In our globalized digital world, a local server simply can’t offer companies the support they need to reach a global audience. Consequently, information and software services are quickly being moved to the cloud, without much consideration for all the potential implications. Chances are you have used at least one cloud-based application today. iCloud, Facebook, Dropbox, Microsoft 365, Slack and Asana are all cloud-based.
Cloud-based services like Amazon Web Services, Azure, IBM Cloud and Google Cloud have enabled companies to deliver software products and services on a global level, allowing quick access to computing power, storage, databases, and advanced technologies such as machine learning, data lakes and analytics. They all offer modern, flexible and cost-effective solutions that grant companies access to the resources they need, when they need them, enabling enterprises to rapidly scale their business without buying and maintaining physical servers.
However, by storing data in a virtualized IT infrastructure, companies are becoming more and more exposed to cyber-attacks. DDoS (Distributed Denial of Service) attacks, ransomware and phishing attacks can cause major data leaks and a severe loss in both revenue and reputation.
So, when considering transitioning to a cloud-based unified communications system or looking for another type of cloud-based service/application, companies should always look into where their service provider stores their data and the security protocols it follows. Totalconnect is the sole UC provider that guarantees that all your company’s sensitive information is stored in high-availability data centres located in Canada, one of the countries where cloud data storage is regulated through a strict set of laws.
In this article we will discuss key concepts such as data sovereignty and data residency, and see how they impact data security, through a succinct case study on current Canadian legislation. However, each country is different, so make sure to look up information about all the countries where your company or its partners store data and prepare your data security strategy accordingly.
Data sovereignty in Canada
Data and resources travel fast from one region to another through the cloud, and, as we’ve previously argued, cloud-based applications can become a vulnerability if companies don’t take their time to see where and how their data is being stored and what legislation is in place to protect it. The concept of data sovereignty essentially means that when information is stored in a particular region or country, data can be accessed by third parties and data owners according to local legislation only.
So, if data privacy legislation is lax in any given region, your company’s data could be compromised. For instance, in the US the Patriot Act allows government structures to access private data provided certain conditions are met, whereas, in other countries like Canada, your company’s data is more protected thanks to Canada’s Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act).
PIPEDA was created with 10 fair information principles in mind that control how personal information can be collected, used and disclosed. It empowers individuals and enables them to manage how their personal information is handled by private companies. According to these principles, each organization is responsible for the personal information under its control and must appoint someone to be accountable for compliance with PIPEDA principles.
PIPEDA prioritizes consent and limits collection, use, disclosure and retention, so data can only be collected for specific, well-known and agreed-upon purposes and must be discarded once these purposes are fulfilled. Individuals have full ownership of their data, can always request access to the data companies have about them, and are free to challenge any organization’s compliance with the fair information principles. More information about PIPEDA is available on the website of the Office of the Privacy Commissioner of Canada.
Thanks to Canada’s current legislation, both consumers and companies are protected from harmful data leaks and unnecessary government interference, making the country one of the safest places to store your company’s data. However, in order to benefit from these protective laws, companies must first achieve data residency.
Data Residency in Canada
In 2018, the Canadian Federal Government announced its “cloud-first strategy”, marking the beginning of a digital transformation within the government. This focus on moving government data into the cloud was, of course, accompanied by a renewed focus on data security.
In order to make sure that their data is protected by Canadian legislation, companies need to achieve data residency. This means that your company’s data must never leave Canadian soil, even when you connect to your public cloud service. Consequently, setting up a private network connection to the Cloud is recommended. AWS Direct Connect is a great solution to this problem.
Storing all your data on a Canadian server is not enough to achieve data residency; your back-up also needs to be in Canada. It’s considered best practice to choose two connected data centres from different regions, thus preventing a system collapse in case of a natural disaster. This type of solution is known as a Multi-Cloud solution, but a hybrid solution with an on-premise implementation and another data centre situated at a different location in Canada can also help your company achieve data residency.
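The residency conditions described above (primary copy in Canada, back-up in Canada, back-up in a different region or site) can be checked mechanically against a storage inventory. The following is an added example, not part of the original article: the inventory is constructed, the `onprem` site label `toronto-dc` is hypothetical, and the Canadian region identifiers are an assumption to confirm against each provider's current region list.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: allow-list of Canadian locations per provider; verify the
# cloud region identifiers against each provider's documentation.
CANADIAN_REGIONS = {
    "aws": {"ca-central-1", "ca-west-1"},
    "azure": {"canadacentral", "canadaeast"},
    "gcp": {"northamerica-northeast1", "northamerica-northeast2"},
    "onprem": {"toronto-dc"},  # hypothetical on-premise site label
}

@dataclass
class DataStore:
    name: str
    provider: str
    primary_region: str
    backup_provider: Optional[str] = None
    backup_region: Optional[str] = None

def in_canada(provider: str, region: str) -> bool:
    return region in CANADIAN_REGIONS.get(provider, set())

def audit(store: DataStore) -> list:
    """Return the residency findings for one data store (empty = compliant)."""
    findings = []
    if not in_canada(store.provider, store.primary_region):
        findings.append("primary copy outside Canada")
    if store.backup_region is None:
        findings.append("no backup location recorded")
    elif not in_canada(store.backup_provider or "", store.backup_region):
        findings.append("backup copy outside Canada")
    elif (store.backup_provider, store.backup_region) == (store.provider, store.primary_region):
        findings.append("backup shares the primary region")
    return findings

# Constructed inventory for illustration only.
INVENTORY = [
    DataStore("call-recordings", "aws", "ca-central-1", "aws", "ca-west-1"),
    DataStore("voicemail", "aws", "ca-central-1", "aws", "us-east-1"),
    DataStore("crm-export", "azure", "canadacentral"),
    DataStore("chat-archive", "gcp", "northamerica-northeast1", "gcp", "northamerica-northeast1"),
    DataStore("billing-db", "onprem", "toronto-dc", "aws", "ca-central-1"),
    DataStore("analytics", "aws", "eu-west-1", "aws", "ca-central-1"),
]

def audit_inventory(inventory) -> dict:
    """Map each non-compliant store name to its list of findings."""
    report = {s.name: audit(s) for s in inventory}
    return {name: f for name, f in report.items() if f}
```

This audits declared storage and back-up locations only; it says nothing about the network path the data takes to reach them.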
Next Steps for Data Protection Compliance
As cloud-based solutions become more and more accessible to companies, businesses need to adapt and consider concepts such as data sovereignty and data residency when choosing cloud-based services, or risk compromising data security. This is particularly true for choosing a Unified Communications solution, as this type of system handles potentially sensitive data.
Companies looking to expand and scale their business through cloud services should set up clear policies and practical systems that include specific mentions about cloud data location and jurisdiction requirements. This way decision-makers will know what criteria cloud-based applications need to meet, in terms of data security, in order to become reliable business partners.