On May 8th, 2014, we attended the Alberta Network for Health Information eXchange (ANHIX). There, Robert Martin, the Chief Information Security Officer for Alberta Health Services (AHS), presented a session called “Health Information in the Cloud.” In my opinion, this presentation was the result of some of the most difficult and thorough thinking that has been done on the cloud hosting question. I’d like to take a couple of minutes to explore the enlightened decisions resulting from this work, and give a Spieker Point Hat Tip to Robert Martin and his colleagues and staff at AHS.

But first, a bit of background. At the time of this writing, there are two major questions being contemplated here in Canada in the server infrastructure hosting arena.

1. Owning Hardware vs. Cloud Hosting

This first question, controlling your own server hardware vs. hosting in the cloud, is being asked all over the world right now, not only in Canada. There are many cloud providers nowadays. Amazon Web Services (AWS) is likely the most powerful and widespread. Google announced earlier this year that they intend to dominate the cloud space, and are already driving costs down. There are others, including Linode, Tenzing, Rackspace, and smaller regional players (in Canada) such as RackNine and Solid Technology Solutions, to name a few.

The question for a company like Spieker Point and even AHS: Do we build the server infrastructure ourselves and incur the capital and operation costs of these data centres, or do we look to vendors who have strengths that far outstrip ours in areas which are not our core business, AND pass on the benefit of downward cost pressure as this area of computing becomes commoditized?

One important thing to note with cloud providers: It’s best for their business if they DON’T KNOW anything about the type of data you’re hosting on their infrastructure. It’s best if they’re unable to look inside the server or the data they’re hosting for you. Legally, they want nothing to do with it, and they go to great lengths to ensure they don’t have to know about it—not because they think it is nefarious, but because their lawyers tell them to stay away from it. Much like a self-storage locker found in any part of the world.

Spieker Point came to a conclusion on this topic in the early spring of 2013, and we moved to cloud-based hosting. Since then, we’ve been able to offer our customers a much more stable hosting solution.

2. Canadian vs. International Hosting

Currently the big guys (AWS and Google) don’t offer cloud solutions on Canadian soil, but lots of the smaller providers do (with less control for us customers). The need for “Canadian soil hosting” is seen as important by some of our customers due to arguments surrounding “the draconian” US Patriot Act. Some feel that this act allows foreign governments unfettered access to their data if it is sitting on US soil. The argument seems to include some mention of the impotence of the Canadian government in terms of access to data which is sitting on Canadian soil.

Based on conversations with both of the law firms Spieker Point uses, this argument is riddled with holes. Laws around governmental data access in Canada seem to be much more “draconian” than the US Patriot Act ever has been, and for a much longer time.

The Hat Tip

The first part of our hat tip to Robert Martin and his team is around access to data. In his presentation, Mr. Martin expressed that if a request for data access came in to AHS with a lawful warrant attached to it, AHS would be willing and able to comply. He succinctly put into one sentence in his presentation something which we’ve discussed with many customers using many more words (more on that below). Nicely done.

The second part of our hat tip is around the amount of thinking that this team has put into the question of hosting data in the cloud. From the presentation, it seems to have taken about two-and-a-half years to study the situations and reach conclusions.

One thing they did was an in-depth study comparing internal hosting and cloud hosting. They had a list of many concerns, and each concern received a grade in three potentially affected areas: Confidentiality of Data, Integrity of Data, and Availability of Data and Applications. With each concern, they assigned a grade of: “weaker”, “the same” or “stronger” when comparing the cloud solution against an internally hosted solution.

In presenting the results, they had many “notes” on all of the concerns and the three areas. But the general results presented were this:

  • In terms of Confidentiality, the majority of questions were “stronger” with all others being “the same” between the cloud solution and internally hosted solution.
  • In terms of Integrity, all questions were “the same” for a cloud solution.
  • In terms of Availability, for all the questions they looked at, the cloud solution was “stronger” than an internally hosted solution, except for one question, which was graded “the same.”

Granted, there were “notes” in many of these areas, but these notes were not shared at the conference.

The next step Robert Martin took was the presentation of the underlying AHS security measures as they move into cloud computing and storage. He boiled it down to three axioms (in my own words) that must be in place to move forward with cloud computing and data storage:

  • Data must be encrypted in the cloud solution.
  • AHS controls the encryption keys.
  • There must be an audit trail for access to information.

We believe that these are enlightened in their simplicity and at the same time their protective complexity. They seem somehow akin to Isaac Asimov’s “Three Laws of Robotics.” At first, they may appear simplistic, but a closer look reveals just how well they stand up under so much scrutiny and debate.

A significant piece of the presentation was dedicated to discussing the first two points (encrypted data and AHS control of the encryption keys) and cloud-based hosting solutions outside of the boundaries of Alberta (including but not limited to US soil). As long as these three axioms are in place, location of the data is not seen as a concern to Mr. Martin and his team.

The overall conclusions from this study by the AHS Information Security group are due in a couple of months. These findings will dovetail with announcements on changes in how AHS approaches cloud-based computing and data storage, as well. We eagerly anticipate the changes ahead.

Mr. Martin et al., a well-deserved hat tip to you! We look forward to the formalized conclusions from this important work!

Greg