Jun 8, 2023 | Blogs, Resources

Part 1: Canadian Sovereign Cloud: Data Security Begins at Home 

By: Craig McLellan, CEO, ThinkOn 

This is the first in a series of four articles. Each article, authored by a different Thinker, deep dives into a specific topic that underlies data sovereignty—mobility, governance and compliance, public and private sector data requirements, and value to partners and customers.  

As Canadians, we rely on public services to take care of our needs, better our lives, and keep us safe. The challenge faced by our government is how to deliver those services efficiently while ensuring the privacy of Canadians.  

Our country is unique in its vast geography, remote communities, and diversity of terrain and weather, making some services difficult to access without digital options. A Canadian sovereign cloud platform is Canada’s best solution to provide the services we need while protecting our precious data.  

The Canadian cloud difference: What is sovereign cloud and how do we deliver it?  

How do we provide the capacity, efficiency, and accessibility in digital services that governments and Canadians need?  

Turning to one of the big three foreign-owned cloud providers may seem like a simple solution, given the number of cloud applications they provide, but their company policies can be a risky proposition for government agencies that must adhere to Canadian data sovereignty regulations. Canada has unique public service needs, and we can’t afford to trust foreign actors with our sensitive data.  

Data security and sovereignty is important to Canadians. According to a Data Privacy Week survey taken by Interac Corp., “…[N]early eight in ten Canadians (76 percent) are worried about protecting their online privacy, and seven in ten (74 percent) want more control over their online information.”i  

As Canadians, we want ownership of our information, and that means understanding the difference between data residency and data sovereignty. 

When a foreign-owned cloud service provider (CSP) claims that data will reside in Canada, that can be misleading, because they are referring to servers, software, and digital components. Their supply chain management, however, is a different story. What they don’t tell their clients is that foreign-owned CSPs use offshore resources to manage and move data.  

This means that offshore governments and third parties could have access to Canadian data. If you’re managing highly sensitive data and relying on a supply chain that includes offshore elements, why risk it? 

The Canadian story 

ThinkOn was founded in 2013 to address the gap in data security as organizations migrated to the cloud. At that time, we made a commitment to three core principles: 

  • First: All our cloud computing services would be easy to understand and simple to deliver.  
  • Second: Cloud services would be transparently priced with no hidden charges.  
  • Third: Cloud services would be secure and well-supported.   

As the only approved cloud service provider under the Shared Services Canada framework agreement for secure workload we’ve gone above and beyond our promises—and that counts for a lot in a digital landscape where data security is critical to the future of our country and the protection of our citizens. Simply put, the data can’t physically leave if there’s no connection out of the country. That’s the difference between data residency and data sovereignty. 

We are a Canadian-owned and -operated company, dedicated to Canadian sovereignty and with Canadian interests at heart.  

Sovereignty on a global scale 

To meet the data sovereignty needs of its domestic organizations, governments, and citizens, every country needs a domestic cloud service provider able to deliver services that adhere to local laws and guarantee data residency and data operations.  

VMware, a global player in the cloud computing space, has developed a certification initiative for cloud providers, requiring a high standard of sovereign data services delivery in every country where they do business. According to Rajeev Bhardwaj, vice president of product management, cloud infrastructure business group, VMware, “This will allow customers to remain within sovereign regions and jurisdictional control while achieving cutting-edge transformation at scale.”ii  

ThinkOn’s Canadian Sovereign Cloud is the first VMware sovereign cloud software certified in Canada. This is significant because VMware technology supports over 90 percent of our public sector workloads. As a preferred global VMware CSP, ThinkOn is in the best position to deliver seamless migrations of virtualized workloads with full data security, both in transit and at rest, for public service clients in Canada. 

As the only protected B cloud provider in Canada, ThinkOn adheres to all VMware specifications in addition to our commitment to the federal government. That makes us stand out as an organization that lives up to both the values specified by the Canadian government, and worldwide industry practices for sovereign cloud management. 

Foreign-owned cloud providers cannot make these promises because they are subject to the laws of their own country—and because, most of the time, the data they’re committed to protecting isn’t being managed by people in Canada.  

Checking your data into the “Hotel California”  

Trusting our data to a foreign-owned cloud provider can feel like the opening to a horror flick. Everything seems bright and hopeful at the start, but there’s a pervasive doubt about what’s lurking around the corner—and it only gets worse. 

When it comes to cloud applications, most international cloud vendors offer quantity over quality. Just like checking into the Hotel California, you aren’t quite sure what the full cost will be until they have you locked in, and then you can never leave (or you can, but it will cost you dearly).  

