The GC Accelerators — Accelerating the Secure Adoption of Cloud Services
Blog co-created with Po T
Over the past few years, the Government of Canada’s (GC) cloud adoption journey has often focused on dispelling myths and breaking down the barriers to leveraging cloud computing technology. Key focus areas have been the security of the Cloud Service Providers (CSP) and establishing contracting vehicles to facilitate access to cloud. We are at a point in our journey where we’ve gained confidence in the security practices and services offered by cloud providers. However, in the context of cloud, risk management is based on a model of shared responsibility between the provider and us, the consumer. The recent Capital One data breach is an example of the importance of the consumer’s role in managing risks.
“Capital One said that the breach was not the fault of AWS. Instead, Capital One had “improperly configured a firewall” – a problem that Capital One fixed when the company discovered it, according to Bloomberg. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
With that in mind, now it’s our turn. GC departments and agencies leveraging cloud services continue to be accountable and responsible for continuously managing the security risks to their information and IT assets throughout the life of their programs and services. Thus, an end-to-end “Protected B” system requires not only the provider to implement security controls, but also the GC consumer. The layers of the technology stack that are secured by the provider versus the consumer change with the cloud service model, with SaaS having the smallest scope of responsibility for the customer.
Gartner estimates that by 2022 95% of security breaches in the cloud will be caused by the customer, not the provider.
This is where the GC Accelerators come in. By offering pre-configured infrastructure-as-code (IaC) “templates”, departments can:
- Reuse repeatable design patterns
- Reduce the time required to configure and achieve compliance for an I/PaaS environment with security built into the design
- Reduce duplicative effort between departments adopting similar cloud services
Why Infrastructure as Code?
The Accelerators are a bundling of Infrastructure-as-Code (IaC). IaC allows code that describes infrastructure to be managed with the same tools and processes as application code. IaC is important for enforcing configuration management in a P/IaaS environment. What at one time required physical infrastructure can now be accomplished through a declarative language such as Terraform, CloudFormation, or ARM templates. This goes a long way toward managing risks by ensuring tasks are repeatable, automated, and auditable.
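Because IaC templates are plain text, they can be checked before anything is deployed, which is what makes them auditable. As an added example (not code from the original post, nor from the GC Accelerators repositories), the Python below reads a small constructed CloudFormation-style template and flags security group ingress rules that are open to the whole internet on administrative or database ports, or on every port, the same class of firewall misconfiguration cited above. The sample template, the `SENSITIVE_PORTS` policy list and the function names are assumptions made for illustration; the resource type and property keys are standard CloudFormation ones.

```python
"""Policy-as-code check over an infrastructure-as-code template.

Added example, not part of the GC Accelerators or the original post.
It parses a constructed CloudFormation-style template and reports
security group ingress rules that expose sensitive ports (or all ports)
to 0.0.0.0/0 or ::/0, so the check can run in CI before deployment.
"""
import ipaddress
import json

# Constructed sample template: WebSg is correctly scoped (HTTPS to the
# world is expected for a web tier); AdminSg has two world-open rules.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
                    {"IpProtocol": "-1", "CidrIpv6": "::/0"},
                ],
            },
        },
    }
})

# Assumed policy: ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}


def _is_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_ports(rule):
    """Return the (from, to) port range of a rule; protocol -1 means all ports."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def find_open_ingress(template_text):
    """Return findings as (resource_name, from_port, to_port, cidr) tuples.

    A rule is reported when its source CIDR is the whole internet and it
    either covers every port or overlaps one of SENSITIVE_PORTS.
    """
    template = json.loads(template_text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if not cidr or not _is_world(cidr):
                continue
            lo, hi = _rule_ports(rule)
            all_ports = (lo, hi) == (0, 65535)
            if all_ports or any(lo <= p <= hi for p in SENSITIVE_PORTS):
                findings.append((name, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    # On the sample this reports AdminSg twice: SSH open to 0.0.0.0/0,
    # and all ports open to ::/0. WebSg (443 only) is not reported.
    for name, lo, hi, cidr in find_open_ingress(SAMPLE_TEMPLATE):
        print(f"{name}: ports {lo}-{hi} open to {cidr}")
```

Wiring a check like this into the pipeline that applies the templates gives the consumer side of the shared responsibility model a repeatable control: a world-open rule fails the build instead of being discovered after the fact.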
Departments have, on their own, been taking provider templates, modifying them, and sharing them amongst themselves. The GC Accelerators take the next step in providing departments with infrastructure-as-code AND supporting compliance documentation, deployable to major cloud environments, to help the department meet security controls within their scope of the shared responsibility model.
Accelerators have been created for two providers so far. They can be found in GitHub here:
GC Accelerator for Azure – https://github.com/canada-ca/accelerators_accelerateurs-azure
GC Accelerator for AWS – https://github.com/canada-ca/accelerators_accelerateurs-aws
It is important to note that these references will help to accelerate the establishment of a baseline environment, but they do not complete it. The Department is responsible for the security of the application components of information system solutions that projects are implementing on top of cloud services.
Creating A Community
Now that the GC Accelerators exist as a product, the next step is to grow that product. We want departments to contribute back as a community-based project.
Further, Shared Services Canada (SSC) and Treasury Board of Canada Secretariat are co-chairing a technical working group to discuss a product roadmap for the Accelerators and continue to drive out key decisions. Items to discuss include:
- Additional platform configurations that could be added (e.g. container services)
- SSC-provided foundational services (e.g. network and identity)
- Common application architectures (e.g. SAP)
Finally, we want to work with the Digital Academy to produce tutorials for departments on how to use the Accelerators.
Where to Start
Start by obtaining a cloud account and launching the GC Accelerators. Then take one application and deploy. Iterate and evolve.
Note: The authors would like to acknowledge key contributions to making the GC Accelerators possible including Terence Cummins (TBS) and Bernard Maltais (PSPC)