Afac device-security-july-7-2014v7-2


Shared Services Canada’s Architectural Framework Advisory Committee launched industry consultations on its IT Security Program.

Published in: Technology

  1. CYBER AND IT SECURITY
     Architecture Framework Advisory Committee Meeting
     SESSION 1, JULY 7, 2014
  2. Agenda (Time: Topic; Presenters)
     • 9:00 – 9:10: Opening Remarks; Benoît Long, Chair
     • 9:10 – 9:30: Cyber and IT Security Transformation; Raj Thuppal
     • 9:30 – 10:15: Discussion Period; Moderator: Chair, Participants: All
     • 10:15 – 10:30: Health Break
     • 10:30 – 11:50: Device Security Presentation & Discussion Period; Raj Thuppal, Moderator: Chair, Participants: All
     • 11:50 – 12:00: Closing Remarks; Benoît Long, Chair
  3. Objective for Today
     • Setting the Context on Shared Services Canada Cyber and IT Security Program
     • Proposed Device Security Plan for an enterprise procurement scope
     • Seek Feedback and Input
     • Questions/Discussion
  4. Context: Transforming the Government of Canada
     Today
     • Complex Government of Canada (GC) IT Infrastructure
     • IT Security as an “add-on”
     • Reactive, Slow & Siloed Response to Cyber Threats
     Future
     • Rationalized, Standardized and Consolidated
     • IT Security Integrated into the Design
     • Coordinated Proactive Rapid Response & Recovery
     Cyber and other IT security threats are constantly evolving and on-going effort is required to keep up.
  5. Cyber and IT Security Transformation
     • IT Security controls based on ITSG-33 (Technical, Operational and Management) incorporated as part of end to end IT service management of target state GC IT Services
     • IT security controls established based on domain security control profile, context and GC threat assessment and IT risk management
     • Standardized, consolidated and transformed Cyber and IT Security Services
     [Diagram: IT Security Current State versus IT Security Target State. Labels: Dept …, GCNet, Data in Use, Data at Rest, Data in Transit, Back office Apps, Consolidated Back office Apps, Mission Specific Apps, Multiple Identities, Multiple ICAMs, Unified ICAM, Multiple Access Controls, Multiple SOCs, Standardized SOC, Multiple Network Security Controls, Unified Network Security, Multiple Device Security, Unified Device Security, Fragmented SIEMs, Unified SIEM]
  6. Cyber and IT Security Framework
     • Aligned to Canada’s Cyber Security Strategy (CCSS)
     • Security built-in as part of end-to-end service design
     • Partnership with Treasury Board Secretariat (TBS), Communications Security Establishment (CSE) Canada and Public Safety
     SSC is mandated to protect the infrastructure and associated data in transit, storage, and use.
     [Diagram labels: INFRASTRUCTURE & DATA; OPERATE, EVOLVE, TRANSFORM]
  7. Conceptual End State (updated July 2013)
     Service Management
     • ITIL ITSM Framework
     • Standardized Service Levels/Availability Levels
     • Inclusive of Scientific and special purpose computing
     • Standardized Application and Infrastructure Lifecycle Management
     • Smart Evergreening
     • Full redundancy – within data centres, between pairs, across sites
     Enterprise Security
     • All departments share one Operational Zone
     • Domains and Zones where required
     • Classified information below Top Secret
     • Balance security and consolidation
     • Consolidated, controlled, secure perimeters
     • Certified and Accredited infrastructure
     Business Intent
     • Business to Government
     • Government to Government
     • Citizens to Government
     Consolidation Principles
     1. As few data centres as possible
     2. Locations determined objectively for the long term
     3. Several levels of resiliency and availability (establish in pairs)
     4. Scalable and flexible infrastructure
     5. Infrastructure transformed; not “fork-lifted” from old to new
     6. Separate application development environment
     7. Standard platforms which meet common requirements (no re-architecting of applications)
     8. Build in security from the beginning
     Application Migration
     • Standard platforms and product versions
     • Migration guidance
     • Committed timeline for product evolution
     Application Service Levels: Standard, Enhanced, Mission Critical
     [Diagram labels:
     Virtualized Platforms: Sys. z App / DB Containers (z/OS); x86 Web / App / DB Containers (Windows); x86 Web / App / DB Containers (Linux); Any Special Purpose / Grid / HPC Operating System.
