Cloud shared security responsibility model
This site replaces the former Compute Canada documentation site, and is now being managed by the Digital Research Alliance of Canada.
Canada’s advanced research computing environment includes several cloud platforms for research. This document’s purpose is to describe the responsibilities of the cloud team who administers our cloud platforms; the responsibilities of the many research teams who use these platforms; and shared responsibilities between both. Security in the cloud is the responsibility of the research teams. Security of the cloud is the responsibility of our cloud support team.
Research team responsibilities: Security in the cloud
Research teams are responsible for the following:
- implementing security controls to protect the confidentiality, integrity, and availability of their research data;
- installing, configuring, and managing their virtual machines, as well as their operating systems, services and applications;
- applying updates and security patches on a timely basis;
- configuring security group rules that limit the services exposed to the Internet;
- implementing and testing backup and recovery procedures;
- ensuring the principle of least privilege is followed when granting access.
Cloud team responsibilities: Security of the cloud
The cloud support team is responsible for the following:
- protecting our cloud platforms;
- configuring and managing these compute, storage, database, and networking capabilities;
- applying updates and security patches applicable to the cloud platform on a timely basis;
- ensuring the environmental and physical security of the cloud infrastructure.
Our cloud support team does not support or manage virtual machines. However, if a virtual machine is adversely impacting others, it may be shut down and locked by the team. In these cases, the research team may be asked to provide remediation plans before access to the virtual machine is restored. This is so that others are protected.
If you have any questions about this model, please contact firstname.lastname@example.org.
For more information please see the following resources: