Evidence of meeting #56 for Public Accounts in the 44th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was departments.
A video is available from Parliament.
Deputy Minister, Department of Public Works and Government Services
Thank you, Mr. Chair, for that question.
I would just note that we have a physical inspection regime that has our employees doing the site inspections for cloud service providers as well as personnel security screening. Those are the two main activities that PSPC does to ensure that the cloud service providers are meeting their expectations.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
This question is for Mr. Gupta or Ms. Luelo.
Why is the government shifting from a cloud-first strategy to a cloud-smart strategy, and what does that mean operationally?
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
I'll take that one and then Rajiv can add something if he wants to.
The reason we're shifting from cloud-first to cloud-smart, first of all, is that using the cloud allows us to stand things up very quickly. Where we would take potentially months to stand up an environment in which we can start building a new system for Canadians or migrating a new system for Canadians, we can do that in hours or days in cloud, so there's a huge opportunity to move more quickly to deliver service to Canadians.
We needed to get the government going in a direction because we were all data centres, and in fact SSC had an issue around the fact that they had some very old data centres. Before we just picked up and moved to a data centre, we said let's start moving some of the stuff into the cloud. As part of that, many of the things we've learned were pointed out in the Auditor General's report, including the fact that we need more maturity around our cost model. That is why we went into more of a cloud-smart model, so that we are really going to put that financial lens on migration to consider whether it's more efficient, when you put all things together, such as speed and cost, to have it in the cloud or to have it in an enterprise data centre.
So that was really the shift, and we'll continue to tune that as we go forward. As I noted in my remarks, there will never be a world in which we will be fully in the cloud, and that situation is consistent with those of many large organizations across the globe.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Thank you for that. Building on that, what are the cost comparisons between managing cloud services within the government and using third party providers?
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
That's the work we're undertaking right now, and it's not a one-to-one answer, because there is a cost and a benefit to speed, and there's a cost with buying computing from Amazon Web Services or Microsoft Azure versus having all of the infrastructure that Sony needs to put in place to physically operate a facility with servers and all the things that we need to host on premise.
So we really needed to do what we've done, to move some of our systems over to the cloud in order to have some real-life examples around the cost and the benefit of a cloud environment versus the cost and the benefit of an enterprise data centre, but I would say that the theory that it is less expensive to go to the cloud is not a good theory. It is also not a good theory to say that you can get the equivalent amount of agility from a data centre environment that you can get from a cloud environment. We've seen that throughout COVID and how we've been able to use cloud to move very quickly on some things.
We need to balance all of those things to come up with the right economics because it takes staffing to do things in both environments and that has costs associated with it as well.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
With the adoption of a hybrid work model in the public service, employees will need to access personal data remotely, regardless of their location. Is there a big difference, for the purpose of employee access, between cloud and on-premises data centres?
Would Mr. Perron like to answer?
President, Shared Services Canada
Thank you, Mr. Chair, for the question. That is a very good one.
We are using the cloud as a commercial solution. Catherine mentioned the name “hyperscaler”, which offers cloud. When they have been certified and we have approved utilization, they are integrated into our network. The traffic—whether it's a service, program or application in the cloud or running into a data centre—still comes to our network. The monitoring tools that a cybersecurity centre provides, and the enhanced monitoring we have on the Government of Canada networks, still apply to what we call the “workload”—let's call it the “applications”—that runs in the cloud, in the same way it would in the enterprise data centre.
It's why the security requirements, or the assessment done before we approve a hyperscaler to provide these services.... The validation of the guardrails or security control is so important, because it's one more option we have for hosting applications. Catherine explained really well the agility that comes with the cloud, but we have to do it in a safe way. We cannot lose the level of security we have built around the traditional [Inaudible—Editor] just because we are using a new [Inaudible—Editor]. We find a way to integrate that. We are never done with this. The guardrails we have today will continue to evolve and be perfected over time.
However, I think what the Auditor General reminded us about.... Did you know, now, that 200 instances of the cloud are organized and configured in line with these guardrails? Frankly, this raised the alert for us. We put the team on checking this. I was very glad to receive a report, last spring, that we were in a good place, in terms of compliance. The few departments that had challenges were notified and, with the support of the CGCIO, we got them to address it. However, this is an ongoing watch. We always have to make sure nothing is being changed and that the level of security remains there.
It's why automation is important. Human intervention in five instances is one thing. When we are at 200, 400 or 500, it will become almost impossible to have our eyes on everything, all the time. Automation is the way for us to get an alert if a guardrail is being changed by a department user. When I talk about the department, there is a small number of people who can change these. For various reasons, someone may decide to—or by mistake—change one of the configuration elements. We need to be alerted, so we can address that in a timely manner.
This is no different from when we were running data centres, before. It's just a different way to apply these guardrails.
Conservative
The Chair Conservative John Williamson
Okay. Thank you.
You are way over the time. You were wise not to interrupt. Committee members know that, when we have a good question, I like to hear the answer.
I'm sorry that Mr. Fragiskatos is not timing me today, because he would have to give a lot of time to the Liberal bench.
Anyway, that was a good question and a good answer. Thank you.
