Cloud Usage Profiles

A summary of the different types of cloud usage is outlined in the description of the profile in the table below:

Ref #	Profile	Characteristics	Applicable Service Model	Connection Type
1	Experimentation/Sandbox	Cloud-based services used for experimentation/sandbox No direct system to system network interconnections required with GC data centers	IaaS, PaaS, SaaS	Type 1 - EIS/IIS
2	Non-sensitive cloud-based services	Cloud-based services hosting non-sensitive GC content No direct system to system network interconnections required with GC data centers	IaaS, PaaS, SaaS	Type 1 - EIS/IIS
3	Sensitive (up to PB) cloud-based services	Cloud-based services hosting sensitive (up to Protected B) information No direct system to system network interconnections required with GC data centers	IaaS, PaaS, SaaS	Type 1 - EIS/IIS
4	Sensitive (up to PB) cloud-based services for GC-wide SaaS Solutions	Cloud-based services hosting sensitive (up to Protected B) information for GC-wide enterprise applications (SaaS) No direct system to system network interconnections required with GC data centers	SaaS	Type 2 - IXP
5	GC to GC only (Hybrid IT - extension of GC Data Centers)	Hybrid IT environment with an extension of GC network to cloud-based virtual private cloud (up to Protected B) information GC cloud-based systems required to interact with systems in GC data centers Restricted environment to GC users only No external user connections to/from GC cloud-based virtual private cloud and no publicly accessible services	IaaS, PaaS	Type 3 - CXP
6	Cloud-based services with External user access and interconnection to GC data centers	Cloud-based services hosting sensitive (up to Protected B) information GC cloud-based systems required to interact with systems in GC data centers Environment accessible for both GC users and External users and services Solution implemented, managed and operated by a GC department/agency	IaaS, PaaS	Type 3 - CXP

Applicability of Guardrails to Cloud Usage Profiles

The following table outlines the applicability of the guardrails to the cloud usage profiles.

ID	Cloud Guardrails	Applicable Service Model	Profile 1 - Experimentation/Sandbox	Profile 2 - Non-sensitive cloud-based services	Profile 3 - Sensitive (up to PB) cloud-based services	Profile 4-Sensitive (up to PB) cloud-based services for GC-wide SaaS solutions	Profile 5 - GC to GC only (Hybrid IT- Extension of GC Data Centers)	Profile 6 - Cloud-based Service Accessible to External users (Connections to GC Data centers required)
01	Protect root / global admins account	IaaS, PaaS, SaaS	Required	Required	Required	Required	Required	Required
02	Management of administrative privileges	IaaS, PaaS, SaaS	Required	Required	Required	Required	Required	Required
03	Cloud console access	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
04	Enterprise monitoring accounts	IaaS, PaaS, SaaS	Required (for billing)	Required	Required	Required	Required	Required
05	Data location	IaaS, PaaS, SaaS	Recommended	Recommended	Required (in Canada for GC storage of PB and above)	Required (in Canada for GC storage of PB and above)	Required (in Canada for GC storage of PB and above)	Required (in Canada for GC storage of PB and above)
06	Protection of data-at-rest	IaaS, PaaS, SaaS	Not Required	Recommended	Required	Required	Required	Required
07	Protection of data-in-transit	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
08	Segment and separate	IaaS, PaaS	Required (network filtering at a minimum)	Required	Required	Required	Required	Required
09	Network security services	IaaS, PaaS, SaaS	Recommended	Required	Required	Required (Restrict to GC only)	Required (Deny External Access policy - GC only)	Required
10	Cyber defense services	IaaS, PaaS, SaaS	Not Required	Required	Required	Required	Required	Required
11	Logging and monitoring	IaaS, PaaS, SaaS	Recommended	Required	Required	Required	Required	Required
12	Configuration of cloud marketplaces	IaaS, PaaS, SaaS	Required	Required	Required	Required	Required	Required