Government of Canada Cloud Guardrails

• Implement strong multi-factor authentication (MFA) for all user accounts. Use phishing resistant MFA where and when available

Note: user accounts and identities include:

• root or global administrator (as it has enhanced or the highest level of privilege over the control plane and addresses all aspects of access control)
• other administrative user accounts; for the definition of privileged accounts, refer to:
  • section 4 of the Directive on Service and Digital Appendix G: Standard on Enterprise Information Technology Service Common Configurations - Account Management Configuration Requirements
• regular GC user accounts

• Confirm that MFA is implemented according to GC guidance through screenshots, compliance reports, or compliance checks enabled through a reporting tool for all user accounts
• Confirm that digital policies are in place to ensure that MFA configurations are enforced
• Confirm and report the count of registered root or global administrators (you should have at least two and no more than five)

• Configure alerts to ensure the prompt detection of a potential compromise, in accordance with the GC Event Logging Guidance

• Confirm whether monitoring and auditing is implemented for all user accounts
• Confirm that alerts to the authorized personnel have been implemented to flag misuse or suspicious activities for all user accounts

• Use separate dedicated accounts for highly privileged roles (for example, domain administrators, global administrators, and root and any domain administrator equivalent access) when administering cloud services to minimize the potential damage

• Provide evidence that there are dedicated user accounts for administration (for example, privileged access)

• Implement a mechanism to enforce access authorizations for all user accounts, based on criteria in the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations, and in section 3 of the Account Management Configuration Requirements

• Demonstrate that access configurations and policies are implemented for different classes of users (non-privileged and privileged users)
• Confirm that the access authorization mechanisms have been implemented to:
  • uniquely identify and authenticate users to the cloud service
  • validate that the least privilege role is assigned
  • validate that role based access is implemented
  • terminate role assignment upon job change or termination
  • perform periodic reviews of role assignment (minimum yearly)
  • disable default and dormant accounts
  • avoid using user generic accounts
• Verify that a review of role assignment for root or global administrator accounts is performed at least every 12 months

• Leverage role-based access and configure for least privilege; doing so can include built-in roles or custom roles that have been established with only the minimum number of privileges required to perform the job function

• Demonstrate that built-in roles on cloud platforms are configured for least privilege. Custom roles can be used but a rationale should be documented and approved

• Change default passwords in accordance with the GC Password Guidance

• Confirm that the default passwords have been changed for all built-in accounts for the cloud service

• Configure the default password policy in accordance with GC Password Guidance

• Demonstrate that password policy for the cloud platform has been configured according to the Password Guidance by:
  • requiring passwords that are at least 12 characters long without a maximum length limit
  • countering online guessing or brute force of passwords using throttling, account lockout policies, monitoring and multi-factor authentication
  • protecting against offline attacks using effective hashing, salting and keyed hashing

• Implement mechanisms to protect against password brute force attacks

• Confirm that mechanisms, such as throttling, account lock out policies, monitoring and risk-based authentication, to protect against password brute force attacks have been implemented

• Establish a guest user access policy and procedures that minimize the number of guest users and that manage the life cycle of such accounts so that such accounts are terminated when they are no longer needed
• Note: a guest is someone who is not an employee, student or member of your organization (a guest does not have an existing account with the organization’s cloud tenant)

• Confirm that only required guest user accounts are enabled (according to the business requirements of the service)
• Provide a list of non-organizational users with elevated privileges
• Verify that reviews of guest access are performed periodically

• Document a process for managing accounts, access privileges, and access credentials for organizational users and non-organizational users (if required), based on criteria listed in the Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations, and in section 3 of the Account Management Configuration Requirements. This process should be approved by the chief security officer (or their delegate) and by the designated official for cyber security.

• Confirm that the access control procedure for management of administrative accounts has been documented for the cloud service. The access control procedure:
  • should include provision for any guest accounts and custom accounts
  • must refer to the emergency break glass procedure

• Enforce just-in-time access for privileged user accounts to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary or misused access permissions

• Confirm just-in-time access for all privileged user accounts to provide time-based and approval-based role activation

• Enforce attribute-based access control to restrict access based on a combination of authentication factors, such as devices issued and managed by the GC, device compliance, sign-in and user risks, and location

• Provide evidence that attribute-based access control mechanisms are in place to restrict access based on attributes or signals, such as authentication factors, devices issued and managed by the GC, device compliance, sign-in and user risks, and location.

