By: Paul West, Director, Global Public Sector at ThinkOn
This is the second article in our series on data sovereignty. Each article, authored by a different ThinkOn Thinker, takes a deep dive into a specific topic that underlies data sovereignty: mobility, governance and compliance, public and private sector data requirements, and value to partners and customers. If you missed the first article by ThinkOn CEO Craig McLellan, “Canadian Sovereign Cloud: Data Security Begins at Home,” you can find it here.
Every citizen in every corner of Canada deserves secure and efficient access to public services. Our ability to access healthcare and education, pay our taxes, apply for a passport, and exercise our rights as citizens is fundamental to our well-being and standard of living.
Digital solutions transform this experience for Canadians, enabling easier access to services, more efficient response capabilities, and secure communication among public service organizations.
To fulfill this mandate, there exists a broader imperative in the digital delivery of public services—data sovereignty.
A Federal Mandate to Protect Canadians
In a free and sovereign nation, data is central to our well-being. As Canadians, how we protect our sensitive information—and our rights as citizens of a sovereign nation—defines who we are and what our values are. Our government has a responsibility to safeguard our way of life, and data is fundamental to that commitment.
“I believe that Canada can be an innovation hub and a model of good government while at the same time protecting the personal information of Canadians,” said Canadian Privacy Commissioner, Philippe Dufresne, in a recent address at the Vancouver International Privacy & Security Summit (VIPSS). “I believe that we can and must have privacy while at the same time fostering the public interest.”i
While foreign-owned cloud providers promise secure data management for Canadians, there’s something they hide from their customers: Third-party contractors and governments have access to Canadian data stored in their cloud.
Put simply, if we don’t control who has access to our data, we don’t fully own that data, and that can have a detrimental impact on our national security.
Dufresne continued, “Privacy supports the public interest and Canada’s innovation and competitiveness…Privacy accelerates the trust that Canadians have in their institutions and in their participation as digital citizens. This is why protecting privacy is one of the key challenges of our time.”ii
Innovation, security, our ability to compete as a nation, and our global reputation depend on our ability to control our data sovereignty.
Breaking down the requirements for data protection in a sovereign nation
Not understanding the difference between data residency and data sovereignty may seem inconsequential, but it can mean a gap in security that leaves data vulnerable. Data may reside in Canada, but if third parties contracted by a cloud provider have access to that data, it’s no longer secure. If the data is allowed to leave our borders at any time, it’s no longer subject to our sovereignty laws, and again, not secure.
“When a foreign-owned cloud service provider (CSP) claims that data will reside in Canada,” says Crag McLellan, CEO and Founder of ThinkOn, “that can be misleading, because they are referring to servers and software and digital components, while their supply chain management is a different story.”iii
In Canada, there are strict rules surrounding data sovereignty that keep our information from falling into the wrong hands. To ensure the highest levels of security, we need to make sure that our data not only resides in Canada but stays in-country throughout the digital process. It’s a “Canadians working for Canadians” imperative that ensures secure handling of our sensitive information.
To secure Canadian data, a sovereign cloud solution must be:
- Built on trusted code (instead of vulnerable open source) to meet specific local security requirements
- Certified to industry-recognized standards for information security management systems
- Deployed on self-service micro-segmentation and zero trust access to protect data.
- Based on a common security policy framework for consistent security
- Equipped with the capability to encrypt data at rest and in transit with customer-owned encryption keys
Data sovereignty means that each country must have its own strong domestic cloud service provider to ensure that data management adheres to local laws and maintains data residency and integrity throughout the digital journey.
A sovereign cloud solution
VMware is a global player in the cloud computing space, with a high level of data integrity. Their technology supports over 90% of Canadian public sector workloads and is the backbone of our data management and protection service.
Concerned about the security of domestic data in the countries they serve, VMware developed a certification initiative with stringent data management standards for cloud providers, which includes proof of a sovereign data supply chain, ITSG-33 compliance, and increased security and governance.
The VMware Sovereign Cloud initiative helps public service organizations identify and engage with local cloud service providers who meet domestic requirements and serve the unique sovereign cloud requirement of their country.
A recent VMware news release elaborates, “The growing importance of data sovereignty, scrutiny of data access and control, and increasing geo-political friction is leading governments and regulated industries to closely analyze their cloud strategies and evaluate who may have access to their data.”iv
This means that each country will have its own VMware-certified domestic partner to provide cloud services. ThinkOn is proud to be Canada’s VMWare Sovereign Cloud.
The VMware Sovereign Cloud Certification requires that the following standards are met:
- VMware Sovereign Clouds are managed within a local jurisdiction, with all data, including metadata and backups, stored and processed locally.
- Other jurisdictions are unable to assert authority over data stored beyond their national borders.
