Canadian government considers storing data on U.S. servers

Source: Xinhua | 2017-09-09 21:49:36 | Editor: Zhou Xin

OTTAWA, Sept. 9 (Xinhua) -- A Canadian government agency has discussed with Microsoft Corp. ways of securely storing secret data on American servers, which is prohibited under federal policy, a major Canadian news outlet reported Friday.

Under Canada's access-to-information law, the Canadian Broadcasting Corp. (CBC) obtained a copy of a redacted May 2017 internal Canadian government memorandum.

The memorandum noted that Shared Services Canada (SSC), a federal agency that manages the country's IT infrastructure, was exploring "the feasibility of Microsoft or any other cloud vendor" to store Canadian government encrypted data in a way that SSC "holds and owns the decryption keys and is able to access the data," while the vendor could not.

However, according to a cloud adoption strategy in the government's IT strategic plan for 2016-2020, "all sensitive or protected data under government control will be stored on servers that reside in Canada, to ensure Canada's sovereign control over its data, departments and agencies."

CBC reported that Amazon Web Services in the United States already hosts "low-risk" Canadian data, such as for Canada.ca web pages, on its cloud servers.

According to the SSC memo, Microsoft stated that it "always informs clients about any legal requests for access to information prior to releasing information," and that "the company has never released the data of one country to a foreign government, including the United States."

Last year, Microsoft launched a lawsuit against the U.S. Justice Department over an American law that allows U.S. officials to access emails or online files stored on Microsoft servers without users' knowledge.

But Raj Thuppal, assistant deputy minister of cyber and IT security at SSC, cautioned John A. Glowacki Jr., chief operating officer of the agency, in the memo that "although Microsoft identified mechanisms to reduce the risks to client data, no mechanism is able to entirely prevent foreign access to data should legal requests be invoked."

He highlighted the risk of storing encrypted data in the cloud. In order to be processed, it has to be decrypted, and "the cloud operator or malicious actors could make a forensic dump of memory of the virtual machine that holds the unencrypted data and provide it to a foreign government under legal request or use the data to injure the government of Canada," Thuppal wrote.

Encryption keys could also be held on Canadian government premises, which would require hardware security modules and could result in "loss of availability if the modules lose connectivity with the encrypted data in the cloud," the memo said.

"Few Microsoft clients leverage this option owing to the complexity of the design, the risk of availability and the cost."