A recent IDC report confirms that “Canadian organizations are frequently surprised by the operating costs of their workloads in the cloud. Ingress and egress costs, bandwidth, and even capacity costs can increase well beyond equivalent traditional infrastructure for frequently accessed workloads and data, especially as organizations make use of the scale afforded to them by cloud providers.”iii  

The report also cited security and return on investment as the top reasons for repatriating workloads, followed by complex governance and compliance, and IT consolidation. When your data is locked into an ever-expanding universe of costly cloud applications with no way out due to unmanageable egress fees—that’s a budget-blowing nightmare.  

Has anyone seen my data? 

The “big three” cloud providers offer an environment with multiple tools that allow you to rapidly build things, but in the process, there is a loss of mobility and portability of data. In other words, the big three hyperscalers have made it very easy to become a user and very difficult to leave.  

Most people don’t understand that until it’s too late. When you use a set of tools that are only available in one hyperscaler cloud, you not only lose the ability to leave—you lose the ability to collaborate. Multicloud computing is a growing strategy that provides organizations with options for where to move workloads to best manage security, capacity, and accessibility. With the big three hyperscalers, you lose that flexibility and mobility.  

Some applications are not designed to fit into an “elastic” box where they start to consume more resources. It’s important to ask, “Do I need to run my applications on the cloud or am I better off running in a fixed format where I can control costs better and my data might be more secure?” 

Cloud can be more expensive than a private database, but it is more flexible and offers more options for capacity and analytics. As an organization, it pays to be smart about where you choose to run applications. 

Checking up on—and checking out of—hidden fees 

You can’t leverage the power of your data if you can’t access it when you need it. That’s why access and integrity are required components of a sovereign cloud.  

ThinkOn Canadian Sovereign Cloud offers 99.999% uptime, in addition to backup and recovery protocols that meet data sovereignty requirements. This limits disruption and keeps data safe by providing reliable access. A sovereign cloud also protects data integrity to ensure data is accurate and complete.  

Data sovereignty laws place restrictions on how data travels across borders. These restrictions on data movement and sharing can limit where a company can do business if they want to avoid compliance headaches. Sovereign clouds avoid these issues by keeping sensitive data compliant while operating as part of a broader multicloud ecosystem, with portability and interoperability that supports migration and upgrades to future-proof infrastructure—all without hidden fees. 

Canada-first: Where do the humans reside? 

The issue of sovereignty comes down to who you can trust to manage your data. Foreign actors who don’t understand our sovereignty laws and requirements can lead you astray, but talking to trained compliance experts in Canada ensures that you are getting the best advice and service. It also means that you don’t get lost in a voicemail system designed to put you off from talking to a real person—a fellow Canadian who can address your unique situation. 

At ThinkOn, we offer a dedicated task force of data sovereignty experts combined with the best cloud technology to ensure that, as a resident of Canada using digital government services, you don’t have to worry about inadvertent data loss to foreign services or foreign markets.  

Protecting Canada: the bad actors lurking around the corner 

Canadian data is precious, and the consequences of letting our diligence to Canadian sovereignty lapse can be dire. A sovereign cloud provider uses multi-layered security and access controls to protect data. This prevents unauthorized access and data loss in the face of growing cyberattacks. 

The federal government recognizes the importance of a digital Canada and the need to secure our information, stating that “Canadians increasingly rely on digital technology to connect with loved ones, to work, and to innovate. That’s why the Government of Canada is committed to making sure Canadians can benefit from the latest technologies, knowing that their personal information is safe and secure and that companies are acting responsibly.”iv 

Foreign-owned CSPs may store encryption keys or metadata in offshore markets. If a non-Canadian is managing infrastructure—or has access to encryption keys or another tool that limits the ability to apply Canadian privacy policies or data control policies to operations—then the data is not sovereign.  

This can open the door to cyber breach, data corruption, or ransom attack—the evils lurking around every corner in a digital landscape. A sovereign cloud eliminates the risk that a cloud provider will hand access to Canadian data over to a foreign interest. 

Keeping Canada safe  

Canadian organizations deserve end-to-end protection from their cloud provider—protection that includes the entire lifecycle experience, including the human element. As Canadians, we need to ask key data sovereignty questions, including who runs our cloud infrastructure, what qualifications do they have, where are they based, and what offshore resources do they rely on?  

In any jurisdiction, laws evolve with the political landscape, and it takes expert compliance staff to understand and follow local and industry regulations. Sovereign cloud providers have local compliance experts to keep up with the latest laws and protect the organizations using their services.  

Cloud complexity, data management issues, and cyberattack risks are increasing faster than most organizations can keep up, and with public service budgets shrinking, we must be able to control costs while serving Canadians and keeping our data safe. A Canadian sovereign cloud provider with data residency and access contained within our country is the best defence in a free and secure Canada.  

Want to learn more about Canadian Cloud Sovereignty? Listen to the “The Canadian Cloud Difference” podcast on Canadian Government Executive Radio with J. Richard Jones and ThinkOn CEO Craig McLellan. 

Connect on Social