Protecting property such as land and buildings is not always easy, but at least it is straightforward. Physical real estate comes with documented boundaries, a specified size that doesn’t grow larger each day, and a clear line of ownership. Through a combination of locks, fencing, insurance, alarms, and perhaps even security guards, you secure what matters to you, commensurate to its value and the level of privacy and accessibility you wish the property to have.
It’s much harder to protect data. Data proliferates; it feels intangible but is highly valuable and therefore highly sought after. And while your organization is responsible for the data it collects, that data ultimately belongs to the parties from which you’ve collected it.
Data collected by government agencies and businesses include citizen data, software applications, business files, emails, voicemails, chats, digital messages (such as you’d find in Teams or Slack), and even phone calls—all of which you need to account for under the Canadian Privacy Act.
Protecting data, especially the highly sensitive data gathered by government and healthcare agencies, financial services, and enterprises, challenges those organizations to pay close attention to how that data is secured and where it is stored—especially as organizations undertake cloud-first strategies.
Shared property management
When data moves to the cloud, its security becomes the shared responsibility of the agency and the selected cloud service provider (CSP). The CSP must ensure its cloud is secure, but the agency remains responsible for its data in transit to and from the cloud and while it is in the cloud.
It’s similar to an apartment building and its tenants.
The building owner and manager are responsible for the security and maintenance of the overall building, grounds, and common areas. However, each renter is responsible for protecting the objects inside their units. While you can lock your apartment to secure your belongings, you can’t ensure that your neighbor isn’t holding the door open and letting non-tenants roam the halls looking for an opportunity to jimmy your lock.
The shared responsibility and larger span of control that comes with the public cloud can lead to fears that an agency’s security posture may be reduced, leaving data at risk.
Get to know your landlords before locking into a lease
When organizations think cloud, their first thought might be hyperscale providers. These are gigantic companies with massive global deployment. While hyperscale CSPs can store your data anywhere in the world, you have the option to isolate your data to a particular region. Regional isolation is critical for compliance with government data and privacy regulations.
Moving Canadian data outside of Canada could impact access to data and services that are vital for business continuity. And even if you designate that your data remain inside Canada, hyperscale providers pose another significant security risk.
The Government of Canada warns: “Regardless of where the cloud resources are physically located, when data is stored in a cloud environment, the stored data may be subject to the laws of other countries.”[1] Hyperscale CSPs, with global deployment, “could be required to comply with a warrant, court order or subpoena request from a foreign law enforcement agency seeking to obtain [Canadian] data.”[2] Even if a CSP operates in Canada (as do the hyperscale providers), they are headquartered elsewhere and therefore subject to the laws of another country.
“Organizations based in Canada must adhere to the laws of Canada,” says Craig McLellan, CEO of ThinkOn. “True sovereignty is important because even our closest neighbors have regulations that completely contradict the privacy and data security laws we have in place in Canada and believe are important. If you look at the U.S., for example, data is monetized in ways we consider abhorrent. So why would you put your data at risk and not rely on the laws and regulations established in our own country to protect our people and their data?”[3]
Lack of full data sovereignty means that sensitive Canadian data could be divulged to another government, potentially without the Canadian agency or business knowing. According to the Canadian government, “The issue of data sovereignty is complex and continuously evolving as foreign laws are being tested in foreign courts.”[4]
Data sovereignty isn’t just for government agencies. Many private enterprises across all industries are choosing sovereign cloud for their data storage requirements to ensure they are meeting stringent compliance obligations.
A Canadian cloud company protecting Canadian data
The ThinkOn team understands that data and operational supply chain sovereignty is a concern for all Canadians and is essential to the Canadian Federal Government and to the broader public and private sectors. As reported by CIO: “Working with a Canadian service ensures that data sovereignty, traceability, and supply chain management are in full compliance with Canadian regulations.”[5]
The ThinkOn cloud “provides end-to-end protection that follows security measures outlined by Canada’s public sector security experts, as well as major cybersecurity standards. ThinkOn’s infrastructure is regularly reviewed against internal compliance controls and regularly audited by third parties. For example, ThinkOn’s accredited SOC 2 Type 2 compliance validates that its information security measures align with best practices for reporting and control.”[6]
With cloud locations across Canada, ThinkOn is the only Canadian CSP capable of offering data sovereignty to the Government of Canada. ThinkOn has the experience and the solutions to help public sector agencies digitally transform their data under the Shared Services Canada Framework Agreement for PBMM workload.
Modernization and migration are made simpler and more secure because of ThinkOn’s use of VMware technology.
The perfect pairing: An innovative stack and a homegrown cloud
VMware recognizes ThinkOn as a Canadian VMware Sovereign Cloud partner. The VMware Sovereign Cloud initiative helps customers engage with trusted national CSPs to meet geo-specific requirements around data sovereignty and jurisdictional control, access and integrity, security and compliance, independence and mobility, analytics and innovation.
As IDC states: “Sovereignty should be thought about in a wider digital context that encompasses not just data control, but also the infrastructure and software that are created and relied upon to operate in the digital world.”[7] VMware technology supports over 90% of public sector workloads. As a preferred global VMware CSP, ThinkOn delivers seamless migrations of virtualized workloads with full data security both in transit and at rest.[8]
ThinkOn’s VMware-powered services provide a digital marketplace of enterprise-ready cloud infrastructure and data management solutions that enable complete sovereignty and privacy for Canadian data. ThinkOn is proudly Canadian, and, as such, its services align with Canadian privacy-, security-, and data sovereignty-related interests.
“We are very committed to the entire VMware stack, and as the company comes out with interesting and innovative technologies, we look for ways to complement our VMware-powered service data infrastructure,” says McLellan. “VMware does not pass its technology validations around lightly, and holding both the VMware Cloud Verified and Sovereign Cloud validation is valued by our customers.”[9]
To learn more about VMware’s Sovereign Cloud initiative, contact us:
References:
[1] Government of Canada, “Government of Canada White Paper: Data Sovereignty and Public Cloud.”
[2] Government of Canada, “Government of Canada White Paper: Data Sovereignty and Public Cloud.”
[3] CIO, “ThinkOn: Providing Sovereign Cloud Solutions and Services That Meet the Needs of Canada’s Data.”
[4] Government of Canada, “Government of Canada White Paper: Data Sovereignty and Public Cloud.”
[5] CIO, “The Canadian Cloud Difference.” https://www.cio.com/article/305849/the-canadian-cloud-difference.html
[6] CIO, “The Canadian Cloud Difference.” https://www.cio.com/article/305849/the-canadian-cloud-difference.html
[7] IDC, “From Virtualization to Sovereign Cloud: VMware Assures its Place in Europe’s Digital Future (February 2022).”
[8] CIO, “The Canadian Cloud Difference.” https://www.cio.com/article/305849/the-canadian-cloud-difference.html
[9] CIO, “ThinkOn: Providing Sovereign Cloud Solutions and Services That Meet the Needs of Canada’s Data.”