Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN)

6.1.1 Security categorization

Before using cloud services to support departmental programs and services, departments must identify and categorize information based on the degree of injury that could be expected to result from a compromise of its confidentiality, integrity and availability.^{Footnote 3} A security categorization tool is available to support departments in performing this activity.

6.1.2 Baseline security controls

Departments must apply graduated safeguards that are commensurate with the risks to their information and IT assets, with more rigorous safeguards as asset values, service delivery requirements, and threats to confidentiality, availability or integrity increase.^{Footnote 4} Security control profiles can be established to support this requirement.

A baseline security control profile is a set of IT security controls that an organization establishes as minimum mandatory requirements for its information systems. By adhering to a standardized set of security controls, departments can:

• identify and assess risks
• develop strategies to appropriately mitigate risks

The The Government of Canada Security Control Profile for Cloud-Based GC IT Services is available as a starting point for departments. It sets out the baseline security controls recommended for implementation by CSPs and GC departments in order to appropriately protect cloud-based services that have a security category of Protected B, medium integrity and medium availability. It also documents the context in which these security controls are expected to be implemented.

For information and IT assets that have a security category other than Protected B, or a medium category for integrity or availability, a different set of baseline security controls is likely required. Annex 1 ofCSE’s ITSG-33 IT Security Risk Management: A Lifecycle Approach provides guidance in this regard.

6.1.3 Third-party assurance

Departments do not have direct control over all the security controls in a cloud-based service. Neither do they have sufficient visibility into the design, development and installation of those security controls. Consequently, alternative security assessment approaches need to be applied. Departments can leverage independent reporting such as the following to establish third-party assurance when physical inspection and audit by departments is not feasible or practical:

• ISO/IEC 27001
• ISO/IEC 27017
• ISO/IEC 27018
• Federal Risk and Authorization Management Program (FedRAMP)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)
• AICPA Service Organization Controls (SOC) audit reports or certifications

A third-party certification requires an independent third party that is bound to be objective and to apply professional standards to the evidence it reviews and produces.

CSPs are expected to clearly document the security controls and features implemented within their cloud services to help the GC understand the security controls within its scope of responsibility. Such controls include those inherited by the CSP. For example, a software provider using an infrastructure provider to deliver a software as a service (SaaS) offering will inherit security controls from the infrastructure provider. In this case, the CSP is expected to obtain assurance that the underlying infrastructure as a service (IaaS) or platform as a service (PaaS) offering being leveraged for the SaaS offering has:

• implemented the appropriate controls within its scope
• obtained valid third-party industry certifications or audit reports

To support this process, the GC will assess CSP security control implementation evidence centrally, in collaboration with appropriate lead security agencies. These assessments will highlight residual risks and suggest additional risk mitigations.

6.1.4 Security assessment and authorization

Departments must perform security assessment and authorization of their information systems or services before approving them for operation.^{Footnote 5} In the context of cloud, this responsibility extends to any additional security controls being implemented to satisfy departmental requirements (as per section 6.1.2 of this document).

Understanding the overall effectiveness of security controls is essential in determining and managing the residual risks under which a cloud-based service will be operating. Prioritizing security at the beginning of a project life cycle and building security in cloud-based services from the outset are also effective ways to streamline security assessment and ensure successful authorization.

Departments that are seeking to consume cloud services can leverage the results of GC-assessed CSPs (as per section 6.1.3 of this document) to support risk-based decisions. These assessments can be reviewed in conjunction with the security assessments performed for security controls that departments are responsible for implementing.

6.1.5 Continuous monitoring

Departments must continuously manage the security risks to their information and IT assets throughout the life of their programs and services.^{Footnote 6} Such management includes continuously monitoring cloud-based services as an essential component of an effective IT security strategy. Continuous monitoring encompasses activities such as:

• monitoring threats and vulnerabilities
• reviewing the results of system monitoring
• self-assessment and internal audits
• developing corrective action plans where necessary to remediate deficiencies

Using GC-provided services, such as those from SSC’s Security Operations Centre, can help departments meet some of these requirements.

CSPs are expected to continuously monitor their cloud services in order to detect changes in the security posture of the cloud service environment, including:

• monitoring their security controls
• assessing security controls regularly
• demonstrating that the security posture is continuously acceptable

6.2.1 Secure development and implementation

Departments must address security requirements and adjust security requirements throughout all the stages of the system development life cycle, including:

• at the earliest stages of planning and review^{Footnote 8}
• as part of a cloud exit strategy

Cloud-based services are expected to be designed and developed following industry best practices (for example, SAFECode Fundamental Practices for Secure Software Development, ISO/IEC 27034 and OWASP) in order to minimize security issues that could:

• compromise GC information
• cause a loss of service
• enable other malicious activity

Using sensitive or protected data for testing and development instances or applications within cloud services requires appropriate authorization and compensating controls.

