The Canadian Centre for Cyber Security is taking stewardship of the cloud security profiles used to help organizations assess which options are best for protecting low to medium security information. The Government of Canada, through the Treasury Board Secretariat, has issued policies on how to use cloud-based infrastructure, which this new guidance aligns with and complements. But while we created this advice and guidance for the Government of Canada, it applies to any organization that wishes to move to a cloud-based environment.
Cloud-based computing is taking a bigger role in many organizations’ tech footprint every day. With more and more organizations, big and small, moving to a cloud-first strategy and a work-from-home environment, the flexible, on-demand, scalable, and self-service components that cloud computing offers are an appealing option. But it is important to consider all aspects of what cloud computing means before jumping in.
The Cyber Centre developed guidelines to help secure cloud-based services. Each portion builds upon the last, to help get organizations to a safer and more secure cloud computing experience.
Guidance on the Security Categorization of Cloud-Based Services
Security categorization, which helps organizations identify the potential injuries that could result from compromises, is a fundamental step in protecting against the risks associated with the use of cloud computing. More protection is not always best, as it can lead to increased costs and wasted resources, but too little protection can put information and business processes at risk. Finding a solution that is just right for your organization is key, and this guidance will help you do just that.
This document also provides the recommended security control profiles for the low and medium security categories.
Guidance on defence in depth for cloud-based services
Cloud computing does not offer a simple one-size-fits-all solution to protect business assets. This is where a layered approach to implementing security controls comes in handy. Here, you will learn about defence in depth, and how this approach is used to protect against the risks associated with cloud computing.
Guidance on cloud security assessment and authorization
When it comes to moving to a cloud-based environment, organizations need to remember that it’s not just the cloud service providers who are responsible for securing different components: the organizations are too. This shared responsibility makes adopting the cloud even more complex, which is why it is important that organizations understand the overall effectiveness of their security controls and those implemented by the cloud service provider.
Guidance on cloud service cryptography
Cryptography is one of the main pillars enabling security and privacy in cloud computing, and this final document will help organizations understand how it factors in to help protect their information and privacy when moving to a cloud-based computing model. While the topic of cryptography can be quite overwhelming and complex, it is critical to understand it and pick the right solution for your purposes.
By following this guidance and implementing the layers of security necessary for your organization, cloud-based computing can safely become part of your organization’s tech toolbox.