Cloud computing, the Patriot Act and you


Published on January 20, 2011
OBJ Contributor
Ottawa Business Journal

Why firms should think twice before storing sensitive data down south

Canadian companies are being done a great disservice by the lack of available public cloud computing providers operating in Canada. Of the leading public cloud providers Amazon, Google and Microsoft, none have data centres in Canada.


by Graham Thompson

What are the main issues this creates for a Canadian corporation? The answer is twofold, but the first bit involves the U.S. Patriot Act.

To understand the impact of the Patriot Act on cloud computing, we must first understand what it is. According to the Treasury Board of Canada, it permits U.S. law enforcement officials, for the purpose of an anti-terrorism investigation, to seek a court order allowing access to the personal records of anyone without that person’s knowledge.

"Under the act, U.S. officials could access information about citizens of other countries, including Canada, if that information is physically within the United States," reads a report on the website of Canada’s Treasury Board Secretariat. "Therefore, the potential exists for law enforcement agencies to obtain information about Canadians whose information might be handled under a contract between the federal government and a U.S.-based company."

Another critical aspect of the Patriot Act that can impact a corporation, regardless of physical location, and one that’s highly cloud-specific, falls under one of the main principles of cloud computing: multi-tenancy.

Multi-tenancy is what makes cloud computing work financially for the provider, and it is what makes possible the cost savings often seen by "moving to the cloud." But the downside of multi-tenancy is that your cloud processes could be affected by actions taken by agencies under the Patriot Act against another system, corporation or person with whom you share a common infrastructure.

The good news, however slight, is that this act has never affected a Canadian entity. But that doesn’t mean it’s something to be ignored – in a recent Forrester survey of countries offering cloud-based data storage, only China, Russia, Thailand, Singapore and the United States are listed as being subject to government surveillance.

Thankfully, there’s plenty of precedent surrounding the storage of data, personally identifiable or not, in an offshore location. There have been previous privacy complaints against Canadian companies outsourcing data to American firms. None has been found by the privacy commissioner to have broken any privacy laws.

However, these companies followed the rules.

The rule is quite simple, really: if using an American cloud provider on an American-based data centre, you need to, at the very least, advise clients that data related to them will be stored in another country and offer an opt-out system.

This is clear in the Canadian-based Personal Information Protection and Electronic Documents Act, which states: "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."

But you do need to be aware that no contract can override the criminal, national security or any other laws of the country to which the information has been transferred. Specifically, the Office of the Privacy Commissioner of Canada states clearly that “organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement.”

Which brings us to issue No. 2 of using the cloud. You are accountable.

You need to be aware that in the event of a breach, you are accountable for any damages that may occur. That said, many cloud providers are audited to SAS 70, PCI and other standards. But that doesn’t mean your systems are fully patched and properly configured – in many cloud deployments, that is still something you have to do yourself.

However, the lines of justice become somewhat more blurred and complicated when dealing with trans-border issues.

Take the case of Google Gmail (a cloud-based, software-as-a-service e-mail system) and their now-public case of insider intrusion, when a system engineer employed by the firm was caught illegally accessing the e-mail boxes of users. Would your company be in a position to pursue justice against this American citizen for a crime committed in the United States on an American-based server holding sensitive Canadian content? Possibly, but at what cost?

On the whole, the examples above should give you pause and make you reflect on what data and systems are cloud-friendly and what is not, especially when hosting and processing on American-based servers.

Graham Thompson, CISA, CISSP, is vice-president for educational issues at Intrinsec Consulting.