Changes

109 bytes added ,  15:44, 26 February 2020
no edit summary
Line 37: Line 37:  
<br>
 
<br>
 
- All cloud service requests should be submitted through the GC Cloud Broker, no matter the procurement authority.
 
- All cloud service requests should be submitted through the GC Cloud Broker, no matter the procurement authority.
<br>- All cloud services should be entered into an Application Portfolio Management (APM).
+
<br>- All cloud services should be entered into the Application Portfolio Management (APM).
 
<br></br>
 
<br></br>
 
'''♦''' '''How do I buy PB cloud?
 
'''♦''' '''How do I buy PB cloud?
 
<br>
 
<br>
Same process as procuring unclassified cloud services using GC Cloud brokering.
+
The process of acquiring PB cloud is the same as the one procuring unclassified cloud services using GC Cloud brokering. This process is outlined under the Procurement section of the GC-CIC site.
 
<br>
 
<br>
 
'''
 
'''
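Review bot: The rewritten PB cloud answer drops a preposition in "the same as the one procuring unclassified cloud services"; suggest "the same as the one for procuring unclassified cloud services using GC Cloud brokering". The added pointer to "the Procurement section of the GC-CIC site" would also be easier to follow as a wiki link than as plain text. In the APM bullet, "the Application Portfolio Management (APM)" still lacks a noun after the article, so say what is meant (for example the APM tool or inventory).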
Line 47: Line 47:  
'''♦''' '''What do I do if my request is not being actioned?'''
 
'''♦''' '''What do I do if my request is not being actioned?'''
 
<br>
 
<br>
Departments should use the usual establish cloud brokering service issue reporting mechanism.
+
Departments should use the usual established cloud brokering service issue reporting mechanism.
 
</br><br>
 
</br><br>
 
'''♦''' '''Do I need SCED before using PB cloud?
 
'''♦''' '''Do I need SCED before using PB cloud?
Line 66: Line 66:  
</br>
 
</br>
 
<br>
 
<br>
'''♦''' '''What are Departments budgetary limits for cloud solutions?'''
+
'''♦''' '''What are Departments' budgetary limits for cloud solutions?'''
 
<br>
 
<br>
Departments have procurement authorities up to a given limit and for given commodity groupings. Contact your procurement officers for clarification on your department's limits.  
+
Departments have procurement authorities up to a given limit and for a given commodity groupings. Contact your procurement officers for clarification on your department's limits.  
The Contracting Policy annexes provide a list of who can exclusively buy what or to which limit. Although it doesn’t refer to cloud directly. It simply talks about services. Departments can procure services unless otherwise specified in the policy's annexes.
+
The Contracting Policy annexes provide a list of who can exclusively buy what or to which limit. Although it doesn’t refer to the cloud directly. It simply talks about services. Departments can procure services unless otherwise specified in the policy's annexes.
    
https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=14494
 
https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=14494
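Review bot: The first changed sentence now reads "for a given commodity groupings", pairing a singular article with a plural noun; either revert to "for given commodity groupings" or use "for a given commodity grouping". The second changed paragraph keeps the fragment "Although it doesn't refer to the cloud directly." as a standalone sentence; joining it to the next one ("Although it doesn't refer to the cloud directly, it simply talks about services.") would fix it in the same edit.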
Line 75: Line 75:  
'''♦''' '''Where to procure cloud services? '''
 
'''♦''' '''Where to procure cloud services? '''
 
<br>
 
<br>
Departments can buy the service from SSC if it is available through their brokerage. SSC has providers who have already undergone all security vetting and service terms that have been negotiated. This saves departments time and risk assessment. SSC has gone out and captured the hyperscale market with their framework agreement. While this market does not have a lot of players in it, it will represent the bulk of the GC's data holdings. SSC and their security partners spent a lot of time with these providers.
+
Departments can buy the service from SSC if it is available through their brokerage. SSC has providers who have already undergone all security vetting and service terms that have been negotiated. This saves departments time and risk assessment. SSC has gone out and captured the hyperscale market with its framework agreement. While this market does not have a lot of players in it, it will represent the bulk of the GC's data holdings. SSC and its security partners spent a lot of time with these providers.
 
<br></br>
 
<br></br>
 
'''♦''' '''What happens if I don’t select an SSC provider? '''
 
'''♦''' '''What happens if I don’t select an SSC provider? '''
 
</br>
 
</br>
Should you choose to go with another provider you will need to navigate risk decisions which can be typically slow in GC hierarchies, especially with PB data.  
+
Should you choose to go with another provider you will need to navigate risk decisions that can be slow in GC hierarchies, especially with PB data.  
 
<br>
 
<br>
We also recognize that there is a long tail of cloud providers that will hold smaller and less sensitive data sets. These can be big cloud companies, but are often more focused on the consumer market than the enterprise market. They often may not hold that same security accreditation as the hyperscales. This is not the market SSC has captured. Some of these providers may, eventually, end up on the SSC framework agreement, but are not there today. To procure these services, you will need departmental authorities or work with PSPC if your department does not have sufficient authorities.
+
We also recognize that there is a long tail of cloud providers that will hold smaller and less sensitive data sets. These can be big cloud companies but are often more focused on the consumer market than the enterprise market. They often may not hold that same security accreditation as the hyperscales. This is not the market SSC has captured. Some of these providers may, eventually, end up on the SSC framework agreement, but are not there today. To procure these services, you will need departmental authorities or work with PSPC if your department does not have sufficient authorities.
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls have been assessed by SSC and their security partners, thus accelerating your security assessment.
+
You must security assess these services. No matter where you buy, departments are ultimately responsible for assessment and risk assessment. When you buy through the SSC Framework Agreement, a portion of the security controls has been assessed by SSC and their security partners, thus accelerating your security assessment.
 
<br><br>
 
<br><br>
 
'''♦''' '''If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
 
'''♦''' '''If a Department orders Protected B Azure, does it already follow all the security protocols?  Or do we need to implement them after we get access to Azure?
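Review bot: Pronoun use for SSC is now inconsistent across this hunk: the first answer was changed to "its framework agreement" and "SSC and its security partners", but the last changed sentence still reads "assessed by SSC and their security partners". Suggest "its" there too. In the same sentence, "departments are ultimately responsible for assessment and risk assessment" repeats itself and could be tightened while this paragraph is being touched.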
Line 102: Line 102:  
<br>
 
<br>
 
'''References available on Canada.ca'''
 
'''References available on Canada.ca'''
* Government of Canada Cloud Adoption Strategy: Learn how the Government of Canada will maximize the benefits of cloud adoption while keeping the confidentiality and privacy of Canadian’s data.  
+
* Government of Canada Cloud Adoption Strategy: Learn how the Government of Canada will maximize the benefits of cloud adoption while keeping the confidentiality and privacy of Canadian data.  
 
* Government of Canada Right Cloud Selection Guidance: Find out which workloads are right for the cloud, and how to consider deployment methods.
 
* Government of Canada Right Cloud Selection Guidance: Find out which workloads are right for the cloud, and how to consider deployment methods.
 
* Government of Canada Security Control Profile for Cloud-based IT Services: A robust risk-management approach will ensure that the appropriate Government of Canada Security controls are in place.
 
* Government of Canada Security Control Profile for Cloud-based IT Services: A robust risk-management approach will ensure that the appropriate Government of Canada Security controls are in place.
 
* Direction on the Secure Use of Commercial Cloud Services: Sets out guidance to assist organizations in understanding their responsibilities for securing, managing, and using cloud services.
 
* Direction on the Secure Use of Commercial Cloud Services: Sets out guidance to assist organizations in understanding their responsibilities for securing, managing, and using cloud services.
* Data Sovereignty White Paper: Read how the Government of Canada has assessed the risks of foreign governments accessing Canadian data when using commercial cloud.
+
* Data Sovereignty White Paper: Read how the Government of Canada has assessed the risks of foreign governments accessing Canadian data when using the commercial cloud.
 
* Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
 
* Direction on Electronic Data Residency: Understand the Government of Canada’s requirements for the storage of data within Canada.
 
* Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
 
* Cloud Security Risk Management Approach and Procedures: Describes the authorities, approach, and procedures to ensure that risks are effectively addressed when using cloud services.
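Review bot: In the Cloud Adoption Strategy bullet, replacing "Canadian's data" with "Canadian data" changes the meaning from data belonging to Canadians to data that is Canadian; if the original sense was intended, "Canadians' data" corrects the apostrophe without shifting it. The "the commercial cloud" change in the Data Sovereignty bullet is fine.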
