Security and privacy
Our public cloud landing zones meet B.C. government security and privacy standards. It’s your responsibility to ensure that your applications and data also meet these standards.
Landing zone guardrails
The B.C. government landing zones in AWS and Azure have built-in security guardrails to meet B.C. government privacy and security standards. These guardrails apply to all project sets and control which tools and services you can use in the public cloud. They also restrict where you can host data.
Understand the guardrails AWS and Azure use for security and compliance.
Data hosting location
Data and applications in the B.C. government landing zones in AWS and Azure must be hosted in Canadian data centres to comply with B.C. government security and privacy standards.
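To make the hosting-location guardrail concrete, the following is an added example of the kind of AWS service control policy (SCP) that keeps workloads in Canadian regions. It is illustrative only and is not the B.C. government landing zone's actual guardrail: the two Canadian regions and the list of global services exempted from the deny (AWS services that are not region-scoped would otherwise be blocked) are assumptions made for this example, as the statement ID indicates.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IllustrativeExampleDenyOutsideCanadianRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "budgets:*",
        "cloudfront:*",
        "route53:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["ca-central-1", "ca-west-1"]
        }
      }
    }
  ]
}
```

An SCP of this shape blocks API calls that target other regions, but it does not inspect what your application does with data once it is running: an S3 replication rule pointing at a bucket in another account, or a third-party service you integrate with, is outside its reach. Those paths are the application owner's responsibility and are the kind of thing a STRA is meant to surface.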
Security and privacy assessments
You must complete a Security Threat and Risk Assessment (STRA) and Privacy Impact Assessment (PIA) for each product you host in the public cloud. Check the Government of Canada's Cloud Service Catalogue for services that have been previously assessed to streamline your work. Services that have been assessed in the GC Cloud Service Catalogue meet B.C. government security standards.
If you use a service that has not been assessed in the Cloud Service Catalogue, you must complete a STRA and PIA with support from your ministry's security and privacy officers.
Our team has completed STRA and PIA assessments for the AWS and Azure landing zones. We also conduct regular security assessments to ensure these landing zones remain compliant with B.C. government standards. In partnership with OCIO's Cybersecurity and Digital Trust, we provide continuous security scanning and monitoring of the OCIO public cloud landing zones.
Ensure your applications and data meet B.C. government security and privacy standards. Every new project in the public cloud must have a STRA and PIA. Connect with our security and privacy teams at cloud.securityprivacy@gov.bc.ca for help with resources and related assessments.
Security tools in the public cloud
The B.C. government landing zones in AWS and Azure offer security tools to identify vulnerabilities, monitor threats and protect your applications. By using these pre-configured environments, you get enhanced security, compliance and automation, which lets your team focus on building and innovating on your projects.
Security tools for AWS users
When you use the B.C. government AWS landing zone, you get access to security tools to help monitor, manage and protect your workloads. AWS Security Hub is included by default. Other tools are paid for separately.
- AWS Security Hub. Helps keep your cloud environment secure by spotting potential security issues, checking your configuration against best practices and fixing some problems automatically
- AWS Key Management Service (AWS KMS). Creates, manages and controls the cryptographic keys used to encrypt and decrypt sensitive information across your applications and AWS services
- AWS Secrets Manager. Manages, retrieves and rotates database credentials, Application Programming Interface (API) keys and other secrets throughout their lifecycles
- AWS Certificate Manager (ACM). Provisions, manages and deploys public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM removes the time-consuming manual process of purchasing, uploading and renewing SSL/TLS certificates
- Amazon CloudWatch. Collects and visualizes real-time logs, metrics and event data in automated dashboards to streamline your infrastructure and application maintenance
- AWS CloudTrail. Monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis and remediation actions
- AWS WAF. A web application firewall that protects against common web exploits and bots that can affect availability, compromise security or consume excessive resources
- Amazon Detective. Simplifies security investigations and helps security teams conduct faster and more effective examinations. With Amazon Detective's prebuilt data aggregations, summaries and context, you can quickly analyze and determine the nature and extent of possible security issues
Security tools for Azure users
The B.C. government Azure landing zone includes Microsoft Defender for Cloud. This provides you with continuous security assessments, proactive threat detection and centralized security management. All other tools are paid for separately.
- Microsoft Defender for Cloud. Provides continuous assessment, threat detection and security management for Azure resources and hybrid environments
- Azure Key Vault. Securely stores and manages cryptographic keys, secrets and certificates used by applications
- Azure Monitor. Collects, analyses and acts on telemetry data from cloud and on-premises environments to optimize performance and security
- Azure Activity Log. Tracks and records control-plane events and changes across Azure resources. This provides visibility into who accessed what and when
- Azure Web Application Firewall (WAF). Protects web applications from SQL injection, cross-site scripting and other vulnerabilities by filtering and monitoring HTTP requests
- Microsoft Sentinel (formerly Azure Sentinel). Delivers security analytics and threat detection through a cloud-native security information and event management (SIEM) platform