Difference between revisions of "Configuration & Toolkits"

From wiki
Jump to navigation Jump to search
m
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{{Cloud Information Centre - Government of Canada}}
 
{{Cloud Information Centre - Government of Canada}}
 +
<b>
 +
</b>
 +
<!-- Columns -->
 +
 +
{| width="100%" cellpadding="10"
 +
 +
|width="90%" style="color: black;" align="right" |
 +
<!-- COLUMN 1 STARTS: -->
 +
[[Configuration et trousse d’outils|Français]]
 +
<!-- COLUMN 1 ENDS: -->
 +
|width="10%" style="color: black; align="center" |
 +
 +
<!-- COLUMN 2 STARTS: -->
 +
 +
<!-- COLUMN 2 ENDS: -->
 +
 +
|}
 +
 +
<!-- Columns -->
 +
 +
{| width="100%" cellpadding="10"
 +
|-valign="top"
 +
 +
|width="33.3%" style="color: black;" |
 +
<!-- COLUMN 1 STARTS: -->
 +
[[Image:Tech build.jpg|250x250px|center |link=Cloud technical build]]
 +
<!-- COLUMN 1 ENDS: -->
 +
 +
|width="33.3%" style="color: black;" |
 +
<!-- COLUMN 2 STARTS: -->
 +
[[Image:Migration.jpg ‎|250x250px|center |link=Cloud migration]]
 +
<!-- COLUMN 2 ENDS: -->
 +
 +
|width="33.3%" style="color: black;" |
 +
<!-- COLUMN 3 STARTS: -->
 +
[[Image:Cic.jpg|center|250x250px |center |link=GC_Cloud_Infocentre]]
 +
<!-- COLUMN 3 ENDS: -->
 +
|}
 +
<b>
 +
</b>
 +
<b>
 +
</b>
 
<big><big>
 
<big><big>
<span style="font-family: Century Gothic; font-size: 28pt;"><font color="#9F000F;">Editing Configuration & Toolkits</font></span>
+
<span style="font-family: Century Gothic; font-size: 28pt;"><font color="#9F000F;"> Configuration & Toolkits</font></span>
 
== GC Cloud Security Risk Management Approach for Adopting Cloud ==
 
== GC Cloud Security Risk Management Approach for Adopting Cloud ==
Multiple Security breaches from companies known for their reputations on protecting personal information, lead the Government of Canada to take and hard look at security risks and the develop the appropriate mitigating factors. This will required a structured approach to managing risks associated with the protection of government data and infrastructure in public cloud. GC Cloud Security Risk Management Approach for adopting Cloud is one of the initiative developed by TBS to provide the necessary direction to GC departments.  
+
Multiple Security breaches from companies known for their reputations on protecting personal information, lead the Government of Canada to take and hard look at security risks and develop the appropriate mitigating factors. This will required a structured approach to managing risks associated with the protection of government data and infrastructure in a public cloud. [https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative#GC_Cloud_Security_Risk_Management_Approach_for_Adopting_Cloud GC Cloud Security Risk Management Approach for adopting Cloud] is one of the initiatives developed by TBS to provide the necessary direction to GC departments.  
  
 
== GC Cloud Operationalization Framework ==
 
== GC Cloud Operationalization Framework ==
With the needs of securing protected B data in a Public cloud, the office of GC Chief Technology Officer developed an operationalization framework which was approved by GC Enterprise Architecture Review Board (EARB).  
+
With the needs of securing protected B data in a Public cloud, the office of GC Chief Technology Officer developed an operationalization framework approved by the GC Enterprise Architecture Review Board (EARB).  
  
 
== GC Event Logging Guidance ==
 
== GC Event Logging Guidance ==
<nowiki>***</nowiki> In construction ***
+
TBS had developed a High-level strategy to configure event logging.
 +
https://www.gcpedia.gc.ca/gcwiki/images/e/e3/GC_Event_Logging_Strategy.pdf
  
 
== GC Accelerator ==
 
== GC Accelerator ==
Conscious of the fact that wide adoption in GC will require enabling GC department to effectively and rapidly deploy application, computing etc. in public could environment. TBS in collaboration with SSC and other departments had developed GC accelerator for Microsoft Azure and AWS cloud.
+
Conscious of the fact that wide adoption in GC will require enabling GC departments to effectively and rapidly deploy applications, computing etc. in public cloud environment. TBS in collaboration with SSC and other departments has developed a GC accelerator for Microsoft Azure and AWS cloud.
  
