Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN)
SPIN No.: 2017-01
On this page
- 1. Purpose
- 2. Scope
- 3. Effective date
- 4. Application
- 5. Context
- 6. Direction
- 6.1 Risk management
- 6.2 Information assurance and asset protection
- 6.2.1 Secure development and implementation
- 6.2.2 Data residency
- 6.2.3 Identity, credential, and access management
- 6.2.4 Network security
- 6.2.5 Asset and configuration management
- 6.2.6 Vulnerability management
- 6.2.7 Personnel security
- 6.2.8 Physical security
- 6.2.9 Service continuity
- 6.2.10 Secure acquisition
- 6.3 Security operations
- 7. Enquiries
- 8. References
- 9. Additional guidance
- 10. Definitions
The purpose of this Security Policy Implementation Notice (SPIN) is to:
- support departmentsFootnote 1 in understanding existing TBS security policy requirements in the context of cloud computing
- set out guidance to assist organizations in the secure use of commercial cloud services (cloud services)
This SPIN applies to Government of Canada (GC) information that has a security category of Protected B for confidentiality, medium integrity and medium availability. These requirements should also be applied to Protected A information when justified by a risk assessment.
3. Effective date
This SPIN is effective as of .
This SPIN applies to all departments within the meaning of Schedules I, I.1, II, IV and V of the Financial Administration Act unless excluded by specific acts, regulations or orders-in-council.
Cloud computing has the potential to provide a flexible means of delivering IT services. This alternative service delivery model allows individuals and organizations (or “tenants”) to use software, hardware and services that are hosted separately from the GC’s facilities and managed by private sector organizations, including:
- software, such as email and customer relationship management
- platforms, such as operating systems and databases
- infrastructure, such as servers, storage and networks
Care must be taken to mitigate risks associated with using cloud services. Adopting this model will require:
- due diligence and prudence on the part of the GC when selecting an appropriate cloud service provider (CSP)
- a clear delineation of the roles and responsibilities between the GC and the CSP for implementing, operating and maintaining security controls that support GC obligations for data protection and privacy
Deputy heads have a duty and responsibility to ensure the protection of information systems under their organization’s custody and/or control. These responsibilities include:
- safeguarding the confidentiality, integrity and availability of GC information and IT assets
- implementing appropriate measures to assure the protection of personal information when using cloud services
These responsibilities may be satisfied by an assertion from Shared Services Canada (SSC) for the services it provides in fulfillment of its role as the GC’s cloud broker.
Departments are responsible for effectively managing and using cloud services, including adequately protecting the confidentiality, integrity and availability of information that is stored, processed and transmitted. Using GC-provided services can help meet some of the requirements outlined in the sections that follow.
For more information on best practices, refer to Communications Security Establishment’s (CSE’s) Guidance on Cloud Aecurity Assessment and Authorization.
6.1 Risk management
Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services.Footnote 2 In the context of cloud, risk management is based on a model of shared responsibility. The CSP fulfills some responsibility with respect to risk mitigation, but departments are ultimately accountable for risks.
Implementing a risk-based approach:
- supports well-informed decision making
- must be applied before a business owner grants authorization of a cloud-based service to process, store or transmit protected GC information
The GC Cloud Security Risk Management Approach and Procedures is available to support departments in managing risk. This document, which is based on CSE’s ITSG-33 IT Security Risk Management: A Lifecycle Approach, describes the authorities, approach and procedures for managing IT security risks when using cloud services. It also highlights shared responsibilities in implementing security controls with the appropriate rigour to allow the hosting of GC services and related information on cloud services provided by commercial CSPs.
6.1.1 Security categorization
Before using cloud services to support departmental programs and services, departments must identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.Footnote 3 A security categorization tool is available to support departments in performing this activity.
6.1.2 Baseline security controls
Departments must apply graduated safeguards that are commensurate with the risks to their information and IT assets, with more rigorous safeguards as asset values, service delivery requirements, and threats to confidentiality, availability or integrity increase.Footnote 4 Security control profiles can be established to support this requirement.
A baseline security control profile is a set of IT security controls that an organization establishes as minimum mandatory requirements for its information systems. By adhering to a standardized set of security controls, departments can:
- identify and assess risks
- develop strategies to appropriately mitigate risks
The The Government of Canada Security Control Profile for Cloud-Based GC IT Services is available as a starting point for departments. It sets out the baseline security controls recommended for implementation by CSPs and GC departments in order to appropriately protect cloud-based services that have a security category of Protected B, medium integrity and medium availability. It also documents the context in which these security controls are expected to be implemented.
