Government of Canada Cloud Adoption Strategy: 2018 update
Cloud computing can be compared to public utilities that deliver commodities such as electricity.
Instead of buying and running infrastructure itself, an organization buys computing power from a provider.
Much like electricity in a home, cloud computing is on-demand and the consumer pays for what they use. The cost of the infrastructure used for delivery (storage and services in the case of cloud computing, hydro poles and power lines in the case of electricity) is covered by the charges to the consumer.
Cloud computing offers:
- economies of scale
- on-demand provisioning
- elasticity (grows and shrinks according to the client’s needs)
- services governed by service-level agreements
- security (professional auditing and assessment of the provider’s security process)
Cloud computing represents a fundamental shift in the delivery of IT services. As cloud computing enters its second decade, the Government of Canada (GC) needs to start using it in delivering IT services. Adopting cloud computing will help the GC maintain IT service excellence during a period of increasing demand for digital services and timely access to emerging technologies.
This strategy is for people whose participation will be critical to the success of cloud adoption:
- leaders who oversee IT service delivery
- program managers who use IT services to deliver programs
- service providers in the cloud industry who serve the GC
This document describes the GC’s strategy for adopting cloud services. Intended as a policy directive for departments and agencies, it focuses on:
- a “cloud-first” adoption strategy in which cloud is the preferred option for delivering IT services and public cloud is the preferred option for cloud deployment
- an approach to managing security risks in cloud adoption that safeguards Canadians’ data and privacy
- a series of principles that will guide chief information officers (CIOs) as they adopt cloud services
- a vision for enabling community clouds, specifically, a Canadian public sector community cloud, to bring together Canadian public sector buyers with public cloud service providers, brokered and security-assessed by the GC
- a summary of changes and progress since this strategy was first published in 2016
Canadians have come to expect the government to:
- deliver digital services that give them the same quality of user experience they get from commercial service providers such as financial institutions, online shopping services and social media services
- deliver digital services with the agility and speed necessary to keep pace with changing legislation and government service offerings
- minimize the cost of applications and infrastructure
CIOs are under pressure to meet all of these expectations, but they often find that a step forward in one area results in a step backward in another. Public cloud services will provide the following benefits:
- Service performance
Self-service provisioning of computing resources can dramatically reduce the time needed to meet a requirement. Metrics-based service levels that are contractually enforced help keep performance levels consistent.
Cloud service providers offer robust security features and internationally recognized certifications that would be a challenge for any one organization to deliver on its own.
New features are being deployed continually, and the costs are amortized across a global service customer base. New technologies such as social media, mobile platforms and analytic tools are all available through subscriptions without large capital investments.
Rapid access is available to multi-featured resources at the required capacity to carry out projects from planning to full operation.
Commoditized services can grow and shrink with the level of demand; consumers pay only for what they need when they need it.
The GC is meeting the challenge of offering a modern, robust technology service by constantly transforming its IT landscape.
For example, in 2011, data centres, networks and email were consolidated under the management of Shared Services Canada (SSC). In 2012, the Report on the State of Aging IT Across the Government of Canada emphasized the need to plan for the investment that would be needed to eventually replace legacy applications.
In addition, Blueprint 2020, launched in 2013, set out a vision for a world-class public service equipped to serve Canada and Canadians now and into the future. Focused on themes of agility, collaboration and the smart use of technology, Blueprint 2020 aims to make the GC a modern workplace that makes smart use of technology so that it can meet citizens’ continuing demands for more IT-enabled services and for these services to be available through new channels such as social media.
These examples of transformation show how CIOs have continued renewal efforts while maintaining current operations. In addition to leveraging internal IT capacity and capabilities, CIOs must also leverage cloud services to bring about further transformations.
In summer 2014, the GC began consulting the IT industry to get input on the GC’s Cloud Adoption Strategy. More than 60 industry organizations responded to a request for information and participated in subsequent meetings with government officials. This industry engagement has been complemented by discussions with other levels of government and with other federal governments.
The consultations with industry have been invaluable in developing this adoption strategy. The common themes that emerged from the consultations were considered and included, where appropriate. Lessons learned and approaches taken by other governments have been tailored to the Canadian context.
The aim is to take advantage of affordable tools and systems that work together to support operations, especially in our work with partners and stakeholders. This means making investments that are appropriate to sound public finances and the concrete needs of Canadians, for example, by finding innovative ways to customize public services, enable networking and provide open access to information that Canadians can use to develop innovative products and services. This will also nurture a tech-savvy culture, making use of social media tools while respecting Public Service values and ethics.
Source: “Blueprint 2020: Getting Started—Getting Your Views,” .
