Thinking About Clouds - IPC


Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions
February 2016

CONTENTS
1. Introduction ........ 1
2. What is Cloud Computing? ........ 1
   Cloud Infrastructures ........ 2
   Cloud Service Models ........ 3
   Advantages of Cloud Computing ........ 4
3. Risks of Cloud Computing ........ 5
   Privacy Risks ........ 6
   Information Security Risks ........ 7
   Other Compliance Risks ........ 8
4. Risk Mitigation Strategies ........ 10
   Know Your Legal and Policy Obligations ........ 10
   Build Your Business Case ........ 10
   Minimize Personal Information ........ 11
   Know Your Cloud Service Provider ........ 12
   Negotiate Comprehensive and Enforceable Contracts ........ 13
   Have an Incident Management Plan ........ 15
5. Conclusion ........ 17
Resources ........ 18

1. INTRODUCTION
The use of cloud computing services is increasing in popularity among public sector institutions due to the potential for cost savings and reduced administrative workload that the services entail. While cloud computing may be an attractive option for these and other reasons, the use of this type of service raises concerns about information security, privacy and legal compliance. This guidance document has been prepared to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services and outlines some strategies to mitigate those risks.[1]

2. WHAT IS CLOUD COMPUTING?
Cloud computing is a method of providing information and communication technology resources as a service. Rather than invest in traditional physical computing infrastructures, organizations with broad network access can quickly tap into a shared pool of virtually unlimited computing resources hosted elsewhere, whether maintained by them or by a third party, paying only for what software and other services are actually needed or used.

Cloud computing is an attractive option for many organizations because it offers the possibility of reduced overhead and operating costs, improved operating efficiencies and enhanced services or performance.

The term “cloud computing” describes a range of technology components including servers, storage devices, networking components and specialized cloud software. Organizations can implement cloud computing services using their own components, or they can outsource some or all of these components to a third party cloud service provider. Depending on which type of cloud infrastructure is used, a large portion of the security arrangements and information management controls could be managed by a cloud service provider, potentially reducing the organization’s workload and the costs associated with the storage and processing of information.

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” – NIST SP 800-145

[1] This guidance is not directed at health information custodians whose handling of personal health information is governed by the Personal Health Information Protection Act, 2004.

CLOUD INFRASTRUCTURES
There are four main infrastructure models by which cloud computing services are used, namely, public, private, community and hybrid clouds. Public clouds refer to cloud computing services that are owned and managed by one provider for multiple organizations that pay to use the service. A private cloud is used on an organization’s own private infrastructure, with services used and managed internally. Community clouds are extensions of the private cloud that involve private networks, with services shared by multiple affiliated organizations. Hybrid clouds combine attributes of the public and private cloud services and are the most common infrastructure model used by organizations.

Public Clouds: Generally, public clouds provide services to anyone over the Internet. Most public clouds are run by third parties, who own and manage the infrastructure and applications on behalf of multiple customers. The use of a public cloud can relieve the customer of the costs associated with an in-house deployment.

Private Clouds: A private cloud can be hosted and operated within an organization’s own infrastructure, or within infrastructure that has been leased from a third party provider. A private cloud is built for the exclusive use of the customer and provides the ability for the greatest control over the quality of service and security of data. In most cases, the organization owns the infrastructure and has total control over how the applications are installed and used. In some cases, third parties are retained to help manage operations. A “hosted private cloud” is more flexible than a public cloud, in that it allows an organization to configure, install and operate the infrastructure that best suits its business needs.[2]

Community Clouds: Community clouds are similar to private clouds, except that the cloud infrastructure is shared by several organizations, typically with common needs. A community cloud may be managed by the organization or a third party, and may exist on the premises of the organization or the third party.[3]

Hybrid Clouds: Hybrid clouds are a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities, but are bound together by standardized technology that enables data and application portability. Hybrid clouds provide greater flexibility, enabling organizations to move processes between the different cloud types as needs change. An example of a hybrid cloud is one where an organization has implemented a private cloud for its sensitive applications, but also participates in a community cloud for collaboration with business partners, while using generic office services from a public cloud.

One of the main advantages of hybrid clouds is that they can be used to handle sudden workload increases (also known as “surge computing”). In instances where there is a workload increase, organizations can access additional computing resources across infrastructures, effectively increasing capacity and the speed at which tasks can be completed. Since hybrid clouds offer the greatest flexibility, many cloud providers are preparing their platforms to support more hybrid type models.[4]

[2] Sun Microsystems, Introduction to Cloud Computing Architecture, white paper, June 2009.
[3] Ibid.
[4] Arthur Cole, “The Future Belongs to the Hybrid Cloud,” IT Business Edge, September 16, 2011.

