On Nov. 15, 2022, the Auditor General of Canada (the "AG") released its findings from a performance audit of several federal governmental departments to assess the Cloud Adoption Strategy that was first launched in 2016 by the Treasury Board. As a result of mandate adopted in 2016 to shift resources to the cloud as the preferred information technology option, the federal government conducted multiple procurements between 2018 to 2022, engaging 14 cloud service providers and awarding contracts totalling $210 million.
The AG's report specifically considers whether there is sufficient governance, guidance, and capabilities in place to address cyber security risks to Canadian's personal information stored in the "cloud."
The report found amongst other things, (1) gaps in several departments' implementation of cloud "guardrails" and security inspections of service providers that could assist in preventing cyber security incidents; (2) insufficient controls in others relating to training to detect and respond to incidents; (3) inconsistent and unclear provisions relating to security in the services agreements that had been awarded; and (4) an absence of costing models and insufficient long-term funding to assist departments transitioning to cloud providers. Notably, while these are all concerning findings, the report provides action items for each deficiency which appear to have been accepted by the Treasury Board and are expected to be implemented.
1. Inadequate implementation of cloud guardrails and inspections
Cloud "guardrails" are minimum sets of controls that federal departments are expected to implement to enhance the ability to detect and prevent cyber security incidents in the cloud. The report found that while there was a requirement to include these guardrails for procuring departments, they did not apply to contracts with service providers outside those set up through Shared Services Canada ("SSC"), such as those obtained through Public Services and Procurement Canada ("PSPC"). Further, the report found that while guardrails were vetted at the onset of a services agreement, there was limited monitoring to ensure ongoing compliance subsequently. On some occasions, providers who were found to not be fully compliant were even given passing grades. For contracts set through PSPC, the report found an absence of initial or ongoing validation of guardrails.
In light of these deficiencies, the report makes the recommendation, accepted by the Treasury Board, to expand the requirement for guardrails to contracts awarded through PSPC, as well as to clarify the requirements for initial and ongoing validation.
The report also notes there were gaps in the ways security inspections of the cloud service providers were being conducted. Understandably, there are no details provided as this would risk shedding light on potential vulnerabilities. However, the report does note its recommendation included renewing physical security inspections.
2. Insufficient training in detecting and responding to incidents
In April 2020, the Cyber Security Event Management Plan was implemented, setting out roles and responsibilities for departments and agencies to coordinate responses to a cyber security incident. It also required ongoing training, maintaining responsibility matrices identifying the relevant individuals, and testing the plans and procedures. The AG found that while there were lessons-learned exercises and action plans developed following incidents, there was insufficient testing of plans and procedures by the Treasury Board. Particularly, the report found that the Treasury Board Secretariat did not update or renew plans or organize regular tabletop simulations to test and improve existing plans (exercises were conducted once every 17 months on average, rather than annually as required).
The AG, which only received information on event management plans from three departments, found that of the three departments which reported, all three conducted tabletop exercises, but two out of the three advised (a) they lacked the funds to fully implement their plans, and (b) they did not finish defining responsibility matrices for responding to incidents.
3. Inconsistent security provisions in services agreements
For the 14 contracts awarded through SSC or PSPC that were reviewed for the report, the AG found there was insufficient language setting out the service providers' obligations during security incidents (such as time for response, and by whom).
There was also no standardized language for security clauses to ensure conformity of the obligations amongst the various service providers.
As a result of these findings, the federal government is working to develop standardized terms and conditions, to clarify security requirements for cloud service provision, and to standardize roles and responsibilities in the procurement process for cloud services.
There was also confusion within departments on how to assign roles for cybersecurity detection and prevention, internally and across departments.
4. No costing plans or long-term funding provided for departments transitioning to the cloud
In the four years since the Treasury Board directed departments to begin transitioning to the cloud, the AG found that departments had not been provided with sufficient tools to understand the costs of moving into, operating out of, and securing cloud working environments. Further, where a department did elect to move into a cloud environment, they became responsible for the funding and security of that environment; however, budgets were not augmented to account for that new expense.
The lack of long-term funding was flagged as a significant concern for large and small departments.
In response to this finding, the AG recommended the Treasury Board develop and provide a costing model to departments to assist them in understanding the costs of moving and maintaining IT assets in the cloud, and support departments in accessing funding long-term to meet that budgetary expense.
The findings by the AG are concerning, particularly in light of the immense amount of personal information of Canadians that is collected and processed by the federal government. While the move to a cloud service environment has its benefits, mitigating the enhanced risk of that personal information being inadvertently exposed to malicious actors must be a priority. The deficiencies identified by in the AG's report serve as an important reminder that any transition to the cloud must be done with due diligence. It is essential to ensure that government departments fully understand how to implement their obligation to protect personal information in this new working environment, and what they must do to achieve this important mandate.
While it would be easy to conclude on a pessimistic note, it is important to note that the recommendations proposed by the AG appear to be accepted by the departments and are in the process of being implemented. Continued scrutiny of this migration process will be key to assessing whether Canadians' personal information is being protected with the rigour it deserves.