Ms. Sinclair‑Desgagné, you have the floor for six minutes.
Bloc
Nathalie Sinclair-Desgagné Bloc Terrebonne, QC
Thank you very much, Mr. Chair.
I thank all the witnesses for being here today. Indeed, it's important to talk about the topic at hand.
I will begin directly with a question to Mr. Hayes.
Clearly, the Office of the Auditor General is sounding the alarm not only on cybersecurity, but beyond that, as we know that cybersecurity raises security issues that exceed the cloud world.
In fact, you've sounded the alarm on two fronts. First, it's about cyber threats, so the damage we could suffer. Secondly, you pointed out a potential lack of resources and guidance that we would normally see from Treasury Board.
Did I understand your report correctly?
Deputy Auditor General, Office of the Auditor General
We found deficiencies and have made recommendations to Treasury Board about them.
Bloc
Nathalie Sinclair-Desgagné Bloc Terrebonne, QC
That's fine, thank you.
I know that some information was not included in the report precisely because it was sensitive. Of course, we don't want to divulge the flaws in our system to unwanted parties.
Do you have any hypothetical examples you could give to inform the committee today?
Deputy Auditor General, Office of the Auditor General
I'm thinking, for example, about the importance of following up on requirements. That's an example of information that we didn't include in the report, along with other details.
The recommendations that we made to the department were to do the things that are in the policies.
Bloc
Deputy Auditor General, Office of the Auditor General
Public Services and Procurement Canada.
Bloc
Deputy Auditor General, Office of the Auditor General
This is something we have to do. It was important for us to put a note in our report that we made that recommendation, so that we could...
Bloc
Nathalie Sinclair-Desgagné Bloc Terrebonne, QC
No, excuse me. I'm talking about the deficiency you raised about the lack of follow-up.
Deputy Auditor General, Office of the Auditor General
Yes. This was regarding Public Services and Procurement Canada.
Bloc
Nathalie Sinclair-Desgagné Bloc Terrebonne, QC
All right, thank you.
I'm going to ask Ms. Luelo now about Treasury Board and the lack of guidance that has been found regarding the security measures that should be in place for all departments that want to store potentially sensitive information in the cloud.
When the Office of the Auditor General sounded the alarm, did you not see fit to slow down the process of storing information in the cloud, waiting until you had sufficient security measures in place before continuing?
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
Thank you for the question. In fact it is interesting because while the Auditor General's office was doing their assessment, a lot of work was under way. I walked you through some of the items. We had updated our GC CSEMP, our roles and responsibilities, and our policy guidance around Canadians' information in the cloud. We are kind of arriving at a destination together since we already had work in progress to remediate a lot of the things that were rightfully pointed out in the audit because we had reached a certain critical size and had therefore been doing that reflection ourselves.
Certainly there were things the Auditor General pointed out, but none, in my opinion, that are not well enough along—in terms of the improved guidance we're providing or the improved monitoring that is in place—that would cause us to slow down our progress. I would just note that our progress is very slow when you compare it to that of other organizations I've worked for. We move at a very slow pace. I would consider it a manageable risk.
Bloc
Nathalie Sinclair-Desgagné Bloc Terrebonne, QC
So, as I understand it, you have continued to store potentially sensitive information in the cloud.
You say you have updated everything, including your policy. After that, do you follow up to make sure the policy is being enforced across all departments?
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
We're actually just in the process. At the beginning of April all of the departments across government will be sending in their annual plans on service and digital. It would be good for us to check those to make sure they have implemented within their plans some of the guidance we've been providing.
The second thing is for some of the larger programs that are going on. I noted our benefits delivery modernization program. We are working very closely with them as they are building out the system. They have not put data into a production environment in the cloud. I think all of the checks and balances are in place, but certainly, to Sony's point, automating this is very important. When you put humans into the equation to measure whether there's compliance, that's not a sustainable model. We will be doing regular checks with the departments, and we will continue to do the cyber-event management program. We just completed one. We do those on an annual basis. It's my belief that we have enough checks and balances in place, including, when we turn something over into production, a checklist that we go through that allows us to manage that risk.
Conservative
The Chair Conservative John Williamson
Thank you very much.
Mr. Desjarlais, you have the floor for six minutes.
NDP
Blake Desjarlais NDP Edmonton Griesbach, AB
Thank you very much, Mr. Chair. I too want to thank the witnesses for being present with us today, and I want to thank the Auditor General's office for this really important audit.
This brings to mind particular questions amongst Canadians with respect to the confidence they have in the kinds of safety and security mechanisms there are for their personal information. I think these are some of the most critical things governments across the world are dealing with as we transform our systems into digital ones. I have learned quite a bit and I'm sure my colleagues have as well with respect to the nature of how those are being operated in the government. It was a surprise to me in many ways to hear that it's only 10% of those systems. We're really at the very start of this in some ways. I think it's incredibly important for us to get these initial aspects right. I believe this may be the first or second audit in relation to personal information when it comes to the cloud. I'm not certain whether there was one prior to this. This may be the first. Is that correct, Mr. Hayes?
Deputy Auditor General, Office of the Auditor General
This is the first one we did that was focused on this area.