Government of Canada Cloud Adoption Strategy

Note to readers

To contact us or to receive a PDF version of the Government of Canada’s Cloud Adoption Strategy, Security Control Profile for Cloud-based Government of Canada IT Services, or the Government of Canada Right Cloud Selection Guidance, please send your request to Public Enquiries.

What is Cloud Computing?

Cloud computing can be compared to public utilities used to deliver commodities such as gas, water or electricity. Instead of acquiring and operating computing infrastructure, such as storage and servers, computing power is purchased from the utility provider. Much like the electricity flowing into a home, cloud computing is on-demand, metered to the rising and falling needs of the consumer, and priced on the basis of what is consumed. The cost of the infrastructure used to deliver the commodity is amortized across the charges to the consumer. Cloud computing (the cloud) offers:

  • economies of scale;
  • on-demand provisioning;
  • elasticity (grows and shrinks according to the client’s needs);
  • offerings governed by service-level agreements; and
  • security (professional auditing and assessment of the provider’s security process).

Introduction

Cloud computing introduces a fundamental shift in the delivery of IT services. The Government of Canada (GC) needs to be ready to leverage this new IT service-delivery model. Cloud adoption will ensure that the GC can maintain IT service excellence during a period of increasing demand for online services and timely access to accurate information by Canadians.

This strategy is designed for those whose participation will be critical to the success of this new approach: leaders who oversee IT service delivery, program managers who use IT services to enable their programs, and the cloud industry, which supplies services to the public sector. This document describes the GC’s strategy for adopting cloud services by focusing on:

  • the Right Cloud adoption strategy: an approach to cloud adoption recognizing that no single cloud or non-cloud deployment model can meet all of the GC’s requirements;
  • an approach to managing security risks that is tailored to the cloud: ensuring the safeguarding of Canadians’ data and privacy;
  • a series of adoption principles: providing guidance to chief information officers as they adopt cloud services; and
  • the future vision for a Canadian public sector community cloud: a program to bring together Canadian public sector buyers with public cloud-service providers, brokered and security-assessed by the GC.

Why Cloud?

Canadians have come to expect that the government will deliver online services with the same quality of user-experience that they get from commercial service offerings such as financial institutions, online shopping and social media. Canadians also expect that the government will deliver these services with the agility and speed necessary to keep pace with changing legislation and government service offerings. Finally, Canadians expect that the cost of applications and infrastructure is minimized. Pressure exists on CIOs to deliver on all of these expectations, but they often find that advances in one area result in a regression in another. Public cloud services offer benefits that enable CIOs to make significant advances in all of these areas, as follows:

Service performance:
Self-service provisioning of computing resources can dramatically reduce the time to meet a requirement. Metrics-based service levels that are contractually enforced help ensure consistent performance levels.
Security:
Cloud-service providers hold internationally recognized security certifications that are assessed by third-party security professionals. These certifications include robust security features that would be a challenge for any one consumer to fund individually.
Innovation:
New features are being continuously deployed, and the costs are amortized across a global service customer base. New technologies such as social media, mobile platforms and analytic tools are all available through subscriptions without large capital investments.
Agility:
Rapid access is available to multi-featured computing resources at the required capacity to carry out projects from planning to full operation.
Elasticity:
Commoditized services can grow and shrink with the level of demand; consumers pay only for what is needed for the time it is needed.

Background

The ongoing transformation of the GC’s IT landscape will allow the GC to meet the challenge of offering a modern, robust technology service. In 2011, the majority of IT infrastructure was consolidated under the management of a single organization: Shared Services Canada (SSC). In 2012, the Report on the State of Aging IT Across the Government of Canada emphasized the need to plan for the investment and eventual replacement of legacy applications. Blueprint 2020 focuses on themes of agility, collaboration and the smart use of technology. Citizens continue to demand more IT-enabled services from their government and through new channels such as social media.

These events have challenged CIOs to make progress on renewal efforts while maintaining current operations. In addition to leveraging internal IT capacity and capabilities, CIOs must also meet the challenges of IT transformation by leveraging cloud services.

In summer 2014, the GC began consulting the IT industry to seek their input to the GC’s Cloud Adoption Strategy. More than 60 industry organizations participated in a request for information and in subsequent face-to-face meetings with government officials. This industry engagement has been complemented by continuous discussions with other levels of government and other federal governments.

This approach to engagement has proven instrumental in influencing this adoption strategy. The common themes that emerged from the consultation process have been considered and included where appropriate. Lessons learned and approaches taken by other governments have been tailored to the Canadian context.

