CYBER AND IT SECURITY 
DEVICE SECURITY – SESSION #2 
Architecture Framework Advisory Committee 
September 8, 2014 
1
Agenda
TIME | TOPICS | PRESENTERS
9:00 – 9:15 | Opening Remarks | Shirley Ivan, Acting Chair
9:15 – 10:00 | Cyber and IT Security Transformation Framework & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
10:00 – 10:45 | Device Security Approach & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
10:45 – 11:00 | Health Break |
11:00 – 11:45 | Cloud Security Strategy & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
11:45 – 12:00 | Closing Remarks; Next Meeting: October 27 | Shirley Ivan, Acting Chair
2
Objective for Today 
• Present the way forward for the Cyber and IT Security 
Transformation Framework and the Device Security Approach 
based on what Shared Services Canada (SSC) heard during 
session #1 of this topic at the Architecture Framework 
Advisory Committee (AFAC) meeting of July 7, 2014 
• Seek feedback on Cloud Security Strategy 
• Discussion period and next steps 
3
Cyber and IT Security Transformation 
PDRR Framework 
4
What SSC Heard from AFAC 
PREVENTION: 
• Should include risk management 
• Include IT Security policies and standards into the system/application development 
domain 
• Qualify the “Business Continuity and Emergency Management” to be clear that it
addresses the planning, while the execution would be in Detect, Respond or
Recovery
• IT Security Standard and Policies will continuously evolve due to threat changes 
DETECTION: 
• Proposal to add behavioural analysis as a contributor towards detection; it could
be included under “behavioural”.
RESPONSE & RECOVERY: 
• Implement automated responses to incidents as often as possible, when 
technologies and/or situations allow 
• Leverage real-time intelligence from other government departments, national and 
international partners and industry 
5
What SSC Heard from AFAC Continued 
OTHER FEEDBACK: 
• Manage security as “an ever changing and evolving” service to support a 
constantly changing threat landscape 
• Develop metrics to measure progress and a well-performing environment
• “Network centric to data centric” raises the need to look at “location
awareness – geo-fencing”
• Data centric model raises a requirement for data encryption
• Recognize that there will be “breaches” – leverage containment 
• Consider the micro-segmentation approach 
• Data access and multi-tenancy have a dependency on identity 
management 
6
Updated Prevention, Detection, Response, Recovery 
(PDRR) Model 
7
Proposed Way Forward 
• Use the PDRR as the initial framework; a detailed draft document is to
be developed.
• Develop performance indicators and metrics
• Continue consulting the industry 
• Update framework annually 
8
Questions 
1. Does the framework cover all necessary cyber and IT 
security functions and related aspects? 
2. Is there any additional input/feedback on the proposed
framework?
9
Device Security 
10
What SSC Heard from AFAC 
Device Security Transformation 
In Scope: 
• Devices – data centre (DC) and 
workplace technology devices (WTD) 
• 94 departments and agencies across 
the Government of Canada (GC) 
Out of Scope: 
• Perimeter, network and data security 
Data Centric Security
Cloud and Mobile
11
What SSC Heard from AFAC 
• Address “legacy” requirements separately from “end state” 
• De-couple procurements for DC and WTD as their security requirements are different 
• Security continuously evolving to meet endlessly changing landscape 
• Transition from network to data centric approach 
• Cloud Security increases requirements for data encryption 
• Build a centralised public key infrastructure (PKI)/certificate authorities 
• Leverage “location based” data access (e.g. no Protected B in a public zone) 
• Develop and enforce hardening and standards 
• Metrics are crucial – they define how success is measured
• Look into behavioural security analysis for advanced attack detection 
• Investigate sandbox and isolation techniques (micro-segmentation) 
12
Revised Device Security Strategy 
• Address legacy requirements by leveraging existing 
procurement vehicles 
• De-couple data centre and WTD device security strategy 
efforts 
• Develop a Cloud Security Strategy 
• Holistic approach across IT Security domains 
• Integrate Security services & strategies 
• Data Centric Approach 
• Continue consulting industry 
13
Question 
1. Is there any additional input/feedback to ensure that the
functions described are adequately addressed for legacy
and enterprise services?