For information and IT assets that have a security category other than Protected B, or a medium category for integrity or availability, a different set of baseline security controls is likely required. Annex 1 ofCSE’s ITSG-33 IT Security Risk Management: A Lifecycle Approach provides guidance in this regard.
6.1.3 Third-party assurance
Departments do not have direct control over all the security controls in a cloud-based service. Neither do they have sufficient visibility into the design, development and installation of those security controls. Consequently, alternative security assessment approaches need to be applied. Departments can leverage independent reporting such as the following to establish third-party assurance when physical inspection and audit by departments is not feasible or practical:
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 27018
- Federal Risk and Authorization Management Program (FedRAMP)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)
- AICPA Service Organization Controls (SOC) audit reports or certifications
A third-party certification requires an independent third party that is bound to be objective and to apply professional standards to the evidence it reviews and produces.
CSPs are expected to clearly document the security controls and features implemented within their cloud services to help the GC understand the security controls within its scope of responsibility. Such controls include those inherited by the CSP. For example, a software provider using an infrastructure provider to deliver a software as a service (SaaS) offering will inherit security controls from the infrastructure provider. In this case, the CSP is expected to obtain assurance that the underlying infrastructure as a service (IaaS) or platform as a service (PaaS) offering being leveraged for the SaaS offering has:
- implemented the appropriate controls within its scope
- obtained valid third-party industry certifications or audit reports
To support this process, the GC will assess CSP security control implementation evidence centrally, in collaboration with appropriate lead security agencies. These assessments will highlight residual risks and suggest additional risk mitigations.
6.1.4 Security assessment and authorization
Departments must perform security assessment and authorization of their information systems or services before approving them for operation.Footnote 5 In the context of cloud, this responsibility extends to any additional security controls being implemented to satisfy departmental requirements (as per section 6.1.2 of this document).
Understanding the overall effectiveness of security controls is essential in determining and managing the residual risks under which a cloud-based service will be operating. Prioritizing security at the beginning of a project life cycle and building security in cloud-based services from the outset are also effective ways to streamline security assessment and ensure successful authorization.
Departments that are seeking to consume cloud services can leverage the results of GC-assessed CSPs (as per section 6.1.3 of this document) to support risk-based decisions. These assessments can be reviewed in conjunction with the security assessments performed for security controls that departments are responsible for implementing.
6.1.5 Continuous monitoring
Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services.Footnote 6 Such management includes continuously monitoring cloud-based services as an essential component of an effective IT security strategy. Continuous monitoring encompasses activities such as:
- monitoring threats and vulnerabilities
- reviewing the results of system monitoring
- self-assessment and internal audits
- developing corrective action plans where necessary to remediate deficiencies
Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet some of these requirements.
CSPs are expected to continuously monitor their cloud services in order to detect changes in the security posture of the cloud service environment, including:
- monitoring their security controls
- assessing security controls regularly
- demonstrating that the security posture is continuously acceptable
6.2 Information assurance and asset protection
In accordance with Appendix C of the Directive on Departmental Security Management, departments must safeguard their information and assets, including those hosted in CSP environments, from unauthorized access, use, disclosure, modification, disposal, transmission, or destruction throughout their life cycle. These safeguards must:
- protect GC data while in transit, in use and at rest
- be commensurate with the security category of the information and assets
- include an assurance of their appropriate implementation
When departments are considering using cloud services for storing personal information,Footnote 7 guidance must be sought from privacy and access to information officials within their institution.
6.2.1 Secure development and implementation
Departments must address security requirements and adjust security requirements throughout all the stages of the system development life cycle, including:
- at the earliest stages of planning and reviewFootnote 8
- as part of a cloud exit strategy
Cloud-based services are expected to be designed and developed following industry best practices (for example, SAFECode Fundamental Practices for Secure Software Development, ISO/IEC 27034 and OWASP) in order to minimize security issues that could:
- compromise GC information
- cause a loss of service
- enable other malicious activity
Using sensitive or protected data for testing and development instances or applications within cloud services requires appropriate authorization and compensating controls.
Departments must implement department-level security controls in their cloud-based services, depending on the service model being deployed. For example, if the service model is IaaS, departments will need to implement the security controls of the platform and application layers of the cloud technology stack. Even under the SaaS service model, additional security controls such as user access need to be implemented.
6.2.2 Data residency
Departments are expected to apply the Directive on Service and Digital when implementing safeguards for GC electronic data residency.
6.2.3 Identity, credential, and access management
Departments must identify and authenticate individuals and devicesFootnote 9 to an appropriate level of assurance before being granted access to information and services hosted in cloud services. Such authentication is in accordance with the Standard on Identity and Credential Assurance and aligns with GC enterprise identity and authentication services.
