Policy Archive

Getting Comfortable in the Cloud

It seems everywhere you turn there is another gloomy statement about the potential dangers of cloud computing.  This commentary is reaching a crescendo with sensational newspaper headlines citing speculation as fact.  It’s time everyone took a step back to look objectively at what is actually happening, reflect on their decade plus experience using cloud based services and go beyond the negative hype.

So the first thing to do is to get clear on the Cloud. I often describe the challenge using the meteorological clouds which we are more familiar with. If I were to say to you, “Don’t go outside if there are clouds,” you would clearly think I was nuts. The clouds could be cirrus clouds (high and wispy), stratus clouds (low blanket like grey clouds), nimbus clouds (rain clouds), cumulonimbus (thunderstorm clouds) or even funnel clouds (tornados). For the everyday person, some clouds don’t require any additional actions be taken, some require modest safeguards e.g. umbrella and others, more significant safeguards (take cover!).  For truck drivers there are considerations like fog lights, wipers, tarpaulins and tire chains.  For pilots there are other considerations such as alternative airports, instrument flight rules, wing deicing, etc.

The naysayers deal in speculation and absolutes.  Much akin to announcing: don’t fly in airplanes because they crash, they make pronouncements for the cloud that state indirectly that privacy intrusions are happening.  Many would have you believe that the sky is falling, a meteor could drop onto the earth or you could, quite possibly, be struck by lightning as you read this.  Now while I can’t absolutely guarantee that any of the aforementioned events won’t happen, I think you’ll agree that first, it’s fairly remote that they will happen, and second, in the case of the lightning strike, you could further reduce the vanishingly small chance of occurrence by avoiding that tin foil suit while standing in the middle of an empty field during a thunderstorm. 

The first step to getting comfortable in the cloud is a review of the expert guidance for privacy and security safeguards for cloud services.  The Ontario Privacy Commissioner’s office has published guidance on safeguarding data in cloud services in “Privacy in the Clouds: Privacy and Digital Identity – Implications for the Internet” and  “Modeling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach.” The Government of Canada Treasury Board Secretariat has published a guidance document: “Taking Privacy into Account Before Making Contracting Decisions,” which provides a checklist and other tools to help organizations address their privacy requirements.  Cloud providers also provide detailed guidance on how their services work.  For example, Microsoft’s Global Foundation Services, the group that builds and operates Microsoft’s Data Centers and Online Services, has published a whitepaper that describes how they Secure Microsoft’s Cloud Infrastructure.  You’ll note that the privacy development lifecycle outlined on Page 8 aligns with the Privacy By Design approach promoted in the guidance from the Ontario Privacy Commissioner’s Office.   Noteworthy references such as these provide a useful foundation for the Threat Risk Assessment (TRA) process for security and the Privacy Impact Assessment (PIA) process that organizations routinely use to identify and manage the risks associated with internal and external service delivery.

Data Sovereignty is one discussion point that frequently arises in discussions on Cloud computing and privacy.  The USA Patriot Act is the piece of international legislation that people most commonly talk about.  The Canada, Mexico and USA Trilateral Committee on transborder data flows held multiple meetings between September 25, 2008 and June 15, 2009 to explore the challenges associated with cross border information flows.  In their final report they noted that:

  1. “While the USA PATRIOT Act does not create a restriction on the movement of data across borders, misperceptions surrounding it appear to be negatively impacting data flows.” (page 11)
  2.  “The Questionnaire (of the business community) indicated the occurrence of misperceptions within the business community regarding the USA Patriot Act, and how the lack of clarity surrounding this piece of legislation has resulted in lost opportunities.” (page 17)

In testimony at the second meeting of the committee, privacy expert Fred Cate indicated that “The likelihood of the government resorting to searches of personal data from provincial Canadian public sector authorities held by, or accessible through, service providers in the United States as a reliable law enforcement or counterterrorism tool is ‘vanishingly small.’”  The Federal Privacy Commissioner held public Consultations on Cloud Privacy in June of 2010 and while a final report remains outstanding, prominent Canadian privacy lawyer David T.S. Fraser presented the rough equivalence of legal authority in Canada and the US.  He further reinforced the opinion that US authorities would sooner work directly with their Canadian counterparts than seek the information unilaterally through the US.  This opinion is reinforced by the Canadian Advanced Technology Association in one of two publicly available submissions.  And while one or two organizations continue to highlight concerns, albeit without consideration for the application of safeguards, it appears that the guidance provided by the Federal Privacy Commissioner on “Processing Personal Data Across Borders” remains valid guidance for business leaders today.  This guidance was also called out by the trilateral committee as leading “to increased understanding and less concern from individuals about cross‐border data transfers.”

