
Meet Canadian Compliance Requirements With Protected B Landing Zone

  • aster.cloud
  • April 21, 2022

The Canadian government’s security guidance for cloud environments outlines a standardized set of security controls to protect data and workloads in the cloud. The security guidance, known as the Security Control Profile for Cloud-based GC Services, also outlines security controls and profiles from a different publication, the IT Security Risk Management: A Lifecycle Approach (ITSG-33).

The ITSG-33 publication has made Protected B Medium Integrity Medium Availability (PBMM) a key compliance measure for the Canadian government and crown corporations.



As part of our commitment to serving the Canadian government with the security capabilities and controls they need, we’ve developed a set of open-source recommendations that map Google Cloud capabilities and security settings to Canadian Protected B regulatory requirements to help our customers place their sensitive data in the cloud. With the Google Cloud landing zones, we’re helping to ensure Canada has the easy-to-administer, cost-effective, and more secure cloud environment needed for your biggest projects.

Cloud environments built for Canada

Google Cloud’s Protected B landing zones are a set of codified recommendations focused on establishing Google Cloud projects, Identity and Access Management (IAM), networking, naming schemes, and security settings in line with regulatory requirements and best practices. Using these as a baseline, Canadian public sector customers are better positioned to quickly meet their compliance requirements.

Google Cloud has published a Terraform-based Infrastructure-as-Code (IaC) template on GitHub to ensure the foundational settings, policies, and folder structures are correctly configured in alignment with the Annex 4A – Profile 1 (PBMM and ITSG-33).

Codified, built-in security

Landing zones enable a secure environment that is quick to deploy, easy to administer, and provides cost savings for organizations. To make our templates easily understandable, we’ve selected the open-source infrastructure-agnostic IaC tooling provided by HashiCorp’s Terraform. Terraform gives organizations the flexibility to adopt a DevSecOps methodology within their infrastructure. It also provides a security foundation by allowing the IaC to be modified, versioned, change controlled, and automatically provisioned.


The template and instructions on how to use landing zones can be found on GitHub.

Included security controls

There are effectively three different types of security controls described in ITSG-33 documentation:

  • Technical security controls implemented using technology, such as firewalls.
  • Operational security controls implemented using human processes, such as manual procedures.
  • Management security controls focused on the management of IT security and IT security risks.

Within the landing zone template, we’ve focused on controls that can be represented via code. Addressed controls fall into these primary families:

  • Access Control (AC)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

 

How it works

The landing zone deployment phases

 

To deploy the landing zone, a user with Organizational Administrator privileges will need access to a shell terminal with the Google Cloud (gcloud) CLI, JSON Query (jq) and Terraform installed (which can be done in Google Cloud’s integrated terminal, Cloud Shell). As part of the initial bootstrap script, a single project will be created. This Google Cloud project will be used to set up the landing zone core infrastructure, network infrastructure, automated pipeline, code repository, logging and bunkering aggregation capabilities, and security policies via infrastructure as code automation. After deployment completes, workloads can be deployed in alignment with IT and regulatory policies. This can include leveraging the Cloud Build & Cloud Source Repo (CICD) pipeline established as part of the landing zone bootstrapping.


Several Terraform modules are used to establish the required controls for meeting PBMM requirements:

Landing Zone Modules 

 

The landing zone can be applied with either a Google Cloud organizational node (default and illustrated below), or with a folder as the root node of the landing zone.

Organizational Structure

 

 

 

How to deploy it

  • Have a shell environment with the required prerequisites installed (Cloud Shell can be used for this)
  • Clone repo from https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding
  • Update the relevant .auto.tfvars files as indicated in the README.MD file within the repo
  • From bash, run the bootstrap.sh script from the environments/bootstrap/ directory. The script will prompt for the domain and user that will be deploying the bootstrap resources.
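
A preflight for the steps above, as an added example that is not part of the pbmm-on-gcp-onboarding repository: it checks the three prerequisite CLIs, confirms the clone contains environments/bootstrap/bootstrap.sh, and lists the .auto.tfvars files to review before the script is run with administrator privileges. The function names and exit codes are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the pbmm-on-gcp-onboarding repo): preflight checks
# for the deployment steps listed above. Function names are hypothetical.

# Print each required CLI that is not on PATH; non-zero status if any is missing.
missing_tools() {
  _status=0
  for _tool in gcloud jq terraform; do
    if ! command -v "$_tool" >/dev/null 2>&1; then
      echo "$_tool"
      _status=1
    fi
  done
  return "$_status"
}

# Confirm the clone contains the bootstrap script, then list every
# .auto.tfvars file so each one can be reviewed against README.MD.
check_repo() {
  _script="$1/environments/bootstrap/bootstrap.sh"
  if [ ! -f "$_script" ]; then
    echo "not found: $_script" >&2
    return 1
  fi
  find "$1" -type f -name '*.auto.tfvars' | sort
}

# Run all checks; the exit status tells the caller which one failed.
preflight() {
  if ! _gone="$(missing_tools)"; then
    echo "install before continuing:" $_gone >&2
    return 2
  fi
  _tfvars="$(check_repo "$1")" || return 3
  if [ -z "$_tfvars" ]; then
    echo "no .auto.tfvars files under $1" >&2
    return 4
  fi
  echo "Review these files before running bootstrap.sh:"
  echo "$_tfvars"
  # bootstrap.sh runs with this identity's privileges, so show it explicitly.
  echo "Active gcloud account: $(gcloud config get-value account 2>/dev/null)"
}

# Usage: ./preflight.sh /path/to/pbmm-on-gcp-onboarding
if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```
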

Committed to serving Canada

Our landing zone template builds on our existing 30-day Guardrails created to meet Canadian Centre for Cyber Security requirements, allowing organizations to have a compliant landing area for production workloads quickly. Visit the Terraform-based Infrastructure-as-Code (IaC) template on GitHub for more detailed deployment instructions and to learn more about meeting CCCS requirements.

 


References:

  • Government of Canada Levels of security
  • Government of Canada Security Control Profile for Cloud-based GC services
  • IT Security Risk Management Lifecycle Approach (ITSG-33)
  • Annex 4A – Profile 1 – (PROTECTED B / Medium Integrity / Medium Availability) (ITSG-33)
  • Terraform.io
  • Cloud-ready in Under 30 Days: accelerate safe and efficient Cloud onboarding with guardrails from Google Cloud
  • GC Cloud Guardrails Checks for Google Cloud Platform (GitHub)
  • PBMM on GCP Onboarding (GitHub)

 

 

By: Mike Craigen (Customer Engineer, Public Sector, Google Cloud)
Source: Google Cloud Blog