Access must be restricted to personnel based on the principles of least privilege,Footnote 10 need to knowFootnote 11 and segregation of duties,Footnote 12 and be supported through appropriate security controls. Restricting access includes:
- establishing appropriate use restrictions and device configurations
- taking into consideration the threat environment when accessing cloud services
For privileged user access to cloud-based services, the use of stronger authentication mechanismsFootnote 13 (for example, multi-factor authentication) must be configured. Additional security measures, such as the use of privileged access workstations and dedicated management networks, may further mitigate the risks associated with privileged access.
Refer to CSE guidance in ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems.
6.2.4 Network security
Data transiting networks must be adequately protected through the use of appropriate encryption and network safeguards.Footnote 14 Cloud-based services should make use of CSE-approved cryptographic algorithms and protocols, as outlined in:
- CSE’s TSP.40.111 Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information
- CSE’s ITSP.40.062 Guidance on Securely Configuring Network Protocols
Robust key management processes and procedures are also essential to protect encryption keys from being compromised or lost, which could result in unauthorized disclosure or loss of information.
All external interfaces of the cloud-based service must be identified and appropriately protected.Footnote 15 Management interfaces may require increased levels of protection. Refer to CSE’s guidance in:
6.2.5 Asset and configuration management
Departments must be aware of the assets they hold and their associated sensitivity and criticality.Footnote 16 It is essential that all assets are accounted for, regardless of location. Any changes to cloud-based services and their configurations need to be appropriately managed and consist of activities such as:
- authorizing and properly testing changes
- maintaining known and approved system and component designs, settings, parameters and attributes
When using IaaS and PaaS, the GC is responsible for implementing measures to support “hardening” (for example, disabling of all non-essential services, ports or functionality) of systems, devices and applications.Footnote 17 Doing so will help ensure that the following are appropriately configured:
- operating systems
- virtual hosts
- endpoint devices and services
6.2.6 Vulnerability management
Departments must continuously manage vulnerabilities in information systems.Footnote 18 Failing to promptly apply security-related patches and updates can result in exposed vulnerabilities and may lead to serious security incidents. These measures extend to CSPs for the cloud service components within their scope of responsibility.
When using IaaS and PaaS, the GC is responsible for performing vulnerability and patch management of its cloud-based services. An effective vulnerability and patch management process must be developed and tested as a key part of a defence-in-depth strategy.Footnote 19 Such a process includes:
- monitoring relevant information sources for vulnerability alerts
- implementing corrective actions in a timely manner
CSE provides additional guidance in ITSB-96 Security Vulnerabilities and Patches Explained - IT Security Bulletin for the Government of Canada and, where required, on an emergency basis.
6.2.7 Personnel security
Security screening practices must provide reasonable assurance that individuals can be trusted to safeguard government information, assets and facilities, and to reliably fulfill their duties.Footnote 20 Such screening includes limiting access to authorized users who have been security-screened at the appropriate level. These measures extend to CSP personnel, who by virtue of their position could:
- gain access to GC data
- have the ability to adversely affect cloud-based GC services
In order to perform duties on behalf of the GC, CSPs are expected at all times to demonstrate the measures they perform to grant and maintain the required level of security screening for CSP personnel pursuant to their access privileges to protected information. Security screening:
- must be applied in accordance with, or use an adequate risk-based approach aligned with the definition and practices in the Treasury Board Standard on Security Screening as stated for Reliability Status
- is subject to the provisions of any international information-sharing agreements
CSP conformance with the Standard on Security Screening will be:
- ascertained centrally by the GC, in collaboration with appropriate lead security agencies
- be supported by the third-party assurance process (as per section 6.1.3 of this document)
6.2.8 Physical security
In accordance with Appendix C of the Directive on Departmental Security Management,, information, assets and facilities are to be protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value. Appropriate physical security controls need to be implemented within facilities that are hosting GC data and IT assets in order to protect them from unauthorized access by CSP personnel and by third parties.
CSPs are expected to demonstrate measures to ensure asset protection and resilience, such as:
- physical protection of commercial facilities that host GC data and IT assets
- controlled maintenance of information systems and their components to protect their integrity and ensure their ongoing availability
- protection of assets that store or process GC data against all forms of tampering, loss, damage or seizure
Physical protection measures:
- must be applied in accordance with, or use an adequate risk-based approach aligned with the physical security controls outlined in the Government of Canada Security Control Profile for Cloud-Based GC IT Services
- must be applied in accordance with, or use an adequate risk-based approach aligned with the practices in the Royal Canadian Mounted Police (RCMP) guidance and standards on physical security
- are subject to the provisions of any international information-sharing agreements
CSP conformance with GC physical security requirements will:
- be ascertained centrally by the GC, in collaboration with appropriate lead security agencies
- be supported by the third-party assurance process outlined in section 6.1.3 of this document
6.2.9 Service continuity
In support of IT continuity planning,Footnote 21departments must take into account their cloud-based services in their contingency and disaster recovery plans. Such planning includes understanding where GC data is stored, replicated or backed up by the cloud service (where applicable, given the relevant cloud service model). CSPs are expected to define the levels of service (for example, a service level agreement) for their cloud services, which will help departments determine whether their availability and resiliency requirements will be addressed.
