ThinkOn Sovereign Cloud:
Securing Canada’s data supply chain
We are a Canadian-owned and Canadian-operated company, so we have a vested interest in protecting Canadian data.
Canadian data requires a homegrown, truly sovereign cloud
Historically, we don’t allow foreign interests to own or control our critical infrastructure such as telecommunications or energy interests.
Why? Because we can’t risk letting foreign interests control what we need to function as a country, and because it would leave Canadian citizens vulnerable.
In our modern, technology-driven world, data is part of our critical infrastructure, and whoever governs the cloud it’s stored in ultimately controls that data.
Hyperscale clouds advertise sovereign cloud solutions
Organizations often believe the misconception that their trusted cloud providers manage and secure client data in a sovereign way. However, all hyperscale clouds rely on offshore resources for some tasks—even when the data remains at a domestic location. For that reason, their claims of sovereignty are not only misleading, but outright wrong. Lack of full data sovereignty means that sensitive Canadian data could be divulged to another government without the knowledge or approval of the Canadian customer.
Sovereign cloud goes beyond government
Sovereign cloud isn’t just for the public sector. It benefits virtually any enterprise, across every vertical concerned with maintaining the privacy of their Canadian clients’ data. There is a significant advantage to customers in regulated industries, such as financial services, healthcare, retail, energy, defense, intelligence, research, regional telecom, and government services.
We like to say that ThinkOn is “Where Data Thrives.” And that’s more than a marketing message, it’s what we aspire to every day—especially when it comes to our Canadian service delivery infrastructure.
“Some people equate data (as an asset) to oil, but I disagree with that comparison, because if someone steals your oil, you know it. As the headlines reveal, most organizations don’t know when their data was taken or compromised until it’s too late. As more organizations face that reality, more will understand that if there are laws in place to protect their data, it behooves them to leverage infrastructure that aligns with those laws. At ThinkOn, we’ve made the commitment to align our offerings with the regulatory frameworks imposed on us by the people of Canada.”
– Craig McLellan, Founder and CEO, ThinkOn
As Canadian as canoes, poutine, and hockey
Working with a truly Canadian company like ThinkOn ensures that data sovereignty, traceability, and supply chain management are in full compliance with Canadian regulations.
Built to handle PBMM data
ThinkOn is an approved CSP under the Shared Services Canada Framework Agreement for Secure Workloads.
And, because of our commitment to the Canadian public sector, we’ve taken several steps to ensure enhanced reliability and security. Our infrastructure is continually reviewed against internal compliance controls and regularly audited by third parties to ensure our security measures align with best practices for reporting and control.
We partner with VMware
VMware recognizes ThinkOn as their Canadian VMware Sovereign Cloud partner.
The VMware Sovereign Cloud initiative helps customers engage with trusted national CSPs to meet geo-specific requirements around data sovereignty and jurisdictional control, access and integrity, security and compliance, independence and mobility, analytics, and innovation.
Canadian infrastructure
We don’t rely on employees or contractors that reside outside of Canada to support our Canadian infrastructure.
And, because of our commitment to the Canadian public sector, we’ve taken several steps to ensure enhanced reliability and security. Our infrastructure is continually reviewed against internal compliance controls and regularly audited by third parties to ensure our security measures align with best practices for reporting and control.
FAQ:
What is the difference between data sovereignty and data residency?
Data residency refers to the geographical location of the data. In the case of a foreign party operating a data center in Canada, the assets within that facility are subject to Canadian jurisdictional rules. Data sovereignty refers to the ownership and operational supply change locations. For example, in many situations data is deployed on assets in Canada (residency) that are owned by a foreign entity and/or are operated by non-residents that lack security clearance. These vendors attempt to obfuscate a non-sovereign service by positioning residency as an equivalent.
If my data is in my country of residence, do I have to worry about who manages the infrastructure?
The issue here is that if non-resident individuals manage the infrastructure, they’re not required to maintain compliance with your country’s privacy policies. While compliance may be a requirement of employment, they’re still governed by the laws and policies of their country of residence. For example, in a situation where an individual or group resides in a low-labor-cost market lacking anti-bribery laws, another party may take advantage of the situation to bribe them to enable access to your data for a brief period—or to export a copy of your data to a 3rd party. When discovered, the individual would be relieved of their duties for breaking the provider’s policies, but they would not be legally accountable for their actions. If the bribe they were paid was significant enough, the loss of their employment would be irrelevant.
If all my data is encrypted, am I still at risk if data leaks outside of my country?
This is a common excuse provided by operators using non-resident resources. Their argument is that the data encryption key is under the control of the subscriber. Unfortunately, there are several foreign interests that are simply harvesting encrypted data in large volumes and waiting to decrypt it as soon as quantum computing becomes available. The idea of legacy encryption as a long-term solution is a convenient explanation, but it’s a fallacy—and a very dangerous argument—because once your data is stolen there is no way to recover from the loss, and the cloud operator has no capability to assist you.