Data sovereignty in the cloud: a Canadian perspective

Cloud computing has made its way to organizations’ IT infrastructure strategy rapidly over the past few years. In particular, Canadian businesses are showing an increased adoption. This article decodes how Canada’s IT infrastructure shaped up in the last decade, why data sovereignty is now a hot topic, and what the future holds for the cloud.

While on-premises IT infrastructure continues to be relevant even today, both SMBs and enterprises are now embracing the cloud more than ever.

In Canada, the importance of a cloud-first strategy was established much before the pandemic. As early as 2015, 46% of Canadian small businesses were using at least one cloud-based function. In 2018, the Government of Canada came up with a cloud adoption strategy to use modern and emerging technologies to deliver a better digital experience to its citizens. Even more recently, IDC found that more than 90% of Canadian organizations have adopted at least one SaaS product. Post-pandemic, the shift has only accelerated.

Sustainable scalability and security: Finding the right balance

Data security is critical, whether an organization chooses to store data on-premises or in the cloud. Before cloud computing was used, organizations relied on on-premises data centers to store business-critical information on servers they owned. Even though the capital expenditure was high, organizations believed that they had complete control over their data. But without the right safety controls and backup mechanisms in place, on-premises infrastructure was vulnerable to data loss or breaches. And as businesses scaled, the operating costs—which were a factor of infrastructure, resources, and time—saw an exponential rise. Securing an on-premises infrastructure around the clock became a challenge.

Cloud-based solutions, on the other hand, were the answer to scalability. Infrastructure was no longer a bottleneck. With pay-as-you-go services available, it was more cost effective than on-premises. Agile and flexible integrations also worked in favor of cloud, but it did not gain widespread acceptance until the 2010s, even though it had been around for over two decades. However, as use of the cloud spread, there were also growing concerns around data security, residency, and sovereignty. Those concerns added to the reluctance of organizations to move to the cloud when they were heavily invested in on-premises setups. 

In 2012, Gartner defined the term Cloud Access Security Brokers (CASB), identifying  four key capabilities: visibility, threat detection, data security, and compliance. CASB was one of the first security policies implemented in the cloud and helped spur on demand for the cloud as well as the introduction of more cloud-focused security policies. The same decade saw a boom of new, tech-enabled small businesses in Canada. Compared to larger businesses, it was much easier for the small businesses to choose cloud-based services over on-premises, given the lower initial investment and faster deployment.

In recent years, it was the pandemic that accelerated cloud adoption, enabling collaboration and seamless business continuity. With more robust security solutions developed for the cloud, the cloud gained widespread acceptance around the world.

Data sovereignty and residency

With the ever-increasing reliance on cloud services, data sovereignty has become a topic of great interest for CIOs and CISOs across Canada. Data stored in the cloud might be secure but many organizations find it a cause of concern if the data resides in another country and is governed by their laws.

There is no single federal law that applies to data in Canada. PIPEDA applies to private sector organizations across Canada (except Quebec, Alberta, and British Columbia), and the Privacy Act applies to government organizations. While neither law mandates organizations to keep their sensitive data in Canada, the Directive on Service and Digital by the Canadian government says keeping computing facilities within the border should be considered the first choice.

Quebec, Alberta, and British Columbia have provincial laws similar to PIPEDA. The Quebec legislation requires organizations to conduct a privacy assessment if data is sent outside Quebec, and British Columbia requires public bodies to store personal information inside Canada.

To avoid legal hassles and the complexity involved in processing data across national borders, cloud service providers have started setting up their own data centers in Canada. This move is particularly important for healthcare and insurance organizations that are required to store personally identifiable information, now that Canadian regulations will be followed. According to a Research and Markets report, the Canadian data center market is expected to grow at a CAGR of 8.93% from 2022 to 2027.

Cloud: 2023 and beyond

The cloud has certainly seen greater-than-expected adoption over the past few years. IDC has predicted that spending in the Canadian information and communication technology market will reach C$132.6 billion by 2025, primarily driven by cloud computing and security. With the sheer amount of data that continues to be stored in the cloud, the focus is going to remain on how it is stored and transmitted, as well as who has control over it. This will bring data sovereignty to the top of the agenda of IT security decision makers in Canada and around the world.

Sairam T A
Regional Marketing Specialist