
Meet Canadian Compliance Requirements With Protected B Landing Zone

  • aster.cloud
  • April 21, 2022
  • 4 minute read

The Canadian government’s security guidance for cloud environments outlines a standardized set of security controls to protect data and workloads in the cloud. The security guidance, known as the Security Control Profile for Cloud-based GC Services, also outlines security controls and profiles from a different publication, the IT Security Risk Management: A Lifecycle Approach (ITSG-33).

The ITSG-33 publication has made Protected B Medium Integrity Medium Availability (PBMM) a key compliance measure for the Canadian government and crown corporations.



As part of our commitment to serving the Canadian government with the security capabilities and controls they need, we’ve developed a set of open-source recommendations that map Google Cloud capabilities and security settings to Canadian Protected B regulatory requirements to help our customers place their sensitive data in the cloud. With the Google Cloud landing zones, we’re helping to ensure Canada has the easy-to-administer, cost-effective, and more secure cloud environment needed for your biggest projects.

Cloud environments built for Canada

Google Cloud’s Protected B landing zones are a set of codified recommendations focused on establishing Google Cloud projects, Identity and Access Management (IAM), networking, naming schemes, and security settings in line with regulatory requirements and best practices. Using these as a baseline, Canadian public sector customers are better positioned to quickly meet their compliance requirements.

Google Cloud has published a Terraform-based Infrastructure-as-Code (IaC) template on GitHub to ensure the foundational settings, policies, and folder structures are correctly configured in alignment with Annex 4A – Profile 1 (PBMM and ITSG-33).

Codified, built-in security

Landing zones enable a secure environment that is quick to deploy, easy to administer, and provides cost savings for organizations. To make our templates easily understandable, we’ve selected the open-source infrastructure-agnostic IaC tooling provided by HashiCorp’s Terraform. Terraform gives organizations the flexibility to adopt a DevSecOps methodology within their infrastructure. It also provides a security foundation by allowing the IaC to be modified, versioned, change controlled, and automatically provisioned.


The template and instructions on how to use landing zones can be found on GitHub.

Included security controls

There are effectively three different types of security controls described in ITSG-33 documentation:

  • Technical security controls implemented using technology, such as firewalls.
  • Operational security controls implemented using human processes, such as manual procedures.
  • Management security controls focused on the management of IT security and IT security risks.

Within the landing zone template, we’ve focused on controls that can be represented via code. Addressed controls fall into these primary families:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

 

How it works

The landing zone deployment phases

 

To deploy the landing zone, a user with Organizational Administrator privileges will need access to a shell terminal with the Google Cloud (gcloud) CLI, JSON Query (jq) and Terraform installed (which can be done in Google Cloud’s integrated terminal, Cloud Shell). As part of the initial bootstrap script, a single project will be created. This Google Cloud project will be used to set up the landing zone core infrastructure, network infrastructure, automated pipeline, code repository, logging and bunkering aggregation capabilities, and security policies via infrastructure as code automation. After deployment completes, workloads can be deployed in alignment with IT and regulatory policies. This can include leveraging the Cloud Build & Cloud Source Repo (CICD) pipeline established as part of the landing zone bootstrapping.


Several Terraform modules are used to establish the required controls for meeting PBMM requirements:

Landing Zone Modules 

 

The landing zone can be applied with either a Google Cloud organizational node (default and illustrated below), or with a folder as the root node of the landing zone.

Organizational Structure

 

 

 

How to deploy it

  • Have a shell environment with the required prerequisites installed (Cloud Shell can be used for this)
  • Clone repo from https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding
  • Update the relevant .auto.tfvars files as indicated in the README.MD file within the repo
  • From bash, run the bootstrap.sh script from the environments/bootstrap/ directory. The script will prompt for the domain and user that will be deploying the bootstrap resources.
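A preflight check for the steps above, as an added example that is not part of the original article or of the pbmm-on-gcp-onboarding repository. The tool names and the `environments/bootstrap/bootstrap.sh` path come from the steps; the function names are hypothetical, and the `.auto.tfvars` search covers the whole checkout because the article does not say where those files live.

```shell
#!/bin/sh
# Added example: preflight before running the landing zone bootstrap.
# Function names are hypothetical; tool names and paths are from the article.

# Print each required CLI that is not on PATH; return how many are missing.
missing_tools() {
    missing=0
    for tool in gcloud jq terraform; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'missing tool: %s\n' "$tool"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Check a local clone: bootstrap.sh must exist under environments/bootstrap/,
# and the .auto.tfvars files are listed so each one can be reviewed first.
check_checkout() {
    repo_dir=$1
    problems=0
    if [ ! -f "$repo_dir/environments/bootstrap/bootstrap.sh" ]; then
        printf 'not found: environments/bootstrap/bootstrap.sh\n'
        problems=$((problems + 1))
    fi
    tfvars=$(find "$repo_dir" -type f -name '*.auto.tfvars' 2>/dev/null)
    if [ -z "$tfvars" ]; then
        printf 'no .auto.tfvars files found in %s\n' "$repo_dir"
        problems=$((problems + 1))
    else
        printf 'review these before bootstrapping:\n%s\n' "$tfvars"
    fi
    return "$problems"
}

# Return 0 only when every tool is present and the checkout looks complete.
preflight() {
    rc=0
    missing_tools || rc=1
    check_checkout "$1" || rc=1
    return "$rc"
}

# Usage: preflight /path/to/local/clone
```

A non-zero status from `preflight` means the bootstrap script should not be started yet; the printed lines name what is missing.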

Committed to serving Canada

Our landing zone template extends our existing 30-day Guardrails created to meet Canadian Centre for Cyber Security (CCCS) requirements, allowing organizations to have a compliant landing area for production workloads quickly. Visit the Terraform-based Infrastructure-as-Code (IaC) template on GitHub for more detailed deployment instructions and to learn more about meeting CCCS requirements.

 


References:

  • Government of Canada Levels of security
  • Government of Canada Security Control Profile for Cloud-based GC services
  • IT Security Risk Management Lifecycle Approach (ITSG-33)
  • Annex 4A – Profile 1 – (PROTECTED B / Medium Integrity / Medium Availability) (ITSG-33)
  • Terraform.io
  • Cloud-ready in Under 30 Days: accelerate safe and efficient Cloud onboarding with guardrails from Google Cloud
  • GC Cloud Guardrails Checks for Google Cloud Platform (GitHub)
  • PBMM on GCP Onboarding (GitHub)

 

 

By: Mike Craigen (Customer Engineer, Public Sector, Google Cloud)
Source: Google Cloud Blog