Blueprint 2020

“Living the Vision—Smart Use of Technology

The aim is to take advantage of affordable tools and systems that work together to support operations, especially in our work with partners and stakeholders. This means making investments that are appropriate to sound public finances and the concrete needs of Canadians, for example, by finding innovative ways to customize public services, enable networking and provide open access to information that Canadians can use to develop innovative products and services. This will also nurture a tech-savvy culture, making use of social media tools while respecting Public Service values and ethics.”

This strategy is a sub-component of the GC IT Strategic Plan and fulfills activities seven through ten of the Implementation Roadmap.

  • 7: Adopt Cloud Services
  • 8: Establish a cloud service broker
  • 9: Offer public cloud services
  • 10: Offer private cloud services

Guiding principle 3: Use cloud computing services.

The Vision for Cloud Adoption

The cloud adoption strategy is meant to achieve three broad goals:

  • to help bring the supply of IT services into balance with the demand for those services;
  • to provide a consistent approach to managing the risks of cloud adoption; and
  • to prepare the IT workforce for cloud.

Balance Supply with Demand

The demand for IT services is outstripping the available supply of those services. Digital service delivery is driving the need for increased capabilities and increased capacity. Cloud enhances the ability of IT professionals to meet the demands of the GC’s diverse portfolio of programs and projects. Through cloud adoption, IT supply and demand can be brought into balance.

Consistent Risk Management

Cloud adoption carries risks similar to those faced in the current IT landscape, including span of control, security and privacy. This strategy describes how these risks will be managed consistently, while still allowing departments and agencies to exercise flexibility based on their risk tolerance.

Prepare the Workforce

The adoption rate of cloud services is directly correlated to the rate at which IT professionals can acquire cloud skills. Successful cloud adoption will depend on developing talent and acquiring professional IT credentials.

The Right Cloud Adoption Strategy

The GC’s IT landscape reflects the past five decades of IT evolution, comprising tailored solutions, commercially acquired solutions, legacy solutions and much more. Given such diversity, a one-cloud-fits-all solution will not serve all needs. Instead, the GC will adopt a Right Cloud strategy that will enable CIOs to have a number of cloud- and non-cloud deployment models to choose from. The ability to align solutions to a particular business context will ensure that as many IT solutions as possible will migrate to the cloud.

“Departments and agencies will follow a ‘Right Cloud’ strategy – adopting cloud services when they best meet business needs. All sensitive or protected data under government control will be stored on servers that reside in Canada.”

Cloud Deployment Models

The cloud deployment models available to CIOs are described below. CIOs will receive guidance on which applications suit the cloud and how to choose among deployment models.

Public Cloud: a commercially available offering procured and security-assessed for the use of all Canadian public sector organizations. Under this deployment model, the public sector will securely share tenancy with private companies, non-profits, and individuals.
Private Cloud: a non-commercially available cloud offering tailored to the GC. Under this deployment model, the GC will be the only tenant residing in the cloud.
Non-Cloud: a traditional IT environment for hosting legacy applications that cannot be deployed to a cloud environment.

Security Approach

Cloud computing has the potential to deliver agile, flexible and cost-effective IT services. In the cloud-computing paradigm, the GC collaborates with the provider on many aspects of security and privacy and establishes a level of trust with the cloud provider. At the same time, GC departments and agencies that use cloud services remain accountable for the confidentiality, integrity and availability of IT services, as well as for related information that a cloud-service provider hosts. Departments and agencies will adopt a structured approach for managing risks that accounts for the integration of cloud services into their IT services to support their program objectives and outcomes.

What are Cloud Security Certifications?

Cloud security certification programs provide visibility and transparency in the Cloud Service Provider’s security practices. This visibility is achieved through an audit or assessment that a professional third-party assessment organization conducts against a security-control framework.

Consumers of the service can then leverage these certifications to ensure key security requirements are being met.

International Standards Organization ISO 27001 is a popular certification program that many cloud service providers use.

The risk-management framework that the GC uses for managing IT security risks has the following activities:

Overview of the GC security risk management process.

  • Step 1: Perform Categorization of Data.
  • Step 2: Select the Appropriate Security Control Profile.
  • Step 3: Assess Service Against Profile and Authorize for Use.
  • Step 4: Continuously Monitor Services.

These activities remain the same in a cloud environment, but the shared nature of cloud security affects who participates in and contributes to those activities.

The GC maintains security control profiles suitable for various levels of data sensitivity. These security-control profiles will be tailored to their applicability to cloud environments, while recognizing the provider and consumer’s shared security responsibility.

To enhance the repeatability and agility of the assessment process, the GC will map its security controls to internationally recognized security certifications (e.g., ISO 27001, FedRAMP and Service Organization Controls already held by cloud service providers [CSPs]). CSPs can then reuse those certifications to provide the GC with required security evidence and reduce the cost of security compliance. This approach to security has the benefit of reducing the time and effort of all involved, while increasing the GC’s security.

