Access to modern technology is essential to departments responsible for protecting Canadians and defending national interests. However, the current digital policies Canadian government departments use to enforce compliance standards have resulted in the building of “digital fortresses.” Also known as “government clouds,” these “fortresses” allow only data, applications, and devices within a specific network perimeter to be protected and monitored. Unfortunately, as department leaders have sent their employees home to work because of COVID-19, there is no longer a firm perimeter inside which all activity can occur.
In addition, this approach doesn’t fully address the risks that frequently exist inside the network. Traditional security practices have led to security protocols that mimic these fortress walls. The walls may meet compliance standards, but they don’t necessarily achieve better security, nor do they allow agencies to gain the maximum benefit of modern, cloud-based tools.
“Agencies should be able to interface with the public cloud and have access to all the latest and greatest capabilities—features, security, performance, scale, availability, and support—and not have to give up those compliance capabilities that you’re looking for.” –Chris Johnson, Global Compliance Product Lead, Google Cloud
The promise of government clouds is that they could offer more security, but they are often run in specialized data centers that lag behind the latest developments in cybersecurity. “This impacts the government’s access to critical new technologies, whether that’s data analytics, AI, machine learning, or even the next generation of security protections,” explained Jeanette Manfra, Senior Director for Risk and Compliance at Google Cloud, in a recent conversation on public sector compliance with Chris Johnson, Google Cloud Global Compliance Product Lead.[1] “Cloud environments built like this are isolated fortresses. It’s rigid. It’s not optimized for constant modernization,” said Manfra. This fortress method no longer provides the security it once did, nor does it provide the modern agility that government departments need.
A Better Way: The Zero Trust Approach
More than 10 years ago, Google made zero trust the standard for the entire company with our BeyondCorp single sign-on solution.[2] BeyondCorp allows for single sign-on, access control policies, access proxy, and user- and device-based authentication and authorization. The goal with BeyondCorp was simple but vast: every single employee should have the capability to work securely, no matter their location or network. To achieve this, we designed security systems where the location of the network no longer has any additional value as a defence.[3]
At the core of a zero trust approach is the idea that implicit trust in any single component of a complex, interconnected system can create significant security risks. Instead, trust needs to be established via multiple mechanisms and continuously verified. Zero trust effectively removes the requirement of a security perimeter because it doesn’t automatically assume those who are able to gain access to the inside are trusted. By checking every connection and device every time, we’re able to be more flexible while avoiding insider threats. For government departments, this is a tremendous benefit: insider threats can be more damaging than outside attacks.[4]
Compliance without Compromise
“For most major cloud providers, the only option to offer services that are compliant with government [compliance] standards is to create a separate government cloud for any government contact,” says Manfra. This means there are few data centers and many of these have administrative access issues and support problems. At Google Cloud, and for Canada in particular, we’re able to work with stringent public sector compliance requirements without compromising on the best parts of the commercial cloud with our Guardrails, Landing Zones, and Assured Workloads solutions:
- Guardrails — The Government of Canada has set guardrails for government organizations utilizing cloud services for their workloads. They are considered an essential part of data security for organizations looking to host infrastructure-as-a-service (IaaS), software-as-a-service (SaaS), or platform-as-a-service (PaaS) workloads in the cloud. Google Cloud’s GC Cloud guardrails solution allows government departments to move to the cloud, ensuring security measures are in place before onboarding begins, including implementing a preliminary baseline set of controls within cloud-based environments and providing data validation tools.
- Landing Zones — Landing Zones entail a broader set of ITSG-33 controls than guardrails. They allow for projects based on data with a Protected-B classification to move from ideation to production. Again, Google Cloud has built out an automated deployment and verification process that will shorten the time to get from start to Security Assessment and Authorization (SA&A) approved deployments.[5],[6]
- Assured Workloads — Assured Workloads, essentially an extension of the Landing Zones, allows you to confidently configure storage of and access to sensitive data from the Google Cloud Console to meet compliance requirements. It enables agencies to choose security settings while we put the cloud controls in place. Assured Workloads can meet stringent compliance standards without compromising on the best parts of the commercial cloud. This includes giving departments full control of where their data is stored and processed and ensuring any Google Cloud support personnel you work with also meet compliance standards.
Minimizing Misconfiguration Errors
Misconfiguration problems are a common source of security breaches for agencies. To remedy this, we’ve designed Assured Workloads to simplify the configuration process, allowing for fewer user errors. “It’s easy for agencies to feel that if they just use the government cloud configuration, they’re compliant and secure. This, however, is a dangerous assumption to make,” says Johnson. “A lot of work needs to go into securing, making sure the environment is compliant.”[7] Assured Workloads doesn’t eliminate the need to do that work. Instead, it simplifies the process into steps, which reduces the risk. This simplified experience increases security and decreases the risk of running compliant workloads at scale.
Shared Fate, Secure Outcomes
At Google, we’re moving from shared responsibility to shared fate. We want our customers to understand the risks of moving to the cloud and how we’re mitigating them, rather than relying on the simple, transactional nature of shared responsibility. Shared fate means investing in our customers’ success. Guardrails, Landing Zones, and Assured Workloads are helping us with that investment by reducing both the cost and risk of running compliant workloads in a public cloud environment.
For more information on how Google Cloud can help the Canadian public sector modernize its compliance, visit our Canada Public Sector Solutions page: g.co/cloud/pscanada.
[1] Prieto, D., Manfra, J. (2021, March 30). How Google Cloud can help the Public Sector embrace zero trust, https://cloud.google.com/blog/topics/public-sector/how-google-cloud-can-help-public-sector-embrace-zero-trust.
[2] BeyondCorp Zero Trust Enterprise, https://cloud.google.com/beyondcorp.
[3] Prieto, D., Manfra, J. (2021, March 30). How Google Cloud can help the Public Sector embrace zero trust, https://cloud.google.com/blog/topics/public-sector/how-google-cloud-can-help-public-sector-embrace-zero-trust.
[4] Goldstein, J. (2020, July 16). What Are Insider Threats and How Can You Mitigate Them?, securityintelligence.com.
[5] Vergadia, P., Holmes, W. (2020, September 29). Highway to the landing zone: Google Cloud migration made easy, https://cloud.google.com/blog/topics/developers-practitioners/google-cloud-migration-made-easy.
[6] Reed, J. (2021, August 3). Get in Sync: Consistent Kubernetes with new Anthos Config Management features, https://cloud.google.com/blog/products/containers-kubernetes/anthos-config-management-config-controller-available-on-gke.
[7] Prieto, D., Manfra, J. (2021, March 30). How Google Cloud can help the Public Sector embrace zero trust, https://cloud.google.com/blog/topics/public-sector/how-google-cloud-can-help-public-sector-embrace-zero-trust.