Myths and Frequently Asked Questions
How can we help you?[edit | edit source]
Browse our Frequently Asked Questions
♦ Where can I submit a Cloud service request?
- All cloud service requests should be submitted through the GC Cloud Broker, no matter the procurement authority.
- All cloud services should be entered into the Application Portfolio Management (APM).
♦ How do I buy PB cloud?
The process of acquiring PB cloud is the same as the one procuring unclassified cloud services using GC Cloud brokering. This process is outlined under the Procurement section of the GC-CIC site.
♦ What do I do if my request is not being actioned?
Departments should use the usual established cloud brokering service issue reporting mechanism.
♦ Do I need SCED before using PB cloud?
Secure Cloud Enablement and Defence (SCED) is a project whose objective is to address the risks of keeping pace with digital revolution and to help protect and enable visibility of PROTECTED B information transmitted to and from public cloud service. The implementation of SCED project will enable the use of PROTECTED B cloud.
♦ Do all Cloud SaaS requests require GCEARB approval?
The short answer is No. The criteria for what goes to EARB is found in requirement 126.96.36.199
♦ Do Cloud services have to be procured using the SSC vehicle?
As per the Directive on Service and Digital, Departments can perform a self-assessment without TBS supervision of your work. To find more about how to perform your self-assessment visit our Procurement section.
♦ What are Departments' budgetary limits for cloud solutions?
Departments have procurement authorities up to a given limit and for a given commodity groupings. Contact your procurement officers for clarification on your department's limits. The Contracting Policy annexes provide a list of who can exclusively buy what or to which limit. Although it doesn’t refer to the cloud directly. It simply talks about services. Departments can procure services unless otherwise specified in the policy's annexes.
♦ Where to procure cloud services?
Departments can buy the service from SSC if it is available through their brokerage. SSC has providers who have already undergone all security vetting and service terms that have been negotiated. This saves departments time and risk assessment. SSC has gone out and captured the hyperscale market with its framework agreement. While this market does not have a lot of players in it, it will represent the bulk of the GC's data holdings. SSC and its security partners spent a lot of time with these providers.
♦ What happens if I don’t select an SSC provider?
Should you choose to go with another provider you will need to navigate risk decisions that can be slow in GC hierarchies, especially with PB data.
We also recognize that there is a long tail of cloud providers that will hold smaller and less sensitive data sets. These can be big cloud companies but are often more focused on the consumer market than the enterprise market. They often may not hold that same security accreditation as the hyperscales. This is not the market SSC has captured. Some of these providers may, eventually, end up on the SSC framework agreement, but are not there today. To procure these services, you will need departmental authorities or work with PSPC if your department does not have sufficient authorities. You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls has been assessed by SSC and their security partners, thus accelerating your security assessment.
♦ If a Department orders Protected B Azure, does it already follow all the security protocols? Or do we need to implement them after we get access to Azure?
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
♦ Do Security guardrails are implemented by the vendor directly ie Microsoft?
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
♦ Azure is an IAAS and that we will need to be responsible for User Access/ identity, Data, Applications, and Platform. Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?
The CCCS CSP IT Security Assessment report is available by contacting firstname.lastname@example.org. Further, in Azure, the Canadian Federal PBMM Blueprint is available in the Security Center section (https://docs.microsoft.com/en-ca/azure/security-center/update-regulatory-compliance-packages).
♦ Do you have any additional cloud references we can consult?
Yes, see the references below.
References available on Canada.ca
- Government of Canada Cloud Adoption Strategy: Learn how the Government of Canada will maximize the benefits of cloud adoption while keeping the confidentiality and privacy of Canadian data.
- Government of Canada Right Cloud Selection Guidance: Find out which workloads are right for the cloud, and how to consider deployment methods.
- Government of Canada Security Control Profile for Cloud-based IT Services: A robust risk-management approach will ensure that the appropriate Government of Canada Security controls are in place.
- Direction on the Secure Use of Commercial Cloud Services: Sets out guidance to assist organizations in understanding their responsibilities for securing, managing, and using cloud services.
- Data Sovereignty White Paper: Read how the Government of Canada has assessed the risks of foreign governments accessing Canadian data when using the commercial cloud.
- Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
- Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
- GCcollab link for GC Cloud Working Group - https://gccollab.ca/groups/profile/1785962/engc-cloud-working-groupfr
- SSC Cloud Brokering Service - http://service.ssc-spc.gc.ca/en/services/dc/cloud
- GCpedia link to Cloud Security Initiative as part of the GC Enterprise Security Architecture (ESA) program - http://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative.
- References include:
- CSE CSP IT Security Assessment Program (ITSM.50.100)
If you cannot find your topic or have a question that wasn’t answered, please send us an email to reach our team.