Progress and evolution of the strategy
In the more than 14 months since the GC Cloud Adoption Strategy was first published, much work has been done on both cloud adoption and policy development. This work has reinforced some components of the original strategy and has led to the reevaluation or clarification of others.
The adoption of cloud has progressed at a different pace in each department. Science-based organizations, such as Communications Research Centre Canada, have used cloud to change how they do research-based modelling. Early adopters have contributed generously to the cloud community by sharing their work openly.
In , the GC issued the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice and the Direction for Electronic Data Residency. These directions allow for Protected B data to be hosted in the public cloud.
Finally, SSC awarded contracts to various cloud service providers for the storage and processing of unclassified data. SSC has also launched the light-touch brokering service to support access to these contracts.
As implementation of the strategy progresses, the strategy continues to evolve. Highlights of the evolution include:
- The “right cloud strategy” outlined in the original version of this document has evolved into a cloud-first strategy. This change recognizes that cloud remains the preferred option for IT delivery, but public cloud is now the preferred model for cloud deployment.
- The GC Enterprise Architecture Review Board now plays a role in decisions about cloud.
- PSPC and SSC must now collaborate when procuring cloud services.
Vision for cloud adoption
The cloud adoption strategy has 3 broad goals:
- to help balance the supply of IT services with the demand for those services
- to manage the risks of cloud adoption consistently
- to prepare the IT workforce for cloud
Balance supply with demand
The demand for IT services is outstripping the supply of those services. The demand for digital services and the need to renew aging assets are increasing capabilities and capacity and are sparking alternative forms of service delivery. Cloud better equips IT professionals to meet the demands of the GC’s diverse portfolio of programs and projects. By adopting cloud, the GC can bring IT supply and demand into balance. Departmental IT plans will forecast demand and identify opportunities for using cloud technology.
Manage risks consistently
Cloud computing has similar risks to those currently faced in IT, including span of control, security and privacy. This strategy describes how these risks will be managed consistently, while still giving departments and agencies the flexibility to act based on their specific risk tolerance.
Prepare the workforce
How quickly the GC can adopt cloud services depends on how quickly IT professionals can acquire cloud skills. To adopt cloud successfully, the GC will have to develop talent, and IT staff may need to acquire professional IT credentials.
This strategy is part of the Government of Canada Strategic Plan for Information Management and Information Technology 2017 to 2021 and fulfills strategic actions 7 to 10 of the Implementation Roadmap:
- 7: Adopt cloud computing services
- 8: Establish a cloud service broker
- 9: Offer public cloud services
- 10: Offer private cloud services
Guiding principle 5: cloud first approach
Cloud first adoption strategy
When this document was originally published, in the summer of 2016, a right cloud adoption strategy was advocated. The strategy has evolved in the past year, and the GC has moved to a cloud-first strategy.
The primary difference between these strategies is that cloud-first sets out an order of preference when selecting a cloud deployment model but still recognizes that no one deployment model meets all of the GC’s needs. As stated in the strategic plan for 2017 to 2021, “Public cloud services will be the priority choice for departments when choosing a cloud deployment model,” and “[d]epartments will use private clouds where needs cannot be met by public clouds (e.g., secret information).”
Cloud deployment models
CIOs can use the cloud deployment models described below. The Government of Canada Right Cloud Selection Guidance has been made available to CIOs to help them decide which applications are suitable for the cloud and which deployment model is best for each application.
- Public cloud
A commercially available offering procured and security-assessed for the use of all government organizations. In this deployment model, the government organizations will securely share tenancy with private companies, non-profits and individuals.
- Private cloud
A cloud offering tailored to the GC. In this deployment model, the GC will be the only tenant residing on the cloud. Private clouds include both off-premises and on-premises clouds managed by the GC or by a third party.
A traditional IT environment for hosting legacy applications that cannot be deployed to a cloud environment.
- Hybrid cloud or IT environment
A combination of the above models. This model takes a pragmatic approach to integrating legacy technology with cloud technology.
The National Institute of Standards and Technology defines 3 cloud service models:
Software as a service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
Platform as a service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services and tools supported by the provider.
Infrastructure as a service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Source: Peter Mell and Timothy Grance. The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology (PDF, 83.8 KB) (NIST Special Publication 800-145). Gaithersburg: National Institute of Standards and Technology, U.S. Department of Commerce, , pages 2 to 3.
Cloud computing has the potential to deliver agile, flexible and cost-effective IT services. In the cloud-computing delivery model, the GC collaborates with the provider on many aspects of security and privacy and establishes a level of trust with the provider. GC departments and agencies that use cloud services do, however, remain accountable for the confidentiality, integrity and availability of IT services and of related information that a cloud-service provider hosts. Departments and agencies will adopt a structured risk-management approach that takes into account the integration of cloud services into their IT services.
