What is the Cloud? (DDN1-A02)

Description

This article explores the basics of cloud technology, the differences between cloud and data-centre servers, incentives for cloud migration, and tips for choosing a cloud provider.

Published: June 30, 2020 (Updated: June 25, 2026)
Type: Article
Contributor: Digital Academy



What is Cloud?

In a technology context, when most people hear the phrase “in the cloud,” they think of photos syncing between phones or documents saved to an online drive. But for the Government of Canada (GC), the cloud represents something much bigger: a fundamental shift in how public services are designed, secured, delivered and funded. Cloud computing is an important part of modern digital government, but is not always the default solution. It also represents a financial and operational shift. Instead of buying and owning information technology systems (capital spending), departments increasingly rent computing services (operating spending). This means that:

  • costs are no longer upfront and fixed, but ongoing and variable
  • spending must be monitored continuously, not just annually
  • departments reduce technical debt (outdated hardware and software), since the infrastructure is regularly updated by providers

Cloud computing is widely used across many sectors. According to the Telus Canadian Cloud Security Study, more than half of Canadian organizational data is already stored in the cloud.

Yet the cloud also brings risks. In the past year, 89% of Canadian organizations experienced at least one cloud security incident, with human error, known vulnerabilities, and misconfigurations topping the list of causes.

Understanding how cloud computing works and where our responsibilities lie is essential for protecting sensitive information. This article outlines the implications of cloud security for the public service, providing the knowledge needed to navigate cloud basics, benefits, and responsibilities confidently.

What is cloud computing?

Cloud computing is the delivery of information technology (IT) services (software, storage, databases, applications) over the internet. A simple way to understand this notion is to think of cloud computing as renting instead of owning.

Traditional on-premise IT

Traditionally, the GC hosted its systems on servers it owned and operated in facilities. It purchased the hardware, maintained the server room, and handled every patch and upgrade with internal staff. This is much like owning a building, where you must maintain the roof, fix the plumbing, shovel the driveway, and upgrade the wiring.

Cloud IT

With cloud computing, the GC doesn't own the building or the equipment. Instead, it rents computer power, storage, and software from commercial cloud service providers (CSPs) like Amazon Web Services, Microsoft Azure, and Google Cloud.
The provider manages the infrastructure, but the GC remains responsible for how services are configured, how data is handled, and who has access.

Why does cloud knowledge matter?

The cloud is one of several tools the GC can use to support modern digital services. People in Canada increasingly expect government services to be convenient, reliable, timely and secure. They also expect public funds to be managed responsibly.

Meeting these expectations depends on choosing the right tools and hosting approaches for each situation. In some cases, that may include cloud computing. In other cases, it may involve on-premise systems, hybrid environments or other technology choices.

Even if employees never configure systems or work directly with cloud technology, having a basic understanding of how cloud computing works is increasingly important. Most of us are already using cloud services every day in our personal lives when we stream movies, shop online, scroll through social media, or do our banking. In our professional lives we're also using cloud services to collaborate with colleagues, access tools, store and share documents, attend virtual meetings, manage workflows and deliver digital services.

Understanding the basics of cloud computing helps employees better understand how modern systems are designed, delivered and maintained. Services like passport processing, employment insurance, tax filings, and health benefit approvals rely on a combination of technologies and infrastructure choices, which may include cloud computing, on-premise systems, or hybrid environments.

Regardless of the roles of employees in an organization, cloud literacy helps them:

  • understand how digital services are supported
  • recognize security and privacy responsibilities
  • make informed decisions about how tools are used
  • understand when cloud computing may or may not be appropriate
  • support better, risk-informed decisions

As cloud services often involve ongoing, usage-based costs, this awareness also supports more responsible and efficient use of public resources.

Figure 1 – Text version

Four stacked cards summarize key cloud security considerations. The first card shows a shield and lock icon for data security and privacy, noting that departments remain accountable for protecting information in the cloud. The second shows a person and laptop with a warning icon on it; it exemplifies human error, such as oversharing, weak access controls, and unapproved tools. The third shows a Canada map and database icon for data residency and sovereignty, noting that some workloads must stay in Canada or under Canadian legal jurisdiction. The fourth shows people with a shield icon for protecting citizen trust through secure practices.

Why and when to use the cloud?

The cloud offers important advantages, but it is not always the best fit. The goal is not to move everything to the cloud, but to choose the right environment for each situation.

When appropriate, the cloud enables the GC to:

  • access ready-built technology and services instead of building from scratch
  • reduce implementation timelines
  • scale services quickly during high demand
  • use modern practices like DevOps to improve speed and quality
  • benefit from standardized, continuously updated platforms
  • enable cost optimisation through more efficient use of platform services

In plainer terms, it means departments can focus more on delivering services and less on managing infrastructure.

When the cloud may not be the best fit

In some cases, other hosting options may be more appropriate because of:

  • systems with strict controls or security requirements
  • legacy systems that are difficult to migrate
  • situations where costs are more predictable with existing infrastructure
  • operational needs requiring full control over environments

How the cloud actually works


Under the hood, cloud services are powered by massive data centres, which are warehouse-sized facilities filled with thousands of servers. These data centres are located around the world, including in Canada.

When the GC uses the cloud:

  • applications run on servers hosted by third-party cloud service providers (CSPs)
  • data is stored in their cloud-based databases
  • the CSP manages the physical components of the network, firewalls, and infrastructure, while the GC focuses on the software and virtual components
  • users can access services through their browser, as they would with most web applications

Example: The cloud as a warehouse

Think of the cloud as a professionally managed warehouse. The GC rents locked storage units (the physical equivalent of virtual machines, storage buckets and databases), but staff still need to label boxes properly, lock them, and decide who can access what. The warehouse provider ensures the building is secure and has alarms, fire suppression, climate control, and guards. But the GC remains responsible for what it puts inside the unit. This is the basis of the shared responsibility model, which we'll revisit shortly.

Cloud deployment models: Where is the cloud located?

Cloud environments come in different forms depending on security needs, costs, and operational requirements. According to GC security guidance, departments must choose the right model based on the sensitivity of the information.

  • A public cloud is a cloud service that any organization can use once its security has been reviewed and approved. The physical infrastructure is fully managed outside the organization, and physical resources are securely shared among private companies, non-profits and individuals.
  • A private cloud is designed for a single organization. In this model, the Government of Canada is the sole user of the cloud. Private clouds can be hosted either on government premises or off site, and they can be managed by the government or a trusted third party. This model gives the government more control over its infrastructure and computing resources.
  • A community cloud is a shared cloud environment used by several organizations with common privacy, security, or regulatory needs. It can be managed by one of the organizations or by a third party and may be hosted on or off premises. This type of cloud allows organizations with similar requirements to share infrastructure and costs, although it is less commonly used in government.
  • A hybrid cloud combines different types of clouds with varying levels of security. This model lets organizations take advantage of multiple service providers and choose the most efficient and secure option for each specific business need.

Cloud service models

The National Institute of Standards and Technology defines three types of cloud service models: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).

Note that these are useful conceptual models; they do not always reflect how services are offered in practice. Many cloud services combine elements of multiple models.

Figure 2 – Text version

Shared responsibility chart showing which cloud layers are managed by a government department and which are managed by the cloud service provider.

On premise:
Department manages: Access and permissions, security settings, data, applications, operating system, servers and hardware, storage, networking and physical infrastructure
CSP manages: Nothing

IaaS:
Department manages: Access and permissions, security settings, data, applications, operating system
CSP manages: Servers and hardware, storage, networking and physical infrastructure

PaaS:
Department manages: Access and permissions, security settings, data, applications
CSP manages: Operating system, servers and hardware, storage, networking and physical infrastructure

SaaS:
Department manages: Access and permissions, security settings, data
CSP manages: Applications, operating system, servers and hardware, storage, networking and physical infrastructure

Infrastructure as a service (IaaS)

Infrastructure as a service provides basic computing resources like processing power, storage, and networking. The CSP manages the underlying physical infrastructure like the data centre, physical servers and hardware. The department manages what sits on top of that infrastructure.

In this model:

  • The CSP manages the physical infrastructure.
  • The department configures and manages the operating system, applications and many security controls.
  • The department has more flexibility, but also more responsibility for maintenance, updates and configuration.

Example: virtual machines, load balancers, networks, public internet protocol addresses.

Think of it like leasing land with an empty building on it. The structure is there, but the department is responsible for designing the inside, installing the systems, setting up rooms, securing access and maintaining how the space is used.

Platform as a service (PaaS)

Platform as a service provides a managed environment where departments can build, deploy or run applications without managing the underlying servers, operating systems, storage or networking infrastructure. With PaaS, the cloud service provider manages the technical foundation. The department focuses on the application, data, configuration, access, security settings and how the service is used.

  • The CSP manages the infrastructure and platform.
  • The department manages the application, data, access and configuration.
  • The department has less infrastructure maintenance, but is still responsible for security, privacy, identity, data management and application design.

Example: managed databases, application hosting platforms, managed storage accounts.

Think of it like leasing a building that already has usable rooms, electricity, plumbing and core systems in place. The department does not need to build or maintain those features, but it still decides how the space is used, who has access, what is stored there and how it is configured.

Software as a service (SaaS)

Software as a service provides ready-to-use applications hosted and managed by the cloud service provider. With SaaS, the department usually accesses the service through a web browser or an application. The cloud service provider manages the infrastructure, platform and application. The department is still responsible for how the service is configured and used, including user access, information management, privacy, security settings and data handling.

  • The CSP manages the infrastructure, platform and application.
  • The department manages users, permissions, configuration and how information is used.
  • The department has less technical maintenance, but is still responsible for governance, security and appropriate use.

Example: GC-wide tools like Microsoft 365, Slack, DocuSign, Dropbox, Salesforce.

Think of it like leasing a furnished office or apartment that is ready to use. The space, furniture and basic services are already provided, but the department still decides who can enter, how the space is used and what information is kept there.

Rather than focusing only on the service model, departments should focus on understanding who is responsible for what. Each model changes the balance of responsibility between the cloud service provider and the department.

How does the GC choose a cloud provider?

The GC does not simply pick the most popular or cheapest vendor. Instead, it begins by determining the most appropriate hosting solution based on business needs, security requirements, and value. Due to strict security, privacy, and compliance requirements, this process is not carried out by individual programs alone. Departments work closely with their chief information officer and follow government-wide strategies and frameworks.

The strategy: choosing the right environment

The 2024 Application Hosting Strategy emphasizes a right workload, right environment approach, moving away from a cloud-first mindset.

Using the GC Hosting Services Portal, departments evaluate applications based on:

  • public cloud
  • private cloud
  • hybrid environments
  • traditional on-premise infrastructure

The goal is to ensure that each solution provides the best overall value and risk profile, and not simply to default to cloud computing.

The security: securing the chosen solution

Once a hosting solution is chosen, the GC Cloud Security Risk Management Approach, managed by the Canadian Centre for Cyber Security, ensures the platform meets strict requirements before use.

Cloud environments operate under a shared responsibility model. Cloud service providers are responsible for the security of the cloud (for example, physical infrastructure, physical security and network security). GC departments are responsible for security in the cloud (for example, access controls, secure configuration, auditing and logging, network access rules, monitoring, incident response, patching and vulnerability management). Even when using cloud services, government departments remain accountable for protecting their data and ensuring proper configuration.
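
The split between department and provider, worked through with the layers listed in the Figure 2 text version. This is an added example, not part of the original article or of any GC tool; the function names and the sample findings are constructed for illustration.

```python
# Added illustration (not from the original article). Layer names and the
# department/CSP split come from the Figure 2 text version; function names
# and sample findings are constructed for this example.

# Layers from Figure 2, ordered from the top of the stack to the bottom.
LAYERS = [
    "access and permissions",
    "security settings",
    "data",
    "applications",
    "operating system",
    "servers and hardware",
    "storage",
    "networking and physical infrastructure",
]

# How many layers, counted from the top, the department manages per model.
DEPARTMENT_DEPTH = {"on premise": 8, "iaas": 5, "paas": 4, "saas": 3}


def department_layers(model):
    """Return the layers the department manages under the given model."""
    return LAYERS[:DEPARTMENT_DEPTH[model.lower()]]


def owner(model, layer):
    """Return 'department' or 'csp' for one layer under one model."""
    if layer not in LAYERS:
        raise ValueError(f"unknown layer: {layer!r}")
    return "department" if layer in department_layers(model) else "csp"


def handed_to_csp(old_model, new_model):
    """Layers the department stops managing when moving between models."""
    keep = department_layers(new_model)
    return [layer for layer in department_layers(old_model) if layer not in keep]


def always_department():
    """Layers that stay with the department under every model."""
    return [layer for layer in LAYERS
            if all(layer in department_layers(m) for m in DEPARTMENT_DEPTH)]


def triage(findings):
    """Split (model, layer, description) findings by who must act on them."""
    queues = {"department": [], "csp": []}
    for model, layer, description in findings:
        queues[owner(model, layer)].append(description)
    return queues


# Constructed sample findings, for illustration only.
SAMPLE_FINDINGS = [
    ("saas", "access and permissions", "document shared with anyone who has the link"),
    ("iaas", "operating system", "virtual machine missing security patches"),
    ("paas", "operating system", "host patch level of managed database"),
    ("iaas", "security settings", "storage logging disabled"),
]
```

Whatever the model, `always_department()` returns the same three layers, which is why a move to SaaS does not remove a department's accountability for access, security settings and data.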

How the GC protects its autonomy

While full digital autonomy is not realistic in a globally connected environment, the Government of Canada applies a range of measures to mitigate the risks that affect its sovereignty. These controls ensure that Canadian data and systems remain under federal authority and can operate reliably despite global dependencies.

Procurement controls: the GC uses law and policy to set the rules for how providers handle our data. It uses standardized contracts that force service providers to follow Canadian privacy and security laws. This ensures that the Crown (meaning, the federal government) is always the one legally accountable for the data, not the company providing the hardware. The government is working on even stronger contract language to protect against deplatforming (where a provider suddenly cuts off service) and to ensure that data remains private even as artificial intelligence technology evolves.

Supply controls: the goal here is to avoid putting all the eggs in one basket. To avoid over-reliance on a single vendor and ensure service continuity, the GC manages its supply chain by diversifying its supplier base, and applying consistent security and integrity standards. The GC vets every supplier through security assessments and promotes the use of open standards to support interoperability. The GC is focused on improving its backup plans to ensure that if a global provider fails, it has alternate paths to maintain operations.

Technical controls: these are the digital locks that keep information safe and systems running. The GC uses secure system designs, encryption to protect data whether it is being stored or sent over the internet, and continuous monitoring to detect and respond to incidents. To further reduce reliance on proprietary technologies, the GC is exploring vendor-neutral formats and controlled environments, and preparing for future challenges, like quantum computing, by evolving its encryption standards to ensure long-term data security.

Protecting Canada's autonomy in the cloud

In a world where digital systems are globally interconnected, the GC must ensure it can operate independently and securely. This broader concept is known as digital sovereignty, the capacity to exercise autonomy over digital assets, regardless of where the technology is developed or hosted. For a detailed overview, consult the Digital Sovereignty: A Framework to improve digital readiness of the Government of Canada. It ensures that the GC can maintain operational resilience, system integrity, and institutional control over its entire digital landscape.

These considerations apply across all hosting models.

Key risks and challenges associated with sovereignty

  • Dependencies in technology supply chains can be used by foreign governments as leverage against Canada.
  • Technology services are frequently provided by a small number of global companies. This creates concentration risk, where a change in a vendor's service or a geopolitical event could interrupt government operations.
  • Increased reliance on external providers can make it more challenging for the GC to maintain the in-house expertise needed to design, manage and secure its own systems.

Conclusion

The evolution of hosting in the GC is not about moving everything to the cloud, but about making informed, risk-based decisions about where and how systems should operate. Cloud computing introduces new opportunities for speed, scalability, and innovation, while also changing how technology is funded, managed, and secured. It allows access to ready-built solutions and modern practices, but it must be used where it provides clear value.

In many cases, using the cloud could be the right choice. In other cases, on-premise or hybrid solutions may be more appropriate. The goal is to select the option that best meets business needs, security requirements, and long-term sustainability. Understanding how hosting decisions are made, including when cloud hosting is and is not appropriate, helps ensure that digital services remain reliable, secure, and aligned with public expectations.

Cloud computing is a powerful tool, but it is informed decision-making, strong governance, and everyday practices that ultimately protect the integrity of Government of Canada systems and maintain the trust of the people they serve.
