Cloud Usage Profiles

February 6, 2024 · View on GitHub

Overview

The following table outlines the cloud usage identifier, profiles, descriptions and cloud service models used in the GC.

Table 1: cloud usage identifiers, profiles and service models

Identifier (ID)	Profile	Characteristics	Applicable Service Model
1	Experimentation or sandbox	Cloud-based services used for experimentation or sandbox No direct system-to-system network interconnections required with GC data centres	IaaS, PaaS, SaaS
2	Non-sensitive cloud-based services	Cloud-based services hosting non-sensitive GC content No direct system-to-system network interconnections required with GC data centres	IaaS, PaaS, SaaS
3a	Sensitive (up to Protected B) cloud-based services	Cloud-based services hosting sensitive (up to Protected B) information No direct system-to-system network interconnections required with GC data centres	IaaS, PaaS, SaaS
3b	Sensitive (up to Protected B) cloud-based services (hybrid IT – extension of GC data centres)	Cloud-based services hosting sensitive (up to Protected B) information GC cloud-based systems required to interact with systems in GC data centres Restricted environment for GC users only No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services	PaaS, SaaS
4a	Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions	Cloud-based services hosting sensitive (up to Protected B) information for GC-wide enterprise applications (SaaS) No direct system-to-system network interconnections required with GC data centres	SaaS
4b	Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions (hybrid IT – extension of GC data centres)	Cloud-based services hosting sensitive (up to Protected B) information for GC-wide enterprise applications (SaaS) GC cloud-based systems required to interact with systems in GC data centres Restricted environment for GC users only No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services	SaaS
5	GC to GC only (hybrid IT – extension of GC data centres)	Hybrid IT environment with an extension of the GC network to cloud-based virtual private cloud (up to Protected B) information GC cloud-based systems required to interact with systems in GC data centres Restricted environment for GC users only No external user connections to or from GC cloud-based virtual private cloud and no publicly accessible services	IaaS, PaaS
6	Cloud-based services with external user access and interconnection to GC data centres	Cloud-based services hosting sensitive (up to Protected B) information GC cloud-based systems required to interact with systems in GC data centres Environment accessible to GC users and external users and services Solution implemented, managed, and operated by a GC department or agency	IaaS, PaaS

Mapping guardrails to cloud usage profiles

The following table describes the applicability of the guardrails during the first 30 business days of departments getting access to their cloud account. Within each departmental cloud tenant, there will be various information systems being provided. Each cloud sub-account or resource group should be tagged with the relevant cloud usage profile to ensure that appropriate policies are applied and validation is performed.

Table 2: guardrail identifiers, service models and cloud usage profiles

Identifier (ID)	Guardrail	Applicable Service Models	Profile 1: experimentation or sandbox	Profile 2: non-sensitive cloud-based services	Profile 3a and 3b: sensitive (up to Protected B) cloud-based services	Profile 4a and 4b: sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions	Profile 5: GC to GC only (hybrid IT – extension of GC data centres)	Profile 6: cloud-based service accessible to external users (connections to GC data centres required)
01	Protect user accounts and identities	IaaS, PaaS, SaaS	Required (minimum for privileged users)	Required	Required	Required	Required	Required
02	Manage access	IaaS, PaaS, SaaS	Required	Required	Required	Required	Required	Required
03	Secure endpoints	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
04	Enterprise monitoring accounts	IaaS, PaaS, SaaS	Required (for billing)	Required	Required	Required	Required	Required
05	Data location	IaaS, PaaS, SaaS	Recommended	Recommended	Required (in Canada for GC storage of Protected B information and above)	Required (in Canada for GC storage of Protected B information and above)	Required (in Canada for GC storage of Protected B information and above)	Required (in Canada for GC storage of Protected B information and above)
06	Protection of data at rest	IaaS, PaaS, SaaS	Not Required	Recommended	Required	Required	Required	Required
07	Protection of data in transit	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
08	Segment and separate	IaaS, PaaS	Required (network filtering at a minimum)	Required	Required	Required	Required	Required
09	Network security services	IaaS, PaaS, SaaS	Recommended	Required	Required	Required (Restrict to GC only)	Required (Deny External Access policy, GC only)	Required
10	Cyber defense services	IaaS, PaaS, SaaS	Not Required	Required	Required	Required	Required	Required
11	Logging and monitoring	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
12	Configuration of cloud marketplaces	IaaS, PaaS, SaaS	Required	Required	Required	Required	Required	Required
13	Plan for continuity	IaaS, PaaS, SaaS	Not required	Required	Required	Required	Required	Required