Government of Canada Cloud Guardrails

1. Introduction

1.1 Background

In August 2019, the Government of Canada (GC) established supply contracts for Protected B cloud services with Amazon Web Services Canada and Microsoft Azure. In order for the GC to use the cloud services securely and responsibly, the Chief Technology Officer of the GC deemed that an underlying operationalization framework was required. An operationalization framework was established and endorsed by the GC Enterprise Architecture Review Board in September 2019. The framework established a set of minimal cyber security controls and architecture requirements before departments use Protected B cloud services. These controls are known as the GC cloud guardrails.

1.2 Scope

The Government of Canada Cloud Guardrails:

2. Cloud guardrails

The Government of Canada Cloud Guardrails describe a preliminary set of baseline cyber security controls to ensure that the cloud service environment has a minimum set of configurations. Departments must implement, validate and report on compliance with the guardrails in the first 30 business days of getting access to their cloud account.

Departments are responsible for implementing the minimum configurations identified in the following tables. Validation of the guardrails will be performed by the SSC Cloud Services Directorate. The Standard Operating Procedure for GC Cloud Guardrails Validation and Escalation Oversight has been developed to support the validation.

For Government of Canada Cloud Guardrails, the following definitions will be used:

  • mandatory requirements: A set of baseline security controls that departments must implement, validate and report on in the first 30 business days of getting access to their cloud account.
  • additional considerations: Additional security controls that are highly recommended and should be taken into consideration. While these controls are not expected to be implemented within 30 business days of departments getting access to their cloud account, the controls include best practices that should be considered as departments establish their cloud-based environments.

2.1 Guardrail 1: protect user accounts and identities

2.1.1 Objective

Protect user accounts and identities.

2.1.2 Applicable service models

Infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS)

2.1.3 Mandatory Requirements

Activity | Validation
  • Implement strong multi-factor authentication (MFA) for all user accounts. Use phishing-resistant MFA where and when available

Note: user accounts and identities include:

  • Confirm that MFA is implemented according to GC guidance through screenshots, compliance reports, or compliance checks enabled through a reporting tool for all user accounts
  • Confirm that digital policies are in place to ensure that MFA configurations are enforced
  • Confirm and report the count of registered root or global administrators (you should have at least two and no more than five)
  • Configure alerts to ensure the prompt detection of a potential compromise, in accordance with the GC Event Logging Guidance
  • Confirm whether monitoring and auditing are implemented for all user accounts
  • Confirm that alerts to the authorized personnel have been implemented to flag misuse or suspicious activities for all user accounts
  • Use separate dedicated accounts for highly privileged roles (for example, domain administrators, global administrators, and root and any domain administrator equivalent access) when administering cloud services to minimize the potential damage
  • Provide evidence that there are dedicated user accounts for administration (for example, privileged access)

2.1.4 Additional considerations

None

2.1.5 References

2.1.6 Related security controls from IT Security Risk Management: A Lifecycle Approach (ITSG-33)

AC-2, AC-2(11), AC-3, AC-5, AC-6, AC-6(5), AC-6(10), AC-19, AC-20(3), IA-2, IA-2(1), IA-2(2), IA-2(3), IA-2(11), IA-5(8), SI-4, SI-4(5), SA-4(12), CM-5

2.2 Guardrail 2: manage access

2.2.1 Objective

Establish access control policies and procedures for management of all accounts.

2.2.2 Applicable service models

IaaS, PaaS, SaaS

2.2.3 Mandatory Requirements

Activity | Validation
  • Demonstrate that access configurations and policies are implemented for different classes of users (non-privileged and privileged users)
  • Confirm that the access authorization mechanisms have been implemented to:
    • uniquely identify and authenticate users to the cloud service
    • validate that the least privilege role is assigned
    • validate that role based access is implemented
    • terminate role assignment upon job change or termination
    • perform periodic reviews of role assignment (minimum yearly)
    • disable default and dormant accounts
    • avoid using generic user accounts
  • Verify that a review of role assignment for root or global administrator accounts is performed at least every 12 months
  • Leverage role-based access and configure for least privilege; doing so can include built-in roles or custom roles that have been established with only the minimum number of privileges required to perform the job function
  • Demonstrate that built-in roles on cloud platforms are configured for least privilege. Custom roles can be used but a rationale should be documented and approved
  • Confirm that the default passwords have been changed for all built-in accounts for the cloud service
  • Demonstrate that password policy for the cloud platform has been configured according to the Password Guidance by:
    • requiring passwords that are at least 12 characters long without a maximum length limit
    • countering online guessing or brute force of passwords using throttling, account lockout policies, monitoring and multi-factor authentication
    • protecting against offline attacks using effective hashing, salting and keyed hashing
  • Implement mechanisms to protect against password brute force attacks
  • Confirm that mechanisms, such as throttling, account lockout policies, monitoring and risk-based authentication, to protect against password brute force attacks have been implemented
  • Establish a guest user access policy and procedures that minimize the number of guest users and that manage the life cycle of such accounts so that such accounts are terminated when they are no longer needed
  • Note: a guest is someone who is not an employee, student or member of your organization (a guest does not have an existing account with the organization’s cloud tenant)
  • Confirm that only required guest user accounts are enabled (according to the business requirements of the service)
  • Provide a list of non-organizational users with elevated privileges
  • Verify that reviews of guest access are performed periodically

2.2.4 Additional considerations

Activity | Validation
  • Confirm that the access control procedure for management of administrative accounts has been documented for the cloud service. The access control procedure:
    • should include provision for any guest accounts and custom accounts
    • must refer to the emergency break glass procedure
  • Enforce just-in-time access for privileged user accounts to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary or misused access permissions
  • Confirm just-in-time access for all privileged user accounts to provide time-based and approval-based role activation
  • Enforce attribute-based access control to restrict access based on a combination of authentication factors, such as devices issued and managed by the GC, device compliance, sign-in and user risks, and location
  • Provide evidence that attribute-based access control mechanisms are in place to restrict access based on attributes or signals, such as authentication factors, devices issued and managed by the GC, device compliance, sign-in and user risks, and location.
  • Leverage tools, such as privilege access management systems, to enforce access control to privileged functions by configuring roles that require approval for activation
  • Choose one or multiple users or groups as delegated approvers
  • Provide evidence that all role activation for privileged user accounts require approval, and that privilege elevation is temporary (time-bound).

2.2.5 References

2.2.6 Related security controls from ITSG-33

AC-2, AC-2(1), AC-2(7), AC-3, AC-3(7), AC-4, AC-5, AC-6, AC-6(5), IA-2, IA-2(1), IA-2(8), IA-2(11), IA-4, IA-5, IA-5(1), IA-5(6)

2.3 Guardrail 3: secure endpoints

2.3.1 Objective

Implement increased levels of protection for management interfaces.

2.3.2 Applicable service models

IaaS, PaaS, SaaS

2.3.3 Mandatory Requirements

Activity | Validation
  • Confirm that administrative access to cloud environments is from approved and trusted locations and from devices issued and managed by the GC that enforce the Endpoint Management Configuration Requirements
  • Demonstrate that access configurations and policies are implemented for devices

2.3.4 Additional considerations

Activity | Validation
  • All administrative tasks should be undertaken on dedicated administrative workstations
  • Note: a dedicated administrative workstation is a secured physical (thick or thin) client workstation used to perform specific and sensitive administrative tasks or tasks requiring privileged access (such a workstation must have no Internet access and related services, such as email and web browsing, must be disabled and prohibited)
  • Confirm whether dedicated administrative workstations are used to conduct all administrative activities

2.3.5 References

2.3.6 Related security controls from ITSG-33

AC-3, AC-3(7), AC-4, AC-5, AC-6, AC-6(5), AC-6(10), AC-19, AC-20(3), IA-2, IA-2(1), IA-2(11), IA-4, IA-5, IA-5(1), SI-4, AU-6, AU-12

2.4 Guardrail 4: enterprise monitoring accounts

2.4.1 Objective

Create role-based accounts to enable enterprise monitoring and visibility.

2.4.2 Applicable service models

IaaS, PaaS, SaaS

2.4.3 Mandatory Requirements

Activity | Validation
  • Create role-based accounts to enable enterprise monitoring and visibility for cloud environments that are procured via the GC Cloud Broker or are included in the scope of centralized guardrails validation
  • Verify that roles required to enable visibility in the GC have been provisioned or assigned
  • Review access privileges periodically and remove access when it is no longer required
  • Confirm that alerts to authorized personnel have been implemented to flag misuse, suspicious sign-in attempts, or when changes are made to privileged and non-privileged accounts

2.4.4 Additional considerations

None

2.4.5 References

2.4.6 Related security controls from ITSG-33

AC-3(7), AC-6(5), IA-2(1)

2.5 Guardrail 5: data location

2.5.1 Objective

Establish policies to restrict sensitive GC workloads to approved geographic locations.

2.5.2 Applicable service models

IaaS, PaaS, SaaS

2.5.3 Mandatory Requirements

Activity | Validation
  • According to subsection 4.4.3.14 of the Directive on Service and Digital:

Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified.

  • Demonstrate that the service location is within Canada for all Protected B cloud services where configurable, in accordance with the applicable cloud usage profiles

2.5.4 Additional considerations

None

2.5.5 References

2.5.6 Related security controls from ITSG-33

SA-9(5)

2.6 Guardrail 6: protection of data at rest

2.6.1 Objective

Protect data at rest by default (for example, storage) for cloud-based workloads.

2.6.2 Applicable service models

IaaS, PaaS, SaaS

2.6.3 Mandatory Requirements

Activity | Validation
  • Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage
  • For IaaS and PaaS, confirm that storage service encryption is enabled for data at rest (if required based on the security risk assessment)
  • For SaaS, confirm that the cloud service provider (CSP) has implemented encryption to protect customer data
  • Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062
  • Cryptographic algorithms and protocols configurable by the consumer are in accordance with ITSP.40.111 and ITSP.40.062
  • For SaaS, confirm that the CSP has implemented algorithms that align with ITSP.40.111 and ITSP.40.062.

2.6.4 Additional considerations

Activity | Validation
  • Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments
  • Confirm that privacy is part of the departmental software development life cycle
  • Leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre’s Guidance on Cloud Service Cryptography (ITSP.50.106)
  • Confirm that a key management strategy has been adopted for the cloud tenant

2.6.5 References

2.6.6 Related security controls from ITSG-33

IA-7, SC-12, SC-13, SC-28, SC-28(1)

2.7 Guardrail 7: protection of data in transit

2.7.1 Objective

Protect data transiting networks through the use of appropriate encryption and network safeguards.

2.7.2 Applicable service models

IaaS, PaaS, SaaS

2.7.3 Mandatory Requirements

Activity | Validation
  • Encrypt data in transit by default (for example, Transport Layer Security (TLS) 1.2) to protect the confidentiality and integrity of data, including for all publicly accessible sites and external communications, according to the GC Web Sites and Services Management Configuration Requirements, and wherever possible for internal zone communication
  • Confirm that TLS 1.2 or above encryption is implemented for all cloud services (via Hypertext Transfer Protocol Secure (HTTPS), TLS or another mechanism)
  • Note: while this encryption setting is often the default, cloud platforms and cloud services often have configuration options to select the permitted TLS version
  • Use CSE-approved cryptographic algorithms and protocols in accordance with ITSP.40.111 and ITSP.40.062
  • Leverage cryptographic algorithms and protocols configurable by the user in accordance with ITSP.40.111 and ITSP.40.062
  • Confirm that non-person entity certificates are issued from certificate authorities that align with GC recommendations for TLS server certificates

2.7.4 Additional considerations

None

2.7.5 References

2.7.6 Related security controls from ITSG-33

IA-7, SC-12, SC-13, SC-28, SC-28(1)

2.8 Guardrail 8: segment and separate

2.8.1 Objective

Segment and separate information based on sensitivity of information

2.8.2 Applicable service models

IaaS, PaaS

Note

The following guardrail is not applicable to SaaS. The cloud service provider is responsible for the management and security of the network and this responsibility is included as part of the SaaS offering. Refer to section 4.3 of Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104) to understand key considerations for cloud network segmentation.

2.8.3 Mandatory Requirements

Activity | Validation
  • Isolate and secure cloud workloads based on the sensitivity of the data
  • Confirm that the department has a target network architecture with a high-level design or a diagram with appropriate segmentation between network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38
  • Confirm that the department has documented a deployment guide for the cloud platform and associated services (the guide should capture the landing zone if applicable)
  • Confirm that the cloud service provider’s segmentation features are leveraged to provide segmentation of management, production, user acceptance testing (UAT), development (DEV) and testing (for example, the use of subscription, instances or other cloud provider constructs)

2.8.4 Additional considerations

Activity | Validation
  • Develop a target network security design that considers segmentation via network security zones in alignment with ITSP.50.104, ITSP.80.022 and ITSG-38
  • Leverage landing zones that include predefined, secured, multi-account support to allow automated onboarding of different workloads and teams

2.8.5 References

2.8.6 Related security controls from ITSG-33

AC‑4, SC‑7

2.9 Guardrail 9: network security services

2.9.1 Objective

Establish external and internal network perimeters and monitor network traffic.

2.9.2 Applicable service models

IaaS, PaaS, SaaS

2.9.3 Mandatory Requirements

Activity | Validation
  • Ensure that egress and ingress points to and from GC cloud-based environments are managed and monitored
  • Confirm the policy for limiting the number of public Internet Protocols (IPs)
  • Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy
  • Confirm the policy for network boundary protection
  • Perimeter security services, such as boundary protection, intrusion prevention services, proxy services and TLS traffic inspection, must be enabled based on risk profile according to GC secure connectivity requirements and CSE guidance
  • Confirm policy for limiting to authorized source IP addresses (for example, GC IP addresses)
  • Ensure that access to cloud storage services is protected and restricted to authorized security zones or networks, users, and services
  • Confirm that storage accounts are not exposed to the public

2.9.4 Additional considerations

Activity | Validation
  • Use centrally provisioned network security services where available
  • Confirm whether the department is intending to establish dedicated and secure connections to on-premises resources

2.9.5 References

2.9.6 Related security controls from ITSG-33

AC-3, AC‑4, SC‑7, SC‑7(5), SI-4, SI-4(18)

2.10 Guardrail 10: cyber defence services

2.10.1 Objective

Establish a memorandum of understanding for defensive services and threat-monitoring protection services.

2.10.2 Applicable service models

IaaS, PaaS, SaaS

2.10.3 Mandatory Requirements

Activity | Validation
  • Confirm with the Cyber Centre that the memorandum of understanding has been signed
  • Implement defensive services, including host-based sensors (HBSs), cloud-based sensors (CBSs), and network-based sensors (NBSs), in accordance with the Cyber Centre’s onboarding guidance where available
  • Confirm that the Cyber Centre’s sensors or other cyber defence services are implemented where available

2.10.4 Additional considerations

None

2.10.5 References

2.10.6 Related security controls from ITSG-33

SI‑4

2.11 Guardrail 11: logging and monitoring

2.11.1 Objective

Enable logging for the cloud environment and for cloud-based workloads.

2.11.2 Applicable service models

IaaS, PaaS, SaaS

2.11.3 Mandatory Requirements

Activity | Validation
  • Implement an adequate level of logging and reporting, including a security audit log function, in all information systems
  • Confirm policy for event logging is implemented
  • Confirm that the following logs are included:
    • sign-in (interactive and non-interactive sign-ins, API sign-ins)
    • access privilege and group changes (including group membership and group privilege assignment)
    • changes in the configuration of the cloud platform
    • cloud resource provisioning activities
  • Configure events within the solution to support security monitoring, in accordance with the GC Event Logging Guidance
  • Confirm whether monitoring and auditing are implemented for all users
  • Ensure that the appropriate contact information is configured so that the cloud service provider can notify the GC organization of incidents they detect
  • Confirm that the security contact record within the account has been completed with the details of at least two appropriate information security personnel (if multiple personnel are permitted by the cloud platform)
  • Configure an appropriate time zone for the audit records generated by your solution components
  • Confirm that the appropriate time zone has been set
  • Ensure that resources are assigned to monitor cloud-based events
  • Demonstrate that the monitoring use cases for the cloud platform have been implemented and have been integrated with the overall security monitoring activities being performed by the department (evidence could include monitoring a checklist or a system generated report)

2.11.4 Additional considerations

None

2.11.5 References

2.11.6 Related security controls from ITSG-33

AU‑12, SI-4, SI-4(7)

2.12 Guardrail 12: configuration of cloud marketplaces

2.12.1 Objective

Restrict third-party software from cloud service providers to ensure that only GC-approved products are used.

2.12.2 Applicable service models

IaaS, PaaS, SaaS

2.12.3 Mandatory Requirements

Activity | Validation
  • Only GC approved cloud marketplace products are to be consumed. Turning on the commercial marketplace is prohibited.
  • Confirm that third-party marketplace restrictions have been implemented

2.12.4 Additional considerations

Activity | Validation
  • Submit requests to add third-party products to marketplace to SSC’s Cloud Broker

Not applicable

  • Ensure that software offered through the cloud service provider or the cloud service provider marketplace undergoes a software assurance process to ensure that only approved products are used

Not applicable

2.12.5 References

2.12.6 Related security controls from ITSG-33

CM-5, CM-8, SA-12

2.13 Guardrail 13: plan for continuity

2.13.1 Objective

Ensure that there is a plan for continuity of access and service that accommodates both expected and unexpected events.

2.13.2 Applicable service models

IaaS, PaaS, SaaS

2.13.3 Mandatory Requirements

Activity | Validation
  • Document, implement and test a break glass emergency account management process
  • Verify that an emergency account management procedure has been developed
  • Verify that alerts are in place to report any use of emergency accounts
  • Verify that testing of emergency accounts took place, and that periodic testing is included in emergency account management procedures
  • Obtain confirmation from the departmental chief information officer (CIO) in collaboration with the designated official for cyber security (DOCS) with signatures that acknowledge and approve the emergency account management procedures
  • Confirm through attestation that the departmental CIO, in collaboration with the DOCS, has approved the emergency account management procedure for the cloud service

2.13.4 Additional considerations

Activity | Validation
  • Develop a cloud backup strategy that considers where GC data is stored, replicated, or backed up by the cloud service, and the IT continuity plan for the service or application
  • Confirm through attestation that the cloud backup strategy is developed and approved by the business owner
  • Verify if there are scripts that support the ability to restore from code (for example, infrastructure as code)
  • Ensure that cloud workloads are associated with the relevant Application ID (identifier) in the Treasury Board of Canada Secretariat Application Portfolio Management (APM) tool, in support of Appendix H: Standard on At-Risk Technology
  • Provide a list of all software, including versions, deployed on virtual machines associated with the Application IDs from the APM
  • Ensure that departmental cyber security event management plans include cloud services, in alignment with the Government of Canada Cyber Security Event Management Plan
  • Confirm that the departmental cyber security event management plan includes contact information to reach the cloud service provider in case of a security event or incident

2.13.5 References

2.13.6 Related security controls from ITSG-33

AC-1, CP-1, CP-2, CP-9, CA-3
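As an added example (not GC or SSC tooling, and not taken from this document), the following Python evaluates a constructed tenant snapshot against several of the validation checks listed above: MFA on every account, two to five global administrators (guardrail 1), the password policy (guardrail 2), service location (guardrail 5), TLS 1.2 or above (guardrail 7), storage not exposed to the public (guardrail 9), and the required log categories and security contacts (guardrail 11). The snapshot keys, MFA method names and region labels are assumptions made for illustration; a real check would read them from the cloud provider's APIs.

```python
from dataclasses import dataclass

# Constructed sample tenant snapshot (not real data). The keys are an assumption
# of this example, not a GC schema or any cloud provider's API shape.
SAMPLE_TENANT = {
    "users": [
        {"id": "admin1", "mfa": "fido2", "roles": ["global_admin"]},
        {"id": "admin2", "mfa": "sms", "roles": ["global_admin"]},
        {"id": "alice", "mfa": "authenticator_app", "roles": ["reader"]},
        {"id": "svc-report", "mfa": None, "roles": ["reader"]},
    ],
    "password_policy": {"min_length": 8, "max_length": 16, "lockout": True, "throttling": True},
    "tls_min_version": "1.1",
    "storage_accounts": [{"name": "stpublic", "public_access": True},
                         {"name": "stprivate", "public_access": False}],
    "security_contacts": ["soc@dept.example"],
    "log_categories": ["sign_in", "platform_config"],
    "region": "canadacentral",
}

# Reference values for the checks; MFA method names and region labels are illustrative.
PHISHING_RESISTANT_MFA = {"fido2", "certificate"}
REQUIRED_LOG_CATEGORIES = {"sign_in", "privilege_changes", "platform_config", "resource_provisioning"}
CANADA_REGIONS = {"canadacentral", "canadaeast", "ca-central-1"}

@dataclass
class Finding:
    guardrail: int
    status: str  # "pass", "warn" or "fail"
    detail: str

def _result(guardrail, ok, detail, fail_status="fail"):
    return Finding(guardrail, "pass" if ok else fail_status, detail)

def check_guardrail_1(t):
    """Guardrail 1: MFA on every account, 2 to 5 global administrators."""
    no_mfa = [u["id"] for u in t["users"] if not u["mfa"]]
    admins = [u for u in t["users"] if "global_admin" in u["roles"]]
    weak = [u["id"] for u in admins if u["mfa"] not in PHISHING_RESISTANT_MFA]
    return [
        _result(1, not no_mfa, f"accounts without MFA: {no_mfa}"),
        _result(1, 2 <= len(admins) <= 5, f"{len(admins)} global administrators (expected 2 to 5)"),
        # Phishing-resistant MFA is required "where and when available", so only warn.
        _result(1, not weak, f"administrators without phishing-resistant MFA: {weak}", "warn"),
    ]

def check_guardrail_2(t):
    """Guardrail 2: password policy per the Password Guidance."""
    p = t["password_policy"]
    return [
        _result(2, p["min_length"] >= 12, f"minimum length {p['min_length']} (expected >= 12)"),
        _result(2, p.get("max_length") is None, f"maximum length {p.get('max_length')} (expected none)"),
        _result(2, p["lockout"] and p["throttling"], "lockout and throttling against online guessing"),
    ]

def check_guardrail_5(t):
    """Guardrail 5: Protected B workloads located in Canada."""
    return [_result(5, t["region"] in CANADA_REGIONS, f"region {t['region']}")]

def check_guardrail_7(t):
    """Guardrail 7: TLS 1.2 or above for all services."""
    version = tuple(int(x) for x in t["tls_min_version"].split("."))
    return [_result(7, version >= (1, 2), f"minimum TLS version {t['tls_min_version']}")]

def check_guardrail_9(t):
    """Guardrail 9: storage accounts not exposed to the public."""
    exposed = [s["name"] for s in t["storage_accounts"] if s["public_access"]]
    return [_result(9, not exposed, f"publicly accessible storage accounts: {exposed}")]

def check_guardrail_11(t):
    """Guardrail 11: required log categories and at least two security contacts."""
    missing = sorted(REQUIRED_LOG_CATEGORIES - set(t["log_categories"]))
    return [
        _result(11, not missing, f"missing log categories: {missing}"),
        _result(11, len(t["security_contacts"]) >= 2,
                f"{len(t['security_contacts'])} security contacts (expected at least 2)"),
    ]

def evaluate(tenant):
    """Run every check and return the flat list of findings."""
    checks = (check_guardrail_1, check_guardrail_2, check_guardrail_5,
              check_guardrail_7, check_guardrail_9, check_guardrail_11)
    return [f for check in checks for f in check(tenant)]

def summarize(findings):
    """Worst status per guardrail, the shape of the evidence a department reports."""
    rank = {"pass": 0, "warn": 1, "fail": 2}
    worst = {}
    for f in findings:
        if rank[f.status] >= rank[worst.get(f.guardrail, "pass")]:
            worst[f.guardrail] = f.status
    return worst

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TENANT):
        print(f"guardrail {f.guardrail:>2} {f.status:<4} {f.detail}")
```

On the constructed snapshot only guardrail 5 passes outright; the second administrator's SMS factor is reported as a warning rather than a failure because phishing-resistant MFA is required only where available.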

3. After the first 30 business days

Implementing the guardrails is one of the first steps to establishing a secure cloud-based environment. Departments are expected to continue implementing the security requirements as outlined in:

Departments should engage with their IT security risk management teams to obtain advice and guidance on integrating security assessment and authorization activities as part of the implementation of the GC cloud environment. The Government of Canada Cloud Security Risk Management Approach and Procedures outlines activities for departments to consider as part of risk management.

Shared Services Canada (SSC) will perform periodic audits of the departmental tenant environment to ensure ongoing compliance with the guardrails after the first 30 business days.

4. Cloud usage profiles

4.1 Overview

The following table outlines the cloud usage identifier, profiles, descriptions and cloud service models used in the GC.

Table 1: cloud usage identifiers, profiles and service models

Columns: Identifier (ID); Profile; Description; Applicable cloud service model

ID 1. Profile: Experimentation or sandbox
  Description:
  • Cloud-based services used for experimentation or sandbox
  • No direct system-to-system network interconnections required with GC data centres
  Applicable cloud service model: IaaS, PaaS, SaaS

ID 2. Profile: Non-sensitive cloud-based services
  Description:
  • Cloud-based services hosting non-sensitive GC content
  • No direct system-to-system network interconnections required with GC data centres
  Applicable cloud service model: IaaS, PaaS, SaaS

ID 3a. Profile: Sensitive (up to Protected B) cloud-based services
  Description:
  • Cloud-based services hosting sensitive (up to Protected B) information
  • No direct system-to-system network interconnections required with GC data centres
  Applicable cloud service model: IaaS, PaaS, SaaS

ID 3b. Profile: Sensitive (up to Protected B) cloud-based services (hybrid IT – extension of GC data centres)
  Description:
  • Cloud-based services hosting sensitive (up to Protected B) information
  • GC cloud-based systems required to interact with systems in GC data centres
  • Restricted environment for GC users only
  • No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services
  Applicable cloud service model: PaaS, SaaS

ID 4a. Profile: Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions
  Description:
  • Cloud-based services hosting sensitive (up to Protected B) information for GC-wide enterprise applications (SaaS)
  • No direct system-to-system network interconnections required with GC data centres
  Applicable cloud service model: SaaS

ID 4b. Profile: Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions (hybrid IT – extension of GC data centres)
  Description:
  • Cloud-based services hosting sensitive (up to Protected B) information for GC-wide enterprise applications (SaaS)
  • GC cloud-based systems required to interact with systems in GC data centres
  • Restricted environment for GC users only
  • No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services
  Applicable cloud service model: SaaS

ID 5. Profile: GC to GC only (hybrid IT – extension of GC data centres)
  Description:
  • Hybrid IT environment with an extension of the GC network to cloud-based virtual private cloud (up to Protected B) information
  • GC cloud-based systems required to interact with systems in GC data centres
  • Restricted environment for GC users only
  • No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services
  Applicable cloud service model: IaaS, PaaS

ID 6. Profile: Cloud-based services with external user access and interconnection to GC data centres
  Description:
  • Cloud-based services hosting sensitive (up to Protected B) information
  • GC cloud-based systems required to interact with systems in GC data centres
  • Environment accessible to GC users and external users and services
  • Solution implemented, managed, and operated by a GC department or agency
  Applicable cloud service model: IaaS, PaaS

4.2 Mapping guardrails to cloud usage profiles

The following table describes the applicability of the guardrails during the first 30 business days of departments getting access to their cloud account. Within each departmental cloud tenant, there will be various information systems being provided. Each cloud sub-account or resource group should be tagged with the relevant cloud usage profile to ensure that appropriate policies are applied and validation is performed.

Table 2: guardrail identifiers, service models and cloud usage profiles

Columns: Identifier (ID); Guardrail; Applicable service models; Profile 1: experimentation or sandbox; Profile 2: non-sensitive cloud-based services; Profile 3a and 3b: sensitive (up to Protected B) cloud-based services; Profile 4a and 4b: sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions; Profile 5: GC to GC only (hybrid IT – extension of GC data centres); Profile 6: cloud-based service accessible to external users (connections to GC data centres required)

ID 1. Protect user accounts and identities (IaaS, PaaS, SaaS)
  • Profile 1: Required (minimum for privileged users)
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 2. Manage access (IaaS, PaaS, SaaS)
  • Profile 1: Required
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 3. Secure endpoints (IaaS, PaaS, SaaS)
  • Profile 1: Recommended
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 4. Enterprise monitoring accounts (IaaS, PaaS, SaaS)
  • Profile 1: Required (for billing)
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 5. Data location (IaaS, PaaS, SaaS)
  • Profile 1: Recommended
  • Profile 2: Recommended
  • Profile 3a and 3b: Required (required in Canada for GC storage of Protected B information and above)
  • Profile 4a and 4b: Required (required in Canada for GC storage of Protected B information and above)
  • Profile 5: Required (required in Canada for GC storage of Protected B information and above)
  • Profile 6: Required (required in Canada for GC storage of Protected B information and above)

ID 6. Protection of data at rest (IaaS, PaaS, SaaS)
  • Profile 1: Not required
  • Profile 2: Recommended
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 7. Protection of data in transit (IaaS, PaaS, SaaS)
  • Profile 1: Recommended
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 8. Segment and separate (IaaS, PaaS)
  • Profile 1: Required (network filtering at a minimum)
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 9. Network security services (IaaS, PaaS, SaaS)
  • Profile 1: Recommended
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required (restrict to GC only)
  • Profile 5: Required (deny external access, GC only)
  • Profile 6: Required

ID 10. Cyber defence services (IaaS, PaaS, SaaS)
  • Profile 1: Not required
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 11. Logging and monitoring (IaaS, PaaS, SaaS)
  • Profile 1: Recommended
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 12. Configuration of cloud marketplaces (IaaS, PaaS, SaaS)
  • Profile 1: Required
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

ID 13. Plan for continuity (IaaS, PaaS, SaaS)
  • Profile 1: Not required
  • Profile 2: Required
  • Profile 3a and 3b: Required
  • Profile 4a and 4b: Required
  • Profile 5: Required
  • Profile 6: Required

5. References


Appendix A: Cloud operationalization framework

The following table provides an overview of the updated framework. The framework sets out the steps that organizations must take in order to make use of Protected B cloud services.

Organization | Responsibilities, by framework step: assess the cloud service provider; obtain a cloud account; apply guardrails; obtain the authority to operate; evaluate connectivity readiness; deploy cloud solutions; operate and maintain the solutions

Departments

  • Where possible, use centrally assessed services from the Canadian Centre for Cyber Security (Cyber Centre) through Shared Services Canada’s (SSC’s) Cloud Brokering Service
  • If not deemed within scope for centralized assessment, use the appropriate tool (according to the cloud-tiered assurance model) to self-assess
  • Submit cloud account request via SSC’s Cloud Broker
  • Request departmental cloud subnet (according to SSC’s Cloud IP Address Management (Cloud IPAM) Guideline)
  • Implement GC cloud guardrails within the first 30 business days of access to the cloud account
  • Provide evidence of implementation of guardrails to SSC Cloud Operations
  • Develop artifacts (for example, high-level design, operations manual)
  • Implement and validate solution-specific recommended information technology (IT) security configurations
  • Develop a plan of action and milestones to address residual risks
  • Obtain departmental authority to operate
  • Complete the cloud interconnection security agreement
  • Describe network flows 
  • Deploy the virtual private interface
  • Agree to the connectivity service level description
  • Integrate enterprise common services in collaboration with SSC
  • Complete the Workload Intake Form
  • Deploy ExpressRoute or Direct Connect
  • Test network flows
  • Manage the cloud environment
  • Perform continuous monitoring, including ongoing monitoring of compliance with guardrails
  • Address items in the plan of action and milestones as appropriate
  • Maintain systems authorization

Shared Services Canada

  • Determine which enterprise services can be leveraged to support software as a service (SaaS) solutions
  • Perform an IT security assessment of enterprise common services
  • Make the security assessment report of enterprise common services available to departments that will be using the services
  • Use SSC’s Cloud Broker to process cloud account requests from departments
  • Develop the Cloud IP Address Management (Cloud IPAM) Strategy
  • Validate the GC cloud guardrails package
  • Manage tools to support an automated approach to validate departmental implementation of guardrails for hyper-scalers under the framework agreement (FA) and for enterprise-grade SaaS recorded in the inclusion list
  • Report non-compliance with guardrails to the Treasury Board of Canada Secretariat (TBS) and escalate
  • Develop a cloud naming and tagging strategy
  • Develop GC accelerators, including templates and scripts for rapid deployment (for example, infrastructure as code) to facilitate secure cloud deployments at departments
  • Develop cloud connectivity service descriptions and offerings
  • Develop or update the Workload Intake Form for Cloud
  • Activate approved connection requests
  • Maintain cloud connectivity service levels
  • Report on the adherence to GC cloud guardrails by departments to help TBS and deputy heads identify issues and implement corrective actions

Treasury Board of Canada Secretariat

  • Monitor cloud requests 
  • Monitor cloud requests
  • Develop GC cloud guardrails, cloud usage profiles and supporting guidance
  • Escalate non-compliance of guardrails to departmental chief information officers (CIOs)
  • Develop templates to support cyber security assurance activities
  • Develop an interconnection security agreement template
  • Develop tools and templates to support secure application development
  • Develop cyber security playbooks
  • Maintain situational awareness in support of the Government of Canada Cyber Security Event Management Plan
  • Monitor departmental implementation of and adherence to GC cloud guardrails.
  • Address non-compliance with GC cloud guardrails

Canadian Centre for Cyber Security

  • If deemed within scope of the centralized assessment by the Cyber Centre, ensure that the cloud service provider (CSP) is onboarded to the program
  • Make the CSP security assessment report available to departments that will be using the services
  • Perform supply chain integrity reviews for third-party marketplace requests 
  • Work with the department to establish a memorandum of understanding in order to access the Cyber Centre’s cyber defence services
  • Validate the visibility of the departmental cloud tenant (reader account) and deploy cloud-based sensors if feasible
  • Provide IT security advice and guidance
  • Provide IT security advice and guidance
  • Provide IT security advice and guidance
  • Perform the GC security operations centre function
  • Provide second-level IT security monitoring services