Cloud-based services should be designed to take into consideration suitable geographic dispersal and data replication capabilities to meet business continuity objectives. Such services can include holding a local copy of backup data in case of failure of the cloud service or related communications. A documented and tested process is required for backing up the data within the cloud-based service.Footnote 22 Departments can work with SSC when developing their disaster recovery plans for alternative storage and processing should a CSP experience a catastrophic event.
6.2.10 Secure acquisition
Departments must ensure that IT security requirements are addressed at every stage of contractingFootnote 23 when acquiring cloud services. These requirements are also subject to the provisions of any international information-sharing agreements. Centrally procured cloud services (for example, a GC cloud brokered service) must be used when available.
CSPs are expected to apply supply chain risk management practices to maintain confidence in the security of the sources of information systems and the IT components used to provide their cloud services.
CSPs are expected to prohibit unauthorized access to, use, or alteration of GC data hosted in their cloud service environments. This restriction includes implementing measures to support an exit strategy, which includes:
- the removal of all GC data by an agreed method and time frame, in alignment with CSE’s ITSP.40.006 v2 IT Media Sanitization guidance guidance
- the ability for the GC to retrieve its data in an agreed format and time frame until the exit process is complete
6.3 Security operations
As part of an active defence strategy,Footnote 24 departments must ensure that measures are implemented to audit and monitor access to their cloud-based services. Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet requirements for information system monitoring and security incident management.
6.3.1 Information system monitoring
Continuously monitoring system events and performance, and including a security audit log function in all information systems,Footnote 25 enables the detection of incidents in support of continued delivery of services. It is essential that an adequate level of logging and reporting is configured for the scope of the cloud-based service within the GC’s responsibility. Such documentation will help:
- enable the prompt detection of suspicious activities
- facilitate investigation of and response to security incidents
- support auditing
These measures also extend to CSPs that are expected to continuously monitor the cloud-based service components within their scope of responsibility.
Retention policies for the audit log functionFootnote 26 should be set in accordance with:
- Library and Archives Canada’s generic valuation tool for information technology
- other departmental requirements and standards
6.3.2 Security incident management
Incident management is a key element of an active defence strategy.Footnote 27 The GC must continue to have the ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC enterprise, in alignment with the Government of Canada Cyber Security Event Management Plan (GC CSEMP) (GC CSEMP) and in coordination with the Canadian Centre for Cyber Security.
Departments play a key role in GC-wide cyber security event management, whether directly affected by an event or not. Cloud-based services need to be accounted for within departmental incident management plans in order to ensure timely response and recovery.Footnote 28
Departments provisioning cloud-based services are responsible for:
- establishing appropriate mechanisms to respond effectively to security incidents
- exchanging incident-related information with designated lead departments such as the Canadian Centre for Cyber Security, in accordance with GC incident reporting protocolsFootnote 29 (specifically, to support the completion of incident reports and responses to Request for Actions)
- establishing mechanisms to inform service recipients of cyber security events that impact their systems or information
CSPs are expected to notify the GC when a security incident or breach of GC data or their cloud services impacts the cloud-based GC service. Such notifications should be distributed to:
- relevant departmental contacts (for example, cloud-based service owner)
- the Canadian Centre for Cyber Security
For additional information or clarification regarding this SPIN, address inquiries to:
8.2 Related policy instruments
8.3 Additional references
9. Additional guidance
9.1 GC references
- CSE TSG-33 Overview: IT Security Risk Management: A Lifecycle Approach
- CSE ITSB-89v3 Top 10 IT Security Actions to Protect Government of Canada Internet-Connected Networks and Information
- CSE ITP.80.022 Baseline Security Requirements for Network Security Zones in the Government of Canada
- CSE ITSG-38 Network Security Zoning - Design Considerations for Placement of Services within Zones
- CSE ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
- CSE ITSP.40.062 Guidance on Securely Configuring Network Protocols
- CSE ITSP.40.006 V2 IT Media Sanitization, July 2017
- Industrial Security Manual
- RCMP Guide G1-006 Identification Cards / Access Badges
- RCMP Guide G1-026 Guide to the Application of Physical Security Zones
- RCMP Guide G1-024 Control of Access
- RCMP Guide G1-031 Physical Protection of Computer Servers (03/2008)
- RCMP Guide G13-02 Secure Demising Wall (SDW), July 2013
9.2 Other references
- UK Government, Implementing the Cloud Security Principles, September 2016
- Australia Signals Directorate, Cloud Computing Security for Tenants, April 2015
- New Zealand Government, New Zealand, Security Requirements for Offshore Hosted Office Productivity Services Explained (WORD document, 471 KB), January 2017
- US FedRAMP
- ISO/IEC 27001:2013 Information Technology - Security Techniques - Information Security Management Systems - Requirements
- ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Controls
- ISO/IEC 27017:2015 Information Technology - Security Techniques - Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services
- ISO/IEC 27018:2014 Information Technology - Security Techniques - Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors
- CSA Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, 2017
- NIST Special Publication 800-145, The NIST Definition of Cloud Computing (PDF document, 84 KB), September 2011
- Government of Ontario, GO-ITS 25.21 Security Requirements for Cloud Services, April 2016
- AICPA, Service Organization Controls (SOC) for Service Organizations
- cloud service broker
- An organization that acts as an intermediary between CSPs and consumers by providing various types of brokerage services, including the cloud marketplace.