CLOUD SERVICE MODELS
There are three primary models by which cloud computing services are delivered: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each service comes with different benefits and limitations. The three models build upon each other in terms of the number and variety of services used in each model. IaaS is the foundation of all cloud services (the bottom layer) providing the largest number and variety of services, with PaaS (the middle layer) building upon IaaS, and SaaS (the top layer) upon PaaS.

Infrastructure as a Service: IaaS is a service model that delivers basic storage and computing capabilities over a network. IaaS clouds provide customers with processing power, network accessible storage, network infrastructure components and other fundamental computing resources, such as servers, storage systems, switches and routers. In an IaaS environment, the user is able to run any software that can range from operating systems to high performance computing applications. IaaS can be used by system developers, system administrators and information technology (IT) managers to create, install, monitor and manage services and applications. Customers can be billed according to the amount or duration of the resources consumed, such as central processing unit hours used by virtual computers, volume and duration of data stored, network bandwidth consumed or the number of IP addresses used.

Platform as a Service: PaaS is a service model that allows customers to create and use their own applications within the cloud infrastructure of the PaaS provider. Some well-known examples of PaaS services include Google App Engine, Amazon Web Services and Microsoft Azure. PaaS customers can be application developers who design, implement and publish application software; application testers who run and test applications in a cloud-based environment; and application administrators who configure, monitor and manage applications deployed in a cloud.

Unlike the IaaS model, the customer has no control over the cloud infrastructure. PaaS provides an environment for developers and organizations to create, host and deploy their own applications, saving them from the complexities of the infrastructure side (setting up, configuring and managing elements, such as servers and databases). With PaaS, the customer manages applications and data, while the provider manages the cloud operating system, servers, storage and networking. PaaS customers can be billed according to the number of PaaS users, the processing, storage or network resources consumed by the PaaS application, and the duration of the platform usage.

Software as a Service: SaaS (also known as “on-demand” software) is a service model where a cloud provider licenses the use of on-demand applications to its customers. Common SaaS examples include web hosting, office productivity, document storage and online collaboration tools and services. Customers can interact with this type of service as end-users who directly use software applications (such as webmail), as organizations that purchase access rights for the use of existing software for their staff, or as organizations that customize web-based services for their own, or other, organizations. SaaS providers typically host the applications on their own infrastructure, but may also install the application on the customer’s networks or devices. SaaS customers can be billed based on the number of end-users, the time of use, the network bandwidth consumed, the amount of data stored or the duration of stored data. If the applications are uploaded onto the customer’s infrastructure, they are disabled once the on-demand contract expires. In a SaaS environment, the customer has no control over the cloud infrastructure, with only limited capabilities to configure applications.

ADVANTAGES OF CLOUD COMPUTING
Cloud computing offers the potential to use services and applications faster than traditional computing, reducing run and response times by leveraging the infrastructure of third party cloud providers.

Organizations that contract services out to a cloud provider can add functionality, while improving operational efficiency and reducing costs by off-loading the administrative responsibilities associated with deploying and maintaining services.

In some models, organizations do not need to concern themselves with equipment purchases, scalability issues or workload limitations; rather, as cloud customers, they can purchase the on-demand services that are needed to carry out their specific business requirements.

In addition, cloud computing can more effectively address surge computing, as workload spikes can be distributed among servers to alleviate the pressure on one machine.

Finally, cloud computing can provide enhanced security with respect to risks arising in the context of traditional computing. Cloud computing may be more flexible, with access to a greater number of computing resources, allowing it to address security issues more quickly and efficiently. Many kinds of security measures are cheaper when implemented on a larger scale. Therefore, the same amount of investment in security may buy better protection.[5]

There is a wide variation in the power and functionality of cloud services available to organizations. Organizations thinking about cloud services will need to satisfy themselves that the advantages discussed above are applicable to the services under consideration.

[5] “This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc. Other benefits of scale include: multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response to incidents, threat management.” See European Network and Information Security Agency (ENISA), Cloud Computing Security Risk Assessment, special report, November 2009, p. 7.

3. RISKS OF CLOUD COMPUTING
Despite the opportunities for improved operational efficiencies and services, and for reduced overhead and other costs, cloud computing introduces its own privacy, security and compliance risks that must be addressed.[6]

The discussion that follows is not an exhaustive risk analysis. Ontario public sector institutions have obligations to manage the personal information in their custody and control in ways consistent with Part III of the Freedom of Information and Protection of Privacy Act (FIPPA) and Part II of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) (collectively, “the Acts”) and their regulations.

Regulation 460, section 4 under FIPPA and Regulation 823, section 3 under MFIPPA include specific requirements relating to privacy and security. They state:

(1) Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.
(2) Every head shall ensure that only those individuals who need a record for the performance of their duties shall have access to it.
(3) Every head shall ensure that reasonable measures to protect the records in his or her institution from inadvertent destruction or damage are defined, documented and put in place, taking into account the nature of the records to be protected.