14
Cloud Security 
Initial View 
15
Security Principles 
• Trusted equipment and services through supply chain integrity 
• Security by design to ensure that all aspects of security are addressed as part 
of design, balancing service, security and savings 
• Gradual transition from a network-based security model to data-centric security 
model - apply security controls as close to the data as practical 
• Privileged access to data will be maintained and multi-tenancy will be built into
systems where data owned by one partner cannot be seen by another partner
or by unauthorised individuals
• Security breaches in one part of the infrastructure are quickly detected and
contained without spreading to other parts of the infrastructure
• Maintain and improve the security posture as part of moving to enterprise
services (i.e., don’t reduce security).
16
Data States in the Government of Canada Cloud
[Diagram. Labels shown: GC Perimeter; Telecom Domain; Vendor; Outsourced Domain; Private Cloud; LAN; Uncontrolled Domain; Data Centre 1 … Data Centre n; Data Centre Domain; Workplace Technology Devices; Distributed Computing Environment Domain; Government of Canada Domain; Unclassified/Protected A/Protected B. Data states marked: Data In Transit; Data In Use (DIU); Data In Storage (DIS).]
N.B. GFE = Government Furnished Equipment
17
Technical Security Services within the Cloud
[Diagram. Labels shown: GC Perimeter; Telecom Domain; Vendor; Outsourced Domain; Private Cloud; LAN; Uncontrolled Domain; Data Centre 1 … Data Centre n; Data Centre Domain; Workplace Technology Devices; Distributed Computing Environment Domain; Government of Canada Domain; Unclassified/Protected A/Protected B. Services marked: 1. Infrastructure Protection Services; 2. Data Protection Services; 3. Privilege Management Services; 4. Security Monitoring & Security Management Services; 5. ICAM – End User.]
18
Technical Security Services 
• Technical Security Services (TSS) are divided into five groupings,
as follows and as previously discussed with AFAC members:
1. Infrastructure protection services
2. Data protection services
3. Privilege management services
4. Security monitoring services
5. Identity, credential and access management services (ICAM)
19
TSS 1: Infrastructure Protection Services 
• Prevent and detect unauthorized access, misuse, 
modification, and denial of service attacks 
• Establish the required boundary that divides the trusted from 
the untrusted 
• Perimeter/border defense services 
• Intrusion detection and prevention services 
• Wired/wireless protection services 
• Content management services 
• Anti-virus/malware services 
• End point management services 
20
TSS 2: Data Protection Services 
• Manage and safeguard information when being used, stored 
and transmitted 
• Data lifecycle management, including the backup, archiving 
and restoration of data 
• Apply controls when critical data is leaving the environment 
via data loss prevention (DLP) technologies 
• Data encryption (in-storage and in-transit)
• Encryption keys and their management 
21
TSS 3: Privilege Management Services 
• Manage the administrative privileges pertaining to identity,
credential and access within the SSC domain, including
Partner administrators
• This service is distinct from, but highly aligned with, the
ICAM, which has a Government of Canada (GC) scope for
end users
• Enforce the concept that the right people or systems
have the right access to the right resources at the right time for
the right reasons; this can also be used to enforce privacy
22
TSS 4: Security Monitoring Services 
• Track, collate and analyze network and system events in order 
to identify threats/breaches and issue alerts 
• Security Information and Event Monitoring (SIEM) software 
• Event logging/audit service 
• Threat and vulnerability management services 
23
Questions 
1. What additional principles should be considered for GC
cloud security?
2. Do the technical service groupings adequately cover all
aspects of IT and data security?
3. Are there other models and/or groupings that could be
leveraged?
