File Number: CCM #011375
ADM: Raj Thuppal, 613-670-1670
DG: Dinesh Mohan, 613-762-4588
Security: PROTECTED A

MEMORANDUM TO THE CHIEF OPERATING OFFICER

FOR INFORMATION

SUBJECT

Storing Government of Canada Data Outside of Canada

SUMMARY

This memorandum is to provide you with an update on the feasibility of Microsoft, or any other cloud vendor, to hold Government of Canada data in such a manner that Shared Services Canada holds and owns the keys and is able to access the data while the vendor is not able to access the data.

BACKGROUND

Cyber and IT Security previously briefed the President and you on how the use of non-Canadian information technology vendors for the storage of Government of Canada data presented the possibility that Government of Canada data may travel across sovereign borders and be held on servers outside Canada.

Data travelling to and from the vendor-controlled space beyond the Government of Canada demarcation point is subject to interception. The risks to data confidentiality and integrity may be partially mitigated via data using the Communications Security Establishment's approved algorithms and appropriate methods of use to protect the confidentiality and integrity of Protected A and Protected information to the medium injury level.

According to the Communications Security Establishment, implemented in accordance with the Information Technology Security Guidance, Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED 40.111, should protect Government of Canada information in this scenario as long as the keys are solely generated, distributed and controlled by the Government of Canada.

KEY CONSIDERATIONS

Cyber and IT Security continued further investigation working with Microsoft as a use case

ISSUES

Microsoft has identified that having keys solely generated, distributed and controlled by the Government of Canada (Bring Your Own Key) may not resolve the issue as the keys must be imported to the cloud for replication in order for to function. This step necessitates providing the keys to Microsoft. In this case, these keys would also be sent as part of any legal request per the USA Patriot Act and similar legislation.

Holding data in the cloud, which is unavoidable from a technical perspective no matter where keys are stored, generates an additional risk. The risk is "data in use," where the data has to be in order to be processed. "Data in use" can be problematic as there is no during processing and the data is useable. The cloud operator or malicious actors could make a forensic dump of memory of the virtual machine that holds the data and provide it to a foreign government under legal request or use the data to injure the Government of Canada.

The keys could be held solely on Government of Canada premises and not in the cloud (Hold Your Own Key), which requires on-premises hardware security modules. This scenario can result in loss of availability if the hardware security modules lose connectivity with the data in the cloud. Few Microsoft clients leverage this option owing to the complexity of the design, the risk of availability and the cost. This option is most relevant to data at rest (inactive data stored physically in a digital form) in the cloud in this use case.

Microsoft states it always informs clients about any legal requests for access to information prior to releasing information. In some cases, Microsoft has sent the request through the client country's judicial system for the appropriate legal response. According to Microsoft, the company has never released the data of one country to a foreign government, including the United States.

Although Microsoft identified mechanisms to reduce the risks to client data, no mechanism is able to entirely prevent foreign access to data should legal requests be invoked.

Raj Thuppal
Assistant Deputy Minister
Cyber and IT Security

Attachment