It is an institution’s responsibility to fully assess the risks and benefits of cloud services and, in most cases, it is advisable to consult with an IT professional and to obtain legal advice.

While a wholly private cloud, administered solely by an institution for its own uses, may reduce privacy and security risks, the costs associated with this approach make it challenging, if not impossible, for most institutions. As a result, many cloud services are outsourced to, or managed by, third parties. This may result in the introduction of new risks to the privacy and security of the information involved and risks to the institution that may result from non-compliance.

The potential loss of control of information is the chief category of risk associated with moving operations to the cloud.

Before considering which cloud infrastructure and service model are right for your institution’s needs, you must determine whether you intend to process personal information in the cloud and the nature of the personal information involved. If your institution is considering a cloud computing service to manage personal information, then you should conduct a privacy impact assessment (PIA). A PIA is a risk management tool used to identify the effects of a proposed or existing information technology, process, system, program or other activity on an individual’s privacy. By completing a PIA, you will be able to guide your institution through a process that will identify the privacy impacts and the means to address them.[7]

PRIVACY RISKS
The use of cloud computing may introduce or heighten a number of privacy risks, including the following:

New Data Streams: New Disclosures, New Uses
Cloud services have the potential to generate new types of data streams and information, including metadata, which may become available to the cloud service provider, subcontractors and other third parties. Although these data streams may not be relevant to the original cloud operation, there are risks that they will be used either by the institution, the cloud service provider or other parties for unauthorized purposes, such as profiling and marketing. As such, consideration should be given to whether these activities constitute uses or disclosures of personal information under FIPPA and MFIPPA. If they do, the institution must ensure that there is proper legal authority for them.

Unauthorized Processing/Secondary Purposes
Institutions should consider that cloud service providers may inappropriately access, manipulate or mine the information entrusted to them for purposes not specified or authorized in their contract or under FIPPA and MFIPPA.

Access and Correction Rights
FIPPA and MFIPPA include individual rights to access records and to seek correction of personal information. Institutions must ensure that their arrangements with cloud service providers will not negatively impact their ability to comply with their statutory obligations, including their access to information and correction obligations.

Covert Surveillance
If your institution uses a shared cloud infrastructure, law enforcement requests for access to information in the control of the cloud service provider could result in the inadvertent or intentional disclosure of additional information beyond what is required to respond to the request, including information owned by other organizations. In addition, the cloud infrastructure increases the risk that individuals and the institutions with custody of their information will be unaware of these disclosures; that is, disclosures may take place without the knowledge or involvement of the institution.

[6] For an excellent overview of cloud computing risks, see Office of the Privacy Commissioner of Canada, Reaching for the Cloud(s): Privacy Issues Related to Cloud Computing, research paper, March 2010.
[7] For further information about how to conduct a PIA, see IPC, Planning for Success: Privacy Impact Assessment Guide, May 2015.

INFORMATION SECURITY RISKS
Maintaining the confidentiality, integrity and availability of information is a significant concern when dealing with cloud service providers. Any scenario that results in the sharing of control of your institution’s information holdings represents a potential threat, since the service provider’s infrastructure and security safeguards may be insufficient. Security management is an ongoing challenge when outsourcing services to cloud providers.[8]

For example, you may have no control or input into the operational and functional capabilities of your cloud service provider, or the security associated with safeguarding information. Information may be encrypted in transit and in storage, but processing typically requires working on unencrypted information. Consequently, the following security risks need to be considered.

Insider Threats
Greater and more frequent access to larger amounts of information increases the risks posed by insiders. Cloud architecture requires that certain administrative staff manage the data held within the cloud and the security of the cloud. These individuals have significant access and power, potentially increasing the risks of inappropriate access to or use and disclosure of information. The risks may be heightened in those cases where cloud service providers, their staff and any subcontracted agents have the ability to access information without detection or producing an audit trail.

Breach Detection, Remediation and Reporting
Cloud computing may compromise an institution’s ability to detect unauthorized access, use or disclosure of information stored and processed with a cloud provider. This may increase the risks of failing to properly deter, contain and remediate breaches when they occur, and to comply with breach reporting requirements.

Backups
Information ownership questions may arise due to potential replication of information within cloud-based infrastructures. An institution may not know that copies of its information have been created, and this can become a significant issue if the cloud service provider claims ownership of the new copies of the information. Backups also increase risks of interception, unauthorized access, use and disclosure and insecure deletion or destruction. Conversely, in some cloud services, there may be no backups at all, which introduces different risks if the information becomes corrupted or otherwise unavailable.

