afac device-security-july-7-2014v7-2
DESCRIPTION
Shared Services Canada’s Architectural Framework Advisory Committee launched industry consultations on its IT Security Program.
TRANSCRIPT
CYBER AND IT SECURITY
Architecture Framework Advisory Committee
Meeting SESSION 1
JULY 7, 2014
Agenda
TIME | TOPICS | PRESENTERS
9:00 – 9:10 | Opening Remarks | Benoît Long, Chair
9:10 – 9:30 | Cyber and IT Security Transformation | Raj Thuppal
9:30 – 10:15 | Discussion Period | Moderator: Chair; Participants: All
10:15 – 10:30 | Health Break |
10:30 – 11:50 | Device Security Presentation & Discussion Period | Raj Thuppal; Moderator: Chair; Participants: All
11:50 – 12:00 | Closing Remarks | Benoît Long, Chair
Objective for Today
• Setting the Context on Shared Services Canada Cyber and IT Security Program
• Proposed Device Security Plan for an enterprise procurement scope
• Seek Feedback and Input
• Questions/Discussion
Context
Transforming the Government of Canada
Today:
• Complex Government of Canada (GC) IT Infrastructure
• IT Security as an “add-on”
• Reactive, Slow & Siloed Response to Cyber Threats
Future:
• Rationalized, Standardized and Consolidated
• IT Security Integrated into the Design
• Coordinated Proactive Rapid Response & Recovery
Cyber and other IT security threats are constantly evolving and on-going effort is required to keep up
Cyber and IT Security Transformation
• IT Security controls based on ITSG-33 (Technical, Operational and Management) incorporated as part of end to end IT service management of target state GC IT Services
• IT security controls established based on domain security control profile, context and GC threat assessment and IT risk management
• Standardized, consolidated and transformed Cyber and IT Security Services
[Figure: IT Security Current State compared with IT Security Target State. Current state labels: Dept … (repeated), Mission Specific Apps, Back office Apps, Data at Rest, Data in Transit, Data in Use, Multiple Identities, Multiple ICAMs, Multiple Access Controls, Multiple SOCs, Multiple Network Security Controls, Multiple Device Security, Fragmented SIEMs. Target state labels: GCNet, Mission Specific Apps, Consolidated Back office Apps, Data at Rest, Data in Transit, Data in Use, Unified ICAM, Standardized SOC, Unified Network Security, Unified Device Security, Unified SIEM.]
Cyber and IT Security Framework
INFRASTRUCTURE & DATA
• Aligned to Canada’s Cyber Security Strategy (CCSS)
• Security built-in as part of end-to-end service design
• Partnership with Treasury Board Secretariat (TBS), Communications Security Establishment (CSE) Canada and Public Safety
SSC is mandated to protect the infrastructure and associated data-in-transit, storage, and use.
OPERATE EVOLVE TRANSFORM
Conceptual End State (updated July 2013)
Service Management
• ITIL ITSM Framework
• Standardized Service Levels/Availability Levels
• Inclusive of Scientific and special purpose computing
• Standardized Application and Infrastructure Lifecycle Management
• Smart Evergreening
• Full redundancy – within data centres, between pairs, across sites
Enterprise Security
• All departments share one Operational Zone
• Domains and Zones where required
• Classified information below Top Secret
• Balance security and consolidation
• Consolidated, controlled, secure perimeters
• Certified and Accredited infrastructure
Business Intent
• Business to Government
• Government to Government
• Citizens to Government
Consolidation Principles
1. As few data centres as possible
2. Locations determined objectively for the long term
3. Several levels of resiliency and availability (establish in pairs)
4. Scalable and flexible infrastructure
5. Infrastructure transformed; not “fork-lifted” from old to new
6. Separate application development environment
7. Standard platforms which meet common requirements (no re-architecting of applications)
8. Build in security from the beginning
Application Migration
• Standard platforms and product versions
• Migration guidance
• Committed timeline for product evolution
[Figure: conceptual end-state architecture diagram, framed by Enterprise Security and Service Management. Labels: Virtualized Platforms (x86 Web / App / DB Containers on Windows; x86 Web / App / DB Containers on Linux; Sys. z App / DB Containers on z/OS; Any Special Purpose / Grid / HPC Operating System); Virtualized Storage (SAN, NAS; On-line, Near-line, Off-line / Backup, Archive; Tier 1, Tier 2, Tier 3); Virtualized Services (IP PBX, App., Email, V.Conf. Bridge, Web, File/Print, Database, Th.Client, VDI); Data Centre Core Network Domains & Zones; WAN Node; Internet PoP; GC Private Domain; Workload Mobility; Application Service Levels (Standard, Enhanced, Mission Critical); Regional Carriers; International Carriers; GCNet (3,580 buildings); Public Cloud Services; Internet (B2G, C2G, G2G); Regional WAN Accelerators; Virtual Private Cloud; Several, highly-secure Internet access points; Stand-alone centre for GC super-computing (HPC) – e.g. Weather; Development (Dev1, Dev2); Production (Prod1, Prod2, Prod3, Prod4); HPC (Sci1); Classified Data (C: Confidential, S: Secret); Protected Data (A: Protected A, B: Protected B, C: Protected C).]