Cloud Service Models

The National Institute of Standards and Technology (NIST) defines three cloud service models:

Software as a Service (SaaS):
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure.
Platform as a Service (PaaS):
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services and tools supported by the provider.
Infrastructure as a Service (IaaS):
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Cloud Adoption Principles

The GC’s Right Cloud adoption strategy recognizes that different deployment and service-delivery models will deliver, to varying extents, the benefits that the GC seeks from cloud; however, CIOs must weigh those benefits against their business requirements. Depending upon requirements, Public Clouds and Software-as-a-Service (SaaS) may offer the greatest benefits (see the “Why Cloud?” section of this document for those benefits):

Figure 01: Benefits heat map with deployment models along the vertical axis and service delivery models along the horizontal axis. The intersection of Public Cloud and SaaS provides the highest benefits return, and Private Cloud/Data Centre and IaaS provide the lowest benefits.

The following cloud adoption principles will ensure that the benefits of cloud adoption, when cloud is appropriate, are maximized without compromising the confidentiality and privacy of Canadians’ data:

  1. Departments and agencies will adopt a Right Cloud approach when investing in new projects and application renewal efforts.
  2. Departments and agencies will consider the following cloud deployment models that best meet their business needs:
    1. Public Cloud;
    2. Private Cloud; and
    3. Non-Cloud.
  3. Departments and agencies will consider the following cloud service models that best meet their business needs:
    1. Software as a Service (SaaS);
    2. Platform as a Service (PaaS); and
    3. Infrastructure as a Service (IaaS).
  4. In considering how to mitigate security risks, departments and agencies will categorize the data within a workload in order to guide their selection of the appropriate cloud security control profile.
  5. Departments and agencies may deploy solutions that have data-categorization requirements falling outside of a particular cloud security control profile, with appropriate risk-mitigation measures that have been developed in consultation with GC security partners.
  6. To ensure Canada’s sovereign control over its data, all sensitive or protected data under government control will be stored on servers that reside in Canada. Data in transit will be appropriately encrypted.

Data Categorization

The GC categorizes its data by performing a test of the injury that would result in the event of loss of confidentiality, integrity or availability.

  • “Loss of confidentiality” is defined as the disclosure of data without authorization.
  • “Loss of integrity” is defined as the modification of data without authorization.
  • “Loss of availability” is defined as the deletion of data or the denial of access to the data without authorization.

Figure 02: Illustration of the relationship between level of injury (Physical, Psychological, Financial, and Reputation) and the dimension of data categorization (Confidentiality, Integrity, and Availability) leading to the levels assigned (Protected A, B, or C and High, Medium, and Low).

A level is assigned to each dimension based on the level of injury that may result should a loss occur. For example, data may be categorized as follows: Confidentiality is Protected B, Integrity is Medium and Availability is Medium.

The Size of the Opportunity

Data sensitivity is an important factor when one needs to decide which cloud deployment model to use. The GC’s initial focus is to ensure that CSPs can be assessed to hold data up to Protected B. It is estimated that of the GC’s applications at or below the Protected B level, 45 per cent hold Protected B level, 24 per cent hold Protected A and 31 per cent hold Unclassified data.

Selecting the Appropriate Cloud Security Profile

The following matrix is provided to guide departments and agencies in selecting the appropriate cloud-security control profile. The data categorization determines the cloud security control

Cloud Security Control Profile Selection

| Confidentiality | Low Availability, Low Integrity | Low Availability, Medium Integrity | Low Availability, High Integrity | Medium Availability, Low Integrity | Medium Availability, Medium Integrity | Medium Availability, High Integrity | High Availability, Low Integrity | High Availability, Medium Integrity | High Availability, High Integrity |
|---|---|---|---|---|---|---|---|---|---|
| Protected C | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency |
| Protected B | Moderate Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency |
| Protected A | Moderate Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency |
| Unclassified | Low Profile | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | Moderate Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency | High Profile - Canadian Data Residency |

Creating a Cloud Workforce

The current transformation in the GC, including the adoption of this strategy, is changing the nature of the work that IT professionals undertake. To respond to the changes, IT professionals will need enhanced skills and competencies in areas such as:

  • business acumen, to better understand the services and expectations of business partners in their departments and across government as a whole;
  • analytical capacity, to evaluate the various options for delivering IT services, based on a broad range of criteria;
  • vendor-management relations, for example, to evaluate, negotiate, monitor and enforce contracts and service-level agreements, to ensure that the government receives full value for its funding and full benefits under the contracts or arrangements; and
  • new technology adapted to emerging areas such as architecture and deployment of solutions to the cloud.

