How Amazon Web Services Complies with Canadian Government Policy Requirements

Canadian Government documents (IT Shared Services Security Domain & Zones Architecture) specify that:
Given that each department maintains responsibility for a significant portion of the total solution, including the security controls to be implemented, it is unlikely that the risk of grouping multiple client departments into a single SSC domain, and the sharing of zones that this implies, would be acceptable.
For this reason a domain per department is recommended for IaaS type services.

AWS addresses this requirement through the ability to create a new security domain for each Canadian Government agency that becomes a customer. AWS Virtual Private Cloud is fully capable of providing all the features needed to implement a security domain.

Government standards envision various levels of interaction between departments and service providers, as per the picture below:

AWS is able to serve Government of Canada needs at many levels of involvement.

  • As a co-location provider via the AWS Dedicated Instances program.
  • As an IaaS provider via the EC2, EBS and S3 offerings.
  • As a PaaS provider via RDS, Elastic MapReduce and many other offerings.

Government standards require that the following practices are maintained:

Applications are created and tested in the development environment, after which they are “promoted” (i.e. moved) to staging where they are tested in a production like environment. Finally, once the application has successfully passed client acceptance within staging, it is “promoted” to the production-hosting environment.

Each of these three environments is depicted as within a separate SSC security domain.

AWS offers the capability to create a separate domain for each stage so that the proper change management procedure is followed.
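
The following check is an added example, not code from the original post or from AWS: it audits a constructed inventory for the two rules quoted above (a domain per department, a separate domain per environment) and allows promotion only one step at a time within a department. It assumes each security domain is modelled as one VPC; the VPC ids, department names and field names are hypothetical.

```python
from collections import defaultdict

STAGES = ["development", "staging", "production"]  # promotion order from the text

# Constructed inventory: one record per (domain, tenant, stage) placement.
# A security domain is modelled as one VPC; ids and names are hypothetical.
DOMAINS = [
    {"vpc": "vpc-a-dev", "department": "dept-a", "stage": "development"},
    {"vpc": "vpc-a-stg", "department": "dept-a", "stage": "staging"},
    {"vpc": "vpc-a-prd", "department": "dept-a", "stage": "production"},
    {"vpc": "vpc-b-dev", "department": "dept-b", "stage": "development"},
    {"vpc": "vpc-b-dev", "department": "dept-c", "stage": "development"},  # shared
    {"vpc": "vpc-b-all", "department": "dept-b", "stage": "staging"},
    {"vpc": "vpc-b-all", "department": "dept-b", "stage": "production"},  # two stages
]

def audit_domains(domains):
    """Return sorted findings for domains shared by departments or by stages."""
    owners, stages, covered = defaultdict(set), defaultdict(set), defaultdict(set)
    for d in domains:
        owners[d["vpc"]].add(d["department"])
        stages[d["vpc"]].add(d["stage"])
        covered[d["department"]].add(d["stage"])
    findings = []
    for vpc in owners:
        if len(owners[vpc]) > 1:
            findings.append(f"{vpc}: shared by departments {sorted(owners[vpc])}")
        if len(stages[vpc]) > 1:
            findings.append(f"{vpc}: hosts multiple stages {sorted(stages[vpc])}")
    for dept, have in covered.items():
        missing = [s for s in STAGES if s not in have]
        if missing:
            findings.append(f"{dept}: no domain for {missing}")
    return sorted(findings)

def promotion_allowed(domains, src_vpc, dst_vpc):
    """Allow only a one-step promotion within one department, between clean domains."""
    by_vpc = defaultdict(list)
    for d in domains:
        by_vpc[d["vpc"]].append(d)
    if len(by_vpc[src_vpc]) != 1 or len(by_vpc[dst_vpc]) != 1:
        return False  # unknown domain, or one shared by departments or stages
    src, dst = by_vpc[src_vpc][0], by_vpc[dst_vpc][0]
    return (src["department"] == dst["department"]
            and STAGES.index(dst["stage"]) - STAGES.index(src["stage"]) == 1)

if __name__ == "__main__":
    print("\n".join(audit_domains(DOMAINS)))
```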

Comments

  1. This shows that AWS complies with some technical specifications, but what about Canadian privacy policy compliance? Amazon is a US-owned company so the US Patriot Act, which allows the US government to seize data without notifying the owner, applies to anything stored on the Amazon cloud.

    A brief summary of Canadian and some Provincial privacy laws is here: http://en.wikipedia.org/wiki/Canadian_privacy_law and there is some existing Canadian case law that deals with storing Canadian private citizen data on US hosts.

    I think Shared Services Canada needs to clarify its position on hosting in the cloud. I think that it will have to be hosted in Canada by a Canadian-owned company, or risk being subject to foreign privacy legislation, which is a risk that they cannot take.

  2. Yes this is the #1 Cloud topic for sure Lynn, a great dialogue to have and a very fertile area for us to innovate new solutions.

    I also agree that it requires a strong and clear definition from Canadian Government. I’ve seen policies that restrict it right down to the Provincial level and also ones that allow it outside of Canada to any country that also complies with Canadian privacy laws. The latter seems the most accurate and practical so that agencies are free to best leverage the power of the Cloud in a manner that drives the cost savings which benefit taxpayers, while also protecting the data.

    Of course it would be great to see local Canadian providers deliver these services but this then highlights the other main challenge for Canada, the overall tech innovation crisis including lack of Venture Capital. Part of this equation is also to ask what actual Canadian Cloud providers are there, who have made the same scale of investment as Amazon? If there’s not many then this again would point to a lack of digital economy policy and also under-investment, and so it leaves the market open for players like Amazon.

  3. Here is a good article on this:
    Avoid Patriot Act Surprises: Encrypt Cloud Data On-premise
    http://tinyurl.com/Amazon-Patriot-Act

  4. The Federal Privacy Commissioner has clarified that information can be stored in the cloud in US servers. There are some provincial statutes that are more restrictive when dealing with certain types of specific information (B.C. and N.S.) but generally there is no restriction. See this link: http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/gv00508.html. Also, there are just as many laws in Canada that allow the information to flow to both the Canadian and U.S. government under gag orders.

  5. That’s a hugely helpful insight and link Shanti, thank you!
