Should security standards for cloud computing be codified? There was broad support for establishing high standards of data security at a public forum convened by the office of the privacy commissioner, but most respondents did not feel that the government should take the lead.
Eleven written submissions were received, and a number of people participated in the public forum held in Calgary.
On the topic of data safeguards, there was unanimity that it was one of the most important issues surrounding cloud computing. Many noted that mandatory security breach notification would help provide transparency about the practices of various types of cloud computing providers.
Respondents noted that both public and private cloud providers present security challenges. While it’s a given that consumers have less control over security within a public cloud, the private cloud requires safeguards as well.
During the public dialogue portion of the forum, panel members agreed that consumers need more, and better, information to enable them to choose a provider. Within an enterprise model, organizations also need guidance to determine what they can demand from a provider and what they should expect.
As a result of the forum, the privacy commissioner drafted six proposed actions, which include: encouraging the Royal Canadian Mounted Police to reach out to the private sector on data security and identity theft measures for consumers; urging organizations to develop security standards; conducting additional study into the management of personal information; and developing education initiatives for individuals who use cloud services.
Further input is also being requested on work that cloud providers are undertaking, on security issues related to a hybrid public/private cloud model, and on the suggestion that government draft security standards.
The report on the public forum can be found here.