Information system services have come a long way. They are now more flexible and agile than ever before. And part of this is due to cloud computing. Cloud computing allows individuals and businesses to use applications without having to perform installations. Cloud computing also allows people to access personal files from any computer with an internet connection.
Under the surge of cloud computing, the Government of Canada (GC) must release direct control over many aspects of information involving privacy and security. This involves giving more trust to cloud service providers (CSPs). Even so, GC organizations who use cloud services will still be held accountable for the integrity and confidentiality of the information.
We’ll be discussing how GC agencies and departments are cracking down on cloud security in order to handle risks in an effective manner.
GC Approach To Cloud Security Risk Management
Cloud services have become readily available to individuals and organizations. Even the Government of Canada uses cloud service providers on a regular basis. GC is still ultimately responsible for risks involved with CSPs. Here’s the approach that GC takes in order to manage the security risks involved with using cloud services.
Perform Security Categorization
This involves characterizing different business activities. Activities are categorized by their injury levels from compromise. This is with respect to the security goals of availability, integrity, and confidentiality.
Selecting Appropriate Security Controls
This is done by creating a security control profile. This profile helps protect information systems by taking specific security measures based off of the business activities.
Security Assessments & Authorization
GC will conduct constant security assessments to assure that the information systems are meeting security requirements. Also, senior organizational officials will need to give authorization for specific operations involving information systems.
This is an extension of the implementation of security measures. GC will monitor any deviations in cloud security and make efficient changes when necessary.
GC Procedures For Cloud Security Risk Management
The Government of Canada is expected to follow certain procedures when moving their services to the cloud. This section will cover more details involved with the approaches listed above.
Selecting Security Control Profiles
GC will need to select the correct control profiles for executing specific purposes. This involves validating the applicability of business context, technical context, and threat context. Cloud profiles of GC will specify minimum standards for security control.
Selecting Deployment & Service Models
GC selects proper deployment models by researching different aspects of cloud services. These aspects include service availability, security categories, and information system workloads.
Assessing Security Control
This is performed by the GC security assessor. This individual will test the implementation of security controls by examining security assessment evidence from the CSP. If the CSP has no evidence, then the security assessor will need to take matters into his/her own hands.
Risk management and governance activities will help accomplish the authorization of cloud services. This leads to the declaration of efficiency of a specific information system. Information will be handed over from project teams to operational teams.