Monday, December 16, 2013

US congressional group calling out Canada on trade protectionism under the banner of national security

The National Post is reporting that a group of powerful US lawmakers are calling out Canada on the frivolous use of "National Security" as a thinly-veiled effort at protectionism. In an number of very large scale procurement contracts, regardless of the security classification of the information, the government has disqualified any vendor where the data may cross the Canadian frontiers.

I have seen this first-hand where government paranoia about the cloud simply leads bureaucrats to the risk-averse decision of keeping data exclusively in Canada under the banner of "data sovereignty." This is one of the reasons why Canada lags behind in the adoption of cloud computing and why Canadian governments spend hundreds of millions of dollars on operating and maintaining thousands of little data centres instead of taking advantage of the massive savings offered by cloud computing.

The Treasury Board of Canada has long-standing guidelines that require a risk assessment in every case that takes into account the sensitivity of the data and the risk of exposure, but Public Works appears to have adopted a one size fits all "no-can-do" attitude.

It will be interesting to see if this turns into a proceeding before the international trade tribunals.

See: John Ivison: Powerful U.S. Congress group accuses Canada of trade protectionism under guise of national security | National Post.

Thursday, May 9, 2013

UK Government announces "Cloud First" policy

The Government of the UK has just announced its "Cloud First" policy.

Government announces 'Cloud First' procurement policy - Government Computing Network:

Government announces 'Cloud First' procurement policy

Charlotte Jee

Published 05 May 2013

Mandates central government to consider cloud solutions before all others when buying IT

The government has confirmed that it has adopted a 'Cloud First' policy, making it mandatory for buyers of IT products and services in central government to consider purchases through the cloud as their first option.

Cabinet Office minister Francis Maude said that the policy will drive wider adoption of cloud computing in the public sector, boosting business through the G-Cloud programme's CloudStore, and ensuring the public sector buys IT in a 'quicker, cheaper, more competitive way'.

According to the Cabinet Office, as of now, when they buy new or existing services, public sector organisations should consider and fully assess potential Cloud solutions first, before looking at any other option.

A statement explained, "This approach is mandated to central government and strongly recommended to the wider public sector. Departments will remain free to choose an alternative to the Cloud if they can demonstrate that it offers better value for money."

Alongside today's announcement, the third iteration of G-Cloud (G-Cloud III) is going live today, with 708 firms offering over 5,000 services listed on the new framework- up from the 458 suppliers and 3,000 services on G-Cloud II when it went live last October .

Maude said, "Many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of Cloud across the public sector to maximise its benefits.

"The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race."

The policy has been under consideration for some time, with G-Cloud programme director Denise McDonagh suggesting at a roundtable in March that Maude was likely to give it the go-ahead.

McDonagh, who has long advocated a 'Cloud First' policy, said, "Sales from G-Cloud are rising steadily, with cumulative spend now over £18 million - two-thirds of it with SMEs. This is still small relative to overall government IT spend, and the transition to widespread purchasing of IT services as a commodity won't happen overnight.

"The adoption of a Cloud First policy will give added impetus for Whitehall and the wider public sector to move in this direction - complementing our ongoing work to encourage Cloud adoption and to help buyers adapt to this way of purchasing IT, which is already showing results."

US federal agencies have been operating with a cloud first policy since December 2010, and a number of other countries are believed to be considering instituting similar directives.

Friday, March 15, 2013

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Monday, February 11, 2013

New Zealand Privacy Commissioner offers cloud guidance

The Privacy Commissioner of New Zealand has released a checklist for businesses and a guidance document [PDF] to about cloud computing. Here is the Commissioner's summary of the two documents: Cloud computing guidelines.

From the Checklist:

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you'll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security - lock it down
  5. Check out your provider
  6. Know exactly what you're signing up for
  7. Be as up front with your clients as you can
  8. Location - where will the information be?
  9. Use and disclosure - who sees the information and what will it be used for?
  10. Ability to exit, and deleting information

Monday, January 14, 2013

Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the loss of a USB thumb drive containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to backup the data of over half a million student loan recipients onto a portable USB hard-drive, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.

Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently been on a tear over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)

The HRSDC Minister's media release says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that the reckless practice of placing unencrypted personal information on portable storage devices was A-OK. Well, it's not. Never has been and never will be.

The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, can only be accomplished by making a copy of the data and USB devices are a handy way of accomplishing that.

A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to data.

If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data center and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised as it follows documented processes.

When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.