The GC maintains security control profiles for various security categories. The control profiles are usually provided by Communications Security Establishment Canada and then tailored by departments to their specific use. In the case of cloud-based services, the security control profiles are tailored to public cloud environments and recognize that the provider and the consumer share responsibility for security.
Cloud security certifications provide visibility and transparency in the cloud service provider’s security practices. This visibility is achieved through an audit or assessment that a professional third-party assessment organization conducts against a security control framework.
Consumers of the service can then use these certifications to ensure that key security requirements are being met.
International Organization for Standardization ISO 27001 is a popular certification program that many cloud service providers use.
Security categorization is the process of assigning a security category to information resources, assets or services based on the degree of injury that could reasonably be expected to result from their compromise.
Information is identified and categorized based on the degree of injury that could be expected to result from the compromise of its confidentiality, availability or integrity.
To enhance the repeatability and agility of the assessment process, the GC has mapped its security controls to internationally recognized security certifications (for example, ISO 27001, FedRAMP (the U.S. Federal Risk and Authorization Management Program), and Service Organization Controls that are already held by cloud service providers). The cloud service providers can then reuse these certifications to provide the GC with the required security evidence. Mapping security controls to internationally recognized certifications reduces the time and cost of ensuring security compliance, and increases the GC’s security.
Cloud adoption principles
Different deployment and service-delivery models will provide, to varying extents, the benefits the GC is seeking from cloud. The GC’s cloud adoption strategy therefore requires that CIOs consider the public cloud deployment model and the software-as-a-service (SaaS) delivery model first because they offer the greatest benefits to the GC (see Figure 1). (See the Why cloud? section for details on the benefits.)
The following cloud adoption principles will ensure that the benefits of cloud adoption are maximized without compromising the confidentiality and privacy of Canadians’ data.
- Cloud services are identified and evaluated as the principal delivery option when initiating IT investments, initiatives, strategies and projects.
- Using the Government of Canada Right Cloud Selection Guidance to guide their decision, departmental and agency CIOs will select one of the following deployment models, in the following order of priority:
  - public cloud
  - hybrid cloud
  - private cloud
- Departmental and agency CIOs will select one of the following cloud service models, in the following order of priority:
  - software as a service (SaaS)
  - platform as a service (PaaS)
  - infrastructure as a service (IaaS)
- In considering how to manage security risks, departments and agencies must follow the GC Cloud Security Risk Management Approach and Procedures and the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN).
- Departments and agencies may deploy solutions that have data-categorization requirements that fall outside of a particular cloud security control profile, as described in the Government of Canada Security Control Profile for Cloud-Based GC IT Services, with appropriate risk-mitigation measures that have been developed in consultation with GC security partners.
- To ensure, to the greatest extent possible, the GC’s continuous access to sensitive data, departments and agencies must comply with the Direction for Electronic Data Residency.
- To ensure business continuity and to manage risks, departments and agencies will develop an appropriate exit strategy before using cloud services.
- Departments and agencies should consider portability and interoperability of services when designing cloud-based solutions.
Creating a cloud workforce
The current transformation in the GC, including the adoption of this strategy, is changing the business and IT landscape. To be properly positioned to help business owners understand how cloud can enhance program delivery, IT professionals will need enhanced skills.
CIOs must understand the changing environment, undertake the necessary workforce planning, and invest in their workforce by providing their IT professionals with the necessary learning and developmental opportunities.
CIOs are encouraged to appoint a cloud leader to direct a core team to address the organizational changes brought on by cloud. For the adoption of cloud to succeed, the GC must build a cloud ecosystem that has both skilled employees and experienced private-sector professional services. The professional services industry that serves the GC must be ready to provide teams with skills and experience in cloud. The transition from the physical to the virtual will provide IT professionals in the GC with exciting new opportunities and competencies.
Cloud centres of excellence
As their adoption of cloud matures, departments and agencies are investing in cloud centres of excellence to create a hub for cloud talent. The adoption of cloud brings new challenges, and these centres of excellence can help tackle these challenges. Departments and agencies take on new roles such as governing, monitoring and optimizing consumption of pay-as-you-go services. Other roles such as operations and security are expanding. New ways of organizing work, such as development and operations (“DevOps”), require champions.
The GC will publish guidance for creating cloud centres of excellence in the GC. That guidance will be based on:
- consultations with GC experts about their experiences in creating cloud centres of excellence
- existing industry guidance on this topic
Roles and responsibilities
In 2011, by order-in-council, SSC was mandated to exclusively provide services for email, networks, data centres and, later, workplace technology devices. IT roles and responsibilities were re-aligned to support SSC’s service delivery.
