The majority of Canadian business decision-makers (52 per cent) have their heads in a cloud – they are actively working to harness the power of cloud computing, according to new research from Microsoft Canada Inc.
But the same study also shows that while Canadian executives may be eyeing the benefits of cloud-based data processing and storage, their concerns about security persist: more than half of those surveyed said they had concerns about data in the cloud, with only 35 per cent saying they feel their data is safer there. Nearly half also said they wanted a local data centre that provides them with more control over their data.
That said, 85 per cent of Canadian businesses recognize they are failing to take full advantage of perceived benefits from the new technology, even though roughly half of the 700 senior level business decision makers surveyed believe doing so would help their business stay competitive.
Asked to help unpack this apparent contradiction between perceived business benefits and security concerns, Microsoft’s National Technology Officer John Weigelt acknowledged the hesitancy could be triggered by issues of ‘data sovereignty’ and the need to have both data storage facilities and IP networks running between them here at home.
“Microsoft employs a ‘defense in depth’ approach to security with a variety of complementary controls to protect customer data from a security and privacy perspective,” he explained. Microsoft Canada Data centres ensure that content entrusted to the company by its enterprise customers “remains at rest in Canada.” Data availability is supported by distributing a customer’s content across multiple computers, and Weigelt added that “the copies required to support this capability also remain in Canada” with the data being “encrypted in transit between customers and between our data centres.”
It’s all part of the plan, certainly, as Microsoft moves to deliver commercial cloud services from Canada (Azure, Office 365 and Dynamics CRM Online services will be delivered from Toronto and Quebec City in 2016).
“Soon, the Microsoft Cloud will be truly Canadian,” said Kevin Turner, Worldwide Chief Operating Officer, Microsoft, who was in Toronto earlier this year to make the announcement. He described how the company’s substantial investment in cloud service capacity from data centres on Canadian soil would open up significant new cloud-based possibilities, especially for organizations that must adhere to strict data storage compliance codes.
The data centres in Toronto and Quebec City will be the first Microsoft cloud locations in Canada, and help the company deliver cloud services already used by about 80,000 Canadian businesses, previously served by Microsoft data centres outside of country.
Now, while customers will have assurance that their content data is stored in Canada, Weigelt also noted that the “routing of traffic between customers, the global Internet and data centres depends heavily on … local connectivity. “
That’s due to the fact that data on its way to or from the cloud may travel through other countries, and may be subject to the laws of those jurisdictions.
Knowing just where in the cloud data goes and how it gets there is a key contractual consideration for cloud users and service providers alike: business agreements, service contracts or peering arrangements can be used to help spell out multi-national data considerations.
So, too, a Canadian developed website and interactive tool called IXMaps, that lets users track the route their data takes when heading to an intended destination.
With support from the Canadian federal privacy commissioner, researchers there have shown that data sent from one Canadian location to another Canadian location nevertheless crosses borders and jurisdictions on its way.
Certainly Microsoft is aware of this, as are other companies serving the data needs of Canadian businesses, like Canadian Web Hosting.
The company now has its own dedicated network backbone across Canada to support its Web-hosted and cloud-based customers.
A company than owns and runs its own network (CWH says it’s the only one in Canada) is well-positioned to prevent its data moving onto the public Internet, and to increase security.
The multi-million dollar investments poured by CWH into the network were made “so our customers no longer have to settle for legacy networks designed in the late ’90s, second-tier bandwidth, or connections owned by American companies that continue to flow through cities like Chicago or Seattle and being routed back into Canada,” said Canadian Web Hosting’s Chief Strategy Officer, Matt McKinney.
It’s a common thread in the cloud.
Many industry groups and organizations tell companies having or making cloud computing arrangements that they need to be aware of, and sensitive to, the differing data protection rules of each country their data may travel through.
The Payment Card Industry Security Standards Council has published guidelines for protecting sensitive data in the cloud. And while it was written to protect credit card information, the same concepts apply to any data stored remotely.
The challenge organizations face when storing data in the cloud is that they lose an element of control, the Council says, and therefore important security and privacy issues are raised by cross-border data flow.
And as an interdisciplinary team of researchers from the University of Toronto has reported, data being stored, processed and/or routed in the cloud may travel outside of Canadian jurisdiction, and therefore lose important Canadian legal and constitutional protections.
The results of a year-long study are reported in Seeing Through The Cloud: National Jurisdiction and Location of Data, Servers, and Networks Still Matter in a Digitally Interconnected World, released earlier this fall.
It states plainly that legal foundations for claims that the data of Canadians receives similar levels of protection from access by government agencies when stored in or transit through the United States or other countries “are fundamentally flawed.”
Flawed, and in flux.
Debate and discussion is still swirling around the multilateral trade deal known as TPP, struck by the Trans Pacific Partnership of countries in which Canada is a member. Many parts of the deal are not yet fully understood or well-known, but leaks from the agreement and the negotiations that led to it have indicated it includes such ‘cloudy’ text as:
“No Party may prevent a service supplier of another Party from transferring, accessing, processing or storing information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.”
In response, some industry initiatives are pushing for new ‘data rights’ at national and international levels, such as the need to have one place of contact for data regulation and possible restitution; a requirement that companies and organizations must notify such an entity about series data breaches within 24 hours; and the right to data portability, which would give data owners the ability to move their assets from one provider to another should privacy, safety or jurisdictional concerns arise, without undue commercial penalty.
How new rules and regs will affect the Canadian cloud remains to be seen, as Microsoft’s Weigelt noted, “[T]here are no Canadian specific standards or certifications” for the safe handling of data, so “Canadian customers adopt and rely upon internationally recognized certifications such as ISO 27001, SSAE 16 (SOC I and SOC II), ISO 27018 (cloud privacy standard) as well as PCI and even industry specific certifications such as HIPAA and FEDRAMP. Microsoft’s cloud services meet some of the most rigorous international standards for privacy and security, and have been adopted by leading businesses in highly-regulated sectors.”
As the Microsoft cloud survey reveals in a somewhat sobering manner, corporate spending on security is very low here even though businesses know they should be spending more – 52 per cent say they are spending less than 20 per cent of what they should be on security.
Still, more than half of respondents said that businesses will need to move to the cloud to better offer their products and services. With that prediction on the horizon, one hopes increased safety, security, national investment and legislated protection will be a big part of the online weather forecast.
# # #
The Canadian cloud study was conducted on behalf of Microsoft Canada by Northstar, a globally integrated insights consulting firm, among 700 C-suite executives in Canada. Margin of error is +/- 3.7 percentage points, 19 times out of 20.