• Leverage tools, such as privilege access management systems, to enforce access control to privileged functions by configuring roles that require approval for activation
• Choose one or multiple users or groups as delegated approvers

• Provide evidence that all role activation for privileged user accounts require approval, and that privilege elevation is temporary (time-bound).

• Implement access restrictions to ensure that devices issued and managed by the GC are configured and managed, in accordance with Endpoint Management Configuration Requirements

• Confirm that administrative access to cloud environments is from approved and trusted locations and from devices issued and managed by the GC that enforce the Endpoint Management Configuration Requirements
• Demonstrate that access configurations and policies are implemented for devices

• All administrative tasks should be undertaken on dedicated administrative workstations
• Note: a dedicated administrative workstation is a secured physical (thick or thin) client workstation used to perform specific and sensitive administrative tasks or tasks requiring privileged access (such a workstation must have no Internet access and related services, such as email and web browsing, must be disabled and prohibited)

• Confirm whether dedicated administrative workstations are used to conduct all administrative activities

• Create role-based accounts to enable enterprise monitoring and visibility for cloud environments that are procured via the GC Cloud Broker or are included in the scope of centralized guardrails validation

• Verify that roles required to enable visibility in the GC have been provisioned or assigned

• Review access privileges periodically and remove access when it is no longer required

• Confirm that alerts to authorized personnel have been implemented to flag misuse, suspicious sign-in attempts, or when changes are made to privileged and non-privileged accounts

• According to subsection 4.4.3.14 of the Directive on Service and Digital:

“Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.”

• Demonstrate that the service location is within Canada for all Protected B cloud services where configurable, in accordance with the applicable cloud usage profiles

• Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage

• For IaaS and PaaS, confirm that storage service encryption is enabled for data at rest (if required based on the security risk assessment)
• For SaaS, confirm that the cloud service provider (CSP) has implemented encryption to protect customer data

• Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062

• Cryptographic algorithms and protocols configurable by the consumer are in accordance with ITSP.40.111 and ITSP.40.062
• For SaaS, confirm that the CSP has implemented algorithms that align with ITSP.40.111 and ITSP.40.062.

• Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments

• Confirm that privacy is part of the departmental software development life cycle

• Leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre’s Guidance on Cloud Service Cryptography (ITSP.50.106)

• Confirm that a key management strategy has been adopted for the cloud tenant

• Encrypt data in transit by default (for example, Transport Layer Security (TLS) 1.2) to protect the confidentiality and integrity of data, including for all publicly accessible sites and external communications, according to the GC Web Sites and Services Management Configuration Requirements, and wherever possible for internal zone communication

• Confirm that TLS 1.2 or above encryption is implemented for all cloud services (via Hypertext Transfer Protocol Secure (HTTPS), TLS or another mechanism)
• Note: while this encryption setting is often the default, cloud platforms and cloud services often have configuration options to select the permitted TLS version

• Use CSE-approved cryptographic algorithms and protocols in accordance with ITSP.40.111 and ITSP.40.062

• Leverage cryptographic algorithms and protocols configurable by the user in accordance with ITSP.40.111 and ITSP.40.062

• Leverage non-person entity certificates from certificate authorities that align with the Government of Canada Recommendations for TLS Server Certificates for GC Public Facing Web Services

• Confirm that non-person entity certificates are issued from certificate authorities that align with GC recommendations for TLS server certificates

• Isolate and secure cloud workloads based on the sensitivity of the data

• Confirm that the department has a target network architecture with a high-level design or a diagram with appropriate segmentation between network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38
• Confirm that the department has documented a deployment guide for the cloud platform and associated services (the guide should capture the landing zone if applicable)
• Confirm that the cloud service provider’s segmentation features are leveraged to provide segmentation of management, production, user acceptance testing (UAT), development (DEV) and testing (for example, the use of subscription, instances or other cloud provider constructs)

• Develop a target network security design that considers segmentation via network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38

