Canadian Security Magazine

Panel tackles security risks of the Cloud

Linda Johnson   

News Data Security

Cloud technology is still shrouded in myths and misunderstandings, a recent panel discussion concluded, and business leaders need to learn more about it.

At the discussion, John Weigelt, national technology officer for Microsoft Canada, which hosted the meeting, said a survey of Canadian C-level executives found that, while 29 per cent of organizations have already moved some data into the cloud, 44 per cent of them are still concerned about issues such as security and privacy.

According to the survey, conducted last October by Leger Marketing, 61 per cent of respondents said they needed more information. It also found that, remarkably, 19 per cent of those who said they were not using cloud services were in fact doing so.

“As people start moving into the cloud, a lot of them are doing so without having that full understanding of what’s happening in the cloud,” Weigelt said.

Many people, he added, don’t understand that the security environment of enterprise-class cloud services is far stronger than that of consumer grade services, like social media sites.

Ann Cavoukian, Information and Privacy Commissioner of Ontario, said people can have the benefits of the cloud, and have privacy as well. Privacy does not have to be achieved at the expense of another interest, such as business efficiency.

Privacy can be built into systems — such as information technologies and best practices — from the start, and then users can be sure even with the most advanced technology that their privacy is secure, she added.

Privacy by Design becomes more important, Cavoukian said, as an increasing amount of information moves to wireless systems, such as the cloud, and so exceeds the grasp of regulators.

“Less and less is coming to my attention. As regulators, we see the tip of the iceberg. More and more, it’s going to be the challenge of the unregulated and the unknown in terms of potential breaches. To me, that’s unacceptable,” she said.

“So, I want organizations to prevent the harm from arising by proactively embedding the necessary protections into the design.”

Michael Power, a privacy lawyer and consultant, said many of his international clients who are considering cloud computing ask about cross-border data protection. The fear centres on the Patriot Act and the greater legal ability that law gave American police and intelligence services to access information.

But this concern is largely unfounded, Power says, because Canadian laws provide authorities here with the same abilities. “There are a lot of questions to ask your cloud provider, but location should not be the sole focus,” he said.

Canadian law imposes many obligations on organizations, he added, and companies should make sure their provider will help them meet these requirements. If necessary, they should consult a security expert, one who is familiar with the cloud.

“If your data is in the cloud, it’s in the custody of a third party, and you need to have a good understanding of what you’re getting into when you take your confidential business data to a third party,” he said.

Organizations must adopt a “privacy management process,” Power said. Putting confidential information into the hands of an outside entity changes relationships between employers and workers. It may, for example, affect employment or union agreements.

“You have to think about the relationships and how they change. How does this change the way we do business?” he said.

Offering a practical example of cloud computing, Robert Cook, CIO at the University of Toronto, discussed the school’s decision to start introducing last September Microsoft’s Live@edu email and software service to its 70,000 students. The system, administrators knew, had to provide better online communication and document sharing, but also had to provide a high level of security and privacy.

“We concluded that the new service would exceed the standard of protection that the university would have been able to provide through its own resources. It was better than we had been doing, or could do in the future, on our own,” he said, adding the students have so far responded well to the service.

Cook said the system has allowed them to free up resources they can use towards the school’s main purposes, teaching and conducting research. “This experience has encouraged us to consider other new ways of providing necessary services, and some of those will be in the cloud.”

Print this page


Stories continue below