CIOs must understand the changing environment, undertake the necessary workforce planning, and invest in their workforce in order to provide their IT professionals with the necessary learning and developmental opportunities. For the adoption of cloud to be successful, the GC must immerse itself in a cloud ecosystem, surrounding itself with both skilled employees and experienced professional services. The professional services industry that serves the GC must be ready to provide teams with cloud skills and experience. Making the transition from the physical to the virtual will provide our IT professionals with exciting new opportunities and competencies.

Establish Cloud Leaders

Cloud Computing is a wide-reaching IT initiative. Impacts will be felt in the following areas:

  • application development
  • IT operations
  • legal services
  • finance
  • procurement
  • security
  • compliance
  • privacy
  • identity management
  • data integration
  • mobility
  • customer service

CIOs are encouraged to appoint a cloud leader to direct a cloud core team to address organizational transformation.

Establishing a GC Cloud Broker

Cloud service brokers act as intermediaries between cloud service providers and cloud consumers. Cloud service brokers have the expertise to procure cloud services, manage relationships with providers, manage billing, and monitor consumption of services. Instead of choosing the Right Cloud solution for a given business context, which is a task left to chief information officers, cloud service brokers provide chief information officers with a menu of services to choose from. The GC cloud broker will provide a low-touch cloud-brokering service by implementing contracts with cloud service providers, thereby enabling departments to use a self-service model for provisioning cloud resources (e.g., compute, storage, platforms). As the GC cloud broker, Shared Services Canada will have responsibility for configuring the cloud environments as extensions of end-state data centres with a catalogue of cloud resources pre-configured to the GC’s OS hardening standards and network topology. Public cloud environments authorized to process and store data at the unclassified level, followed by Protected B, will be priorities for procurement.

Canadian Public Sector Community Cloud

Under the auspices of the Public Service Chief Information Officer Council, the GC in partnership with other Canadian public sector governments will sponsor the creation of a Canadian Public Sector Community Cloud (CPSCC). The CPSCC will consist of public cloud services with security that the GC has accredited and that has been made available to all Canadian public sector organizations through a marketplace.

Components of the Canadian Public Sector Community Cloud:

  1. Canadian Public Sector Buyer
  2. Public Cloud Service Providers
  3. GC-Assessed Security
  4. Register in the Cloud Marketplace
  5. Governance

It is important to note that the community cloud is not meant to be a unique offering for the Canadian public sector, but rather a compliance framework for commercially available public cloud offerings.

The benefits of the CPSCC include:

Procure once, buy many times:
Procuring one qualified vehicle open to a wide spectrum of buyers ensures that less effort is spent on buying services and more effort is dedicated to using services.
Economies of Scale:
By acting collectively, the Canadian public sector can increase its buying power, resulting in lower prices.
Collaboration:
Different levels of government often share business lines such as health care and policing. By collaborating, one level of government may inherit the solutions of another level.
Controlling Cloud Sprawl:
Data will be stored in a constrained number of clouds, thereby reducing data-governance risks. Integration efforts can be focused on a few cloud providers that store the majority of data.

Who are the Canadian public sector buyers?

All publicly funded institutions residing within Canada.

  • Federal Government
  • Provincial and Territorial Governments
  • Municipalities
  • Universities
  • Schools
  • Hospitals

The Next Steps

This strategy provides stakeholders within and outside the GC with its direction for driving cloud adoption. Executive sponsorship will be crucial to the success of this strategy. In the coming months, the Treasury Board of Canada Secretariat (TBS) will provide direction to departments with policy, IT service delivery, security and procurement mandates to align their activities to this strategy.

Along with the publication of this strategy, TBS will make available the following tools:

  • Right Cloud Selection Guidance, to advise CIOs on the criteria to consider when selecting a cloud or non-cloud deployment model;
  • Data Categorization Tool, to assist with the categorization of business activities and data;
  • GC Moderate Security Control Profile, for cloud-based GC IT services and related information having a security category of Protected B, medium integrity, and medium availability; and
  • Guideline on Cloud Security Risk Management Approach and Procedures, to provide details of the process described in the “Security Approach” section of this document.

Aligned with SSC’s cloud-service broker role, procurement for public cloud services capable of securely handling unclassified data has already begun. Within twelve months of publication of this strategy, SSC will have procured additional public cloud services capable of securely handling data of classifications up to Protected B inclusive. The services procured will be made available first to the GC, then to other levels of government. This capability will help fulfill the vision of a Canadian public sector community cloud.

Departmental CIOs may have the greatest ability to drive this strategy forward. They are the executives who regularly interface with those delivering programs and services for Canadians. It is these programs that set the requirement for IT services, and it is CIOs who can offer cloud as a solution. Lastly, the cloud industry has an important role to play in educating IT professionals on how to leverage their service offering to provide greater value to Canadians.