== CG Accelerators - Azure ==
+
== GC Accelerators - Azure ==
To access the Azure accelerator, consult canada-ca/accelerators_accelerateurs-azure  
+
To access the Azure accelerator, consult [https://github.com/canada-ca/accelerators_accelerateurs-azure canada-ca/accelerators_accelerateurs-azure]
  
== CG Accelerators – Amazon Web Services ==
+
== GC Accelerators – Amazon Web Services ==
To access the AWS accelerator, consult canada-ca/accelerators_accelerateurs-aws  
+
To access the AWS accelerator, consult [https://github.com/canada-ca/accelerators_accelerateurs-aws canada-ca/accelerators_accelerateurs-aws]
  
 
== Secure Cloud Connectivity ==
 
== Secure Cloud Connectivity ==
 
The establishment of secure cloud connections to cloud services and trusted interconnection points will:  
 
The establishment of secure cloud connections to cloud services and trusted interconnection points will:  
  
• Improve resiliency of the GC infrastructure with dedicated and private connections to cloud;  
+
• Improve resiliency of the GC infrastructure with dedicated and private connections to the cloud;  
  
thereby ensuring continued access to GC information systems and solutions hosted in the cloud;  
+
Thereby ensuring continued access to GC information systems and solutions hosted in the cloud;  
  
 
• Help the GC to mitigate direct attacks from the Internet against cloud-based GC resources; and  
 
• Help the GC to mitigate direct attacks from the Internet against cloud-based GC resources; and  
Line 33: Line 76:
 
Below are the link to the GC Secure Cloud Connectivity Requirements.  
 
Below are the link to the GC Secure Cloud Connectivity Requirements.  
  
GC Secure Cloud Connectivity Requirements  
+
:o [http://%5Bhttps://www.gcpedia.gc.ca/gcwiki/images/e/e7/GC_Secure_Cloud_Connectivity_Requirements.pdf GC Secure Cloud Connectivity Requirements]
  
o GC Cloud Access Use Cases  
+
::— [https://www.gcpedia.gc.ca/gcwiki/images/1/18/GC_Cloud_Access_Use_Cases.xlsx GC Cloud Access Use Cases]
  
o GC Connection Patterns - DRAFT for Consultation  
+
::— [https://www.gcpedia.gc.ca/gcwiki/images/7/75/GC_Cloud_Connection_Patterns.pdf GC Connection Patterns - DRAFT for Consultation]
  
 
== GC Guardrails ==
 
== GC Guardrails ==
The purpose of the guardrails is to ensure that departments and agencies are implementing a preliminary baseline set of controls within their cloud-based environments. These minimum guardrails are to be implemented within the GC-specified initial period (e.g. 30 days) upon receipt of an enrollment under the GC Cloud Services Framework Agreement.  
+
The purpose of the guardrails is to ensure that departments and agencies are implementing a preliminary baseline set of controls within their cloud-based environments. These minimum guardrails are to be implemented within the GC-specified initial period (e.g. 30 days) upon receipt of enrollment under the GC Cloud Services Framework Agreement.  
  
GC Cloud Guardrails - DRAFT for Consultation  
+
:o [https://www.gcpedia.gc.ca/gcwiki/images/8/84/GC_Cloud_Guardrails.pdf GC Cloud Guardrails - DRAFT for Consultation]
  
o Cloud Guardrails - Initial 30 Days  
+
::— [https://www.gcpedia.gc.ca/gcwiki/images/e/ed/GC_Cloud_Guardrails.xlsx Cloud Guardrails - Initial 30 Days]
  
o Standard Operating Procedure for Validating Cloud Guardrails  
+
::— [https://www.gcpedia.gc.ca/gcwiki/images/1/19/SOP_for_Validating_Cloud_Guardrails.pdf Standard Operating Procedure for Validating Cloud Guardrails]
  
 
https://github.com/canada-ca/cloud-guardrails
 
https://github.com/canada-ca/cloud-guardrails
Line 54: Line 97:
  
 
== GC Cloud Guardrails – Amazon Web Service ==
 
== GC Cloud Guardrails – Amazon Web Service ==
https://github.com/canada-ca/cloud-guardrails-aws
+
The GC accelerator for AWS is on GitHub: https://github.com/canada-ca/cloud-guardrails-aws
* The GC AWS Accelerator main page is on GitHub:
 
* The GC AWS Accelerator main page is on GitHub: https://github.com/canada-ca/accelerators_accelerateurs-aws/blob/master/HOWTOs/GC_AWS_LZ_Package/README.md
 
 
* The UTM Firewall VPC Overlay templates and scripts are also on GitHub and can be found here: https://github.com/canada-ca/accelerators_accelerateurs-aws/tree/master/templates
 