4. To ensure adequate security posture of the GC infrastructure
services, are there additional considerations that the GC
should consider as part of cloud security strategy?
5. Understanding that the security services will be composed of
multiple vendors’ suites, what considerations should SSC
take into account in developing the service definitions and specifications?
24
Questions and Closing Remarks 
25

AFAC session 2 - September 8, 2014

  • 1. CYBER AND IT SECURITY DEVICE SECURITY – SESSION #2 Architecture Framework Advisory Committee September 8, 2014 1
  • 2. TIME TOPICS PRESENTERS 9:00 – 9:15 Opening Remarks Shirley Ivan Acting Chair 9:15 – 10:00 Cyber and IT Security Transformation Framework & Discussion Period Raj Thuppal Moderator: Chair Participants: All Raj Thuppal Agenda 2 10:00 – 10:45 Device Security Approach & Discussion Period Moderator: Chair Participants: All 10:45 – 11:00 Health Break 11:00 – 11:45 Cloud Security Strategy & Discussion Period Raj Thuppal Moderator: Chair Participants: All 11:45 – 12:00 Closing Remarks Next Meeting: October 27 Shirley Ivan Acting Chair
  • 3. Objective for Today • Present the way forward for the Cyber and IT Security Transformation Framework and the Device Security Approach based on what Shared Services Canada (SSC) heard during session #1 of this topic at the Architecture Framework Advisory Committee (AFAC) meeting of July 7, 2014 • Seek feedback on Cloud Security Strategy • Discussion period and next steps 3
  • 4. Cyber and IT Security Transformation PDRR Framework 4
  • 5. What SSC Heard from AFAC PREVENTION: • Should include risk management • Include IT Security policies and standards into the system/application development domain • Qualify the “Business Continuity and Emergency Management” to be clear it address the planning, while the execution would be in Detect, Respond or Recovery • IT Security Standard and Policies will continuously evolve due to threat changes DETECTION: • Proposal to add behavioural analysis as a contributor towards detection and could be included under “behavioural“. RESPONSE & RECOVERY: • Implement automated responses to incidents as often as possible, when technologies and/or situations allow • Leverage real-time intelligence from other government departments, national and international partners and industry 5
  • 6. What SSC Heard from AFAC Continued OTHER FEEDBACK: • Manage security as “an ever changing and evolving” service to support a constantly changing threat landscape • Develop metrics to measure progress and well performing environment • “Network centric to data centric” raise the need to look at “location awareness – geo-fencing” • Data centric model raise requirement on data encryption • Recognize that there will be “breaches” – leverage containment • Consider the micro-segmentation approach • Data access and multi-tenancy have a dependency on identity management 6
  • 7. Updated Prevention, Detection, Response, Recovery (PDRR) Model 7
  • 8. Proposed Way Forward • Use the PDRR as initial framework, detailed draft document to be developed. • Develop performance indicator and metrics • Continue consulting the industry • Update framework annually 8
  • 9. Questions 1. Does the framework cover all necessary cyber and IT security functions and related aspects? 2. Are there any additional input/feedback on proposed framework? 9
  • 11. What SSC Heard from AFAC Device Security Transformation In Scope: • Devices – data centre (DC) and workplace technology devices (WTD) • 94 departments and agencies across the Government of Canada (GC) Out of Scope: • Perimeter, network and data security Data Centric Security 11 Cloud and Mobile
  • 12. What SSC Heard from AFAC • Address “legacy” requirements separately from “end state” • De-couple procurements for DC and WTD as their security requirements are different • Security continuously evolving to meet endlessly changing landscape • Transition from network to data centric approach • Cloud Security increases requirements for data encryption • Build a centralised public key infrastructure (PKI)/certificate authorities • Leverage “location based” data access (e.g. no Protected B in a public zone) • Develop and enforce hardening and standards • Metrics are crucial – defines how success is measured • Look into behavioural security analysis for advanced attack detection • Investigate sandbox and isolation techniques (micro-segmentation) 12
  • 13. Revised Device Security Strategy • Address legacy requirements by leveraging existing procurement vehicles • De-couple data centre and WTD device security strategy efforts • Develop a Cloud Security Strategy • Holistic approach across IT Security domains • Integrate Security services & strategies • Data Centric Approach • Continue consulting industry 13
  • 14. Question 1. Are there any additional input/feedback to ensure that the functions described are adequately addressed for legacy and enterprise services? 14
  • 16. Security Principles • Trusted equipment and services through supply chain integrity • Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings • Gradual transition from a network-based security model to data-centric security model - apply security controls as close to the data as practical • Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals • Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure • Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).
