Changes

3,516 bytes added ,  00:25, 29 January 2020
no edit summary
Line 57: Line 57:  
'''♦''' '''What happens if I don’t select an SSC provider? '''
 
'''♦''' '''What happens if I don’t select an SSC provider? '''
 
</br>
 
</br>
   
Should you choose to go with another provider you will need to navigate risk decisions which can be typically slow in GC hierarchies, especially with PB data.  
 
Should you choose to go with another provider you will need to navigate risk decisions which can be typically slow in GC hierarchies, especially with PB data.  
 
We also recognize that there is a long tail of cloud providers that will hold smaller and less sensitive data sets. These can be big cloud companies, but are often more focused on the consumer market than the enterprise market. They often may not hold that same security accreditation as the hyperscales. This is not the market SSC has captured. Some of these providers may, eventually, end up on the SSC framework agreement, but are not there today. To procure these services, you will need departmental authorities or work with PSPC if your department does not have sufficient authorities.
 
We also recognize that there is a long tail of cloud providers that will hold smaller and less sensitive data sets. These can be big cloud companies, but are often more focused on the consumer market than the enterprise market. They often may not hold that same security accreditation as the hyperscales. This is not the market SSC has captured. Some of these providers may, eventually, end up on the SSC framework agreement, but are not there today. To procure these services, you will need departmental authorities or work with PSPC if your department does not have sufficient authorities.
 
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls have been assessed by SSC and their security partners, thus accelerating your security assessment.
 
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls have been assessed by SSC and their security partners, thus accelerating your security assessment.
 +
<br>
 +
'''♦''' If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
 +
The Cloud Service Provider (CSP) environment has been assessed as part of the issuance of the contract. How the consumer configures and uses the services is the responsibility of the consumer or department. Please refer to the shared responsibility model – see figure 3-3 (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/cloud-security-risk-management-approach-procedures.html).
 +
'''♦''' Do Security guardrails are implemented by the vendor directly ie Microsoft?
 +
No, departments are responsible for implementing the cloud guardrails. Please also review this site - https://github.com/canada-ca/cloud-guardrails.
 +
'''♦''' Azure is an IAAS and that we will need to be responsible for User Access/ identity, Data, Applications, and Platform.  Do we have access to the report assessment so that we can run our assessment internally to make sure it is always compliant?
 +
The CCCS CSP IT Security Assessment report is available by contacting contact@cyber.gc.ca. Further, in Azure, the Canadian Federal PBMM Blueprint is available in the Security Center section (https://docs.microsoft.com/en-ca/azure/security-center/update-regulatory-compliance-packages).
 +
'''♦''' Do you have any additional cloud references we can consult?
 +
Yes, see the references below.
 +
References available on Canada.ca
 +
o Government of Canada Cloud Adoption Strategy: Learn how the Government of Canada will maximize the benefits of cloud adoption while keeping the confidentiality and privacy of Canadian’s data.
 +
o Government of Canada Right Cloud Selection Guidance: Find out which workloads are right for the cloud, and how to consider deployment methods.
 +
o Government of Canada Security Control Profile for Cloud-based IT Services: A robust risk-management approach will ensure that the appropriate Government of Canada Security controls are in place.
 +
o Direction on the Secure Use of Commercial Cloud Services: Sets out guidance to assist organizations in understanding their responsibilities for securing, managing, and using cloud services.
 +
o Data Sovereignty White Paper: Read how the Government of Canada has assessed the risks of foreign governments accessing Canadian data when using commercial cloud.
 +
o Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
 +
o Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
 +
Additional References
 +
• GCcollab link for GC Cloud Working Group - https://gccollab.ca/groups/profile/1785962/engc-cloud-working-groupfr
 +
 +
• SSC Cloud Brokering Service - http://service.ssc-spc.gc.ca/en/services/dc/cloud
 +
 +
• GCpedia link to Cloud Security Initiative as part of the GC Enterprise Security Architecture (ESA) program - http://www.gcpedia.gc.ca/wiki/Cloud_Security_Initiative. References include:
 +
• Overview of Industry Standards and Audit Process (SOC 2 Audit process)
 +
• GC Cloud Event Management Standard Operating Procedure
 +
• Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
 +
• Guidance on Cloud Authentication for the Government of Canada
 +
 +
• CSE CSP IT Security Assessment Program (ITSM.50.100)
 
<br><br>
 
<br><br>
 
If you cannot find your topic or have a question that wasn’t answered, please send us an [[ZZCIOBDP@tbs-sct.gc.ca|email]] to reach our team.
 
If you cannot find your topic or have a question that wasn’t answered, please send us an [[ZZCIOBDP@tbs-sct.gc.ca|email]] to reach our team.
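Review bot: the added question line "♦ Do Security guardrails are implemented by the vendor directly ie Microsoft?" is ungrammatical and should read "Are the security guardrails implemented directly by the vendor, i.e. Microsoft?"; the answer beneath it (departments, not the CSP, implement the guardrails) is the substantive point and reads clearly. In the "Additional References" list, the four entries after "References include:" belong under the GCpedia Cloud Security Initiative item but sit at the same bullet level as the top-level links, so indent them (a second-level wiki bullet) to avoid their being read as separate references. Minor: "Canadian's data" should be "Canadians' data", and the doubled "+" blank lines between the GCcollab, SSC and GCpedia entries and before the ITSM.50.100 entry look accidental.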
