The following table outlines the cloud usage identifier, profiles, descriptions and cloud service models used in the GC.
Identifier (ID) | Profile | Characteristics | Applicable Service Model |
---|---|---|---|
1 | Experimentation or sandbox | | IaaS, PaaS, SaaS |
2 | Non-sensitive cloud-based services | | IaaS, PaaS, SaaS |
3a | Sensitive (up to Protected B) cloud-based services | | IaaS, PaaS, SaaS |
3b | Sensitive (up to Protected B) cloud-based services (hybrid IT – extension of GC data centres) | | PaaS, SaaS |
4a | Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions | | SaaS |
4b | Sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions (hybrid IT – extension of GC data centres) | | SaaS |
5 | GC to GC only (hybrid IT – extension of GC data centres) | | IaaS, PaaS |
6 | Cloud-based services with external user access and interconnection to GC data centres | | IaaS, PaaS |
The following table describes the applicability of the guardrails during the first 30 business days after a department gains access to its cloud account. Within each departmental cloud tenant, various information systems will be provided. Each cloud sub-account or resource group should be tagged with the relevant cloud usage profile so that the appropriate policies are applied and compliance with the applicable guardrails can be validated.
Identifier (ID) | Guardrail | Applicable Service Models | Profile 1: experimentation or sandbox | Profile 2: non-sensitive cloud-based services | Profile 3a and 3b: sensitive (up to Protected B) cloud-based services | Profile 4a and 4b: sensitive (up to Protected B) cloud-based services for GC-wide SaaS solutions | Profile 5: GC to GC only (hybrid IT – extension of GC data centres) | Profile 6: cloud-based service accessible to external users (connections to GC data centres required) |
---|---|---|---|---|---|---|---|---|
01 | Protect user accounts and identities | IaaS, PaaS, SaaS | Required (minimum for privileged users) | Required | Required | Required | Required | Required |
02 | Manage access | IaaS, PaaS, SaaS | Required | Required | Required | Required | Required | Required |
03 | Secure endpoints | IaaS, PaaS, SaaS | Recommended | Required | Required | Required | Required | Required |
04 | Enterprise monitoring accounts | IaaS, PaaS, SaaS | Required (for billing) | Required | Required | Required | Required | Required |
05 | Data location | IaaS, PaaS, SaaS | Recommended | Recommended | Required (in Canada for GC storage of Protected B information and above) | Required (in Canada for GC storage of Protected B information and above) | Required (in Canada for GC storage of Protected B information and above) | Required (in Canada for GC storage of Protected B information and above) |
06 | Protection of data at rest | IaaS, PaaS, SaaS | Not Required | Recommended | Required | Required | Required | Required |
07 | Protection of data in transit | IaaS, PaaS, SaaS | Recommended | Required | Required | Required | Required | Required |
08 | Segment and separate | IaaS, PaaS | Required (network filtering at a minimum) | Required | Required | Required | Required | Required |
09 | Network security services | IaaS, PaaS, SaaS | Recommended | Required | Required | Required (Restrict to GC only) | Required (Deny External Access policy, GC only) | Required |
10 | Cyber defense services | IaaS, PaaS, SaaS | Not Required | Required | Required | Required | Required | Required |
11 | Logging and monitoring | IaaS, PaaS, SaaS | Recommended | Required | Required | Required | Required | Required |
12 | Configuration of cloud marketplaces | IaaS, PaaS, SaaS | Required | Required | Required | Required | Required | Required |
13 | Plan for continuity | IaaS, PaaS, SaaS | Not Required | Required | Required | Required | Required | Required |
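The validation step the paragraph above calls for (tag a sub-account with its cloud usage profile, then check it against the applicability table) can be automated. The following is an added example, not code from the GC guardrails page: it encodes the table and reports which Required or Recommended guardrails a sub-account still lacks, failing closed when the profile tag is missing or unknown. The tag name `CloudUsageProfile`, the sub-account record layout and the `implemented` list are assumptions; parenthetical qualifiers in the table (e.g. "minimum for privileged users") are not encoded.

```python
# Column index in the applicability table for each cloud usage profile.
PROFILE_COLUMN = {"1": 0, "2": 1, "3a": 2, "3b": 2, "4a": 3, "4b": 3, "5": 4, "6": 5}
ALL = frozenset({"IaaS", "PaaS", "SaaS"})
# id -> (guardrail, applicable service models, applicability for profile
# groups 1, 2, 3a/3b, 4a/4b, 5, 6): R = Required, r = Recommended, - = Not Required.
GUARDRAILS = {
    "01": ("Protect user accounts and identities", ALL, "R R R R R R"),
    "02": ("Manage access", ALL, "R R R R R R"),
    "03": ("Secure endpoints", ALL, "r R R R R R"),
    "04": ("Enterprise monitoring accounts", ALL, "R R R R R R"),
    "05": ("Data location", ALL, "r r R R R R"),
    "06": ("Protection of data at rest", ALL, "- r R R R R"),
    "07": ("Protection of data in transit", ALL, "r R R R R R"),
    "08": ("Segment and separate", frozenset({"IaaS", "PaaS"}), "R R R R R R"),
    "09": ("Network security services", ALL, "r R R R R R"),
    "10": ("Cyber defense services", ALL, "- R R R R R"),
    "11": ("Logging and monitoring", ALL, "r R R R R R"),
    "12": ("Configuration of cloud marketplaces", ALL, "R R R R R R"),
    "13": ("Plan for continuity", ALL, "- R R R R R"),
}

def evaluate(account: dict) -> dict:
    """Check one sub-account record (assumed shape: name, service_model, tags,
    implemented) and list the guardrails it is missing at each level."""
    result = {"missing_required": [], "missing_recommended": [], "errors": []}
    profile = account.get("tags", {}).get("CloudUsageProfile")  # assumed tag name
    if profile not in PROFILE_COLUMN:
        # Fail closed: without a valid profile tag the policy set is unknown.
        result["errors"].append(f"{account['name']}: missing or unknown CloudUsageProfile tag {profile!r}")
        return result
    col = PROFILE_COLUMN[profile]
    implemented = set(account.get("implemented", []))
    for gid, (title, models, row) in GUARDRAILS.items():
        # Skip guardrails that do not apply to this service model (e.g. 08 for SaaS).
        if account["service_model"] not in models or gid in implemented:
            continue
        level = row.split()[col]
        if level == "R":
            result["missing_required"].append(f"{gid} {title}")
        elif level == "r":
            result["missing_recommended"].append(f"{gid} {title}")
    return result

# Constructed sample: a Protected B (profile 3a) IaaS sub-account with gaps.
SAMPLE = {"name": "dept-prod", "service_model": "IaaS",
          "tags": {"CloudUsageProfile": "3a"},
          "implemented": ["01", "02", "03", "04", "05", "07", "08", "09", "11", "12"]}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```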