Cloud Security Initiative
ESA Program Overview | ESA Foundation | ESA Artifacts | ESA Initiatives | ESA Tools and Templates | ESA Reference Materials | Glossary |
---|
SPIN 2017-01 Implementation Guidance |
---|
Overview
Cloud computing has introduced a fundamental shift in the way IT services are delivered and the Government of Canada (GC) will position itself to use this alternative service delivery model. Cloud adoption will ensure that the GC can continue to sustain IT service excellence during a period of increased demand by Canadians for online services and timely access to accurate information. This developing shift will affect how we procure, secure, and work with IT systems that support GC and departmental programs and services.
Under the cloud computing paradigm, the GC will depend on vendors for many aspects of security and privacy, and in doing so, will confer a level of trust onto the cloud service provider (CSP). To establish this trust, the GC requires an IT security risk management approach and procedures that are adapted to cloud computing.
For more information about the Cloud Security Initiative, please read the GC Cloud Security Risk Management Approach and Procedures document and the Cloud Adoption Strategy.
GC Cloud Security Risk Management Approach for Adopting Cloud
GC departments and agencies are ultimately responsible and accountable for the IT security risks incurred by their use of IT services offered by external suppliers, including the cloud services provided by CSPs and cloud brokers. As a result, the GC needs to adopt a structured approach for managing risks that accounts for the incorporation of cloud services into their IT services to support their program objectives and outcomes.
The cloud security risk management process consists of a series of procedures that are implemented by a combination of CSP and GC resources, with the exception of authorization, as this procedure remains an inherent governmental responsibility that is directly linked to the management of IT security risks.
The approach is also described below in the sub-sections below and can be expanded by clicking on 'Expand' on the far right.
Additional IT security risk management procedures that GC departments and agencies are expected to complete to procure the right cloud service offerings when implementing or moving GC services to the cloud are also provided.
For more information about the GC Cloud Security risk management approach, please read the GC Cloud Security Risk Management Approach and Procedures document.
In the shared responsibility model, the CSPs is responsible for deploying the security controls under the scope of their responsibility depending on the cloud service model selected. The GC is also responsible for deploying security controls on the GC scope of responsibility. This shared responsibility is shown in the image below.
The division of responsibility between the GC organization and the CSP is dictated by the cloud service model that is selected for the GC service being deployed. For example, is the service model is IaaS, the GC organization must implement the security controls of the platform and application layers of the cloud technology stack. These include security controls for access control, audit and accountability, identification and authentication, system and communications protection, configuration management, contingency planning, incident response, maintenance, and system and information integrity. Even under the SaaS service model, the GC organization needs to implement some security controls to manage user access, conduct audits, and respond to incidents.
Please read the GC Cloud Security Risk Management Approach and Procedures document. Additional information is provided as part of the SPIN 2017-01 implementation guidance.
Guardrails
The following references outlines recommended minimum configurations to consider when establishing the cloud tenant and hardening of SaaS solutions such as Microsoft Office 365.
GC Cloud Guardrails
- GC Cloud Guardrails - Initial 30 Days (Scope is security of the cloud tenant)
- Standard Operating Procedure for Validating Cloud Guardrails
References
- GC Cloud Adoption Strategy
- GC Cloud Reference Architecture
- GC Cloud Security Risk Management Approach and Procedures // Approche et procédures de gestion des risques liés à la sécurité de l’informatique en nuage
- Security Categorization Tool
- GC Security Control Profile for Cloud-based GC IT Services (PB/M/M) (Version 1.1, March 2018) // Profil de contrôle de sécurité pour les services de la TI du GC fondés sur l'informatique en nuage (PB/M/M) (Version 1.1, mars 2018)
- GC Secure Cloud Certification and Standards Analysis
- GC ESA Concept of Operations - Annex B Cloud Security
- GC Enterprise Hybrid Cloud High-Level Design
- GC Cloud Roles and Responsibilities (Version 1.0 approved by GC EARB)
- GC Cloud Authentication Guidance (DRAFT in progress)
- Recommendations for Two-Factor Authentication within the GC Enterprise Domain (DRAFT in progress)
- GC Cloud Event Management Standard Operating Procedure
- ITSG-33 IT Security Risk Management: A Lifecycle Process
- NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations