The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that sets out how organizations can collect, use and disclose personal information in the course of commercial activity. While PIPEDA does not prohibit the transfer of personal information outside of Canada, it requires organizations to provide adequate levels of protection and transparency when transferring data outside the country’s borders or outside a province. The Office of the Privacy Commissioner (OPC) launched a formal consultation process in 2019 which covers cross-border transfers of information and is considering changing the law in this respect. As a result the subject of cross-border personal information transfer is the focus of much attention in Canada.
Since 2009 organizations subject to PIPEDA did not need to obtain additional consent for a cross-border transfer of personal information but they were obliged to give notice. More recently however, in the latest consultation and in close alignment with the General Data Protection Regulation (GDPR), the OPC now states that the cross-border transfer of personal information requires consent.
Data Privacy legislation differs between provinces which means CISOs and Security professionals are struggling to understand the differences in mandates and how to adhere to them. For example in British Columbia the Freedom of Information and Protection of Privacy Act (FIPPA) applies to personal information that is in the custody or under the control of a public body and the act requires that public bodies ensure that “personal information is only stored in and accessed from inside Canada”. Many provinces are preparing for such legislation to be rolled-out more widely in the future.
To add to the complexity, in 2018 Canada adopted ‘Cloud-First’ as its national IT strategy with use of the public cloud as its number one priority, which contradicts the general feeling within the Canadian public sector that the public cloud cannot meet data residency requirements in the same way that on-premises storage can. And these concerns are not unfounded, with many cloud-based WAF vendors unable to guarantee that, as part of their attack mitigation processes, data will not be moved across the border into the US for inspection, in the event of a DDoS attack for example. This presents a real challenge for organizations, in particular large enterprises such as financial institutions and government bodies that store large amounts of sensitive customer data and for whom ensuring that web traffic terminates and is inspected within Canada is critical.
Imperva offers a solution to this problem with its advanced architectural topology which ensures that traffic inspection is guaranteed to be maintained within Canada’s borders.
Traffic Termination and Inspection
DDoS attacks can cause considerable disruption to cloud services and while the advanced technology used to defend against them might take only a matter of seconds to conduct the high-velocity deep packet inspection process, it also usually entails data being moved offshore. This presents organizations in countries with data sovereignty laws or guidance in place with a problem as it leaves them vulnerable to data violations while their data is outside the country of origin.
The challenge for cloud-based WAF solutions today is that in the case of a very large DDoS attack, many vendors cannot guarantee that the traffic will not be diverted outside Canada (and terminated in the US where the data could be compromised) if their Canadian Points of Presence (PoPs) are unable to absorb such a large-scale attack.
Previously, traffic was always inspected within the closest Point of Presence
Cloud WAF Data Sovereignty
To address this challenge Imperva has designed a ground-breaking new network topology for its Cloud WAF architecture and integrated CDN and DDoS mitigation solutions. Our mesh network for international scrubbing and Canada-only decryption and termination enables unlimited DDoS protection while traffic inspection is guaranteed to be maintained within Canada’s borders.
Imperva has a large scrubbing capacity within Canada with PoPs in Toronto and Vancouver. In addition, thanks to new mesh topology, the traffic may be scrubbed in international POPs for layer 3 and layer 4 traffic inspection and scrubbing, while the layer 7 traffic will transit within our network to be decrypted and inspected within Canada only.
In the new topology, even if the traffic is scrubbed outside of Canada in order to benefit from our large network capacity, the layer 7 traffic, still encrypted, will transit within the Imperva network and the decryption and traffic termination will always happen within our Canadian PoPs.
This new innovative architecture provides an additional layer of security to allow Canadian organizations to securely manage their operations in the cloud without the worry of breaching data residency laws.
Imperva DDoS protection mitigates the largest attacks immediately without incurring latency or interfering with legitimate users. Find out more here.