How much trust do you want to give a cloud provider?

Alex Rau, Symantec

20-May-2015

What are the security and privacy implications when moving data to the cloud?


Organizations are seeking ways to reduce costs by outsourcing their infrastructure, so they don’t have to keep up with advancements. They’re also seeking to make employees more effective and to make things more convenient for clients.

What are the implications for security and privacy when moving data to the cloud?
Where will it reside?
How is it protected?
How can we audit it?

“Know what your data is – data classification perspective, as well as privacy – what information is included in your data,” said Alex Rau, National Information Security Strategist, Symantec. “Once you know that you can decide which of those data can be stored where.”

How much trust do you want to give a cloud provider? The higher you go in the cloud stack, the less of a handle you have on the security of the data you’re storing.

If you select a true cloud provider using VMs then you’re only relinquishing hardware and data center security to your cloud provider. If they provide the application, suddenly you don’t have full control.

One issue that comes up often is data residency. Since Snowden’s revelations, many others have become interested in where their data is located.

“In Canada our PIPEDA doesn’t make restrictions on where data resides; only that it is protected appropriately,” Rau said. “Only three provinces – BC, NS, QC – have legislation about data storage, and those are only for public entities. Health Services BC for example is only allowed to store data it collects inside BC.”

Amazon and Microsoft have data centers all around the world. The Internet is designed as a global infrastructure. Restricting where data may reside prevents doing business properly.

“On one hand I feel government has a cloud strategy to save money,” said Rau. “On the other hand they have rules and regulations that don’t allow them to store citizens’ data outside of Canada. Yet we have limited cloud services within Canada.”

Exceptions can be considered if the protections are equal to or superior to what regulations mandate, although who decides what is “equal to or superior” is not specified.

Cloud service providers are making strides to combat those issues. Microsoft for example has adopted ISO 27018 regarding PII (personally identifiable information) in the cloud.

In Canada, lobbying continues to have the ISO standard accepted as due diligence, so that organizations can show the Privacy Commissioner that the provider is protecting PII as well as or better than the organization itself is capable of.

The opening of many new data centers in Canada is a trend reacting to this. When you talk with a customer and want to provide cloud services, you’re more inclined to choose a Canadian data center even if there is no data residency requirement. You must ensure it’s a reputable cloud service provider and that it follows ISO standards for data storage.

“If the USA wants to see your data, it can,” Rau said. “This comes down to the brilliant idea of making the Internet a network. It cannot be restricted… at some point, one of your data packets will touch the USA in some shape or form. We all want the Internet to work. It works by its nature of fault tolerance.”