This is Part Two of the True Canadian Sovereign Cloud series. In Part One, we discussed the requirements for a Canadian-made solution to data storage. In Part Two, we take a deeper dive into the impact of data management in a sovereign cloud for Canadian businesses and public services.
A Canadian-made data management solution is a good first step on the road to true data sovereignty. Knowing that your data is being managed in-country, by and for Canadians, is a savvy way to ensure compliance and data security. But to fully explore the scope of data sovereignty, there are other questions you need to ask your CSP.
Can data mobility and foreign access put my data at risk?
The global nature of business can make your data vulnerable to foreign access. It’s common for data to be collected in one jurisdiction by a company that’s based in another and then stored in a third. Your cloud provider should be able to tell you who has access to your data. Do they use foreign third parties to move, analyze, or store data?
Using the word “trusted” to describe third-party associations can be misleading. If your CSP trusts an offshore source for any task in the data supply chain, sovereignty is lost, and your data could be subject to access by foreign governments. Their laws may, and often do, contravene Canadian laws for data security, and that means your data could be at risk.
The Government of Canada takes a very harsh view of this scenario: “A CSP with foreign operations could be required to comply with a warrant, court order or subpoena request from a foreign law enforcement agency seeking to obtain GC data…. Lack of full data sovereignty has the potential to damage the GC and third parties. Sensitive GC data could be subject to foreign laws and be disclosed to another government.”[1]
Is my data safe in transit?
Data travelling between data centres located in Canada remains sovereign, but does your cloud provider use foreign data centres to move data? Emily Jackson in a recent article for CIO magazine warns us to be vigilant, “[T]he path from Toronto to Montréal might cross through the United States, depending on how a network is configured…. Even if the information is being sent from Canada to Canada, it could flow south of the border.”[2]
While data is moving through foreign-owned data centres, it is subject to the laws of the country through which the data is flowing. Even if the data is encrypted, it could be captured and divulged to foreign interests.
ThinkOn Canadian Sovereign Cloud data centres are located, managed, owned, and operated solely by Canadians, so your data won’t be subject to foreign access at any time in storage, transit, or during access.
How “secret” are their “trusted” sources?
ThinkOn Sovereign Cloud is located in Canada, and all data is managed by Canadians with official Canadian government-approved security clearance. If your provider can’t say the same, then your data might be at risk. If your providers cannot provide proof that their contractors and data managers have official Canadian government-approved clearance, then you may be playing Russian roulette with your data.
The Government of Canada issues the following warning about data that leaves our borders: “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data. This is because there remains a risk that data stored in the cloud could be accessed by another country. The issue of data sovereignty is complex and continuously evolving as foreign laws are being tested in foreign courts.”[3]
As mentioned above, the word trusted can be misleading. Ask your cloud provider if their “trusted” sources are located in Canada and owned by a Canadian company—with Canadians managing your data. If they won’t answer or can’t tick all those boxes, their data supply chain could be putting you at the mercy of foreign governments, and that’s not a true sovereign solution.
What about compliance? Is your CSP accountable in its reporting and control?
Is your provider’s cloud infrastructure fully compliant with Canadian laws? Can they prove it? Here at ThinkOn, we use third-party auditors to continually review our infrastructure and ensure our security measures align with best practices for reporting and control.
We’ve taken steps to guarantee enhanced reliability and security all along the data supply chain, and you should expect no less from your cloud service provider.
Can your CSP guarantee full transparency?
You are entrusting your cloud provider with your most precious asset, so why are so many of them cagey about how they are handling your data? Can your provider tell you where they are storing your data? Who has access? How they handle data transit? What third parties they entrust your data to? Can they guarantee that your data will be deleted upon request—fully and completely—when you no longer need it or are required to store it?
The complexity of a CSP’s organizational structure is a big red flag. If their data chain looks like a weaving serpent, crossing borders back and forth while it travels through several contractors and subcontractors, how can they guarantee sovereignty and data security? Overly complex supply chains allow companies to hinder transparency and evade accountability.
ThinkOn guarantees transparency around who has access to your data—not just who partners with us, but also who they are affiliated with. We work with a handful of vetted partners, and we don’t hide who they are because they’re more than trusted partners—they are industry leaders, and we’re proud to work with them.
Can your CSP match ThinkOn Canadian Sovereign Cloud?
A true Canadian Sovereign cloud guarantees transparency, compliance, security, protection from foreign interests, and a supply chain that is wholly Canadian-owned, operated, and managed. Canadian governments, public service organizations, and private sector companies that need to protect their data and ensure full compliance with Canadian law must ask probing questions of a cloud service provider that claims Canadian sovereign cloud status.
ThinkOn Canadian Sovereign Cloud is an approved CSP under the Shared Services Canada Framework Agreement for Secure Workloads and the only Protected-B provider in Canada. As the First Canadian VMware Sovereign Cloud partner, we’ve achieved a high standard of accreditation as a true Canadian Sovereign Cloud. We’re proud to be 100% Canadian-owned and operated, so we can serve Canadians with a full understanding of the importance of our Canadian sovereignty.
Learn more about securing Canada’s data supply chain with ThinkOn Canadian Sovereign Cloud.
[1] Government of Canada. Treasury Board of Canada Secretariat. 2023. “Government of Canada White Paper: Data Sovereignty and Public Cloud .“ https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html
[2] CIO. Emily Jackson. 2022. “What every Canadian CIO needs to know about data sovereignty.” https://www.cio.com/article/305461/what-every-canadian-cio-needs-to-know-about-data-sovereignty.html
[3] Government of Canada. Treasury Board of Canada Secretariat. 2023. “Government of Canada White Paper: Data Sovereignty and Public Cloud .“ https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/gc-white-paper-data-sovereignty-public-cloud.html