Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services

1.1 Background

Cloud computing has introduced a fundamental shift in the way information system services are delivered, and the Government of Canada (GC) is positioning itself to use this alternative service delivery model. Cloud adoption will ensure that the GC can continue to sustain service excellence during a period of increased demand for online services and timely access to accurate information.

The adoption of cloud services will result in GC information being electronically transferred from data stores located on GC premises, where this information resides today, to commercial public cloud environments, where the information will be stored and accessed by users. The protection of information in electronic form will be accomplished through the implementation of data security, which includes the protection of the availability, integrity, and confidentiality of data at rest, in transit and in use.

Cryptographic data protection is a core component of the protection of information in electronic form; however, its implementation in cloud services can be a challenging endeavour. Cloud service providers (CSPs) offer several cryptographic capabilities and options that their consumers need to understand, enable and configure correctly. Furthermore, when deploying their cloud-based services, GC departments and agencies must ensure that they comply with the cryptographic data protection requirements specified by the Treasury Board of Canada Secretariat (TBS) and the Communications Security Establishment (CSE).

1.2 Document purpose and scope

The purpose of this document is to help GC departments and agencies use cryptography to protect sensitive GC data in their cloud-based deployments.

The guidance provided in this document applies to:

• Protected A and Protected B GC data
• GC data that have a security category of low and medium for integrity

GC organizations must use this document in conjunction with the:

• Direction for Secure Use of Commercial Cloud Services: Security Policy Implementation Notice
• Government of Canada Cloud Risk Management Approach and Procedures
• Guidance on Cloud Service Cryptography (ITSP.50.106)

GC organizations also need to account for other implementation-specific considerations, including the:

• security category of the GC service being implemented
• proper alignment with enterprise architecture and enterprise security architecture
• solution requirements and constraints (for example, performance)
• threat mitigation objectives
• target residual risks

1.3 Audience

This document will be of value to:

• service delivery managers who are responsible for risks to the security of GC information
• chief information officers, other senior IT officials and IT security officials who are responsible for evaluating the suitability of information system products and services for GC use
• information management officers who are responsible for the lifecycle management of GC information
• information system practitioners and information system security practitioners who are responsible for implementing, operating and maintaining cloud-based GC services

2.1 Requirements

The requirements for cryptographic data protection in the GC are specified in Appendix B to the Treasury Board’s Directive on Security Management. Subsection B.2.3.6.3 of Appendix B states the following:

Use encryption and network safeguards to protect the confidentiality of sensitive data transmitted across public networks, wireless networks or any other network where the data may be at risk of unauthorized access.

However, these requirements are insufficient to appropriately protect sensitive GC data in commercial cloud services. Sensitive GC data must be encrypted to protect both the data’s confidentiality and integrity in the cloud while they are in transit, at rest and in use. These additional data protection requirements are:

• specified in GC cloud security control profiles
• taken into account in this document

At the time of writing, there were no practical implementations for the cryptographic protection of data in use. See Appendix D for more information on the protection of data in use that are stored in cloud services.

2.2 Cryptographic algorithms

GC organizations must use CSE-approved cryptographic algorithms and protocols in their cloud-based deployments, as outlined in:

• CSE’s ITSP.40.111 Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information
• CSE’S ITSP.40.062 Guidance on Securely Configuring Network Protocols

For assurance purposes, in ITSP.40.111, CSE recommends using cryptographic modules that have been validated under the Cryptographic Module Validation Program for compliance with the US National Institute of Standards and Technology’s (NIST) Security Requirements for Cryptographic Modules (FIPS 140-2).

2.3 Baseline security controls

Table 1 lists the security controls and security control enhancements for the cryptographic protection of GC data that are selected in the Government of Canada Cloud Security Control Profile for Cloud-based GC Services. These security controls and security control enhancements form the baseline for the protection of GC data up to and including Protected B, medium integrity and medium availability (PBMM).

3.1 Key management system

GC organizations must implement a key management system for the cryptographic protection used in their cloud-based services. Failure to adequately manage encryption keys can lead to a range of administrative and security problems including the loss of critical data. Considerations for the management of encryption keys include:

• where and how keys are generated and stored
• how keys are distributed and protected
• how keys and data are recovered if they become lost
• when and how keys are destroyed

CSE recommends that GC organizations follow the guidance and recommendations in the following publications to implement key management systems:

• Guidance on Cloud Service Cryptography (ITSP.50.106)
• NIST Special Publication 800-57, Part 1, Revision 4, Recommendation for Key Management, Part 1: General
• NIST Special Publication 800-57, Part 2, Revision 1, Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations
• NIST Special Publication 800-57, Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
• NIST Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems
• NIST Special Publication 800-152, A Profile for US Federal Cryptographic Key Management Systems

Related controls: SC-12, SC-12(1), SC-12(2), SC-12(3).

