Line 29: |
| </div>{{TOCright}} | | </div>{{TOCright}} |
− | | + | {{Delete|reason=Expired Content}} |
− | == Overview ==
− | Cloud computing has introduced a fundamental shift in the way IT services are delivered and the Government of Canada (GC) will position itself to use this alternative service delivery model. Cloud adoption will ensure that the GC can continue to sustain IT service excellence during a period of increased demand by Canadians for online services and timely access to accurate information. This developing shift will affect how we procure, secure, and work with IT systems that support GC and departmental programs and services.
− | | |
− | Under the cloud computing paradigm, the GC will depend on vendors for many aspects of security and privacy, and in doing so, will confer a level of trust onto the cloud service provider (CSP). To establish this trust, the GC requires an IT security risk management approach and procedures that are adapted to cloud computing.
− | | |
− | For more information about the Cloud Security Initiative, please read the [[Media:GC Cloud Security Risk Management Approach and Procedures - EN.pdf|GC Cloud Security Risk Management Approach and Procedures]] document and the [http://www.tbs-sct.gc.ca/hgw-cgf/oversight-surveillance/itpm-itgp/it-ti/cloud-nuage/cas-san-eng.asp Cloud Adoption Strategy].<br>
− | | |
− | == GC Cloud Security Risk Management Approach for Adopting Cloud ==
− | | |
− | GC departments and agencies are ultimately responsible and accountable for the IT security risks incurred by their use of IT services offered by external suppliers, including the cloud services provided by CSPs and cloud brokers. As a result, the GC needs to adopt a structured approach for managing risks that accounts for the incorporation of cloud services into their IT services to support their program objectives and outcomes.
− | | |
− | The cloud security risk management process consists of a series of procedures that are implemented by a combination of CSP and GC resources, with the exception of authorization, as this procedure remains an inherent governmental responsibility that is directly linked to the management of IT security risks.<br><br>
− | | |
− | <div><ul>
− | <li style="display: inline-block;"> [[File:GC Cloud Security Risk Management Framework.PNG|thumb|center|700x700px|link=GC Cloud Security Risk Management Procedures|GC Cloud Security Risk Management Framework]] </li>
− | </ul></div>
− | | |
− | <br>The approach is also described below in the sub-sections below and can be expanded by clicking on 'Expand' on the far right. <br><br>Additional IT security risk management procedures that GC departments and agencies are expected to complete to procure the right cloud service offerings when implementing or moving GC services to the cloud are also provided.<br>
− | | |
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
− | '''1. Perform Security Categorization''' <div class="mw-collapsible-content">
− | ---- {{:Perform Security Categorization}} </div></div>
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
− | '''2. Select Security Controls and Cloud Deployment and Service Model''' <div class="mw-collapsible-content">
− | ---- {{:Select Security Controls and Cloud Deployment and Service Model}} </div></div>
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
− | '''3. Assess cloud services, implement GC security controls and authorize operations of cloud-based GC service''' <div class="mw-collapsible-content">
− | ---- {{:Assess cloud services, implement GC security controls and authorize operations of cloud-based GC service}} </div></div>
− | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%">
− | '''4. Continuously monitor cloud-based GC services and maintain authorization state''' <div class="mw-collapsible-content">
− | ---- {{:Continuously monitor cloud-based GC services and maintain authorization state}} </div></div>
− | <br><br>For more information about the GC Cloud Security risk management approach, please read the [[Media:GC Cloud Security Risk Management Approach and Procedures - EN.pdf|GC Cloud Security Risk Management Approach and Procedures]] document.
− | | |
− | == GC Cloud Roles and Responsibilities: A Shared Responsibility Model ==
− | | |
− | In the shared responsibility model, the CSPs is responsible for deploying the security controls under the scope of their responsibility depending on the cloud service model selected. The GC is also responsible for deploying security controls on the GC scope of responsibility. This shared responsibility is shown in the image below. <br><br>
− | | |
− | [[File:GC Cloud Security Shared Responsibility Model.PNG|centre|thumb|603x603px|Cloud Shared Responsibility Model]]
− | <br>The division of responsibility between the GC organization and the CSP is dictated by the cloud service model that is selected for the GC service being deployed. For example, is the service model is IaaS, the GC organization must implement the security controls of the platform and application layers of the cloud technology stack. These include security controls for access control, audit and accountability, identification and authentication, system and communications protection, configuration management, contingency planning, incident response, maintenance, and system and information integrity. Even under the SaaS service model, the GC organization needs to implement some security controls to manage user access, conduct audits, and respond to incidents.
− | | |
− | <br>Please read the [[Media:GC Cloud Security Risk Management Approach and Procedures - EN.pdf|GC Cloud Security Risk Management Approach and Procedures]] document. Additional information is provided as part of the [[SPIN 2017-01|SPIN 2017-01 implementation guidance]].<br>
− | <br>
− | == Guardrails ==
− | <br> The following references outlines recommended minimum configurations to consider when establishing the cloud tenant and hardening of SaaS solutions such as Microsoft Office 365.
− | <br>
− | <br>
− | [[Media:GC Cloud Guardrails.pdf|<nowiki/>]][[Media:GC Cloud Guardrails.pdf|GC Cloud Guardrails]]
− | *[https://www.gcpedia.gc.ca/gcwiki/images/e/ed/GC_Cloud_Guardrails.xlsx GC Cloud Guardrails - Initial 30 Days (Scope is security of the cloud tenant)]
− | *[[Media:SOP for Validating Cloud Guardrails.pdf|<nowiki/>]][[Media:SOP for Validating Cloud Guardrails.pdf|Standard Operating Procedure for Validating Cloud Guardrails]]
− | <br>
− | *[https://canada-ca.github.io/cloud-guardrails-O365 GC Cloud Guardrails for Office 365]
− | *[[Media:Office 365 Security Baseline Configuration.xlsx|DRAFT Office 365 Security Baseline Configuration]]
− | <br>
− | | |
− | == References ==
− | * [http://www.tbs-sct.gc.ca/hgw-cgf/oversight-surveillance/itpm-itgp/it-ti/cloud-nuage/cas-san-eng.asp GC Cloud Adoption Strategy]
− | * [https://gccollab.ca/file/download/642228 GC Cloud Reference Architecture]
− | * [[Media:GC Cloud Security Risk Management Approach and Procedures - EN.pdf|GC Cloud Security Risk Management Approach and Procedures]] // [[Media:Approche et procédures de gestion des risques liés à la sécurité de l’informatique en nuage - FR.pdf|Approche et procédures de gestion des risques liés à la sécurité de l’informatique en nuage]]
− | * [[Security Categorization Tool]]
− | * [[Media:GC Cloud Profile PBMM - EN.pdf|GC Security Control Profile for Cloud-based GC IT Services (PB/M/M) (Version 1.1, March 2018)]] // [[Media:GC Cloud Profile PBMM - FR.pdf|Profil de contrôle de sécurité pour les services de la TI du GC fondés sur l'informatique en nuage (PB/M/M) (Version 1.1, mars 2018)]]
− | ** [[Media:GC Cloud Security Controls v1.1.xls|Version 1.1 - Appendix A Matrix (Excel)]]
− | ** [[Media:GC Cloud Profile PBMM v1.1 - EN (Track Changes).pdf|Track Changes Version 1.1]]
− | | |
− | * [[Media:GC Secure Cloud Certification and Standards Analysis.pdf|GC Secure Cloud Certification and Standards Analysis]]
− | * [[Annex B: Cloud Security|GC ESA Concept of Operations - Annex B Cloud Security]]
− | * [[Media:GC Enterprise Hybrid Cloud High-Level Design.pdf|GC Enterprise Hybrid Cloud High-Level Design]]
− | * [[Media:GC Cloud Roles and Responsibilities.docx|GC Cloud Roles and Responsibilities]] (Version 1.0 approved by GC EARB)
− | * [[Media:GC Cloud Authentication Guidance.pdf|''GC Cloud Authentication Guidance'']] ''(DRAFT in progress)''
− | * ''[[Media:Recommendations for 2FA within the GC Enterprise Domain.pdf|Recommendations for Two-Factor Authentication within the GC Enterprise Domain]]'' [[Media:Recommendations for 2FA within the GC Enterprise Domain.pdf|''(DRAFT in progress)'']]
− | * [[Media:GC Cloud Event Management Standard Operating Procedure.pdf|GC Cloud Event Management Standard Operating Procedure]]
− | * [https://www.cse-cst.gc.ca/en/publication/itsg-33 ITSG-33 IT Security Risk Management: A Lifecycle Process]
− | * [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations]
− | | |
− | [[Category:Government of Canada Enterprise Security Architecture (ESA) Program]]
− | [[Category:Enterprise Security Architecture]]
− | [[Category:GC Enterprise Architecture]]
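Review bot: the hunk at Line 29 replaces the entire page body, from == Overview == down to the three category tags, with {{Delete|reason=Expired Content}} and leaves readers nothing to follow instead. The removed body is the only place on this page that links the GC Cloud Guardrails PDF and workbook, the Standard Operating Procedure for Validating Cloud Guardrails, the Office 365 guardrails site (https://canada-ca.github.io/cloud-guardrails-O365), the GC Security Control Profile for Cloud-based GC IT Services (PB/M/M), and the ITSG-33 and NIST SP 800-53A references; if the content is expired, the Delete template's reason should name the successor page, or the == Guardrails == and == References == sections should stay in place until that successor exists. Two smaller points: the removed body carried items marked DRAFT (GC Cloud Authentication Guidance, Recommendations for Two-Factor Authentication within the GC Enterprise Domain, the Office 365 Security Baseline Configuration), so confirm those drafts are hosted elsewhere before the only links to them are deleted; and the unchanged context line `</div>{{TOCright}}` is kept while every heading below it is removed, leaving a right-floated table of contents on a page with no sections.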