1. CYBER AND IT SECURITY
DEVICE SECURITY – SESSION #2
Architecture Framework Advisory Committee
September 8, 2014
2. Agenda
TIME | TOPICS | PRESENTERS
9:00 – 9:15 | Opening Remarks | Shirley Ivan, Acting Chair
9:15 – 10:00 | Cyber and IT Security Transformation Framework & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
10:00 – 10:45 | Device Security Approach & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
10:45 – 11:00 | Health Break |
11:00 – 11:45 | Cloud Security Strategy & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
11:45 – 12:00 | Closing Remarks; Next Meeting: October 27 | Shirley Ivan, Acting Chair
3. Objective for Today
• Present the way forward for the Cyber and IT Security
Transformation Framework and the Device Security Approach
based on what Shared Services Canada (SSC) heard during
session #1 of this topic at the Architecture Framework
Advisory Committee (AFAC) meeting of July 7, 2014
• Seek feedback on Cloud Security Strategy
• Discussion period and next steps
4. Cyber and IT Security Transformation
PDRR Framework
5. What SSC Heard from AFAC
PREVENTION:
• Should include risk management
• Include IT Security policies and standards in the system/application development
domain
• Qualify the “Business Continuity and Emergency Management” to make clear that it
addresses the planning, while the execution would be in Detect, Respond or
Recovery
• IT Security Standard and Policies will continuously evolve due to threat changes
DETECTION:
• Proposal to add behavioural analysis as a contributor towards detection; it could
be included under “behavioural”.
RESPONSE & RECOVERY:
• Implement automated responses to incidents as often as possible, when
technologies and/or situations allow
• Leverage real-time intelligence from other government departments, national and
international partners and industry
6. What SSC Heard from AFAC Continued
OTHER FEEDBACK:
• Manage security as “an ever changing and evolving” service to support a
constantly changing threat landscape
• Develop metrics to measure progress and a well-performing environment
• “Network centric to data centric” raises the need to look at “location
awareness – geo-fencing”
• The data-centric model raises a requirement for data encryption
• Recognize that there will be “breaches” – leverage containment
• Consider the micro-segmentation approach
• Data access and multi-tenancy have a dependency on identity
management
8. Proposed Way Forward
• Use the PDRR as the initial framework; a detailed draft document is to
be developed.
• Develop performance indicators and metrics
• Continue consulting the industry
• Update framework annually
9. Questions
1. Does the framework cover all necessary cyber and IT
security functions and related aspects?
2. Is there any additional input/feedback on the proposed
framework?
11. What SSC Heard from AFAC
Device Security Transformation
In Scope:
• Devices – data centre (DC) and
workplace technology devices (WTD)
• 94 departments and agencies across
the Government of Canada (GC)
Out of Scope:
• Perimeter, network and data security
Data Centric Security
Cloud and Mobile
12. What SSC Heard from AFAC
• Address “legacy” requirements separately from “end state”
• De-couple procurements for DC and WTD as their security requirements are different
• Security continuously evolving to meet endlessly changing landscape
• Transition from network to data centric approach
• Cloud Security increases requirements for data encryption
• Build a centralised public key infrastructure (PKI)/certificate authorities
• Leverage “location based” data access (e.g. no Protected B in a public zone)
• Develop and enforce hardening and standards
• Metrics are crucial – defines how success is measured
• Look into behavioural security analysis for advanced attack detection
• Investigate sandbox and isolation techniques (micro-segmentation)
13. Revised Device Security Strategy
• Address legacy requirements by leveraging existing
procurement vehicles
• De-couple data centre and WTD device security strategy
efforts
• Develop a Cloud Security Strategy
• Holistic approach across IT Security domains
• Integrate Security services & strategies
• Data Centric Approach
• Continue consulting industry
14. Question
1. Is there any additional input/feedback to ensure that the
functions described are adequately addressed for legacy
and enterprise services?
16. Security Principles
• Trusted equipment and services through supply chain integrity
• Security by design to ensure that all aspects of security are addressed as part
of design, balancing service, security and savings
• Gradual transition from a network-based security model to data-centric security
model - apply security controls as close to the data as practical
• Privileged access to data will be maintained and multi-tenancy will be built into
systems where data owned by one partner cannot be seen by another partner
or by unauthorised individuals
• Security breaches in one part of the infrastructure are quickly detected and
contained without spreading to other parts of the infrastructure
• Maintain and improve the security posture as part of moving to enterprise
services (i.e., don’t reduce security).
17. Data States in the Government of Canada Cloud
[Diagram: locations of Data In Transit, Data In Use (DIU) and Data In Storage (DIS) across the following labelled areas: Government of Canada Domain (Unclassified/Protected A/Protected B), Data Centre Domain (Data Centre 1 … Data Centre n), Distributed Computing Environment Domain, Workplace Technology Devices, LAN, GC Perimeter, Telecom Domain, Outsourced Domain, Vendor, Private Cloud, Uncontrolled Domain]
N.B. GFE = Government Furnished Equipment
18. Technical Security Services within the Cloud
[Diagram: the technical security services (1. Infrastructure Protection Services; 2. Data Protection Services; 3. Privilege Management Services; 4. Security Monitoring & Security Management Services; 5. ICAM – End User) placed across the following labelled areas: Government of Canada Domain (Unclassified/Protected A/Protected B), Data Centre Domain (Data Centre 1 … Data Centre n), Distributed Computing Environment Domain, Workplace Technology Devices, LAN, GC Perimeter, Telecom Domain, Outsourced Domain, Vendor, Private Cloud, Uncontrolled Domain]
19. Technical Security Services
• Technical Security Services (TSS) divided into five groupings,
as follows:
1. Infrastructure protection services
2. Data protection services
3. Privilege management services
4. Security monitoring services
5. Identity, credential and access management services (ICAM)
and previously discussed with AFAC members
20. TSS 1: Infrastructure Protection Services
• Prevent and detect unauthorized access, misuse,
modification, and denial of service attacks
• Establish the required boundary that divides the trusted from
the untrusted
• Perimeter/border defense services
• Intrusion detection and prevention services
• Wired/wireless protection services
• Content management services
• Anti-virus/malware services
• End point management services
21. TSS 2: Data Protection Services
• Manage and safeguard information when being used, stored
and transmitted
• Data lifecycle management, including the backup, archiving
and restoration of data
• Apply controls when critical data is leaving the environment
via data loss prevention (DLP) technologies
• Data encryption (in-storage and in-transit)
• Encryption keys and their management
22. TSS 3: Privilege Management Services
• Manage the administrative privileges pertaining to identity,
credential and access within the SSC domain, including
Partner administrators
• This service is distinct from, but highly aligned with the
ICAM, which has a Government of Canada (GC) scope for
end users
• Enforce the concept of ensuring that the right people or systems
have the right access to the right resources at the right time for
the right reasons; this can also be used to enforce privacy
23. TSS 4: Security Monitoring Services
• Track, collate and analyze network and system events in order
to identify threats/breaches and issue alerts
• Security Information and Event Monitoring (SIEM) software
• Event logging/audit service
• Threat and vulnerability management services
24. Questions
1. What additional principles should be considered for a GC
cloud security?
2. Do the technical service groupings adequately cover all
aspects of IT and data security?
3. Are there other models and/or groupings that could be
leveraged?
4. To ensure adequate security posture of the GC infrastructure
services, are there additional considerations that the GC
should consider as part of cloud security strategy?
5. Understanding that the security services will be composed of
multiple vendors’ suites, what considerations should SSC
take in developing the service definitions and specifications?