/ Gouvernement du Canada

Search

Network Security Services

Objective

Establish external and internal network perimeters and monitor network traffic.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity	Validation
<ul><li>EEnsure that egress and ingress points to and from GC cloud-based environments are managed and monitored.</li></ul>	<ul><li>Confirm the policy for limiting the number of public Internet Protocols (IPs).</li></ul>
<ul><li>Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy.</li></ul>	<ul><li>Confirm the policy for network boundary protection.</li></ul>
<ul><li>Perimeter security services, such as boundary protection, intrusion prevention services, proxy services and TLS traffic inspection, must be enabled based on risk profile according to GC secure connectivity requirements and CSE guidance.</li></ul>	<ul><li>Confirm policy for limiting to authorized source IP addresses (for example, GC IP addresses).</li></ul>
<ul><li>Ensure that access to cloud storage services is protected and restricted to authorized security zones or networks, users, and services.</li></ul>	<ul><li>Confirm that storage accounts are not exposed to the public.</li></ul>

Additional Considerations

Activity	Validation
<ul><li>Use centrally provisioned network security services where available.</li></ul>	<ul><li>Confirm whether the department is intending to establish dedicated and secure connections to on-premise resources.</li></ul>

References

Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsection 6.2.4
Cyber Centre’s top 10 IT security actions, number 1
network security zoning guidance in Baseline Security Requirements for Network Security Zones (ITSP.80.022) and Network Security Zoning (ITSG-38)
Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.3

AC-3, AC‑4, SC‑7, SC‑7(5), SI-4, SI-4(18)

Page details

Date modified: