How Government of Canada Shared Services can utilize Amazon Public Cloud

Canadian Government Shared Services standards envision inclusion and usage of public Cloud providers like Amazon Web Services in Government infrastructure. Government documents ( IT Shared Services Security Domain & Zones Architecture document ) specify that standard and guidelines contained in this document should be transposable to the use of similar shared services offered through a public cloud provider under contract to the GC.

We will have a look at how specific Canadian Government requirements can be easily, comprehensively and immediately addressed by superb Amazon Web Services infrastructure. We will start by looking at Canadian Government requirements from more generic guidelines to very specific, detailed specification and describe  corresponding AWS features.

Above mentioned document specifies that:

A security domain is an environment or context that includes a set of resources and a set of entities that have the right to access the resources as defined by a common security policy and administered by a single authority. 

A network security zone is a networking environment with a well-defined boundary, a Network Security Zone Authority, and a standard level of susceptibility to network threats. The concept of network security zones is generally applied during the implementation of a security domain as a way to satisfy some of the domain policy requirements.

Shared Services involvement with departmental IT is at various levels of engagement – from providing email service  to complete set of data center services ( network, storage, application, database ). In Cloud parlance intent is for Shared Services to provide IaaS, PaaS and SaaS services to internal clients.

Dedicated IT on  above picture would be government departmental IT organization. Hosting provider is Shared Services ( or Public Cloud provider like Amazon Web Services, under contract to Government of Canada ).

Network security zone as defined by Government of Canada is easily implemented by ready-made, available on demand, scalable Amazon Virtual Private Centre. Customer’s  Network on picture below would be Government Agency Departmental IT which can extend into AWS using Amazon VPC feature.

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. With Amazon VPC, you can define a virtual network topology that closely resembles a traditional network that you might operate in your own datacenter. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Government standards envision that:

The client may also require (and have control over the configuration of) perimeters between the tiers of the application architecture (e.g. between their application RZ -restricted zone and their database RZ). 

Amazon Web Services Multi-Tier Security Architecture is configurable to limit access between tiers. You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

IT Shared Services

Security Domain & Zones



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: