Cloud Services Security — Canadian Baseline Control BC.10
What Cloud Services Security Means
Cloud services security encompasses the policies, controls, and practices used to protect data, applications, and infrastructure hosted in cloud computing environments. Under the Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), control BC.10 addresses the need for organizations to understand and manage the security of cloud services they use, including the shared responsibility between the cloud provider and the customer.
Canadian businesses of all sizes increasingly rely on cloud services for email, file storage, collaboration, accounting, customer management, and many other business functions. While cloud services can offer security benefits such as automatic updates and professional infrastructure management, they also introduce risks that organizations must actively manage.
This page provides educational information based on publicly available Canadian Centre for Cyber Security guidance. It is not professional cybersecurity advice. Organizations should consult qualified professionals for advice tailored to their specific circumstances.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations take an active role in securing their use of cloud services. The guidance emphasizes that moving to the cloud does not transfer all security responsibility to the provider — organizations remain responsible for many aspects of their security.
Key recommendations from the CCCS include:
- Understand the shared responsibility model for each cloud service you use. Know which security controls are managed by the provider and which are your responsibility.
- Configure cloud services securely, including enabling security features offered by the provider, restricting administrative access, and reviewing default settings.
- Use strong authentication for cloud accounts, including multi-factor authentication (MFA) for all users, and especially for administrative accounts.
- Understand data residency — know where your data is stored and processed, and consider the legal and regulatory implications for your organization.
- Back up cloud data independently rather than relying solely on the cloud provider's infrastructure redundancy.
- Review and manage cloud service permissions to ensure users have only the access they need and that unused accounts are disabled.
- Assess cloud providers before adopting their services, evaluating their security practices, certifications, and terms of service.
The CCCS has also published specific guidance on cloud security considerations, including its Cloud Security Risk Management publications, which provide more detailed recommendations for organizations adopting cloud services.
Why This Matters for Canadian Businesses
Cloud adoption among Canadian businesses has accelerated significantly. For many SMBs, cloud services are now the primary platform for email, document storage, and business applications. This reliance on cloud services makes their secure use a business-critical concern.
Key risks associated with cloud services include:
- Misconfiguration — Cloud services often ship with default settings that may not be secure for your use case. Misconfigured cloud storage, overly permissive sharing settings, or disabled security features are common causes of data exposure.
- Account compromise — Cloud accounts accessible from anywhere on the internet are attractive targets. Compromised cloud credentials can give attackers access to email, documents, customer data, and other business information.
- Data loss — While cloud providers maintain infrastructure redundancy, they typically do not protect against user-initiated data deletion, account-level compromise, or application-level data corruption.
- Compliance risks — Canadian organizations subject to PIPEDA and provincial privacy legislation must ensure that personal information stored in cloud services is adequately protected, regardless of where the cloud provider's servers are located.
- Vendor lock-in and continuity — Dependence on a single cloud provider without adequate backups or data portability planning can create business continuity risks.
The CCCS National Cyber Threat Assessment has noted that cloud environments are increasingly targeted by threat actors, and that misconfiguration of cloud services is a common factor in data breaches affecting Canadian organizations.
How to Get Started
Securing your organization's use of cloud services requires a structured approach. The following steps provide a practical starting point for Canadian SMBs.
1. Inventory Your Cloud Services
Start by identifying all cloud services your organization uses. This often reveals more services than expected, including:
- Email platforms (Microsoft 365, Google Workspace)
- File storage and sharing (OneDrive, Google Drive, Dropbox)
- Accounting and payroll software
- Customer relationship management (CRM) tools
- Communication and collaboration platforms
- Industry-specific SaaS applications
Include services adopted by individual departments or employees without formal IT approval, sometimes called shadow IT. Our free cybersecurity assessment can help identify gaps across all 13 Baseline Controls, including cloud security.
2. Understand the Shared Responsibility Model
For each cloud service, understand the division of security responsibilities:
- The cloud provider is typically responsible for the security of the underlying infrastructure — physical data centres, networking hardware, hypervisors, and base platform services.
- Your organization is typically responsible for securing your data within the cloud service, managing user accounts and access, configuring security settings, and ensuring data is backed up.
The exact division varies depending on the type of cloud service (Infrastructure as a Service, Platform as a Service, or Software as a Service). Review each provider's documentation to understand what they secure and what falls to you.
3. Secure Your Cloud Accounts
Cloud account security is one of the most important and achievable steps:
- Enable multi-factor authentication for all cloud accounts. This is the single most effective measure against account compromise. See Authentication (BC.5) for detailed guidance.
- Use strong, unique passwords for all cloud service accounts.
- Protect administrative accounts with the highest level of security. Limit the number of people with administrative access and use dedicated admin accounts separate from day-to-day accounts.
- Disable unused accounts promptly when employees leave or change roles.
- Review access permissions regularly to ensure they follow the principle of least privilege.
4. Configure Cloud Services Securely
Review and adjust the security settings of each cloud service:
- Review sharing settings — Ensure files and folders are not shared more broadly than intended. Many cloud services default to allowing link sharing or broad access.
- Enable audit logging where available, so you have a record of who accessed what and when.
- Configure data loss prevention features if your cloud platform offers them, to help prevent sensitive data from being shared inappropriately.
- Review connected third-party applications — Cloud platforms often allow third-party apps to connect via OAuth or API integrations. Review and remove any that are unnecessary.
- Enable available security features — Many cloud services include security capabilities that are not enabled by default. Review your provider's security documentation and enable relevant features.
5. Address Data Residency
For Canadian organizations, data residency is an important consideration:
- Know where your data is stored — Determine which countries and regions your cloud provider uses for data storage and processing.
- Understand the legal implications — Data stored in other countries may be subject to the laws of those jurisdictions. For example, data stored in the United States may be subject to U.S. law enforcement access under certain circumstances.
- Check regulatory requirements — Some sectors and provinces have specific requirements about where certain types of data can be stored. Federal institutions are subject to the Government of Canada's cloud-first policy, which includes data residency considerations.
- Choose Canadian data centre regions where available. Major cloud providers including Microsoft, Google, and Amazon Web Services operate data centre regions in Canada.
6. Back Up Your Cloud Data
Do not assume your cloud provider's infrastructure redundancy is equivalent to a backup. Implement independent backups of important cloud data:
- Use third-party backup solutions that can back up data from cloud platforms such as Microsoft 365 or Google Workspace.
- Apply the 3-2-1 backup rule (three copies of the data, on two different types of storage, with one copy off-site) so that copies of cloud data exist on storage independent of the provider.
- Test your ability to restore cloud data, just as you would test any other backup.
- Ensure backup data is encrypted and stored securely.
7. Assess Cloud Providers
Before adopting a new cloud service, evaluate the provider's security posture:
- Security certifications — Look for relevant certifications such as SOC 2, ISO 27001, or FedRAMP (for services also used by U.S. government agencies).
- Data protection practices — Review how the provider encrypts data at rest and in transit.
- Terms of service — Understand the provider's responsibilities, liability limitations, and data handling practices.
- Incident notification — Review the provider's commitment to notifying you of security incidents that affect your data.
- Data portability — Ensure you can export your data in a usable format if you need to switch providers.
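To make steps 3 to 6 concrete, the following Python script is an added example (not from the CCCS guidance or this site) that reviews a constructed cloud-service inventory and reports gaps keyed to those steps; the field names, sample services and numeric thresholds are assumptions.

```python
from datetime import date

# Constructed sample inventory (hypothetical field names and values, not a real
# tenant export); the thresholds are assumptions, not numbers from the CCCS guidance.
TODAY = date(2024, 6, 1)
STALE_OAUTH_DAYS = 90    # step 4: unused integrations should be removed
RESTORE_TEST_DAYS = 180  # step 6: restores should be tested at least this often
MAX_ADMINS = 3           # step 3: keep administrative access to a few people
INVENTORY = [
    {"name": "Microsoft 365", "mfa_all_users": True, "admin_accounts": 2,
     "dedicated_admin_accounts": True, "default_link_sharing": "organization",
     "audit_logging": True, "region": "Canada Central", "independent_backup": True,
     "last_restore_test": date(2024, 4, 20),
     "oauth_apps": [{"name": "CRM sync", "last_used": date(2024, 5, 28)},
                    {"name": "Old survey tool", "last_used": date(2023, 9, 1)}]},
    {"name": "Dropbox (marketing)", "mfa_all_users": False, "admin_accounts": 5,
     "dedicated_admin_accounts": False, "default_link_sharing": "anyone",
     "audit_logging": False, "region": "United States", "independent_backup": False,
     "last_restore_test": None, "oauth_apps": []},
]

def age_days(d):
    """Days between a recorded date and TODAY; None when nothing was recorded."""
    return (TODAY - d).days if d else None

def check_service(svc):
    """Return (severity, step, message) findings for one service, keyed to steps 3-6."""
    f = []
    if not svc["mfa_all_users"]:
        f.append(("high", 3, "MFA is not enforced for all users"))
    if not svc["dedicated_admin_accounts"] or svc["admin_accounts"] > MAX_ADMINS:
        f.append(("medium", 3, f"{svc['admin_accounts']} admin accounts; use few, dedicated admin accounts"))
    if svc["default_link_sharing"] == "anyone":
        f.append(("high", 4, "default link sharing is 'anyone with the link'"))
    if not svc["audit_logging"]:
        f.append(("medium", 4, "audit logging is disabled"))
    for app in svc["oauth_apps"]:
        if age_days(app["last_used"]) > STALE_OAUTH_DAYS:
            f.append(("medium", 4, f"OAuth app '{app['name']}' unused for {age_days(app['last_used'])} days"))
    if "canada" not in svc["region"].lower():
        f.append(("medium", 5, f"data region '{svc['region']}' is outside Canada; confirm residency requirements"))
    if not svc["independent_backup"]:
        f.append(("high", 6, "no independent backup of cloud data"))
    elif age_days(svc["last_restore_test"]) is None or age_days(svc["last_restore_test"]) > RESTORE_TEST_DAYS:
        f.append(("medium", 6, f"restore not tested in the last {RESTORE_TEST_DAYS} days"))
    return f

def review(inventory):
    """Map each service name to its findings; an empty list means no gaps found."""
    return {svc["name"]: check_service(svc) for svc in inventory}
```

Calling `review(INVENTORY)` on the sample data flags the stale OAuth app on the Microsoft 365 tenant and six gaps on the departmental Dropbox account; in practice the inventory would be filled from each provider's admin console or export.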
Common Mistakes to Avoid
Cloud security programs are frequently undermined by preventable errors. Be aware of these common pitfalls.
Assuming the Cloud Provider Handles All Security
The most common and significant mistake is believing that moving to the cloud transfers all security responsibility to the provider. Under the shared responsibility model, you remain responsible for securing your data, accounts, and configurations. A misconfigured cloud service is your organization's responsibility, not the provider's.
Not Enabling Multi-Factor Authentication
Cloud accounts are accessible from anywhere on the internet, making them high-value targets. Accounts protected only by passwords are vulnerable to credential stuffing, phishing, and password spraying attacks. MFA is available on virtually all major cloud platforms and should be enabled for every user.
Overly Permissive Sharing Settings
Cloud storage services make it easy to share files and folders, but default sharing settings can expose data more broadly than intended. Regularly audit sharing permissions and ensure that sensitive documents are shared only with specific, authorized individuals rather than via open links.
Ignoring Shadow IT
Employees often adopt cloud services without formal IT approval to solve immediate work problems. These unauthorized services may not meet your security standards and create unmanaged risk. Rather than simply prohibiting shadow IT, provide approved alternatives that meet employee needs while maintaining security standards.
No Independent Backups of Cloud Data
Cloud provider redundancy protects against infrastructure failures but not against accidental deletion, malicious deletion by a compromised account, or application-level corruption. Independent backups of cloud data are essential for comprehensive data protection.
Connecting Cloud Security to Other Controls
Cloud services security intersects with several other Baseline Controls:
- Data Backup & Recovery (BC.7) — Cloud data should be included in your backup strategy. Do not rely solely on cloud provider redundancy for data protection.
- Authentication (BC.5) — Cloud accounts must be protected with strong authentication, including multi-factor authentication for all users. This is perhaps the most critical security control for cloud environments.
- Network & Perimeter Security (BC.9) — Connections between your organization's network and cloud services should be secured, and network controls should account for the reality that business data now resides both on-premises and in the cloud.
For a complete view of how all 13 Baseline Controls work together, visit the controls overview page or take the free assessment to evaluate your organization's current posture.
Additional Resources
- CCCS Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089)
- CCCS — Cloud Security Risk Management (ITSP.50.078)
- Cybersecurity Canada Resources Page
- Free Cybersecurity Baseline Assessment
Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.