- A certified CSP must exercise increased governance over data and support corporate and national environmental, social, and governance (ESG) strategies.
- Customers benefit from data classification and controls that are not available in commercial public clouds.
Meeting the VMware and Government of Canada standards as the only Protected-B provider in Canada puts ThinkOn in the ideal position to deliver seamless migrations of virtualized workloads with full data security, both in transit and at rest, for public service clients in Canada. We’re immensely proud of this achievement—both as a 100% homegrown technology provider and as Canadians.
A case of Nimble be quick
The public sector requires unique digital solutions. In the public service, privacy issues are heightened, national security is at stake, and the customer is a taxpayer—one that our government has a solemn obligation to serve. At ThinkOn, we have the knowledge and expertise of public service organization needs and challenges, and a thriving and trusted partner ecosystem to help us deliver digital solutions that fit the needs of Canadian government service organizations.
Case in point is ThinkOn’s collaboration with Nimble.ca to provide a document digitization and digital mail solution hosted in a Canadian Sovereign Cloud to one of the largest branches of the Canadian federal government. As a Canadian VMware Sovereign Cloud Partner with Protected-B capabilities, our technology offerings are valuable assets for this program.
“We need a trusted partner in the Federal Government to provide hosting of our applications while meeting the rigorous security standards required for Protected-B information and satisfying the ITSG-33 requirements,” says Daryl Stott, President of Nimble Information Strategies Inc. “With ThinkOn, we can check all those boxes.”v
The Nimble-ThinkOn solution consolidates all inbound communications and digitizes them, adding an interactive, searchable component that goes beyond a mere picture on a page. It integrates multiple formats and collects all data into a protected database with workflow capabilities for easy access and enhanced functionality. The resulting sovereign repository is fully compliant with Canadian laws while allowing secure access across authorized users and departments.
“Not only does that extracted data need to be highly accurate,” said Stott, “but the authority, control, and accessibility of this data must reside within Canadian Federal and Provincial boundaries to meet the data residency obligations of Nimble Information Strategies customers.”vi
And as more public sector organizations seek secure ways to find operational efficiencies, we’re building on the ThinkOn-Nimble partnership—to break down communication siloes, improve workflows, and empower more remote and hybrid work environments, all within Canadian borders.
A secure cloud is a sovereign cloud
Canada’s trusted standing as a secure, transparent, and ethical nation depends upon our ability to protect information from bad actors while ensuring secure data mobility and management. To have a positive impact on the global stage, we must fuel innovation and support entrepreneurship across a secure digital framework. Data sovereignty is fundamental to our freedom and our ability to thrive as a nation.
As our founder and CEO, Craig McLellan points out, “Our public service needs in Canada are unique, and we can’t trust foreign actors with our sensitive data.”vii
To serve Canadian public service needs, a sovereign cloud must:
- Securely analyze and derive value from data without violating data privacy laws
- Share data with trusted partners and clouds via secure access
- Allow companies to operate within and across national borders while remaining compliant
- Ensure data integrity for accurate insights
Sovereignty in Canada is not an option—it’s a fundamental right
By offering secure, compliant, predictable, and reliable cloud services and support, ThinkOn Sovereign Cloud eases the burden on internal resources for our public service organizations and is compatible with a hybrid/multi-cloud strategy. Our solution offers robust access controls and prevents foreign interference while supporting secure usage and sharing with authorized users.
The Canadian government takes its citizens’ right to privacy very seriously. At ThinkOn, we and our trusted Canadian-based partners do too.
As Commissioner Dufresne notes, “All of us, whatever our roles in the private and public sectors, or as citizens participating in our democracy, need to work together to ensure that the fundamental right to privacy is protected while we achieve other important private and public interest goals. It is not an either/or proposition.”
Sovereignty is not optional in Canada—it is a fundamental right that we must protect. In a digital-first world, a certified Canadian Sovereign Cloud is our best defence.
Learn more about how ThinkOn + Nimble helped the Government of Canada make data thrive in a sovereign Canada.
 Office of the Privacy Commissioner of Canada, Philippe Dufresne, “Privacy as a fundamental right in the digital age,” https://www.priv.gc.ca/en/opc-news/speeches/2023/sp-d_20230224/
 VMware News and Stories, “VMware Helps Cloud Providers Globally Capture the Demand for Sovereign Cloud Services,” https://news.vmware.com/releases/vmware-sovereign-cloud-momentum
 ThinkOn, Daryl Stott, “ThinkOn + Nimble: A Canadian partnership delivering high-security information management solutions to the public sector,” https://thinkon.com/wp-content/uploads/2023/03/Nimble-Case-Study.pdf
 Ibid.  ThinkOn, Craid McLellan, [reference Craig McLellan blog in this series on Data Mobility and Canadian Sovereign Cloud.]