Travel Alberta needs to tighten up lax oversight of its cloud computing, Alberta's auditor general warned in a report released Wednesday.
The provincial travel agency was an early adopter of cloud computing within the government, having shifted its IT infrastructure and much of its administrative and marketing functions to online systems by 2016.
But in a report released Wednesday, the audit team reported Travel Alberta is not effectively managing and monitoring the risks that come with cloud computing, which is the practice of using Internet applications to process, manage and store data remotely.
Not taking action exposes the agency to data loss, privacy breaches and business interruptions, the report states.
The audit team found Travel Alberta has no processes to deal with the risk of managing its data online. As well, the agency didn't classify its data it moved online, and that though the provincial government has a data classification policy, Travel Alberta was not aware of it.
The report also found that the cloud service provider Travel Alberta is based in the United States, which is where the information is hosted.
"There is a risk that data that is now subject to the laws of the U.S. and other countries, may be accessible by the authorities of those countries," the report states.
In a news release, Auditor General Doug Wylie said that while the ease and cost efficiency of cloud computing is beneficial, it can potentially expose sensitive data to unauthorized users.
"Effective processes to manage the risks of cloud computing are essential to protect both Travel Alberta's corporate information, as well as the data it retains on behalf of its tourism partners and clients," he said.
The report makes recommendations on beefing up security that Travel Alberta CEO Royce Chwin said Wednesday they are already working on. He said he wasn't surprised by the findings given that Travel Alberta is a "trailblazer" in adopting cloud computing as a government agency.
"There's nothing in there that isn't insurmountable or something that we're not working on already to improve our internal processes and practices," he said.
Travel Alberta uses Microsoft Dynamics as its primary cloud service, as well as ADP Canada, which is a payroll, human resources and tax service.
As for the risk of using services hosted in other countries, he said they did review possible points of "exposure" but he said Travel Alberta does not host a lot of proprietary information.
"It is a concern for us, but it isn't as much of a concern as if we were a retail-based type of business," he said.
The audit report notes that the recommendations made to Travel Alberta ought to be taken up by other government bodies that use cloud computing.