[8] Security management covers data protection, operational integrity, vulnerability management, identity management, business continuity and disaster recovery.

Remote Access
Remote access or browser-based interfaces between the cloud service and individual users may make information more vulnerable to attack, as more data is in transit than in traditional computing. Institutions must critically evaluate a cloud service provider’s security practices to ensure that they meet required standards.

Multi-tenancy (Non-segregation)
Cloud computing’s strength is founded on shared computing resources that can be instantly accessed in response to demand. This means that an institution’s information will typically share storage, memory and routing with unrelated organizations, a situation called “multi-tenancy.” However, multi-tenancy introduces risks that information may be accessed by unauthorized parties if not properly segregated. These risks are less significant in the case of private and community clouds.

Data Permanence
Data permanence is also a risk that institutions must consider. Information must be securely retained while held by the cloud provider, but must also be securely deleted in accordance with your institution’s records retention requirements. Some cloud services may not be able to fully delete information. This may occur in cases where the cloud provider has stored extra copies of data in inaccessible locations or if the deletion will impact data of other cloud customers.

Loss of Access
Cloud computing services, being remote in nature, necessarily depend upon reliable, secure high-speed access between the institutional customer and the cloud service provider. Any interruption of access introduces risks of compromising operations and services. This is a risk factor regardless of the cloud infrastructure or service model that you may choose. Even if you do not know where your data is, a cloud provider should tell you what will happen to your information and service in case of a disaster.

“Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure,” says Gartner, Inc., a global IT research and advisory firm. Ask your provider if it has “the ability to do a complete restoration, and how long it will take.”[9]

OTHER COMPLIANCE RISKS
In addition to the need to comply with FIPPA, MFIPPA and their regulations, Ontario public sector institutions must verify that cloud service providers do not store and process information in a manner that may violate existing institutional policies, other legal requirements or contractual agreements. Certain compliance risks are increased whenever an institution hands over control to a third party.

Jurisdiction
One of the primary concerns with outsourcing to cloud providers is the risk that the data and/or applications offered by the cloud provider may be physically located and housed outside of the institution’s legal jurisdiction. In addition, information stored and processed with a cloud service provider may leave the jurisdiction when in transit from your institution to the cloud provider. Information transmitted or stored outside of the country or managed by a foreign owned provider could be subject to the laws of the country housing the data or that of the provider. These laws may be substantially different from Ontario laws. For example, in the event of a dispute with the cloud service provider, institutions may be forced to seek remedies under foreign regulatory regimes.[10] These risks may be compounded if the cloud service provider subcontracts processing to agents and partners located in other jurisdictions.

Audit/Certification
It may be difficult to audit your institution’s information management practices in a cloud environment, particularly where other organizations share a common infrastructure. Cloud service providers may be reluctant to allow customers to directly audit their facilities and practices, and may insist that the institution accept their own assessments and reports or those of third parties chosen by the provider.

Lock in/Portability
Institutions run the risk of being “locked in” to a single cloud service provider. Without adequate guarantees of access to data, application and service portability, it may be difficult for the institution to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces the risk of dependency on a particular cloud service provider.

Contracts of Adhesion
A “contract of adhesion” is a standard form “take-it-or-leave-it” contract drafted by one party. Some cloud providers use contracts of adhesion, which means institutions that seek their services will not have the power to negotiate or modify the terms. This poses significant compliance and other risks. The main risk is that the terms of service that govern the relationship with the cloud service provider may allow for the collection, use, disclosure and retention of information by the provider that is contrary to the Acts. Therefore, these standard contracts may not enable compliance with FIPPA and MFIPPA, their regulations and other relevant legislation or government policy guidelines. Moreover, the cloud provider may have the right to unilaterally change the contractual terms, making the evaluation of risks at the outset challenging.

Some cloud providers are reluctant to enter into customized contracts as they benefit from economies of scale associated with the delivery of identical services to their various clients. While larger institutions may have the ability to negotiate special arrangements, smaller institutions may not have that ability.

[9] Jay Heiser and Mark Nicolett, Gartner, Inc., Assessing the Security Risks of Cloud Computing, special report, June 3, 2008.
[10] The IPC provides guidance on outsourcing in PC12-39: Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report, June 2012.

4. RISK MITIGATION STRATEGIES
The following risk mitigation strategies should be considered if your institution is thinking about using a cloud service provider to process and store personal information. Consult with your privacy, security and legal staff about requirements and practices that may be specific to your institution and your project.

KNOW YOUR LEGAL AND POLICY OBLIGATIONS
There is no legal prohibition in Ontario against outsourcing computing services to a third party cloud service provider. This applies regardless of whether the third party stores personal information in a foreign jurisdiction. However, FIPPA and MFIPPA and their regul