3.2 Key management models

Table 2 describes 3 key management models and some considerations when determining which model to select. GC organizations should consult ITSP.50.106 to determine which key management model is best suited for their cloud-based deployments.

3.3 Hardware security module

A hardware security module (HSM) is a hardware device that protects and manages cryptographic keys for strong authentication. The functions of an HSM that are relevant to this document are secure cryptographic key generation, key storage and key management.

The use of HSMs enhances the security aspects of key management, enabling the effective protection of cryptographic keys throughout their lifecycle.

3.4 Key management responsibilities

Whether the CSP or the GC organization is responsible for key management depends on which key management model is selected. GC organizations must be aware of the distribution of responsibilities under each model to ensure that they correctly satisfy the security controls of the GC PBMM cloud profile.

Under models 1 and 2, a GC organization relinquishes all or some control over key management operations to the CSP. Model 1 requires no investment on the GC side because the CSP controls all key management operations in the cloud service environment and model 2 requires some investment on the GC side.

Under model 3, a GC organization has full control of key management operations except during use, which occurs in the public cloud environment. Model 3 requires an investment in people, processes and technology on the GC side in order to implement and maintain the key management capability.

When selecting an underlying CSP for a specific cloud-based GC service, GC organizations must consider:

• the key management models that are available
• the advantages, disadvantages and risks associated with each model

GC organizations must also ensure that they correctly implement the key management operations that they are responsible for.

The key management operations that GC organizations may be responsible for are described in Table 3. For full coverage of a key’s lifecycle, key management operations were selected from the following sources:

• NIST Special Publication 800-57
• CSE ITSP.40.111
• Open Web Application Security Project (OWASP) Key Management Cheat Sheet

The distribution of key management responsibilities for each of the key management models are provided in Appendix B.

3.5 Related security controls and mechanisms

Using the tables in Appendix B and Appendix C, GC organizations can identify the security controls and mechanisms that are related to key management that they need to implement.

4.1 Use cases

One of the key security considerations when planning the implementation of a cloud-based GC service will come from the cryptographic use cases. The more common of these use cases include:

• protect data at rest in the cloud
• protect data at rest on a virtual disk
• protect data in transit between a cloud-based GC service and external users (for example, citizens)
• protect data in transit using a private, dedicated connection
• protect cloud service management data in transit using a private, dedicated connection
• process encrypted data in the cloud

Appendix D provides implementation considerations for each of these cryptographic use cases along with deployment examples and a list of the prescribed security controls.

4.2 Security control dependencies

While this document covers the set of security controls that are prescribed for the cryptographic protection of sensitive GC data, cryptography alone is insufficient to appropriately protect data while it is in transit, at rest and in use in information systems. GC organizations therefore need to rely on the correct implementation of other prescribed security controls to ensure appropriate protection. These security controls include without limitations:

• the security categorization of GC data
• the identification and authentication of users and processes
• the enforcement of access authorizations based on separation of duties and least privilege
• the protection of storage media
• the capability to respond to data breaches and other data-related incidents
• the capability to restore data in support of availability
• the logging, monitoring, and auditing of data access and use

4.3 System development lifecycle

GC organizations need to implement cryptography in commercial cloud services according to their departmental system development lifecycle (SDLC) process. CSE provides guidance on the SDLC process in Annex 2 of ITSG-33.

4.4 Encryption keys in shared resources

The distribution of responsibility matrix in Appendix B shows that, within cloud environments, the use of encryption keys remains under the control of CSPs in all 3 key management models. While in use in public cloud environments, encryption keys are exposed to compromise in shared hardware resources through various attack methods. The risks associated with these threats were assessed in the TBS position paper entitled GC Cloud Initiative: Rationale for the Protection Against Exploits of Shared Resources (accessible only on the Government of Canada network). The results show that the expected residual risks from these types of threats fall within the threat protection objectives of the GC PBMM cloud profile.

4.5 Crypto-shredding attacks

Having GC data encrypted at rest in public cloud environments exposes the data to crypto-shredding attacks. In a crypto-shredding attack, a threat actor deletes data by deleting or overwriting the encryption keys under which the data is encrypted. Regardless of the key management model, GC organizations need to consider this threat and, if it is relevant to their cloud-based GC deployment, they need to ensure that the CSP or the GC organization maintains appropriate backup copies of the encryption keys to enable recovery.

4.6 Multi-cloud deployments

At the time of writing, it was not entirely clear whether data encrypted with keys managed by CSPs can be ported from one cloud environment to another cloud environment. GC organizations should consider the portability of encrypted data in their multi-cloud GC service deployments.