Thinking About the Cloud for Canadian Libraries

05 Jun 2015

I'm a pretty big advocate of libraries using the public cloud, by which I broadly mean running some or all of your applications and/or infrastructure outside your own data centre via AWS, DigitalOcean, Heroku, whatever. In short form:

I think the concerns about data security, loss of control and migration are addressable, and the risk is no greater (and may be substantially less, in some circumstances) than running everything internally.
I don't think most libraries are equipped to provide the ease of use with provisioning, automation and hosting of new applications that the public cloud provides.
I think the cost savings can be substantial when looking at total cost of ownership.
I think the public cloud can save staff time in doing repetitive, commodity-level systems administration work and allow libraries to focus limited resources on developing their technology in areas important to their specific challenges.

In Canada (where I work and live) in particular, a lot of library people I talk to have concerns about the cloud. I don't think these concerns are illegitimate, but I think if we want to have a coherent conversation about Canadian libraries making use of the cloud, we have to have a clearer articulation of what the concerns actually are.

I won't promise to go back at some point and fill the below in with links to more information, but I'd like to (especially for point #1).

1. It's Illegal to Store Identifiable Patron Data Outside Canada

Microsoft Azure coming to Canadian-located data centres may help to make this conversation more coherent and less FUD-filled, but my understanding is that outside of possibly BC (which has somewhat stricter data harbor laws than other provinces), there's nothing actually illegal about having confidential, identifiable data held in servers outside of Canada.

This is in contrast to the EU. If you've ever wondered why Amazon etc have EU-specific data centres but not Canadian ones, this is a factor in why.

2. It's Unethical to Store Identifiable Patron Data Outside Canada

This is a separate argument from #1 above, and I think addressing it requires a more rigourous understanding of what protecting patron privacy would really mean in the post-Snowden era. Specifically, I mean whether or not we are using things like:

Strong encryption in storing patron data
Fully-encrypted websites
Good internal controls around system access
Modern authentication for third-party resources (not bloody SIP, which was originally intended for on-site self-checkout systems and shows it)

The professional ethics of patron data security for libraries is a huge topic, but I have sometimes seen it in the discussion in Canada reduced to a simplistic binary about "where" the data is located. This is not a reflection of the post-Snowden reality, and I think libraries would best serve their patrons by focusing on getting strong encryption on everything than on anything else.

Anecdotally, I have also heard from lawyers specializing in the area that the 5 Eyes information-sharing agreements actually makes it easier for US intelligence agencies to access data on Canadian servers than on US servers, due to Canada's weaker legislation around law enforcement and intelligence agency access to data on Canadian servers.

3. The Public Cloud Encourages Vendor Lock-In

How locked in to a particular public cloud implementation you are varies depending on the choices you make in what you use the cloud for. There's also huge strides being made in the last several years (Docker and otherwise) in making applications portable in the cloud.

Also, I think if we're going to be really concerned about lock-in, it should be in the much longer-standing areas of vendor lock-in like the ILS and third-party services. :P

"Further Study Is Needed"