AFAC session 2 - September 8, 2014


Upload: kbizeau

Post on 30-Jun-2015


DESCRIPTION

Shared Services Canada - Architecture Framework Advisory Committee Meeting on September 8, 2014 (Device Security)

TRANSCRIPT

Page 1: AFAC session 2 - September 8, 2014

CYBER AND IT SECURITY

DEVICE SECURITY – SESSION #2

Architecture Framework Advisory Committee

September 8, 2014


Page 2: AFAC session 2 - September 8, 2014

Agenda

TIME | TOPICS | PRESENTERS

9:00 – 9:15 | Opening Remarks | Shirley Ivan, Acting Chair

9:15 – 10:00 | Cyber and IT Security Transformation Framework & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All

10:00 – 10:45 | Device Security Approach & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All

10:45 – 11:00 | Health Break |

11:00 – 11:45 | Cloud Security Strategy & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All

11:45 – 12:00 | Closing Remarks; Next Meeting: October 27 | Shirley Ivan, Acting Chair

Page 3: AFAC session 2 - September 8, 2014

Objective for Today

• Present the way forward for the Cyber and IT Security Transformation Framework and the Device Security Approach based on what Shared Services Canada (SSC) heard during session #1 of this topic at the Architecture Framework Advisory Committee (AFAC) meeting of July 7, 2014

• Seek feedback on Cloud Security Strategy

• Discussion period and next steps

Page 4: AFAC session 2 - September 8, 2014

Cyber and IT Security Transformation PDRR Framework

Page 5: AFAC session 2 - September 8, 2014

What SSC Heard from AFAC

PREVENTION:

• Should include risk management

• Include IT Security policies and standards in the system/application development domain

• Qualify the “Business Continuity and Emergency Management” to make clear that it addresses the planning, while the execution would be in Detect, Respond or Recovery

• IT Security Standards and Policies will continuously evolve due to threat changes

DETECTION:

• Proposal to add behavioural analysis as a contributor towards detection; it could be included under “behavioural”.

RESPONSE & RECOVERY:

• Implement automated responses to incidents as often as possible, when technologies and/or situations allow

• Leverage real-time intelligence from other government departments, national and international partners and industry

Page 6: AFAC session 2 - September 8, 2014

What SSC Heard from AFAC Continued

OTHER FEEDBACK:

• Manage security as “an ever changing and evolving” service to support a constantly changing threat landscape

• Develop metrics to measure progress and a well performing environment

• “Network centric to data centric” raises the need to look at “location awareness – geo-fencing”

• Data centric model raises a requirement for data encryption

• Recognize that there will be “breaches” – leverage containment

• Consider the micro-segmentation approach

• Data access and multi-tenancy have a dependency on identity management

Page 7: AFAC session 2 - September 8, 2014

Updated Prevention, Detection, Response, Recovery (PDRR) Model


Page 8: AFAC session 2 - September 8, 2014

Proposed Way Forward

• Use the PDRR as the initial framework; a detailed draft document is to be developed.

• Develop performance indicators and metrics

• Continue consulting the industry

• Update framework annually

Page 9: AFAC session 2 - September 8, 2014

Questions

1. Does the framework cover all necessary cyber and IT security functions and related aspects?

2. Is there any additional input/feedback on the proposed framework?

Page 10: AFAC session 2 - September 8, 2014

Device Security


Page 11: AFAC session 2 - September 8, 2014

What SSC Heard from AFAC

In Scope:

• Devices – data centre (DC) and workplace technology devices (WTD)

• 94 departments and agencies across the Government of Canada (GC)

Out of Scope:

• Perimeter, network and data security

[Diagram labels: Device Security Transformation; Data Centric Security; Cloud and Mobile]

Page 12: AFAC session 2 - September 8, 2014

What SSC Heard from AFAC

• Address “legacy” requirements separately from “end state”

• De-couple procurements for DC and WTD as their security requirements are different

• Security continuously evolving to meet endlessly changing landscape

• Transition from network to data centric approach

• Cloud Security increases requirements for data encryption

• Build a centralised public key infrastructure (PKI)/certificate authorities

• Leverage “location based” data access (e.g. no Protected B in a public zone)

• Develop and enforce hardening and standards

• Metrics are crucial – they define how success is measured

• Look into behavioural security analysis for advanced attack detection

• Investigate sandbox and isolation techniques (micro-segmentation)


Page 13: AFAC session 2 - September 8, 2014

Revised Device Security Strategy

• Address legacy requirements by leveraging existing procurement vehicles

• De-couple data centre and WTD device security strategy efforts

• Develop a Cloud Security Strategy

• Holistic approach across IT Security domains

• Integrate Security services & strategies

• Data Centric Approach

• Continue consulting industry

Page 14: AFAC session 2 - September 8, 2014

Question

1. Is there any additional input/feedback to ensure that the functions described are adequately addressed for legacy and enterprise services?

