Cloud Security Initiative

Revision as of 10:55, 7 April 2021 by Greggory.elton

Overview

Cloud computing has introduced a fundamental shift in the way IT services are delivered and the Government of Canada (GC) will position itself to use this alternative service delivery model. Cloud adoption will ensure that the GC can continue to sustain IT service excellence during a period of increased demand by Canadians for online services and timely access to accurate information. This developing shift will affect how we procure, secure, and work with IT systems that support GC and departmental programs and services.

Under the cloud computing paradigm, the GC will depend on vendors for many aspects of security and privacy, and in doing so, will confer a level of trust onto the cloud service provider (CSP). To establish this trust, the GC requires an IT security risk management approach and procedures that are adapted to cloud computing.

For more information about the Cloud Security Initiative, please read the GC Cloud Security Risk Management Approach and Procedures document and the Cloud Adoption Strategy.

GC Cloud Security Risk Management Approach for Adopting Cloud

GC departments and agencies are ultimately responsible and accountable for the IT security risks incurred by their use of IT services offered by external suppliers, including the cloud services provided by CSPs and cloud brokers. As a result, the GC needs to adopt a structured approach for managing risks that accounts for the incorporation of cloud services into their IT services to support their program objectives and outcomes.

The cloud security risk management process consists of a series of procedures that are implemented by a combination of CSP and GC resources, with the exception of authorization, as this procedure remains an inherent governmental responsibility that is directly linked to the management of IT security risks.


The approach is also described in the sub-sections below.

Additional IT security risk management procedures that GC departments and agencies are expected to complete to procure the right cloud service offerings when implementing or moving GC services to the cloud are also provided.

1. Perform Security Categorization
2. Select Security Controls and Cloud Deployment and Service Model
3. Assess cloud services, implement GC security controls and authorize operations of cloud-based GC service
4. Continuously monitor cloud-based GC services and maintain authorization state



For more information about the GC Cloud Security risk management approach, please read the GC Cloud Security Risk Management Approach and Procedures document.

GC Cloud Roles and Responsibilities: A Shared Responsibility Model

In the shared responsibility model, the CSP is responsible for deploying the security controls under the scope of its responsibility, depending on the cloud service model selected. The GC is also responsible for deploying security controls within the GC scope of responsibility. This shared responsibility is shown in the image below.


The division of responsibility between the GC organization and the CSP is dictated by the cloud service model that is selected for the GC service being deployed. For example, if the service model is IaaS, the GC organization must implement the security controls of the platform and application layers of the cloud technology stack. These include security controls for access control, audit and accountability, identification and authentication, system and communications protection, configuration management, contingency planning, incident response, maintenance, and system and information integrity. Even under the SaaS service model, the GC organization needs to implement some security controls to manage user access, conduct audits, and respond to incidents.


Please read the GC Cloud Security Risk Management Approach and Procedures document. Additional information is provided as part of the SPIN 2017-01 implementation guidance.

Guardrails


The following references outline recommended minimum configurations to consider when establishing the cloud tenant and hardening SaaS solutions such as Microsoft Office 365.

GC Cloud Guardrails