     Virtualized Storage: SAN, NAS; On-line Tier 1, Tier 2, Near-line Tier 3, Off-line / Backup, Archive.
     Virtualized Services: IP PBX, App., Email, V.Conf. Bridge, Web, File/Print, Database, Th.Client VDI.
     Network: Data Centre Core Network, WAN Node, Domains & Zones, Internet PoP, GCNet (3,580 buildings), Regional Carriers, International Carriers, Regional WAN Accelerators, Public Cloud Services, Virtual Private Cloud, Internet (B2G, C2G, G2G), Workload Mobility, Enterprise Security, GC Private Domain.
     Callouts: Several, highly-secure Internet access points; Stand-alone centre for GC super-computing (HPC) – e.g. Weather.
     Environments: Development (Dev1, Dev2); Production (Prod1: S A B; Prod2: S B U; Prod3: B U U; Prod4: C U U); HPC (Sci1).
     Legend: Classified Data: Confidential (C), Secret (S); Protected Data: Protected A (A), Protected B (B), Protected C (C).]
  8. GC Data Classification (Policy on Government Security (PGS))
     Classified (National Interest & Security)
     • Top Secret: Extremely Grave Injury – e.g., widespread loss of life, loss of continuity of government, etc.
     • Secret: Serious injury – e.g., political tension (int’l or fed-prov.), damage to critical infrastructure, civil disorder, etc.
     • Confidential: Injury – e.g., damage to relations (e.g. public, industry, diplomatic, etc.), limited loss of public confidence, etc.
     Designated (Corporate or Personal Interest)
     • Protected C: Extremely Grave Injury – e.g., serious physical injury/loss of life, financial loss affecting viability, etc.
     • Protected B: Serious injury – e.g., substantial duress to individuals, loss of competitive advantage, etc.
     • Protected A: Injury – e.g., inconvenience, damage to Departmental relationships, degradation of public confidence
     Unclassified
     • Non-Sensitive Information (Requires Integrity & Availability)
     Caveats
     • Official: CEO (Canadian Eyes Only)
     • Unofficial: For Official Use Only (FOUO)
  9. Cyber and IT Security Functions
     PREVENTION
     • Trusted infrastructure products and services through supply chain integrity
     • Cyber and IT Security Policies and Standards
     • Security awareness and training
     • Infrastructure Protection Services
     • Data Protection Services
     • Identity, Credentials and Access Management Services
     • Secret Infrastructure Service
     • Business Continuity and Emergency Management
     DETECTION
     • Coordination of GC-wide monitoring, detection, identification, prioritization, and reporting of IT Security incidents
     • Automated, real-time threat monitoring, security information and event management and analysis
     • Log analysis and investigations
     • Security Assessment
     • Vulnerability assessments
     RESPONSE
     • GC-wide coordination and remediation of IT security incidents
     • Threat assessment and situational reporting
     • Coordination and distribution of GC product alerts, warnings, advisories
     • Forensics
     • Software integrity through security configuration or replacement
     • Infrastructure integrity through configuration or replacement
     RECOVERY
     • Highly specialized IT security incident recovery services
     • Mitigation advice and guidance
     • Vulnerability Remediation
     • Post Incident Analysis
  10. Transformation Principles
      • Trusted equipment and services through supply chain integrity
      • Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings
      • Gradual transition from a network-based security model to data-centric security model
      • Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals
      • Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure
      • Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).
  11. Question
      1. Do the Cyber and IT Security Framework, transformation principles and associated functions sufficiently address the Cyber and IT Security challenges associated with moving from department-specific networks to a cloud infrastructure?
  12. Device Security
  13. AFAC Consultation Roadmap
      AFAC INPUT
      • Recommendations for Strategic Questions
      • Guiding Principles/Best Practices
      • Experience/Case Studies
      • Risks/Success Factors
      Formal Industry Engagement
      • Meetings
      • Demos
      • Written Submissions
      [Diagram labels: STRATEGY; KEY ACTIVITIES 2014–15; Common Requirements/Service Strategy; Service Bundles and Delivery Model; Licensing models and Solutions; End-state Service Strategy; Enterprise Software Procurement; Functional Direction; July 7; TBD]
  14. Device Security Defined
      What is Device Security?