- cloud service provider (CSP)
- A non-federal government organization that offers cloud services to the public and/or government customers as part of a business venture, typically for a fee with the intent to make a profit.
- commercial cloud service (cloud service)
- Refers to a CSP’s product or service offering
- cloud-based GC service (cloud-based service)
- Refers to an application that a GC department implements and operates over a cloud service.
- data residency
- Refers to the physical or geographical location of an organization’s digital information while at rest.
- infrastructure as a service (IaaS)
- The capability provided to the consumer to provide processing, storage, networks and other fundamental computing resources where the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (for example, host firewalls).
- A reference or designation used to distinguish a unique individual, organization or device.
- platform as a service (PaaS)
- The capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services and tools supported by the provider.
- public cloud
- The cloud infrastructure made available to the general public or a large industry group and owned by an organization that sells cloud services. (NIST SP800-145)
- private cloud
- The cloud infrastructure operated solely for a single organization. It may be managed by the organization or by a third party, and may be located on-premises or off-premises. (NIST SP800-145)
- protected asset or information
- An asset or information that may qualify for an exemption or exclusion under the Access to Information Act or the Privacy Act because its disclosure would reasonably be expected to compromise the non-national interest. (Directive on Departmental Security Management)
- reliability status
- The minimum standard of security screening for positions that require unsupervised access to Government of Canada protected information, assets, facilities or information technology systems. Security screening for reliability status appraises an individual’s honesty and whether he or she can be trusted to protect the employer’s interests. Security screening for reliability status can include enhanced inquiries, verifications and assessments when duties involve or directly support security and intelligence functions.
- residual risk
- In the context of the Policy on Government Security, the level of security risk remaining after the application of security controls and other risk mitigation actions.
- security assessment
- The ongoing process of evaluating security practices and controls to establish the extent to which they are implemented correctly, operating as intended, and achieving the desired outcome with respect to meeting defined security requirements.
- security authorization
- The ongoing process of obtaining and maintaining a security risk management decision and to explicitly accept the related residual risk, based on the results of security assessment.
- security categorization
- The process of assigning a security category to information resources, assets or services based on the degree of injury that could reasonably be expected to result from their compromise.
- security control
- A legal, administrative, operational or technical measure for satisfying security requirements. This term is synonymous with the term “safeguard.”
- security event
- Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents.
- security incident
- Any event (or collection of events), act, omission or situation that has resulted in a compromise.
- security practices
- Processes, procedures and standards that govern the implementation, monitoring and maintenance of security controls.
- security requirement
- A requirement that must be satisfied in order to reduce security risks to an acceptable level and/or to meet statutory, regulatory, policy, contractual and other security obligations.
- sensitive information or asset
- Information or asset that if compromised would reasonably be expected to cause an injury. Sensitive information includes all information that falls within the exemption or exclusion criteria under the Access to Information Act and the Privacy Act. It also includes controlled goods and other information and assets that have regulatory or statutory prohibitions and controls.
- software as a service (SaaS)
- The capability provided to the consumer to use the provider’s applications that run on a cloud infrastructure.
- Any potential event or act, deliberate or unintentional, or natural hazard that could result in a compromise.
- A factor that could increase susceptibility to compromise.
Report a problem or mistake on this page
- Date modified: