potential reason is the continued lack of clear policies around the U.S. government’s ability to search online data. Even our close neighbor to the north is skittish about leaving certain types of data on U.S.-based cloud servers.
Although the concerns here are understandable, the Canadian government may discover it’s hard to find enough local points of presence to satisfy such regulations. If you’re moving to the cloud, you’ll likely want to do so with the larger and more popular U.S-based providers. If you’re moving to a larger, more popular provider, it is likely to replicate data across borders. In some cases, you might know it is happening. In other cases, you’ll have no clue.
The reality is if you move to a multinational cloud provider, such as Amazon Web Services, Google, or Microsoft, the ability to secure the data depends on the processes and technology. If you think it's sufficient to leave data on servers where you happen to know the physical address, you’re fooling yourself.
However, IT organizations tend to think in primitive ways when it comes to data security. If it’s local, it’s safe; if it’s remote, it’s not secured.
But in recent years, local server safety has proven to be only a myth. Go ask Sony Pictures, Home Depot, and Target.