As your organization looks to take advantage of the economies of scale, the business agility and the robust security inherent in cloud computing, it is vital that you understand that many of your applications do not deal with personal information and therefore would not require specific privacy impact assessments to move to the cloud.  For those that do, there are a variety of safeguards, both already in the cloud and that you can implement, that will mitigate the risk to less than vanishingly small.


The Remaining 49

As you can probably tell, June was a busy month and I didn’t quite make it to my 60 posts in 60 days.  Here are the remaining 49 to close out the full 60:

Tourism

Supply Chain and Logistics

Sports

Cyber Security

Textiles

Policing

Digital Libraries / Archives

Banking

Food Services

Carbon Sequestering

Pharma Research

New Materials

Aviation

Law & Policy

Distance Education

Farming

Carbon Markets

Biotech

Smart Grid

Alternative Energy

Archaeology

Mining

Livestock Management

Energy Efficiency

Robotics

Weather Prediction

Space

Fresh Water Management

Electronic Gaming

Manufacturing

Open Data

National Security

Defence Research

Telecom

Environmental Protection

Film Design

Surface Transportation

Aquaculture

Identity Management

Claims Management

Sociology & Anthropology

Diplomacy

Green Petroleum Extraction

Architecture

Beverages

Endangered Species Management

Alternative Energy

Policing

Genetics

General subject headings tend to hide the details, but I think you can appreciate that there are any number of programs and activities in support of the Digital Economy behind each subject heading.  If we were, for example, to dig a little deeper on, say, Surface Transportation we would see a wide variety of elements supported by and supporting the Digital Economy.  Consider smart containers, Radio Frequency Identifiers, logistics tracking systems, intelligent transportation systems, border management systems, real time route planning, traffic management systems, warehouse management and more. Of course the same exercise can be done for each of the subject headings (that’s what I had hoped to do :-) ). So unless there is some enterprising reader out there that would like to extend and expand each of the titles, I’ll have to extrapolate and estimate that there would be well over 500 different Digital Economy impacting solutions in primary support of these business areas.  If we were to think a little more we could quickly come up with another 10 subjects to support each primary area.  I think we can all see the quick expansion of the number of areas of the economy that are digital and why I chose to drop the “digital” from the recent consultations.


11- Critical Infrastructure Protection

I had the privilege of being invited to the press conference where the Honorable Vic Toews, Minister of Public Safety, announced the Canadian National Strategy and Action Plan for Critical Infrastructure. The Honorable Minister was joined by representatives from across Canada in making this important announcement.  It was cool that the event was held at the Ottawa Hydro operations center and I must admit that I watched one or two of the tens of screens as they displayed what was happening on the electrical grid in real time (sorry, flashing screens have always caught my attention).  It was especially cool given that just yesterday I blogged about Energy and how this digitally enabled industry is an important part of the Digital Economy.  You can see one or two of the screens (one with a weather map) behind Minister Toews in the clip from the CBC.

One thing that stood out in today’s announcement was the Federal, Provincial and Municipal coordination and cooperation that went into the strategy development.  There was also clear evidence of coordination and cooperation with industry.  This cooperation will be essential moving forward, especially since much of Canada’s Critical Infrastructure is operated by private sector organizations.  This cooperation amongst a relatively small community is where Canada has an advantage which can be leveraged in the Digital Economy.

We often overlook the sheer size of our country, our distributed population and our rich infrastructures.  When we think a little bit about the long distances that our infrastructures must span, we quickly see how big the jobs could be to make sure that these infrastructures remain safe and available.  It could almost seem an impossible task, unless we had great people safeguarding these vital assets and great people willing to share information, cooperate and to build out even more resiliency in Canada’s infrastructures.  Because of this relatively small community, it’s often easier to connect with the right experts,  reach decisions faster and as a result be more agile to pivot to pursue new directions if required.  Our smaller community also fosters the establishment of relationships of trust between individual stakeholders, because in addition to the ever present policy and legal frameworks, CIP stakeholders interact on a person to person basis.  Being able to work with the same people over a period of time builds the confidence often required in time of crisis.