Page 15: AFAC session 2 - September 8, 2014

Cloud Security

Initial View

Page 16: AFAC session 2 - September 8, 2014

Security Principles

• Trusted equipment and services through supply chain integrity

• Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings

• Gradual transition from a network-based security model to data-centric security model - apply security controls as close to the data as practical

• Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals

• Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure

• Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).

Page 17: AFAC session 2 - September 8, 2014

Data States in the Government of Canada Cloud

[Diagram labels: Government of Canada Domain (Unclassified/Protected A/Protected B); GC Perimeter; Telecom Domain; Data Centre Domain (Data Centre 1 … Data Centre n); Distributed Computing Environment Domain; Workplace Technology Devices; LAN; Outsourced Domain; Private Cloud; Vendor; Uncontrolled Domain; data states shown: Data In Transit, Data In Use (DIU), Data In Storage (DIS)]

N.B. GFE = Government Furnished Equipment

Page 18: AFAC session 2 - September 8, 2014

Technical Security Services within the Cloud

[Diagram labels: Government of Canada Domain (Unclassified/Protected A/Protected B); GC Perimeter; Telecom Domain; Data Centre Domain (Data Centre 1 … Data Centre n); Distributed Computing Environment Domain; Workplace Technology Devices; LAN; Outsourced Domain; Private Cloud; Vendor; Uncontrolled Domain; services shown: 1. Infrastructure Protection Services, 2. Data Protection Services, 3. Privilege Management Services, 4. Security Monitoring & Security Management Services, 5. ICAM – End User]

Page 19: AFAC session 2 - September 8, 2014

Technical Security Services

• Technical Security Services (TSS) divided into five groupings, as follows:

1. Infrastructure protection services

2. Data protection services

3. Privilege management services

4. Security monitoring services

5. Identity, credential and access management services (ICAM) and previously discussed with AFAC members

Page 20: AFAC session 2 - September 8, 2014

TSS 1: Infrastructure Protection Services

• Prevent and detect unauthorized access, misuse, modification, and denial of service attacks

• Establish the required boundary that divides the trusted from the untrusted

• Perimeter/border defense services

• Intrusion detection and prevention services

• Wired/wireless protection services

• Content management services

• Anti-virus/malware services

• End point management services

Page 21: AFAC session 2 - September 8, 2014

TSS 2: Data Protection Services

• Manage and safeguard information when being used, stored and transmitted

• Data lifecycle management, including the backup, archiving and restoration of data

• Apply controls when critical data is leaving the environment via data loss prevention (DLP) technologies

• Data encryption (in-storage and in-transit)

• Encryption keys and their management

Page 22: AFAC session 2 - September 8, 2014

TSS 3: Privilege Management Services

• Manage the administrative privileges pertaining to identity, credential and access within the SSC domain, including Partner administrators

• This service is distinct from, but highly aligned with, the ICAM, which has a Government of Canada (GC) scope for end users

• Enforce the concept of ensuring that the right people or systems have the right access to the right resources at the right time for the right reasons; this can also be used to enforce privacy

Page 23: AFAC session 2 - September 8, 2014

TSS 4: Security Monitoring Services

• Track, collate and analyze network and system events in order to identify threats/breaches and issue alerts

• Security Information and Event Monitoring (SIEM) software

• Event logging/audit service

• Threat and vulnerability management services

Page 24: AFAC session 2 - September 8, 2014

Questions

1. What additional principles should be considered for GC cloud security?

2. Do the technical service groupings adequately cover all aspects of IT and data security?

3. Are there other models and/or groupings that could be leveraged?

4. To ensure adequate security posture of the GC infrastructure services, are there additional considerations that the GC should consider as part of cloud security strategy?

5. Understanding that the security services will be composed of multiple vendors’ suites, what considerations should SSC take in developing the service definitions and specifications?

Page 25: AFAC session 2 - September 8, 2014

Questions and Closing Remarks