Departments must implement department-level security controls in their cloud-based services, depending on the service model being deployed. For example, if the service model is IaaS, departments will need to implement the security controls of the platform and application layers of the cloud technology stack. Even under the SaaS service model, additional security controls such as user access need to be implemented.

6.2.2 Data residency

Departments are expected to apply the Directive on Service and Digital when implementing safeguards for GC electronic data residency.

6.2.3 Identity, credential, and access management

Departments must identify and authenticate individuals and devices^{Footnote 9} to an appropriate level of assurance before being granted access to information and services hosted in cloud services. Such authentication is in accordance with the Standard on Identity and Credential Assurance and aligns with GC enterprise identity and authentication services.

Access must be restricted to personnel based on the principles of least privilege,^{Footnote 10} need to know^{Footnote 11} and segregation of duties,^{Footnote 12} and be supported through appropriate security controls. Restricting access includes:

• establishing appropriate use restrictions and device configurations
• taking into consideration the threat environment when accessing cloud services

For privileged user access to cloud-based services, the use of stronger authentication mechanisms^{Footnote 13} (for example, multi-factor authentication) must be configured. Additional security measures, such as the use of privileged access workstations and dedicated management networks, may further mitigate the risks associated with privileged access.

Refer to CSE guidance in ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems.

6.2.4 Network security

Data transiting networks must be adequately protected through the use of appropriate encryption and network safeguards.^{Footnote 14} Cloud-based services should make use of CSE-approved cryptographic algorithms and protocols, as outlined in:

• CSE’s TSP.40.111 Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information
• CSE’s ITSP.40.062 Guidance on Securely Configuring Network Protocols

Robust key management processes and procedures are also essential to protect encryption keys from being compromised or lost, which could result in unauthorized disclosure or loss of information.

All external interfaces of the cloud-based service must be identified and appropriately protected.^{Footnote 15} Management interfaces may require increased levels of protection. Refer to CSE’s guidance in:

• ITSP.80.22 Baseline Security Requirements for Network Security Zones in the Government of Canada
• ITSG-38 Network Security Zoning - Design Considerations for Placement of Services within Zones

6.2.5 Asset and configuration management

Departments must be aware of the assets they hold and their associated sensitivity and criticality.^{Footnote 16} It is essential that all assets are accounted for, regardless of location. Any changes to cloud-based services and their configurations need to be appropriately managed and consist of activities such as:

• authorizing and properly testing changes
• maintaining known and approved system and component designs, settings, parameters and attributes

When using IaaS and PaaS, the GC is responsible for implementing measures to support “hardening” (for example, disabling of all non-essential services, ports or functionality) of systems, devices and applications.^{Footnote 17} Doing so will help ensure that the following are appropriately configured:

• operating systems
• applications
• virtual hosts
• networks
• endpoint devices and services

6.2.6 Vulnerability management

Departments must continuously manage vulnerabilities in information systems.^{Footnote 18} Failing to promptly apply security-related patches and updates can result in exposed vulnerabilities and may lead to serious security incidents. These measures extend to CSPs for the cloud service components within their scope of responsibility.

When using IaaS and PaaS, the GC is responsible for performing vulnerability and patch management of its cloud-based services. An effective vulnerability and patch management process must be developed and tested as a key part of a defence-in-depth strategy.^{Footnote 19} Such a process includes:

• monitoring relevant information sources for vulnerability alerts
• implementing corrective actions in a timely manner

CSE provides additional guidance in ITSB-96 Security Vulnerabilities and Patches Explained - IT Security Bulletin for the Government of Canada and, where required, on an emergency basis.

6.2.7 Personnel security

Security screening practices must provide reasonable assurance that individuals can be trusted to safeguard government information, assets and facilities, and to reliably fulfill their duties.^{Footnote 20} Such screening includes limiting access to authorized users who have been security-screened at the appropriate level. These measures extend to CSP personnel, who by virtue of their position could:

• gain access to GC data
• have the ability to adversely affect cloud-based GC services

In order to perform duties on behalf of the GC, CSPs are expected at all times to demonstrate the measures they perform to grant and maintain the required level of security screening for CSP personnel pursuant to their access privileges to protected information. Security screening:

• must be applied in accordance with, or use an adequate risk-based approach aligned with the definition and practices in the Treasury Board Standard on Security Screening as stated for Reliability Status
• is subject to the provisions of any international information-sharing agreements

CSP conformance with the Standard on Security Screening will be:

• ascertained centrally by the GC, in collaboration with appropriate lead security agencies
• be supported by the third-party assurance process (as per section 6.1.3 of this document)

6.2.8 Physical security

In accordance with Appendix C of the Directive on Departmental Security Management,, information, assets and facilities are to be protected from unauthorized access, disclosure, modification or destruction, in accordance with their level of sensitivity, criticality and value. Appropriate physical security controls need to be implemented within facilities that are hosting GC data and IT assets in order to protect them from unauthorized access by CSP personnel and by third parties.

