During the pandemic, governments have needed to move quickly to respond to the changing world around them, while striving for continuity of services. However, when solutions are slow to come online, the delays put valuable resources and data at risk.
For this very reason, the Government of Canada (GC) set guardrails for government organizations utilizing cloud services for their workloads. These standards are an essential part of data security for organizations looking to host infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), or platform-as-a-service (PaaS) workloads in the cloud.
To help agencies adhere to these Government of Canada standards, we’re proud to announce that we’ve developed a GC Cloud Guardrails solution based on OSS technology and the new Asset Inventory API as well as Open Policy Agent controls. The solution includes 12 guardrails to help government agencies move to the cloud in the GC-specified 30-day period (or less upon receipt of an enrollment under the GC Cloud Services Agreement). The guardrails help ensure everything is in place before onboarding begins, including implementing a preliminary baseline set of controls within cloud-based environments and providing data validation tools.
The three guardrails covered here reference the most rigorous security for data location, data at rest, and data in transit. We’ve taken these standards and made them simple and quick to implement. Each guardrail plays an important part in keeping Canada’s data sovereign, and we’ve added extra considerations to help the process be as efficient and consistent as possible.
Keeping your data solely in Canada
On September 14, we launched a new Google Cloud Region in Toronto to augment the existing Montreal region, and ensure Canadian data stays in Canada. The Canadian Directive on Service and Digital states Government of Canada organizations have a responsibility for “ensuring computing facilities located within the geographic boundaries of Canada or the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C, or as Classified.” These standards will keep Canadian data in Canada and make up GC Cloud Guardrail #5. The latest Google Cloud data center in Toronto meets all these requirements. All regulated industries across the provinces can use it, and we follow strict data tagging policies to ensure data is only stored and moved through approved geographic locations. We’ve also added data location and tagging tools designed to accelerate the process of setting and managing data location.
Default protection for data at rest
For public sector organizations, data at rest is often more valuable to malicious actors than data in transit. This is the case for many reasons, but one of the most common is that data at rest is where vast databases of identifying or highly classified information sit untouched for long periods of time. For this reason, GC Cloud Guardrail #6 helps government organizations keep all data at rest protected and encrypted by default, without any action from the customer, using one or more encryption mechanisms. We’ve madehigh levels of encryption the default for data at rest, while still giving you the flexibility to choose your encryption.
Extra protection for data in transit
Data at rest may often be more valuable, but data in transit can be more vulnerable because data is at a higher risk of hijacking by malicious actors while it is moving across networks. Calling data to and from Google Cloud needs to be as secure a process as possible, and GC Cloud Guardrail #7 helps ensure this happens by making Communications Security Established (CSE)-approved encryption the default.
Unencrypted data-in-transit is one of the biggest security blunders any organization can make. One of the key parts of this guardrail is to ensure that never happens to you. Google Cloud uses CSE-approved cryptographic algorithms and protocols, meeting or exceeding Canadian security standards and simplifying selecting encryption for our users. We also encrypt all access to cloud services. That means every possible path your data can take from point A to point B is fully protected.
Up and running within 30 days
Although it’s called the 30-Day Guardrail process, several Canadian Government departments using Google Cloud have deployed the guardrails and passed the approvals process in a matter of days. To minimize downtime, we designed the validation process to be as speedy as possible with our Guardrails data validation tools. Approval of the guardrails is needed before using Google Cloud, and we know delays can cost time, money, and put security at risk. The 30-day process minimizes all of these and helps you get onboarding fast.
Ready when you are, Canada
GC Cloud guardrails are crucial to the continued protection of Canadian data and help ensure data stays solely within Canada, eliminate configuration drift with meticulous tracking, and minimize the risk of valuable data being stolen. We’re committed to making sure that vital protection is maintained. We’re ready for you, and you aren’t alone. Dozens of organizations have already gone through the guardrails process for Google Cloud, and we’ve even created a community for users to share their stories on our Public Sector Connect page.
Cloud BlogRead More