Leading up to Thursday’s Microsoft Security Roundtable discussion in Toronto, Microsoft Canada commissioned Toronto-based Leger Marketing to conduct a survey of C-level executives across Canada to get a sense of their comfort with cloud services.
John Weigelt, national technology officer for Microsoft Canada, shared some of the findings with the panel before launching into their discussion. The findings are pretty close to those published in previous reports on cloud security. “Twenty-nine per cent of organizations surveyed are moving some sort of data into the cloud,” he said. “Sixty-one per cent of respondents felt they still need to know more about the cloud.” Weigelt also mentioned that 80 per cent felt that cloud was a trend they needed to embrace.
This is by no means a surprise. Cloud is a big deal and Canadian businesses are rather tentatively starting to use it, with or without their knowledge.
But after the findings were presented, the discussion quickly moved to some of the reasons why Canadian businesses are so worried. According to Ann Cavoukian, information and privacy commissioner of Ontario, it is often wrapped up in concerns about compliance, security and privacy. “(Implementing cloud is) not a choice between security and privacy,” she said. “If you have security versus privacy, privacy always takes the hit.”
What Cavoukian, and the Canadian government, is now suggesting is a fundamentally different approach to privacy and IT. Privacy by Design, a concept the Office of the Privacy Commissioner has developed, has been adopted recently as an international standard and posits that privacy and security issues are best mitigated by being implemented from the start of new projects. “When you think of privacy proactively … then the ease with which you can assure the public (of security) is far more likely to be assured than if you retrofit a system after the fact,” she said. “Privacy by design will enable you to embed privacy as an integral component in everything you do including everything you do in the cloud.”
The conversation also covered one of the biggest current concerns about cloud privacy, The U.S. Patriot Act. Cavoukian argued that companies shouldn’t fear it, because it’s not that big a deal. Michael Power, a privacy lawyer at Michael Power Barrister & Solicitor, agreed. “There are a lot of things you should ask your cloud provider … but location shouldn’t be the sole focus,” he said. “You’ll find that a lot of the similar kinds of provisions that are found in the Patriot Act already exist in Canada.”
Power said that businesses should be more concerned with meeting regulatory guidelines and, as Privacy by Design suggests, plan compliance strategy during negotiations, not after. “At the end of the day, you have to know who’s holding you data and have a certain amount of oversight,” he said.
