Over the past few months, the Treasury Board of Canada has quietly been developing a government-wide policy on the use of cloud computing services. The initiative started with an industry engagement event in November that highlighted many of the issues faced by the government. Following that event, the government issued a cloud computing Request for Information that asked the industry to provide detailed information and recommendations on the government’s approach. The deadline for submissions to the RFI closes today. Unfortunately, the public is unlikely to gain access to the submissions as the government has promised to keep confidential the information it receives.
The government’s cloud computing RFI provides considerable insight into its current thinking. Of particular interest are the privacy implications of using cloud computing services, particularly where the data is either hosted outside the country or by foreign-owned organizations. While the consultation asks the industry for its views on these questions, the document features proposed contractual clauses that address encryption and data storage. These include:
The Contractor must encrypt all non-public, personal and sensitive data and information in transit to the Cloud during the life of the Contract and 90 days after termination.
The Services Provider (the Contractor) must not store any non-public, personal or sensitive data and information outside of Canada. This includes backup data and disaster recovery locations.
The Contractor and/or any and all subcontractors must ensure that all the databases used by organizations to provide the services described in the Contract containing any Personal Information, related to the Work, are located in Canada, the United States (US), the European Union (EU) or in the following additional countries with which Canada has a Bilateral and Multinational Memorandum of Understanding and Industrial Security Arrangement: Australia, Israel, New Zealand, Norway, and Switzerland.
The government apparently hopes to conclude its process with a fully-developed cloud computing usage policy by the summer.
It’s a bit too bad that they asked the “industry”, meaning the suppliers, rather than the “community”, including the people using it.
For example, GTALUG CAG might have proposed “The Contractor must ensure the customer can encrypt all non-public, personal and sensitive data and information before transfer to the cloud, using a provided, standard-conforming and certified product and a key not known to the cloud supplier”.
[GTALUG CAG is the GTA Linux User Group’s “Community Outreach Group”]
It has to be decrypted to work with the data. This is about cloud computing, not just cloud storage.
Encrypted or not, it’s about keeping the data in Canada, so the problem is still about keeping non-authorized entities from accessing it.
I would have a couple of specific questions for contractors to address.
One is how the contractor intends to keep the NSA from getting access. I’m remembering that Canada is one of the five eyes, so if the data gets into the hands of the Canadian Security Intelligence Service somehow, then it will be leaving the country. This could take a bit of work for a contractor to answer honestly.
Two is how they will keep data safe from hacking through software vulnerabilities. I’m afraid that honest answers might also be difficult in this regard because of the silent contracts they may have with their own upstream providers. (see next)
Illegal access through vulnerabilities is increasing and becoming better funded. Based on the past performance of the operating systems from the American Company, Microsoft, a Canadian Government department running that could be considered downright negligent in this day and age. I’m not a Linux fan myself (prefer FreeBSD) but whatever solution should have a track record of security. I suggest they use a Canadian OS like QNX which has been around since 1982 and has a solid reputation in the enterprise world as being one of the finest, most stable, and mature. The Canadian government should support Canadian business. Using an American OS, and a very insecure one at that, is an insult to the Canadian people.
The scope of the RFI was unfortunately extremely broad, is not specific to cloud computing per se (self service, on demand, pay-per-use utility compute automate-able via APIs) but covers hosting and web applications as well. Basically anything on the internet. From a policy perspective, this may be good to start with more universal approaches.
My concern however is that the government does not set up a framework to distinguish between traditional hosted applications and infrastructure, and transformative utility cloud services. Ultimately, pioneering work in the UK has shown that this is a procurement game, and established vendors are looking for ways to continue to sell software and products regardless of how much they are used (shelfware) while costing the taxpayers tons. Even a company like SalesForce who markets themselves as a poster child for cloud tries to sell user subscriptions whether there is an active user or not. Contrast this to Slack that detects inactive users and automatically credits you.
That aside, as long as political borders and the speed of light don’t change, there will be significant economic and data security advantages to use Canadian based cloud services, and there should be clear policies that outline why and when it is appropriate. Looking forward to hearing more!