* The UTM Firewall VPC Overlay templates and scripts are also on GitHub and can be found here: https://github.com/canada-ca/accelerators_accelerateurs-aws/tree/master/templates
 
* The GC AWS Accelerator documentation including build books, etc., is currently stored in GCCode: https://gccode.ssc-spc.gc.ca/GCCloudEnablement/AWS/tree/master/GC%20Accelerator%20-%20AWS%20Landing%20Zone%20Package%20(July%202019)  
 
* The GC AWS Accelerator documentation including build books, etc., is currently stored in GCCode: https://gccode.ssc-spc.gc.ca/GCCloudEnablement/AWS/tree/master/GC%20Accelerator%20-%20AWS%20Landing%20Zone%20Package%20(July%202019)  
Line 68: Line 109:
 
== Naming and Tagging ==
 
== Naming and Tagging ==
 
To effectively manage GC cloud Resources, Shared Services Canada had developed a Cloud Resources Naming and Tagging Convention which was approved and ready to be used by GC departments deploying GC IT resources using approved public cloud services.
 
To effectively manage GC cloud Resources, Shared Services Canada had developed a Cloud Resources Naming and Tagging Convention which was approved and ready to be used by GC departments deploying GC IT resources using approved public cloud services.
<br>
 
== Cloud Security ==
 
=== Overview and Current Situation in Government of Canada ===
 
Cloud computing has made the jump from buzzword to deployed technology. However, many potential cloud customers do not understand the scope of the cloud, how it should be used, and how to address security in the cloud. The image below is a simplified view of an enterprise such as the GC. The goal of the organization is to provide needed services to the citizens of Canada and other public users as well as internal services to allow GC employees and contractors to keep the business of the GC running. Service delivery is the ultimate goal, but there are several foundational elements provided by the people, processes, and technology of the GC. The technical contribution to the foundation is contained in information technology and information systems (IT/IS). As shown in the image on the left, cloud computing is simply an enabling information technology supporting the mission of the business of the enterprise.
 
<br><br>
 
The GC IT/IS enterprise is large in scope and geography, yielding a challenging operational, maintenance, and security environment. GC users hail from 400,000+ federal government employees and 100,000+ federal government business enterprise employees. Canada's population is 35 million, representing the pool of potential Canadian citizen public users. GC resources are also accessed by non-Canadian public users, including international visitors to GC sites. The hundreds of GC agencies and departments are spread across the country and around the world, each with independent policies, assets, and resultant security postures.
 
<br><br>
 
Currently, the GC operates 480+ data centres attached to thousands of stove-piped networks running unique instances of front-office and back-office applications. These data centres consist of purpose built servers racked for each application, resulting in low hardware utilization rates (i.e. 15% or less), long lead times for provisioning (i.e. weeks to months), sub-optimal use of data centre space, power and cooling, and high recurring costs.
 
<br><br>
 
Current use of cloud computing is department-based, deployed internally in department-hosted private data centres and clouds for processing sensitive information and contracted with cloud providers for unclassified and public information sites. This distributed, department-led IT procurement and deployment model leads to a number of enterprise level issues, including: inconsistent application and adoption of new technologies and business processes, standards, and open systems; a lack of ability to adapt to the changing threat environment while increasing the threat surface faster than security mitigations are deployed; incomplete network and element awareness and mapping; independently owned and operated legacy applications (5000+) and associated data and information stores, many without a path to a consolidated infrastructure and modern security protections; limited inter-domain interoperability and inadequate information sharing and access between agencies, departments, and partners. All of these effects perpetuating the expensive, inefficient, and insecure aspects of the current enterprise.
 
<br><br>
 
A contributing aspect to the low penetration of low-cost, high performance solutions enabled by cloud computing is the slow uptake of cloud technology in Canada as a whole. In a white paper published by IT World Canada, the perspective of Canadian CIOs on cloud computing was described as follows:
 
"Their posture towards the cloud, in other words, could not be more Canadian: optimistic but pragmatic, slow but deliberate, purposeful but not aggressive."
 
<br><br>
 
In addition to worries about security and reliability, several additional factors contribute to the slow uptake, including data and information security and the protection of personal privacy, loss of control, expected cost and effort to convert to cloud computing, lack of a clear return on investment, change to a different management and contracting paradigm, data and information sovereignty requirements, ramification from the Personal Information and Electronic Documents Acts (PIPEDA) and the US Patriot Act, lack of open cloud and cyber security standards, concerns with vendor lock-in, lack of suitable bandwidth, and the desire to try the technology first or see solid proof of cost savings from other with trusted vendors before deploying to the greater enterprise.
 
