What are the requirements for using cloud services with Specified Information?

Cloud computing offers significant operational and economic benefits, but introduces unique security challenges when handling specified information. CPCSC requirements apply to cloud environments just as they do to on-premise systems, requiring organizations to carefully evaluate cloud services and implement appropriate controls. Understanding cloud security requirements helps executives make informed decisions about cloud adoption while maintaining compliance and protecting sensitive information.

Answer

Cloud services must meet all CPCSC requirements with shared responsibility between providers and customers ensuring data sovereignty, security controls, and compliance.

Cloud Security Challenges

Cloud computing fundamentally changes security models in several ways. Shared responsibility divides security obligations between cloud providers (responsible for securing infrastructure, physical facilities, and foundational services) and customers (responsible for securing their data, applications, configurations, access management, and everything they build on cloud infrastructure).

The division point varies by service model—Infrastructure-as-a-Service (IaaS) like AWS EC2 gives customers more responsibility, while Software-as-a-Service (SaaS) like Microsoft 365 means providers handle more security. Multi-tenancy means customer systems coexist on shared infrastructure with other customers, requiring robust isolation to prevent cross-tenant data leakage.

Data sovereignty becomes complex when cloud providers operate globally and data may be stored or processed in multiple jurisdictions, potentially including countries where Canada prefers not to have sensitive information.

Loss of physical control means organizations can't physically inspect data centers or implement physical security themselves. Vendor lock-in can make moving data to different providers difficult if security or compliance issues arise. Visibility limitations may prevent customers from conducting certain security assessments of provider infrastructure.

Organizations must understand these challenges and address them through provider selection, contract terms, and security architecture.

ITSP.10.171 Cloud Security Requirements

While ITSP.10.171 doesn't have a separate "cloud" section, its requirements apply to cloud environments. All security requirements must be satisfied whether systems are on-premise or cloud-based—cloud adoption doesn't reduce obligations.

The System and Services Acquisition family requires organizations to document security functional requirements when acquiring systems or services, conduct risk assessments when engaging external service providers, and establish terms and conditions for information system services. Organizations must identify which security requirements will be satisfied by cloud providers vs. customer responsibility.

Cloud providers handling specified information must satisfy the same security requirements as would apply to on-premise systems—the cloud provider essentially acts as an extension of the organization's security program. Supply chain risk management requirements apply to cloud providers as critical suppliers.

Organizations must assess provider security capabilities, monitor provider security performance, and maintain oversight of provider security obligations. The key principle is that while cloud providers may implement many controls, the contracting organization retains responsibility for ensuring all requirements are met and specified information is protected.

Data Sovereignty and Jurisdiction

Data sovereignty is critical for specified information in cloud environments. Treasury Board policies generally require that Protected information remain under Canadian legal jurisdiction, meaning stored in Canada, processed by systems in Canada, and controlled by entities subject to Canadian law.

Cloud providers often operate globally with data potentially stored or processed in multiple countries including the United States or other foreign jurisdictions where different legal frameworks apply. Foreign governments might compel cloud providers to disclose data without Canadian legal process. Organizations must evaluate whether cloud services meet data sovereignty requirements.

Canada-based cloud regions offered by major providers (AWS Canada, Azure Canada, Google Cloud Montreal) provide Canadian infrastructure, but organizations must verify through contracts and configurations that data remains in Canadian regions exclusively and isn't replicated internationally.

Cloud providers should commit contractually to store and process specified information only in Canada and notify customers if legal demands for data disclosure arise. For highly sensitive specified information, organizations might need to use Canadian cloud providers exclusively rather than foreign providers with Canadian regions.

This is a complex area requiring legal review of specific contracts and cloud architectures—organizations should document sovereignty analysis and obtain legal concurrence before placing specified information in cloud services.

Cloud Provider Security Assessment

Organizations must assess cloud provider security capabilities before using them for specified information. The following aspects should be evaluated:

  • Provider certifications including ISO 27001, SOC 2 Type II, CSA STAR, and FedRAMP demonstrate independent validation of security programs—request current certification reports
  • Security documentation should be reviewed including security architecture, encryption implementations, access controls, incident response procedures, and disaster recovery capabilities
  • Contractual commitments regarding security obligations, customer rights to audit, breach notification timelines, and data return or destruction should be negotiated
  • Technical validation through vulnerability assessments or penetration testing may be limited by provider restrictions, but organizations should maximally exercise available validation rights
  • Customer references from other organizations using the provider for sensitive workloads provide insight into its security in practice
  • Ongoing monitoring of provider security includes reviewing provider security bulletins, tracking security incidents affecting the provider, and participating in provider security forums

Organizations should maintain relationship managers with cloud providers who can address security questions and facilitate security reviews. Level 2 CPCSC assessors will examine cloud provider assessments and expect documented analysis demonstrating providers satisfy security requirements.

Cloud Service Models and Security Implications

Different cloud service models have different security implications:

  • Infrastructure-as-a-Service (IaaS) like virtual machines and storage gives customers maximum control and responsibility—customers must harden operating systems, install security tools, manage patching, configure networks, and implement most security controls, with providers responsible mainly for physical security and infrastructure security
  • Platform-as-a-Service (PaaS) like database services or application platforms divides responsibility—providers handle more security including patching underlying infrastructure, while customers configure platform security settings and manage application security
  • Software-as-a-Service (SaaS) like Microsoft 365 or Salesforce means providers implement most security controls with customers responsible primarily for access management, data classification, and proper configuration of security features

Generally, IaaS provides most control but requires most security expertise and effort, while SaaS is simpler but provides less control and requires trusting provider security.

For specified information, IaaS may be preferable because it allows implementing required controls directly rather than depending entirely on provider implementations. Organizations should select service models appropriate to their security requirements, internal capabilities, and risk tolerance, documenting analysis of security responsibilities for each service used.

Cloud Configuration Security

A leading cause of cloud breaches is misconfiguration—cloud platforms are powerful but complex, and insecure defaults or configuration errors create vulnerabilities. Common misconfigurations include the following:

  • Overly permissive access controls allowing public internet access to resources that should be private
  • Failure to enable encryption for data at rest or in transit
  • Inadequate logging and monitoring missing security events
  • Excessive permissions granted to users or applications beyond what's needed
  • Security groups or firewalls too permissive allowing unnecessary network access
  • Unpatched instances running vulnerable software
  • Insecure API configurations

Organizations must implement cloud security posture management through the following approaches:

  • Cloud Security Posture Management (CSPM) tools that continuously scan cloud environments for misconfigurations and policy violations
  • Infrastructure-as-code that defines secure configurations programmatically rather than manual clicking in consoles
  • Automated compliance checks that verify configurations match security baselines
  • Regular security reviews of cloud architectures
  • Mandatory training for personnel configuring cloud services

Cloud providers offer native security assessment tools (AWS Security Hub, Azure Security Center, Google Security Command Center) that identify common issues—these should be deployed and findings remediated.
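
The "automated compliance checks that verify configurations match security baselines" described above can be reduced to a small policy-as-code program. The following Go program is an added example, not code from this page or from Plurilock: it takes a provider-neutral JSON inventory (the field names, the approved-region set and the sample inventory are all assumptions constructed for the example) and flags the misconfigurations listed above, including public storage, missing encryption at rest, missing access logging, management ports open to the internet and stale patching. It also applies the data-residency check from the sovereignty section, flagging any resource outside the approved Canadian regions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource is a minimal, provider-neutral view of one cloud asset. The field
// names are an assumption for this example; a real inventory would be exported
// from the provider's API or a CSPM tool and mapped into this shape.
type Resource struct {
	ID           string   `json:"id"`
	Type         string   `json:"type"` // bucket | volume | security_group | instance
	Region       string   `json:"region"`
	Public       bool     `json:"public"`
	Encrypted    bool     `json:"encrypted"`
	LoggingOn    bool     `json:"logging_on"`
	IngressCIDRs []string `json:"ingress_cidrs"`
	IngressPorts []int    `json:"ingress_ports"`
	PatchAgeDays int      `json:"patch_age_days"`
}

// Finding is one baseline violation attributed to a resource.
type Finding struct {
	ResourceID string
	Rule       string
	Detail     string
}

// Approved Canadian regions (assumption for the example; in practice this set
// comes from the organization's documented sovereignty analysis).
var approvedRegions = map[string]bool{
	"ca-central-1":            true, // AWS Canada (Central)
	"canadacentral":           true, // Azure Canada Central
	"northamerica-northeast1": true, // Google Cloud Montreal
}

// Ports that must never be reachable from the whole internet.
var managementPorts = map[int]bool{22: true, 3389: true, 3306: true, 5432: true}

// checkResource applies the baseline rules to a single resource.
func checkResource(r Resource) []Finding {
	var out []Finding
	add := func(rule, detail string) { out = append(out, Finding{r.ID, rule, detail}) }

	if !approvedRegions[r.Region] {
		add("DATA_RESIDENCY", "resource located outside approved Canadian regions: "+r.Region)
	}
	switch r.Type {
	case "bucket":
		if r.Public {
			add("PUBLIC_ACCESS", "storage reachable from the public internet")
		}
		if !r.Encrypted {
			add("NO_ENCRYPTION_AT_REST", "server-side encryption disabled")
		}
		if !r.LoggingOn {
			add("NO_ACCESS_LOGGING", "access logging disabled")
		}
	case "volume":
		if !r.Encrypted {
			add("NO_ENCRYPTION_AT_REST", "volume encryption disabled")
		}
	case "security_group":
		for _, cidr := range r.IngressCIDRs {
			if cidr != "0.0.0.0/0" && cidr != "::/0" {
				continue // only world-open rules are examined here
			}
			for _, port := range r.IngressPorts {
				if managementPorts[port] {
					add("OPEN_INGRESS", fmt.Sprintf("port %d open to %s", port, cidr))
				}
			}
		}
	case "instance":
		if r.PatchAgeDays > 30 {
			add("UNPATCHED", fmt.Sprintf("last patched %d days ago", r.PatchAgeDays))
		}
	}
	return out
}

// Evaluate parses a JSON inventory and returns every finding across it.
func Evaluate(inventoryJSON string) ([]Finding, error) {
	var inventory []Resource
	if err := json.Unmarshal([]byte(inventoryJSON), &inventory); err != nil {
		return nil, fmt.Errorf("parse inventory: %w", err)
	}
	var all []Finding
	for _, r := range inventory {
		all = append(all, checkResource(r)...)
	}
	return all, nil
}

// Summarize counts findings per rule, the figure a posture dashboard reports.
func Summarize(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Rule]++
	}
	return counts
}

// sampleInventory is constructed for this example, not data from any real account.
const sampleInventory = `[
  {"id": "specified-docs", "type": "bucket", "region": "ca-central-1",
   "public": true, "encrypted": false, "logging_on": false},
  {"id": "backups-replica", "type": "bucket", "region": "us-east-1",
   "public": false, "encrypted": true, "logging_on": true},
  {"id": "sg-admin", "type": "security_group", "region": "ca-central-1",
   "ingress_cidrs": ["0.0.0.0/0"], "ingress_ports": [22, 443, 3389]},
  {"id": "app-01", "type": "instance", "region": "ca-central-1", "patch_age_days": 45},
  {"id": "vol-db", "type": "volume", "region": "ca-central-1", "encrypted": true}
]`

func main() {
	findings, err := Evaluate(sampleInventory)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-22s %s\n", f.ResourceID, f.Rule, f.Detail)
	}
	fmt.Println(Summarize(findings))
}
```

Run against the sample inventory, the check reports seven findings: three on the public, unencrypted, unlogged bucket, one residency violation for the replica in us-east-1, two open management ports (443 is deliberately not flagged), and one stale instance. The same rules can be wired into an infrastructure-as-code pipeline so a violating change is rejected before it is applied rather than discovered afterwards.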

Encryption in Cloud Environments

Encryption is critical for protecting specified information in cloud environments. Organizations should implement the following encryption measures:

  • Encryption at rest protects data stored in cloud storage, databases, or virtual machine volumes from unauthorized access including by cloud provider personnel or adversaries who compromise infrastructure—use cloud provider encryption features or customer-managed encryption tools
  • Encryption in transit protects data as it moves between customer locations and cloud services or between cloud services—use TLS 1.2 or higher for all connections
  • Key management is crucial—organizations must decide whether to use cloud provider key management services or manage keys independently (customer-managed keys provide stronger control but more operational burden)
  • Customer-managed encryption keys mean that even cloud provider administrators cannot access data without customer involvement
  • Encryption of backups and snapshots ensures data remains protected even in archival storage
  • Envelope encryption techniques use data encryption keys to encrypt data and separate key encryption keys to encrypt the data encryption keys, with key encryption keys potentially stored outside the cloud environment for maximum security

Organizations handling highly sensitive specified information should implement defense-in-depth encryption including application-level encryption, database encryption, file system encryption, and network encryption to ensure data is protected even if one layer fails.
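
The envelope encryption and customer-managed key points above are easier to reason about with the key hierarchy in code. The following Go program is an added example, not code from this page or from Plurilock, and it uses only the standard library: a fresh data encryption key (DEK) is generated per object and used with AES-256-GCM, the DEK is then wrapped under a key encryption key (KEK) that in practice would be held in a customer-controlled KMS or HSM, and only the wrapped DEK is stored beside the ciphertext. The KEK identifier, function names and the sample record are assumptions constructed for the example. It also shows why the design matters operationally: rotating the KEK re-wraps the DEK without touching the bulk ciphertext, and a wrong or retired KEK fails authentication rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the stored form of one protected object: the data encrypted
// under a per-object DEK, plus that DEK encrypted ("wrapped") under the KEK.
// The KEK itself is never stored alongside the data.
type Envelope struct {
	KEKID      string // identifies which KEK version wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// newKey returns 32 random bytes, suitable as an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key and prepends the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key or any tampering fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt generates a fresh DEK for this object, encrypts the data under it,
// then wraps the DEK under the KEK. The KEK ID is bound as associated data so a
// wrapped DEK cannot be unwrapped under a mislabelled KEK version.
func Encrypt(kek []byte, kekID string, plaintext []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and then decrypts the data.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", env.KEKID, err)
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK. The bulk ciphertext is left
// untouched, which is what makes KEK rotation cheap under envelope encryption.
func RotateKEK(oldKEK, newKEK []byte, newID string, env Envelope) (Envelope, error) {
	dek, err := gcmOpen(oldKEK, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap DEK with %s: %w", env.KEKID, err)
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(newID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKID: newID, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek, _ := newKey() // in practice: held in a customer-controlled KMS or HSM
	env, err := Encrypt(kek, "kek-v1", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

In a deployment, the provider's storage service would hold the Envelope and the customer's key service would perform only the wrap and unwrap calls, so provider administrators see ciphertext and wrapped keys but never a usable DEK.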

Cloud Access Security Brokers (CASBs)

CASBs provide visibility and control over cloud service usage. They sit between users and cloud services, intercepting and analyzing traffic. CASB capabilities include the following:

  • Discovery of shadow IT cloud services being used without IT approval
  • Visibility into what data is being uploaded to cloud services
  • Data loss prevention to prevent uploading specified information to unauthorized cloud services or sharing it improperly
  • Threat protection detecting compromised accounts or malicious activity
  • Compliance monitoring enforcing organizational policies on cloud service usage
  • Encryption or tokenization of sensitive data before it reaches cloud services

CASBs can operate in different modes including inline proxy mode where all traffic flows through CASB, API-based mode connecting to cloud services via APIs for out-of-band monitoring, or hybrid combining both approaches.

For organizations using multiple cloud services for specified information, CASBs provide centralized security management and visibility that would be difficult to achieve through individual cloud service native security features. They're particularly valuable for SaaS security where customers have limited ability to implement controls within the SaaS application itself.

Cloud Incident Response and Forensics

Incident response in cloud environments requires different approaches than on-premise. Challenges include the following:

  • Limited access to underlying infrastructure for forensics
  • Ephemeral nature of cloud resources that may be terminated or automatically replaced
  • Distributed logging across multiple cloud services
  • Provider limitations on forensic imaging or low-level analysis

Organizations should develop cloud-specific incident response procedures including the following elements:

  • Pre-established relationships with cloud provider security teams
  • Knowledge of provider incident response support capabilities
  • Automated snapshot and logging retention before resources are terminated
  • Use of cloud-native forensic capabilities
  • Documentation of evidence collection procedures acceptable to cloud providers

Centralized log management that aggregates logs from all cloud services into an external SIEM ensures logs are preserved even if cloud resources are compromised or terminated. Cloud access and activity monitoring detects compromised accounts or unusual API usage.

Many cloud providers offer dedicated security incident response support—understand what's available and how to engage it. Organizations should practice incident response in cloud environments through tabletop exercises and simulations to identify gaps before real incidents occur.
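
The "cloud access and activity monitoring" described above is, in practice, a set of detections run over audit events after they have been normalized into the central log store. The following Go program is an added example, not code from this page or from Plurilock: the event schema, the approved-region set, the thresholds and the sample log lines are all assumptions constructed for the example. It reads newline-delimited JSON events and raises three alerts a CPCSC-oriented team would want from a SIEM: a console sign-in without MFA, a successful call that places resources in a region outside the approved Canadian set, and a burst of access-denied responses from one principal, which is a common early signal of compromised credentials or an over-privileged automation account probing beyond its role.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the normalized form an aggregation pipeline would produce from each
// provider's native audit log. The schema is an assumption for this example,
// not any provider's actual log format.
type Event struct {
	Time      string `json:"time"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	SourceIP  string `json:"source_ip"`
	Region    string `json:"region"`
	Result    string `json:"result"` // "ok" or "denied"
	MFA       bool   `json:"mfa"`
}

// Alert is one detection raised over the normalized events.
type Alert struct {
	Rule      string
	Principal string
	Detail    string
}

const (
	deniedThreshold = 5                // this many denied calls ...
	deniedWindow    = 10 * time.Minute // ... within this window trip the burst rule
)

// Regions where specified information may be placed (assumption for the example).
var approvedRegions = map[string]bool{"ca-central-1": true}

// Analyze runs the three detections over newline-delimited JSON events.
func Analyze(logLines string) ([]Alert, error) {
	var alerts []Alert
	denied := map[string][]time.Time{}

	sc := bufio.NewScanner(strings.NewReader(logLines))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("malformed event %q: %w", line, err)
		}
		ts, err := time.Parse(time.RFC3339, e.Time)
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		if e.Action == "ConsoleLogin" && e.Result == "ok" && !e.MFA {
			alerts = append(alerts, Alert{"CONSOLE_LOGIN_NO_MFA", e.Principal, "sign-in from " + e.SourceIP + " without MFA"})
		}
		if e.Result == "ok" && e.Region != "" && !approvedRegions[e.Region] {
			alerts = append(alerts, Alert{"UNAPPROVED_REGION", e.Principal, e.Action + " in " + e.Region})
		}
		if e.Result == "denied" {
			denied[e.Principal] = append(denied[e.Principal], ts)
		}
	}

	// Burst rule: sort each principal's denied timestamps (events from different
	// services arrive out of order) and slide a window of deniedThreshold events.
	principals := make([]string, 0, len(denied))
	for p := range denied {
		principals = append(principals, p)
	}
	sort.Strings(principals) // deterministic alert order
	for _, p := range principals {
		times := denied[p]
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		for i := 0; i+deniedThreshold-1 < len(times); i++ {
			if times[i+deniedThreshold-1].Sub(times[i]) <= deniedWindow {
				alerts = append(alerts, Alert{"ACCESS_DENIED_BURST", p,
					fmt.Sprintf("%d denied calls within %s starting %s", deniedThreshold, deniedWindow, times[i].Format(time.RFC3339))})
				break // one alert per principal is enough for triage
			}
		}
	}
	return alerts, nil
}

// sampleLog is constructed for this example, not captured from any real environment.
const sampleLog = `
{"time":"2024-03-01T10:00:00Z","principal":"svc-backup","action":"ListObjects","source_ip":"203.0.113.5","region":"ca-central-1","result":"ok","mfa":false}
{"time":"2024-03-01T10:01:00Z","principal":"svc-backup","action":"GetObject","source_ip":"203.0.113.5","region":"ca-central-1","result":"denied","mfa":false}
{"time":"2024-03-01T10:03:00Z","principal":"svc-backup","action":"GetObject","source_ip":"203.0.113.5","region":"ca-central-1","result":"denied","mfa":false}
{"time":"2024-03-01T10:02:00Z","principal":"svc-backup","action":"GetObject","source_ip":"203.0.113.5","region":"ca-central-1","result":"denied","mfa":false}
{"time":"2024-03-01T10:04:00Z","principal":"svc-backup","action":"GetObject","source_ip":"203.0.113.5","region":"ca-central-1","result":"denied","mfa":false}
{"time":"2024-03-01T10:05:00Z","principal":"svc-backup","action":"GetObject","source_ip":"203.0.113.5","region":"ca-central-1","result":"denied","mfa":false}
{"time":"2024-03-01T10:10:00Z","principal":"alice","action":"ConsoleLogin","source_ip":"198.51.100.7","region":"","result":"ok","mfa":false}
{"time":"2024-03-01T10:12:00Z","principal":"alice","action":"CreateBucket","source_ip":"198.51.100.7","region":"us-west-2","result":"ok","mfa":false}
{"time":"2024-03-01T10:15:00Z","principal":"bob","action":"ConsoleLogin","source_ip":"198.51.100.9","region":"","result":"ok","mfa":true}
{"time":"2024-03-01T10:16:00Z","principal":"bob","action":"PutObject","source_ip":"198.51.100.9","region":"ca-central-1","result":"ok","mfa":false}
`

func main() {
	alerts, err := Analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-22s %-12s %s\n", a.Rule, a.Principal, a.Detail)
	}
}
```

On the sample log this yields three alerts: alice's sign-in without MFA, alice's bucket creation in us-west-2, and the five denied calls from svc-backup within four minutes. Because the detections run on copies of the logs held outside the cloud account, they still fire if the account itself is compromised or the source resources have already been terminated.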

Hybrid and Multi-Cloud Security

Many organizations use hybrid architectures combining on-premise and cloud systems, or multi-cloud using multiple cloud providers. This increases complexity. Organizations should implement the following security measures:

  • Consistent security policies across environments prevent gaps where specified information might be less protected in one environment
  • Identity and access management that spans environments provides unified authentication and authorization
  • Network security architecture to securely connect environments without creating vulnerabilities
  • Unified monitoring and logging across all environments for security visibility
  • Data classification and protection that follows data regardless of location

Organizations should architect hybrid and multi-cloud environments intentionally with security considered upfront, rather than allowing organic growth that creates security inconsistency. Reference architectures, automated deployment templates, and strong governance help maintain security across complex multi-cloud environments.

Learn More

For additional information on cloud security requirements, consult these resources:

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Schedule a free consultation to plot a course toward CPCSC compliance.
