Changes

18 bytes added, 00:27, 29 January 2020
no edit summary
Line 63: Line 63:  
'''♦''' If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
 
'''♦''' If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
 
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
 
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
 +
<br>
 
'''♦''' Do Security guardrails are implemented by the vendor directly ie Microsoft?
 
'''♦''' Do Security guardrails are implemented by the vendor directly ie Microsoft?
 
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
 
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
 +
<br>
 
'''♦''' Azure is an IAAS and that we will need to be responsible for User Access/ identity, Data, Applications, and Platform.  Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?
 
'''♦''' Azure is an IAAS and that we will need to be responsible for User Access/ identity, Data, Applications, and Platform.  Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?
 
The CCCS CSP IT Security Assessment report is available by contacting contact@cyber.gc.ca. Further, in Azure, the Canadian Federal PBMM Blueprint is available in the Security Center section (https://docs.microsoft.com/en-ca/azure/security-center/update-regulatory-compliance-packages).  
 
The CCCS CSP IT Security Assessment report is available by contacting contact@cyber.gc.ca. Further, in Azure, the Canadian Federal PBMM Blueprint is available in the Security Center section (https://docs.microsoft.com/en-ca/azure/security-center/update-regulatory-compliance-packages).  
 +
<br>
 
'''♦''' Do you have any additional cloud references we can consult?
 
'''♦''' Do you have any additional cloud references we can consult?
 
Yes, see the references below.
 
Yes, see the references below.
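Review bot: the three `<br>` lines added after the shared-responsibility, guardrails and PBMM Blueprint answers are presentation-only spacing, and the revision has no edit summary to say so. Wiki-native separation (a paragraph break or a subheading per '''♦''' question) would keep the FAQ entries apart without raw HTML; if `<br>` is kept to match the `<br><br>` already at the end of the page, a short summary such as "spacing between FAQ entries" would make the history readable. The answer text is identical on both sides, so the guidance that departments, not the CSP, configure the services and implement the guardrails is unchanged.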
Line 77: Line 80:  
o Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
 
o Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
 
o Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
 
o Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
 +
<br>
 
Additional References
 
Additional References
 
• GCcollab link for GC Cloud Working Group - https://gccollab.ca/groups/profile/1785962/engc-cloud-working-groupfr
 
• GCcollab link for GC Cloud Working Group - https://gccollab.ca/groups/profile/1785962/engc-cloud-working-groupfr
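Review bot: the `<br>` added above "Additional References" is doing the job of a heading. That line is plain text sitting directly under the "o" reference list, so marking it up as a wiki section heading would separate the two lists and give the section an anchor, and the raw break would no longer be needed.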
Line 87: Line 91:  
• Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
 
• Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
 
• Guidance on Cloud Authentication for the Government of Canada
 
• Guidance on Cloud Authentication for the Government of Canada
   
• CSE CSP IT Security Assessment Program (ITSM.50.100)
 
• CSE CSP IT Security Assessment Program (ITSM.50.100)
 
<br><br>
 
<br><br>