      • Device security refers to the protection of Government of Canada (GC) devices that are used to store and process data through the use of various information technology (IT) safeguard services.
      What GC Devices are we looking to Protect?
      • Backend devices (Data Server Infrastructure)
      • Frontend devices (Traditional personal computers, laptops, Thin-Clients/Virtual Deployments)
      • Mobile Devices (Smartphones, Tablets)
      • ~569,000 devices (~100,000 data centre devices, ~469,000 workplace technology devices)
      Why do we need Device Security?
      • Safeguard GC devices and data from various forms of malware and intrusion
      • Maintain the confidentiality, integrity and availability of infrastructure information assets
  15. Strategic Context
      • Enhance security services required to mitigate evolving threats
      • Support for security service integration with new cloud and mobile technologies
      • Support Treasury Board’s IT Policy Implementation Notice (ITPIN) implementation regarding the secure use of portable data storage devices within the Government of Canada
      • Lack of an enterprise procurement vehicle for device security software
      • Renewal of existing device security software licenses to maintain operations (e.g. Keeping the Lights On)
      • Multiple disparate device security solutions and policy application
      • Standardization to drive efficiencies and cost savings across the GC
      [Diagram labels: Increase Security, Improve Service, Generate Savings]
  16. Proposed Device Security Services
      Security Service: Description
      • Antivirus: Protective software designed to defend your computer against malicious software (viruses)
      • Antispyware: Software that controls advertisements (called adware) or software that tracks personal or sensitive information
      • Host Intrusion Detection / Prevention Systems: Software package which monitors a single host for suspicious activity by analyzing events occurring
      • Data Loss Prevention: Network/endpoint services that control what data end users can transfer in/out of the network
      • Application Firewall: Firewall which controls input, output and/or access from, to, or by an application or service
      • Application Whitelisting: Software programs that operate up to the Application Layer of the OSI Model; and protect the integrity of the system by filtering the requests for application-based information.
      • Encryption: A technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people.
      Questions:
      1. Are all essential functions covered? Should other functions be considered?
      2. Should these functions be bundled separately or combined?
  17. Device Security Strategy
      Current-State: Distributed
      • Multiple disparate management systems and products/technologies across depts.
      • Network-Centric Security
      End-State: Centralized
      • Reduced management infrastructure leveraging SSC Community Cloud
      • Data-Centric Security
      Questions:
      1. Should the same service set be used for both the legacy environment and the new SSC enterprise cloud service?
      2. Given vendor specific signatures, should multi-vendor procurement be considered?
      3. Should the scope of the procurement cover both data center devices and workplace technology devices?
  18. Other questions?
  19. Security Frameworks: PDRR & PPSI Models (Aligned with NIST Framework)
      • Technical, physical, personnel, management and other security controls to proactively protect the confidentiality, integrity and availability of information and IT assets
      • Continuous monitoring of systems to rapidly detect IT incidents after or as they occur
      • Corrective controls to respond to IT incidents and to exchange incident-related information with designated lead departments in a timely fashion
      • Corrective controls to restore essential capabilities within agreed time constraints and availability requirements in a manner that preserves the integrity of evidence
      • Competencies, roles & responsibilities, culture, org. chart, and capacity
      • Supply Chain Integrity, Security Assessment & Authorization, Security-by-Design, IT Service Management
      • Privilege Management Infrastructure (PMI), GC Secret Infrastructure (GCSI), Network and Device Security, Security Operations Centre (SOC)
      • Policies and instruments, information repository, Approved Security Products List (ASPL)
      [Diagram labels: INFRASTRUCTURE & DATA; Governance, Risk Management, Compliance (GRC)]
  20. GC ESA Focus Areas
      ESA Focus Areas help to:
      • Manage the complex problem space
      • Promote a defense-in-depth layered security approach
      • Consider both technical and non-technical aspects
      [Diagram labels: Awareness & Training; Physical Security; Security in Contracting; Personnel Security; Business Continuity; Strengthen Defensive Capabilities; Consolidation; Standardization; Transformation; Modernization; End User Device Security; Compute and Storage Services Security; Network and Communications Security; Security Operations; Policy and Compliance Monitoring; Application Security; Data Security; Identity, Credential and Access Management]