The Canadian government’s ongoing effort to adopt the public cloud took another step forward this summer with the help of Microsoft and AWS, representing a “massive leap of faith” in cloud security, according to Peter Melanson, director of federal sales at Microsoft Canada.
“We’re talking about internal workloads of government data…things like human resources systems and financial systems,” he said, referring to the types of workloads the federal government is moving to public cloud.
These workloads fall under the Protected B classification, which according to the Department of Justice, is described as “information where unauthorized disclosure could cause serious injury to an individual, organization or government.” Protected B includes medical information, information protected by solicitor-client or litigation privilege, or received in confidence from other government departments and agencies.
The migration to public cloud is part of the government’s Cloud First Strategy. In 2017, the federal government started to migrate unclassified data to public cloud storage, with the goal to eventually store its Protected B workloads in the same environment as well.
Unsurprisingly, any vendor bidding for the contracts to store these workloads has to clear a high bar. There are 469 separate security controls, as outlined by the Canadian Cyber Security Centre, that the government has to follow, explained Melanson.
“They want to make certain that you are compliant before they put these very intimate workloads up into the public cloud,” indicated Melanson.
It’s not much of a surprise then that the SCC selected Azure and AWS, two of the big three public cloud providers, to host its Protected B data.
In April 2019, Shared Services Canada (SSC) signed an enterprise agreement with Microsoft Canada that will provide client departments with access to Microsoft 365. On Aug. 8, SSC signed Cloud Framework Agreements with AWS Canada and Microsoft Azure. The two have various other contracts with the federal government when it comes to hosting some of its unclassified data, a lot of which is done through channel partners.
The two vendors have done a lot over the years to quell the public sector’s fears around public cloud security, indicated a spokesperson for SSC.
“Initial reservations of migrating data to the cloud were based primarily upon concerns about cloud security features. Over the past few years, cloud computing and storage have matured significantly,” they wrote in an email. “The Cloud First Strategy aligns Canada with Australia, New Zealand, United Kingdom and the United States.”
Quoting Sean Roche, the associate deputy director for digital innovation at the Central Intelligence Agency, Rejean Bourgault, country manager for public sector at AWS Canada, emphasized the acceptance of cloud security among governments.
“On its weakest day, the cloud is more secure than a client service solution,” Bourgault recited. “On a global basis, AWS has more than 5,000 government agencies using AWS at all classification levels…all the way up to Top Secret.”