<br><br>
 
The measured rate of adoption places Canada 9th out of 24 countries considered part of the cloud global economy, up from 12th in 2012. Several efforts are pushing Canada toward the cloud. GC's Cloud First campaign is an effort to hasten the adoption of cloud computing in the GC. The Canadian Cloud Council was formed to help push the adoption and thought leadership of Canada in the global cloud economy. Large cloud service providers, such as Amazon, are moving to Canada as the country's appetite for cloud services increases. The ultimate measure of success is the establishment of cloud computing offerings within Canada and subsequent increase in adoption rates by Canadian businesses and governments.
 
<br><br>
 
With responsibility for processing and storing large amounts of sensitive data/information (e.g. classified, protected, private), the GC needs to minimize the risk of unauthorized disclosure of data. Adoption of cloud technology provides a wrinkle in the current approach to information security since portions of the information system are out of the direct control of the GC and the department charged with protecting sensitive GC information. <br>
 
<br>
 
For more information, please read the GC ESA ConOps Annex B: Cloud Security document. <br>
 
== Cloud Security Initiative ==
 
https://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative
 
  
 
</big></big>
 
</big></big>
 
{{GC Cloud Information Centre Footer}}
 
{{GC Cloud Information Centre Footer}}
 
__FORCETOC__
 
__FORCETOC__

Latest revision as of 00:59, 8 April 2020


Banne cloud.jpg



Français



Tech build.jpg
Migration.jpg
Cic.jpg

Configuration & Toolkits

GC Cloud Security Risk Management Approach for Adopting Cloud

Multiple Security breaches from companies known for their reputations on protecting personal information, lead the Government of Canada to take and hard look at security risks and develop the appropriate mitigating factors. This will required a structured approach to managing risks associated with the protection of government data and infrastructure in a public cloud. GC Cloud Security Risk Management Approach for adopting Cloud is one of the initiatives developed by TBS to provide the necessary direction to GC departments.

GC Cloud Operationalization Framework

With the needs of securing protected B data in a Public cloud, the office of GC Chief Technology Officer developed an operationalization framework approved by the GC Enterprise Architecture Review Board (EARB).

GC Event Logging Guidance

TBS had developed a High-level strategy to configure event logging. https://www.gcpedia.gc.ca/gcwiki/images/e/e3/GC_Event_Logging_Strategy.pdf

GC Accelerator

Conscious of the fact that wide adoption in GC will require enabling GC departments to effectively and rapidly deploy applications, computing etc. in public cloud environment. TBS in collaboration with SSC and other departments has developed a GC accelerator for Microsoft Azure and AWS cloud.

GC Accelerators - Azure

To access the Azure accelerator, consult canada-ca/accelerators_accelerateurs-azure

GC Accelerators – Amazon Web Services

To access the AWS accelerator, consult canada-ca/accelerators_accelerateurs-aws

Secure Cloud Connectivity

The establishment of secure cloud connections to cloud services and trusted interconnection points will:

• Improve resiliency of the GC infrastructure with dedicated and private connections to the cloud;

• Thereby ensuring continued access to GC information systems and solutions hosted in the cloud;

• Help the GC to mitigate direct attacks from the Internet against cloud-based GC resources; and

• Enhance the protection of on-premise networks from compromised GC resources in the cloud.

Below are the link to the GC Secure Cloud Connectivity Requirements.

o GC Secure Cloud Connectivity Requirements
GC Cloud Access Use Cases
GC Connection Patterns - DRAFT for Consultation

GC Guardrails

The purpose of the guardrails is to ensure that departments and agencies are implementing a preliminary baseline set of controls within their cloud-based environments. These minimum guardrails are to be implemented within the GC-specified initial period (e.g. 30 days) upon receipt of enrollment under the GC Cloud Services Framework Agreement.

o GC Cloud Guardrails - DRAFT for Consultation
Cloud Guardrails - Initial 30 Days
Standard Operating Procedure for Validating Cloud Guardrails

https://github.com/canada-ca/cloud-guardrails

GC Cloud Guardrails – AZURE

https://github.com/canada-ca/cloud-guardrails-azure

GC Cloud Guardrails – Amazon Web Service

The GC accelerator for AWS is on GitHub: https://github.com/canada-ca/cloud-guardrails-aws

Cloud reference Architecture

*** In construction ***

Naming and Tagging

To effectively manage GC cloud Resources, Shared Services Canada had developed a Cloud Resources Naming and Tagging Convention which was approved and ready to be used by GC departments deploying GC IT resources using approved public cloud services.