  • 17. Data States in the Government of Canada Cloud GC Perimeter Telecom Domain Vendor Outsourced Domain Private Cloud LAN Data In Transit Data In Use (DIU) Data In Storage (DIS) Data In Use (DIU) Data In Storage (DIS) Uncontrolled Domain 17 … Data Centre 1 Data Centre n Data In Use (DIU) Data In Storage (DIS) Data Centre Domain Workplace Technology Devices Distributed Computing Environment Domain Government of Canada Domain Unclassified/Protected A/Protected B Data In Use (DIU) Data In Storage (DIS) N.B. GFE = Government Furnished Equipment
  • 18. Technical Security Services within the Cloud GC Perimeter Telecom Domain Vendor 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Outsourced Domain Private Cloud LAN 4. Security Monitoring & Security Management Services 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Uncontrolled Domain 18 … Data Centre 1 Data Centre n 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Data Centre Domain 3. Privilege Management Services 5. ICAM – End User Workplace Technology Devices Distributed Computing Environment Domain Government of Canada Domain Unclassified/Protected A/Protected B
  • 19. Technical Security Services • Technical Security Services (TSS) divided into five groupings, as follows: 1. Infrastructure protection services 2. Data protection services 3. Privilege management services 4. Security monitoring services 5. Identity, credential and access management services (ICAM) and previously discussed with AFAC members 19
  • 20. TSS 1: Infrastructure Protection Services • Prevent and detect unauthorized access, misuse, modification, and denial of service attacks • Establish the required boundary that divides the trusted from the untrusted • Perimeter/border defense services • Intrusion detection and prevention services • Wired/wireless protection services • Content management services • Anti-virus/malware services • End point management services 20
  • 21. TSS 2: Data Protection Services • Manage and safeguard information when being used, stored and transmitted • Data lifecycle management, including the backup, archiving and restoration of data • Apply controls when critical data is leaving the environment via data loss prevention (DLP) technologies • Data encryption (in-storage and in-transit ) • Encryption keys and their management 21
  • 22. TSS 3: Privilege Management Services • Manage the administrative privileges pertaining identity, credential and access within the SSC domain including Partner administrators • This service is distinct from, but highly aligned with the ICAM, which has a Government of Canada (GC) scope for end users • Enforce the concepts of ensuring the right people or systems, have the right access to the right resources at the right time for the right reasons and can be used to enforce privacy 22
  • 23. TSS 4: Security Monitoring Services • Track, collate and analyze network and system events in order to identify threats/breaches and issue alerts • Security Information and Event Monitoring (SIEM) software • Event logging/audit service • Threat and vulnerability management services 23
  • 24. Questions 1. What additional principles should be considered for a GC cloud security? 2. Does the technical service groupings adequately cover all aspects of IT and data security ? 3. Are there other models and or groupings that could be leveraged? 4. To ensure adequate security posture of the GC infrastructure services, are there additional considerations that the GC should consider as part of cloud security strategy? 5. Understanding that the security services will be composed of multiple vendors’ suites, what considerations SSC should take in developing the service definitions and specifications. 24
  • 25. Questions and Closing Remarks 25