GC Data Classification
Policy on Government Security (PGS)
Classified (National Interest & Security):
• Top Secret: Extremely Grave Injury – e.g., widespread loss of life, loss of continuity of government, etc.
• Secret: Serious injury – e.g., political tension (int’l or fed-prov.), damage to critical infrastructure, civil disorder, etc.
• Confidential: Injury – e.g., damage to relations (e.g. public, industry, diplomatic, etc.), limited loss of public confidence, etc.
Designated (Corporate or Personal Interest):
• Protected C: Extremely Grave Injury – e.g., serious physical injury/loss of life, financial loss affecting viability, etc.
• Protected B: Serious injury – e.g., substantial duress to individuals, loss of competitive advantage, etc.
• Protected A: Injury – e.g., inconvenience, damage to Departmental relationships, degradation of public confidence
Unclassified: Non-Sensitive Information (Requires Integrity & Availability)
Caveats:
• Official: CEO (Canadian Eyes Only)
• Unofficial: For Official Use Only (FOUO)
PREVENTION
• Trusted infrastructure products and services through supply chain integrity
• Cyber and IT Security Policies and Standards
• Security awareness and training
• Infrastructure Protection Services
• Data Protection Services
• Identity, Credentials and Access Management Services
• Secret Infrastructure Service
• Business Continuity and Emergency Management
DETECTION
• Coordination of GC-wide monitoring, detection, identification, prioritization, and reporting of IT Security incidents
• Automated, real-time threat monitoring, security information and event management and analysis
• Log analysis and investigations
• Security Assessment
• Vulnerability assessments
RESPONSE
• GC-wide coordination and remediation of IT security incidents
• Threat assessment and situational reporting
• Coordination and distribution of GC product alerts, warnings, advisories
• Forensics
• Software integrity through security configuration or replacement
• Infrastructure integrity through configuration or replacement
RECOVERY
• Highly specialized IT security incident recovery services
• Mitigation advice and guidance
• Vulnerability Remediation
• Post Incident Analysis
Cyber and IT Security Functions
Transformation Principles
• Trusted equipment and services through supply chain integrity
• Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings
• Gradual transition from a network-based security model to data-centric security model
• Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals
• Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure
• Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).
1. Do the Cyber and IT Security Framework, transformation principles and associated functions sufficiently address the Cyber and IT Security challenges associated with moving from department specific networks to a cloud infrastructure?
Question
Device Security
AFAC Consultation Roadmap
[Figure: consultation roadmap diagram with milestones marked July 7 and TBD. Labels follow.]
STRATEGY KEY ACTIVITIES 2014–15: Functional Direction; Common Requirements/Service Strategy; Service Bundles and Delivery Model; Licensing models and Solutions; End-state Service Strategy; Enterprise Software Procurement
AFAC INPUT: Recommendations for Strategic Questions; Guiding Principles/Best Practices; Experience/Case Studies; Risks/Success Factors
• Meetings
• Demos
• Written Submissions
Formal Industry Engagement
Device Security Defined
What is Device Security?
