Cloud Security for Canadians
CLOUDS, PIPEDA, PATRIOT and YOU.
Canadian companies are being done a great disservice by the lack of public cloud computing providers operating in Canada. Of the leading public cloud providers (Amazon, Google, Microsoft), none has data centres in Canada.
The issue for a Canadian corporation looking to the cloud? The American PATRIOT Act, which allows federal agencies the right to access a system and the data stored on it without a warrant. This has many Canadian companies concerned. The good news, however slight, is that a Canadian entity storing data (cloud or otherwise) in the United States has never been subject to the data access section of the PATRIOT Act.
If you use an American cloud provider with an American-based data centre, you need to, at the very least, advise clients that data related to them will be stored in another country and offer an opt-out system. This is clear in the PIPEDA act.
"An organization is responsible for personal information in its
possession or custody, including information that has been
transferred to a third party for processing. The organization
shall use contractual or other means to provide a comparable
level of protection while the information is being processed by a
third party."
- Schedule 1 of the PIPEDA act.
Now, is it impossible to run your services on a U.S.-based cloud? Not at all. There are previous examples of Canadian companies outsourcing data to American firms. None have been found guilty of breaking any privacy laws. However, these companies followed the rules: they advised clients that data related to them was being stored in the United States (or elsewhere). So, for the most part, unless you are a government department, you are most likely fine operating in the cloud. However, you should engage a professional services firm proficient in cloud security to discuss your options. Discussing the matter with a cloud security firm will address the confidentiality, integrity and availability of data, all of which are impacted by moving to the cloud.