I know you’re thinking that the addressable market for CIP expertise is probably pretty small and that there are only select customers that would be interested in these services.  And I guess you’re probably right.  If we were to think for a minute of the broader economic impact of a strong CIP program we can quickly find a strong compelling economic reason for ensuring a reliable and resilient infrastructure.

Consider for a moment our relatively “flat world”, where businesses and their employees can locate anywhere to contribute to the economy.  If you were looking to move outside of Canada (not that you would, but humour me) what would you think about?  Probably a nice place to live.  Well what would Nice mean?  A lovely region, a safe community, clean drinking water, electricity, Internet access, smooth flowing traffic (sorry Toronto :-) ), easy access to health-care, and perhaps, as Richard Florida suggests, other creative people.  Businesses do the same.  They seek out locations with reliable access to green power sources, water, smart employees, transportation routes to ship their goods and strong financial systems to support their growth.  Assurance in Canada’s Critical Infrastructures contributes to the spikiness that attracts business and individuals alike to our great country.

So while you may have breezed over today’s announcement as only applying to a small number of Canadians, I invite you to take another look and reconsider how important a reliable, trusted and resilient critical infrastructure is to Canada’s Digital Economy.


Consultations on Canada’s Digital Economy

Federal Government Vision for Canada's Digital Economy

Industry Canada launched their public consultations on Canada’s Digital Economy yesterday: http://de-en.gc.ca/home/.  Some people may dismiss this important process by placing an emphasis on the “Digital”, perhaps with the belief that if they are not involved with broadband networks, Internet services or software development that this doesn’t apply to them.  When I look at this conversation I see consultations on Canada’s Economy.  While conversations on the Digital Economy may often focus on fiber optic networks and feeds and speeds, let’s not forget about the other innovations that are part of the Digital Economy.  Over the 60 days of consultation, I’ll look to identify those business areas that we might not traditionally associate with the Digital Economy.  You’ll see how this consultation reaches across all businesses and industries and builds the foundation for Canadian competitiveness in the future.


Storm Clouds?

If you were asked about the link between technology and the weather what would you say?  You might first think about constant change or perhaps areas of high pressure.  (Hopefully you won’t mention bad similes as well.)   The excitement surrounding the latest era of computing has cemented the connection between technology and the weather.   This latest era is familiarly called Cloud computing as shorthand.  Unfortunately, the shorthand terminology creates challenges for business and individuals alike as they look to gain a better understanding of what it means to make use of the many advantages of this new computing paradigm. 

If we lie back, hands behind our head in a grassy field and look up at the sky, we may see any number of different types of clouds.  A quick search reveals a long list of meteorological phenomena, including:  cirrocumulus, cirrus, cirrostratus, altostratus, altocumulus, cumulus humilis, cumulus mediocris, stratocumulus, nimbostratus, stratus, cumulonimbus, cumulus congestus, pyrocumulus, noctilucent.  For most of these clouds we could remain comfortable on the grass, but if we see a select few (e.g. cumulonimbus:  thunderstorm clouds) we would probably seek extra protection.  The same can actually be said of cloud services technologies.  There are a wide variety of cloud services and several options for how these services can be provided.  Cloud services are often characterized as infrastructure as a service, platform as a service and software as a service and are available in a continuum from a fully private cloud through hosted cloud to a fully commercial cloud offering.   Each of these varieties of cloud service has its own considerations for protection and imposes different obligations on the organizations that leverage them.

The most significant barrier for organizations looking to harness cloud computing is uncertainty.  Organizations are uncertain about the cloud’s impact on their business or uncertain about how the cloud will impact their status quo.  This uncertainty impedes an organization’s efforts to build up the confidence to make use of cloud services.  So, just as pilots planning their route from take-off to landing carefully review the specific types of clouds that they may encounter along the way, IT and business leaders must become skilled in the variety of cloud technology options that are available to them as they plan their projects.  A comprehensive understanding of the cloud offering that matches their business will help provide a focus on the actual risks to the business and not those derived from the unfortunate generalizations frequently found today.  So as you and your organization explore the vast potential of cloud computing, be sure to take a little extra time to identify the specific cloud options applicable to your business.  A little bit of up front effort will go a long way to crisply identify the detailed risks and compensating safeguards to help avoid a turbulent ride.