• Device security refers to the protection of Government of Canada (GC) devices that are used to store and process data through the use of various information technology (IT) safeguard services.
What GC Devices are we looking to Protect?
• Backend devices (Data Server Infrastructure)
• Frontend devices (Traditional personal computers, laptops, Thin-Clients/Virtual Deployments)
• Mobile Devices (Smartphones, Tablets)
• ~569,000 devices (~100,000 data centre devices, ~469,000 workplace technology devices)
Why do we need Device Security?
• Safeguard GC devices and data from various forms of malware and intrusion
• Maintain the confidentiality, integrity and availability of infrastructure information assets
Strategic Context
• Enhance security services required to mitigate evolving threats
• Support for security service integration with new cloud and mobile technologies
• Support Treasury Board’s IT Policy Implementation Notice (ITPIN) implementation regarding the secure use of portable data storage devices within the Government of Canada
• Lack of an enterprise procurement vehicle for device security software
• Renewal of existing device security software licenses to maintain operations (e.g. Keeping the Lights On)
• Multiple disparate device security solutions and policy application
• Standardization to drive efficiencies and cost savings across the GC
Increase Security
Improve Service
Generate Savings
Proposed Device Security Services
Security Service | Description
Antivirus | Is protective software designed to defend your computer against malicious software (viruses)
Antispyware | Software that controls advertisements (called adware) or software that tracks personal or sensitive information
Host Intrusion Detection / Prevention Systems | Software package which monitors a single host for suspicious activity by analyzing events occurring
Data Loss Prevention | Network/endpoint services that control what data end users can transfer in/out of the network
Application Firewall | Firewall which controls input, output and/or access from, to, or by an application or service
Application Whitelisting | Software programs that operate up to the Application Layer of the OSI Model; and protect the integrity of the system by filtering the requests for application-based information.
Encryption | A technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people.
Questions:
1. Have all essential functions been covered? Should other functions be considered?
2. Should these functions be bundled separately or combined?
Device Security Strategy
Current-State Distributed
• Multiple disparate management systems and products/technologies across depts.
• Network-Centric Security
End-State Centralized
• Reduced management infrastructure leveraging SSC Community Cloud
• Data-Centric Security
Questions:
1. Should the same service set be used for both the legacy environment and the new SSC enterprise cloud service?
2. Given vendor specific signatures, should multi-vendor procurement be considered?
3. Should the scope of the procurement cover both data center devices and workplace technology devices?
Other questions?
INFRASTRUCTURE & DATA
Technical, physical, personnel, management and other security controls to proactively protect the confidentiality, integrity and availability of information and IT assets
Continuous monitoring of systems to rapidly detect IT incidents after or as they occur
Corrective controls to respond to IT incidents and to exchange incident-related information with designated lead departments in a timely fashion
PDRR & PPSI Models
Security Frameworks
Governance, Risk Management, Compliance (GRC)
Corrective controls to restore essential capabilities within agreed time constraints and availability requirements in a manner that preserves the integrity of evidence
Aligned with NIST Framework
Competencies, roles & responsibilities, culture, org. chart, and capacity
Supply Chain Integrity, Security Assessment & Authorization, Security-by-Design, IT Service Management
Privilege Management Infrastructure (PMI), GC Secret Infrastructure (GCSI), Network and Device Security, Security Operations Centre (SOC)
Policies and instruments, information repository, Approved Security Products List (ASPL)
GC ESA Focus Areas
[Figure: GC ESA focus areas diagram. Surrounding labels: Awareness & Training; Physical Security; Security in Contracting; Personnel Security; Business Continuity; Strengthen Defensive Capabilities; Consolidation; Standardization; Transformation; Modernization. Focus areas: End User Device Security; Compute and Storage Services Security; Network and Communications Security; Security Operations; Policy and Compliance Monitoring; Application Security; Data Security; Identity, Credential and Access Management.]
ESA Focus Areas help to:
• Manage the complex problem space
• Promote a defense-in-depth layered security approach
• Consider both technical and non-technical aspects