As cloud adoption in the GC has grown, it has become clear that the self-service and elastic attributes of public cloud lend themselves to a different set of roles and responsibilities where departments have great autonomy over cloud platforms. However, the benefits that centralized, shared services can provide cannot be ignored. The GC Enterprise Architecture Review Board will therefore review all proposals for cloud-based, enterprise-wide services and decide when service in the cloud will be mandatory or optional for departments. Decisions about roles and responsibilities for cloud will be recorded as part of a matrix and made available to departments and agencies.
Consistent with the cloud adoption principles set out earlier, the following outlines the breakdown of roles and responsibilities for key security, business and operational activities between the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada and departments and agencies:
- Treasury Board of Canada Secretariat (TBS) is responsible for GC enterprise governance, strategy and policy for cloud services, including oversight and risk assessment of cloud service requests from GC departments.
- Shared Services Canada (SSC) is responsible for providing a light-touch cloud-brokering service by implementing contracts with cloud service providers and thereby enabling departments to use a self-service model for provisioning and managing cloud resources (for example, compute, storage, platforms).
In a light-touch brokering model, once an organization is administratively on-boarded to a source of supply, that organization can access features of that service, including self-service provisioning. The cloud service broker will monitor usage of these services, including consumption. The broker will also provide an inventory of virtual assets. The goal is to provide organizations with the features to maintain self-service, agility, automation and elasticity while still maintaining centralized visibility of the services.
- Public Services and Procurement Canada (PSPC) may also implement contracts for cloud services. PSPC will work closely with SSC to leverage PSPC’s capabilities and to collaboratively build contracting terms and security requirements.
- Departments and agencies are responsible for security categorization, security control profile selection, deployment and service model selection, exit strategy, service authorization, and continuous management of the cloud service to ensure that business and security requirements are met. It is departmental and agency CIOs who select the cloud deployment and service models.
Canadian public sector community cloud
Under the auspices of the Public Service Chief Information Officer Council, the GC, in partnership with other levels of government in Canada, will sponsor the creation of a Canadian public sector community cloud (CPSCC). The CPSCC will consist of public cloud services that have security controls that the GC has accredited and that have been made available to all Canadian public sector organizations through a marketplace.
The community cloud is not meant to be a unique offering for the Canadian public sector, but rather a compliance framework for commercially available public cloud offerings.
The benefits of the CPSCC include the following:
- Procure once, buy many times
Procuring one qualified vehicle open to a wide spectrum of buyers ensures that less effort is spent on buying services and that more effort is dedicated to using services.
- Economies of scale
By acting collectively, the Canadian public sector can increase its buying power, resulting in lower prices.
Different levels of government often share business lines, for example, health care and policing. By collaborating, one level of government may inherit the solutions adopted by another level.
- Controlling cloud sprawl
Data will be stored in a constrained number of clouds, which will reduce data-governance risks. Integration efforts can focus on a few cloud providers that store the majority of data.
All publicly funded institutions in Canada:
- federal government
- provincial and territorial governments
The adoption of cloud, while still nascent, is accelerating. The awarding of contracts by SSC following a tender notice issued in 2016 for unclassified cloud services has given departments and agencies access to a wide variety of services. This access has allowed departments and agencies to explore platforms for application development, elastic computing and storage for both research and enterprise use. It has also given them access to emerging technologies such as artificial intelligence and the Internet of Things. More important, it has allowed departments and agencies to build the skills and governance models needed for their cloud journey. Departments have begun to invest in cloud centres of excellence. A cloud centre of excellence is a dedicated team that, among other things, forecasts demand, monitors and optimizes consumption, and designs cloud-native solutions.
On the process side, departments have begun to experiment with DevOps for organizing teams and agile methodologies. It is the individual departments and agencies that will continue to explore new ways to use cloud as an enabler for digital services. This experimentation will build momentum now that enabling policy for processing and storing protected data in the cloud is available.
PSPC will join SSC in making available new sources of supply for cloud services that will support the processing of protected data. The lessons learned from procuring public cloud services at the unclassified level will be applied to protected cloud services. SSC will also build network connections directly to major cloud service providers and thereby remove stress from internet connections and ensure a higher degree of availability for cloud-based services.
TBS will lead a multi-departmental working group focused on collaborating with other governments globally and with industry to build guidance, processes, procedures, automation and templates in an effort to ease cloud adoption.
Finally, the GC Enterprise Architecture Review Board will provide a governance forum for steering cloud adoption.