• Leverage landing zones that include predefined, secured, multi-account support to allow automated onboarding of different workloads and teams

• Ensure that egress and ingress points to and from GC cloud-based environments are managed and monitored

• Confirm the policy for limiting the number of public Internet Protocols (IPs)

• Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy

• Confirm the policy for network boundary protection

• Perimeter security services, such as boundary protection, intrusion prevention services, proxy services and TLS traffic inspection, must be enabled based on risk profile according to GC secure connectivity requirements and CSE guidance

• Confirm policy for limiting to authorized source IP addresses (for example, GC IP addresses)

• Ensure that access to cloud storage services is protected and restricted to authorized security zones or networks, users, and services

• Confirm that storage accounts are not exposed to the public

• Use centrally provisioned network security services where available

• Confirm whether the department is intending to establish dedicated and secure connections to on-premise resources

• Sign a memorandum of understanding with the Cyber Centre by contacting CDOServiceDeployments@cyber.gc.ca

• Confirm with the Cyber Centre that the memorandum of understanding has been signed

• Implement defensive services, including host-based sensors (HBSs), cloud-based sensors (CBSs), and network-based sensors (NBSs), in accordance with the Cyber Centre’s onboarding guidance where available

• Confirm that the Cyber Centre’s sensors or other cyber defence services are implemented where available

• Implement adequate level of logging and reporting, including a security audit log function in all information systems

• Confirm policy for event logging is implemented
• Confirm that the following logs are included:
  • sign-in (interactive and non-interactive sign-ins, API sign-ins)
  • access privilege and group changes (including group membership and group privilege assignment)
  • changes in the configuration of the cloud platform
  • cloud resource provisioning activities

• Configure events within the solution to support security monitoring, in accordance with the GC Event Logging Guidance

• Confirm whether monitoring and auditing is implemented for all users

• Ensure that the appropriate contact information is configured so that the cloud service provider can notify the GC organization of incidents they detect

• Confirm that the security contact record within the account should be completed with the details of at least two appropriate information security personnel (if multiple personnel are permitted by the cloud platform)

• Configure an appropriate time zone for the audit records generated by your solution components

• Confirm that the appropriate time zone has been set

• Ensure that resources are assigned to monitor cloud-based events

• Demonstrate that the monitoring use cases for the cloud platform have been implemented and have been integrated with the overall security monitoring activities being performed by the department (evidence could include monitoring a checklist or a system generated report)

• Only GC approved cloud marketplace products are to be consumed. Turning on the commercial marketplace is prohibited.

• Confirm that third-party marketplace restrictions have been implemented

• Submit requests to add third-party products to marketplace to SSC’s Cloud Broker

Not applicable

• Ensure that software offered through the cloud service provider or the cloud service provider marketplace undergo a software assurance process to ensure that only approved products are used

Not applicable

• Document, implement and test a break glass emergency account management process

• Verify that an emergency account management procedure has been developed
• Verify that alerts are in place to report any use of emergency accounts
• Verify that testing of emergency accounts took place, and that periodic testing is included in emergency account management procedures

• Obtain confirmation from the departmental chief information officer (CIO) in collaboration with the designated official for cyber security (DOCS) with signatures that acknowledge and approve the emergency account management procedures

• Confirm through attestation that the departmental CIO, in collaboration with the DOCS, has approved the emergency account management procedure for the cloud service

• Develop a cloud backup strategy that considers where GC data is stored, replicated, or backed up by the cloud service, and the IT continuity plan for the service or application

• Confirm through attestation that the cloud backup strategy is developed and approved by the business owner
• Verify if there are scripts that support the ability to restore from code (for example, infrastructure as code)

• Ensure that cloud workloads are associated with the relevant Application ID (identifier) in the Treasury Board of Canada Secretariat Application Portfolio Management (APM) tool, in support of Appendix H: Standard on At-Risk Technology

• Provide a list of all software, including versions, deployed on virtual machines associated with the Application IDs from the APM

• Ensure that departmental cyber security event management plans include cloud services, in alignment with the Government of Canada Cyber Security Event Management Plan

• Confirm that the departmental cyber security event management plan includes contact information to reach the cloud service provider in case of a security event or incident