By: Craig McLellan, CEO, ThinkOn
This is the first in a series of four articles. Each article, authored by a different Thinker, deep dives into a specific topic that underlies data sovereignty—mobility, governance and compliance, public and private sector data requirements, and value to partners and customers.
When it comes to data security, “just trust us” is no longer good enough—especially if your data resides on infrastructure owned by a US company. With rising geopolitical tensions, more Canadian organizations are waking up to the reality that data sovereignty isn’t just a nice-to-have; it’s a necessity.
The US government has broad powers to access data stored by American cloud service providers, even if that data physically resides in Canada. And with ongoing unpredictability, who’s to say Canadian businesses won’t be caught in the crossfire?
This growing concern has sparked a surge in demand for cloud solutions that prioritize data sovereignty, ensuring Canadian data remains under Canadian laws and is not subject to foreign intervention.
A Canadian sovereign cloud platform is Canada’s best solution to provide the data services we need while protecting our nation’s digital infrastructure and data sovereignty.
The Canadian cloud difference: What is sovereign cloud and how do we deliver it?
Sovereign cloud ensures that Canadian data remains under Canadian jurisdiction, safeguarding it from foreign government intervention. With escalating tensions between Canada and the United States, concerns about data sovereignty have taken on new urgency.
In a recent Globe and Mail article, Craig McLellan, CEO of ThinkOn, highlights the growing awareness of these risks: “People are realizing that as long as that data is residing on a cloud infrastructure owned by an American company, they really aren’t safe.”
The reality is that data stored on US-owned cloud platforms, even when housed in Canada, remains subject to US laws and government actions. This means American authorities could compel access to Canadian data without notification, raising security and privacy concerns.
This growing realization underscores the risks of relying on foreign-owned cloud providers. Industry experts warn that the US could impose restrictions on cloud services or block Canadian access to vital technologies, like AI infrastructure. With cross-border data policies in flux, Canadian businesses are rethinking their cloud strategies.
A sovereign cloud offers a path to mitigate these risks, ensuring that sensitive data remains fully within Canadian jurisdiction. While global cloud giants have scale and resources, Canada must find ways to reduce its dependency on foreign providers and reinforce its digital sovereignty.
A Canadian data security story
As an approved cloud service provider under the Shared Services Canada GC Cloud Framework Agreement for secure workloads, we are a Canadian-owned and operated company, dedicated to Canadian sovereignty and with Canadian interests at heart.
As the only Canadian cloud provider approved for sensitive government workloads, ThinkOn adheres to all VMware specifications in addition to our commitment to the federal government. Foreign-owned cloud providers cannot make these promises because they are subject to the laws of their own country and because, most of the time, the data they’re committed to protecting isn’t being managed by Canadians—within Canada.
Is your provider really delivering the sovereign cloud they promised?
Checking your data into the “Hotel California”
When it comes to cloud applications, many international cloud vendors prioritize scale over transparency. Much like checking into the Hotel California, you might think you’re simply signing up for a cloud service, but once your data is in, it’s not so easy—or affordable—to get it back.
An IDC report confirms that “Canadian organizations are frequently surprised by the operating costs of their workloads in the cloud. Ingress and egress costs, bandwidth, and even capacity costs can increase well beyond equivalent traditional infrastructure for frequently accessed workloads and data, especially as organizations make use of the scale afforded to them by cloud providers.” iii
The report also cited security and return on investment as the top reasons for repatriating workloads, followed by complex governance and compliance, and IT consolidation. When your data is locked into an ever-expanding universe of costly cloud applications with no way out—thanks to unmanageable egress fees—that’s a budget-blowing nightmare.
Has anyone seen my data?
The “big three” cloud providers offer an environment with multiple tools that allow you to rapidly build things, but in the process, you lose data mobility and portability. In other words, the big three cloud providers make it easy to become a user—but difficult to leave.
By the time most people realize this, it’s too late. When you use a set of tools that are only available in one hyperscaler cloud, you not only lose the ability to leave—you lose the ability to collaborate. Multi-cloud computing is a growing strategy that provides organizations with options for where to move workloads to best manage security, capacity, and accessibility. With the big three hyperscalers, you lose that flexibility and mobility.
Some applications are not designed to fit into an “elastic” box where they start to consume more resources. It’s important to ask if you should run your applications in the cloud or if you’d be better off running in a fixed format where you can control costs better and your data might be more secure.
Cloud can be more expensive than a private database, but it is also more flexible and offers more options for capacity and analytics. As an organization, it pays to be smart about where you choose to run your applications.
Checking up on—and checking out of—hidden fees
You can’t leverage the power of your data if you can’t access it when you need it. That’s why access and integrity are required components of a sovereign cloud.
ThinkOn Canadian Sovereign Cloud offers 99.999% uptime, in addition to backup and recovery protocols that meet data sovereignty requirements. This limits disruption and keeps data safe by providing reliable access. A sovereign cloud also protects data integrity to ensure data is accurate and complete.
Data sovereignty laws place restrictions on how data travels across borders. These restrictions on data movement and sharing can limit where a company can do business if it wants to avoid compliance headaches. ThinkOn’s sovereign cloud avoids these issues by keeping sensitive data compliant while operating as part of a broader multi-cloud ecosystem, with portability and interoperability that supports migration and upgrades to future-proof infrastructure—all without hidden fees.
Canada-first: Where do the humans reside?
The issue of sovereignty comes down to who you can trust to manage your data. Foreign actors who don’t understand our sovereignty laws and requirements can lead you astray, but talking to trained compliance experts in Canada ensures that you are getting the best advice and service. It also means that you don’t get lost in a voicemail system designed to put you off from talking to a real person—a fellow Canadian who can address your unique situation.
At ThinkOn, we offer a dedicated task force of in-country data sovereignty experts combined with the best cloud technology to ensure that, as a resident of Canada using digital government services, you don’t have to worry about inadvertent data loss to foreign services or foreign markets.
Protecting Canada: the bad actors lurking around the corner
The federal government recognizes the importance of a digital Canada and the need to secure our information, stating that “Canadians increasingly rely on digital technology to connect with loved ones, to work, and to innovate. That’s why the Government of Canada is committed to making sure Canadians can benefit from the latest technologies, knowing that their personal information is safe and secure and that companies are acting responsibly.” iv
Foreign-owned cloud service providers (CSPs) may store encryption keys or metadata in offshore markets. If a non-Canadian manages the infrastructure, or has access to encryption keys or other tools, in a way that limits the ability to apply Canadian privacy policies or data control policies to operations, then the data is not sovereign.
This can open the door to a cyber breach, data corruption, or ransomware attack.
Keeping Canada safe
As Canada navigates its shifting relationship with the United States, data sovereignty is more critical than ever. Canadian organizations, both public and private, are starting to ask tough questions about the security and control of their data. With ongoing geopolitical tensions and the potential for the US to leverage its cloud infrastructure against Canadian interests, it’s clear that Canada must prioritize data sovereignty to protect its digital infrastructure.
Want to learn more about Canadian cloud sovereignty? Listen to “The Canadian Cloud Difference” podcast on Canadian Government Executive Radio with J. Richard Jones and ThinkOn CEO Craig McLellan.