CSPs are expected to demonstrate measures to ensure asset protection and resilience, such as:

• physical protection of commercial facilities that host GC data and IT assets
• controlled maintenance of information systems and their components to protect their integrity and ensure their ongoing availability
• protection of assets that store or process GC data against all forms of tampering, loss, damage or seizure

Physical protection measures:

• must be applied in accordance with, or use an adequate risk-based approach aligned with the physical security controls outlined in the Government of Canada Security Control Profile for Cloud-Based GC IT Services
• must be applied in accordance with, or use an adequate risk-based approach aligned with the practices in the Royal Canadian Mounted Police (RCMP) guidance and standards on physical security
• are subject to the provisions of any international information-sharing agreements

CSP conformance with GC physical security requirements will:

• be ascertained centrally by the GC, in collaboration with appropriate lead security agencies
• be supported by the third-party assurance process outlined in section 6.1.3 of this document

6.2.9 Service continuity

In support of IT continuity planning,^{Footnote 21}departments must take into account their cloud-based services in their contingency and disaster recovery plans. Such planning includes understanding where GC data is stored, replicated or backed up by the cloud service (where applicable, given the relevant cloud service model). CSPs are expected to define the levels of service (for example, a service level agreement) for their cloud services, which will help departments determine whether their availability and resiliency requirements will be addressed.

Cloud-based services should be designed to take into consideration suitable geographic dispersal and data replication capabilities to meet business continuity objectives. Such services can include holding a local copy of backup data in case of failure of the cloud service or related communications. A documented and tested process is required for backing up the data within the cloud-based service.^{Footnote 22} Departments can work with SSC when developing their disaster recovery plans for alternative storage and processing should a CSP experience a catastrophic event.

6.2.10 Secure acquisition

Departments must ensure that IT security requirements are addressed at every stage of contracting^{Footnote 23} when acquiring cloud services. These requirements are also subject to the provisions of any international information-sharing agreements. Centrally procured cloud services (for example, a GC cloud brokered service) must be used when available.

CSPs are expected to apply supply chain risk management practices to maintain confidence in the security of the sources of information systems and the IT components used to provide their cloud services.

CSPs are expected to prohibit unauthorized access to, use, or alteration of GC data hosted in their cloud service environments. This restriction includes implementing measures to support an exit strategy, which includes:

• the removal of all GC data by an agreed method and time frame, in alignment with CSE’s ITSP.40.006 v2 IT Media Sanitization guidance guidance
• the ability for the GC to retrieve its data in an agreed format and time frame until the exit process is complete

6.3.1 Information system monitoring

Continuously monitoring system events and performance, and including a security audit log function in all information systems,^{Footnote 25} enables the detection of incidents in support of continued delivery of services. It is essential that an adequate level of logging and reporting is configured for the scope of the cloud-based service within the GC’s responsibility. Such documentation will help:

• enable the prompt detection of suspicious activities
• facilitate investigation of and response to security incidents
• support auditing

These measures also extend to CSPs that are expected to continuously monitor the cloud-based service components within their scope of responsibility.

Retention policies for the audit log function^{Footnote 26} should be set in accordance with:

• Library and Archives Canada’s generic valuation tool for information technology
• other departmental requirements and standards

6.3.2 Security incident management

Incident management is a key element of an active defence strategy.^{Footnote 27} The GC must continue to have the ability to respond to cyber security events in a consistent, coordinated and timely manner across the GC enterprise, in alignment with the Government of Canada Cyber Security Event Management Plan (GC CSEMP) (GC CSEMP) and in coordination with the Canadian Centre for Cyber Security. 

Departments play a key role in GC-wide cyber security event management, whether directly affected by an event or not. Cloud-based services need to be accounted for within departmental incident management plans in order to ensure timely response and recovery.^{Footnote 28}

Departments provisioning cloud-based services are responsible for:

• establishing appropriate mechanisms to respond effectively to security incidents
• exchanging incident-related information with designated lead departments such as the Canadian Centre for Cyber Security, in accordance with GC incident reporting protocols^{Footnote 29} (specifically, to support the completion of incident reports and responses to Request for Actions)
• establishing mechanisms to inform service recipients of cyber security events that impact their systems or information

CSPs are expected to notify the GC when a security incident or breach of GC data or their cloud services impacts the cloud-based GC service. Such notifications should be distributed to:

• relevant departmental contacts (for example, cloud-based service owner)
• the Canadian Centre for Cyber Security