There’s no question that the cloud offers many appealing business benefits, such as better agility, improved efficiency, and customized solutions based on your needs. But before making the leap, there are also important security concerns you need to be aware of—especially if your business is located in Canada.
There are some things to consider when deciding if cloud-based computing is right for your business.
How secure is the cloud?
Data in motion is always a prime target for cybercriminals – and when you are working in the cloud, that applies to a greater percentage of your data. It’s important to make sure any cloud solution you use has stringent security practices in place to keep all your data safe.
Based on recommendations from the Office of the Privacy Commissioner of Canada, here are some best practices to follow with any cloud service provider:
- Limit access to the information and restrict further uses by the provider. Set parameters for restricted access and use of personal information that is appropriate for the context and sensitivity of the information.
- Ensure that the provider has in place appropriate authentication/access controls. Stronger methods of authentication are recommended, such as multi-factor authentication.
- Manage encryption. Understand what type of encryption method is being used and identify where data is encrypted or unencrypted at each stage (e.g., data in transit, data at rest). Risks may be reduced if organizations encrypt personal information before it is sent to the cloud provider.
- Ensure that there are procedures in place in the event of a personal information breach or security incident. These should include technical and organizational measures that will be implemented in the event of accidental or deliberate loss, or unauthorized access or disclosure of personal information.
- Ensure that there are procedures in place in the event of an outage to ensure business continuity and prevent data loss. Business continuity plans should be clearly documented in the contract.
- Ensure periodic audits are performed. Ensure the cloud provider logs all accesses and uses of personal information. Audits should be conducted periodically to inspect access logs and confirm that physical locations where personal information is processed and stored are inspected.
- Have an exit strategy. Ensure the termination procedures permit the transfer of personal information back to the organization and require that the cloud provider securely delete all personal information within reasonable and specified timeframes.
Who’s accountable for data security?
The short answer is, you are. Under Canada’s private sector privacy legislation, all businesses in Canada, regardless of their size, are ultimately accountable for the personal information they collect, use, and disclose even if they outsource personal information to a service provider that operates in the cloud.
You must have the same trust in your cloud service provider that your clients have in you to protect their data. It’s important to do your due diligence and ensure you’re working with a provider who can address all of the security practices listed above.
Another thing to keep in mind is what happens to data when it crosses borders and boundaries into other regional and national jurisdictions.
While it’s not against the law to use services based in other locations, you need to be aware that any data transferred to another jurisdiction becomes subject to the laws of that jurisdiction. This becomes even more complicated in the case of cloud computing where data may be stored across servers in several different jurisdictions.
Weighing the risks with the benefits
A growing number of businesses are embracing the cloud as a modern and flexible solution to growing IT needs. There are many compelling reasons to make the switch to the cloud, but as with anything online, there can be security risks involved.
There are many things you can do to enjoy the benefits of the cloud while also addressing the security concerns outlined above. Look for a cloud service provider located in your geographic area. If you’re located in BC and your cloud provider is also in BC, you can alleviate most of your concerns related to transferring data to other jurisdictions.
The bottom line is to find a partner you trust. Look for a cloud partner who has a proven process in place to ensure they understand your needs and are able to address any security concerns you might have.