38 million customer accounts. That’s the scope of the Canadian Tire e-commerce database breach disclosed in October 2025 (CBC News, October 2025). Names, addresses, emails, dates of birth, encrypted passwords. Not from the banking system. Not from the loyalty programme. From a supporting e-commerce database that served Canadian Tire, SportChek, Mark’s, and Party City.
The banking data was fine. The Triangle Rewards data was fine. The system nobody thought to protect with the same rigour as the crown jewels turned out to be the one with 38 million records in it. Technical analysis suggests a configuration error or an unpatched vulnerability, not a sophisticated attack (OffSeq Threat Radar, February 2026).
A firewall around the perimeter. Nothing around the data.
The threat isn’t always the one wearing a hoodie
Your data lives everywhere. Cloud platforms, local files, SaaS applications, test environments, remote endpoints, and the legacy server in the closet that survived 3 office moves and an Edmonton winter. In Canada, federal and provincial rules around privacy, access, residency, and incident reporting cross jurisdictions and change regularly.
And it’s not always hackers. Misconfigurations. Copy-paste jobs between environments. Former employees whose access persisted months past their last day. Well-meaning vendors with broader permissions than the contract intended. These cause as many incidents as external threats. Nobody writes a dramatic headline about a misconfiguration, but the damage is the same.
Security as rings, not walls
Perimeter defence made sense when the perimeter was a place. Security has to follow the data now, not surround the building. Think concentric rings, each one protecting the layer inside it.
Ring 1: identity at the centre
No identity, no security. Everything else is decoration. Microsoft Entra ID provides role-based access and context-aware controls that reduce the attack surface before a threat arrives. Who is this person? What device? Is this request consistent with their normal behaviour? Identity is the smallest ring and the most consequential. Get it wrong and every other ring is a suggestion.
Ring 2: protect the data itself
The perimeter is gone. The data is what’s left to protect. Encryption at rest and in transit: Protegrity for fine-grained, field-level protection across platforms, Azure Key Vault and database-native capabilities for encryption management. Data masking in test environments, sensitive-data tagging through the catalogue, automated risk flags. When the data moves, the protections move with it. When someone copies production to dev (and someone will), the masking is already applied.
Ring 3: monitor everything, automatically
You can’t protect what you can’t see, and you can’t see what you’re not watching. Microsoft Sentinel and Defender deliver continuous, real-time visibility and anomaly detection. When Gary’s phone buzzes at 2 a.m., the difference between a 10-minute resolution and a 10-week investigation is whether context was attached to the alert. An alert without context is noise. An alert with lineage, classification, and access history is a decision.
Ring 4: resilience, because containment beats prevention
Assume breaches happen. Build for containment and recovery. Incident response built around Azure Arc and Rubrik immutability features lets you isolate damage, recover data, and move forward while protecting client trust. Resilience isn’t a backup strategy. It’s the difference between a Tuesday morning incident and a Tuesday morning crisis.
Security is what lets AI ship
Security sits underneath every AI, cloud, and analytics initiative that actually makes it to production. The strongest version of it isn’t patched after the fact. It’s built into the data architecture from day one.
Where this leads
Security enforces the rules. Governance decides them. Nobody gets promoted for governance work covers the framework that gives security its mandate.
Security protects data. Privacy decides what counts as protected. Your policy says one thing, your environment says another covers the controls that tell security what to defend.
And if your data and AI workloads need to stay under Canadian law, that’s the Data Sovereignty service.
