CYBER AND IT SECURITY: Architecture Framework Advisory Committee Meeting, SESSION 1, JULY 7, 2014

Afac device-security-july-7-2014v7-2

Posted Jan 23, 2015 by KBIZEAU (Technology)

Shared Services Canada’s Architectural Framework Advisory Committee launched industry consultations on its IT Security Program.
Transcript
Page 1: Afac device-security-july-7-2014v7-2

CYBER AND IT SECURITY
Architecture Framework Advisory Committee
Meeting SESSION 1
JULY 7, 2014

Page 2

Agenda

TIME            TOPICS                                              PRESENTERS
9:00 – 9:10     Opening Remarks                                     Benoît Long, Chair
9:10 – 9:30     Cyber and IT Security Transformation                Raj Thuppal
9:30 – 10:15    Discussion Period                                   Moderator: Chair; Participants: All
10:15 – 10:30   Health Break
10:30 – 11:50   Device Security Presentation & Discussion Period    Raj Thuppal; Moderator: Chair; Participants: All
11:50 – 12:00   Closing Remarks                                     Benoît Long, Chair

Page 3

Objective for Today

• Setting the Context on Shared Services Canada Cyber and IT Security Program
• Proposed Device Security Plan for an enterprise procurement scope
• Seek Feedback and Input
• Questions/Discussion

Page 4

Context: Transforming the Government of Canada

Today
• Complex Government of Canada (GC) IT Infrastructure
• IT Security as an “add-on”
• Reactive, Slow & Siloed Response to Cyber Threats

Future
• Rationalized, Standardized and Consolidated
• IT Security Integrated into the Design
• Coordinated Proactive Rapid Response & Recovery

Cyber and other IT security threats are constantly evolving and on-going effort is required to keep up.

Page 5

Cyber and IT Security Transformation

• IT Security controls based on ITSG-33 (Technical, Operational and Management) incorporated as part of end to end IT service management of target state GC IT Services
• IT security controls established based on domain security control profile, context and GC threat assessment and IT risk management
• Standardized, consolidated and transformed Cyber and IT Security Services

[Diagram: IT Security Current State vs. IT Security Target State]

IT Security Current State: multiple departments (Dept …) on GCNet, each with its own Mission Specific Apps and Back office Apps and its own handling of Data in Use, Data at Rest and Data in Transit; Multiple Identities, Multiple ICAMs, Multiple Access Controls, Multiple SOCs, Multiple Network Security Controls, Multiple Device Security, Fragmented SIEMs.

IT Security Target State: Mission Specific Apps and Consolidated Back office Apps with Data in Use, Data at Rest and Data in Transit protected by Unified ICAM, Standardized SOC, Unified Network Security, Unified Device Security and Unified SIEM.

Page 6

Cyber and IT Security Framework

INFRASTRUCTURE & DATA

• Aligned to Canada’s Cyber Security Strategy (CCSS)
• Security built-in as part of end-to-end service design
• Partnership with Treasury Board Secretariat (TBS), Communications Security Establishment (CSE) Canada and Public Safety

SSC is mandated to protect the infrastructure and associated data-in-transit, storage, and use.

OPERATE / EVOLVE / TRANSFORM

Page 7

Conceptual End State (updated July 2013)

Service Management
• ITIL ITSM Framework
• Standardized Service Levels/Availability Levels
• Inclusive of Scientific and special purpose computing
• Standardized Application and Infrastructure Lifecycle Management
• Smart Evergreening
• Full redundancy – within data centres, between pairs, across sites

Enterprise Security
• All departments share one Operational Zone
• Domains and Zones where required
• Classified information below Top Secret
• Balance security and consolidation
• Consolidated, controlled, secure perimeters
• Certified and Accredited infrastructure

Business Intent
• Business to Government (B2G)
• Government to Government (G2G)
• Citizens to Government (C2G)

Consolidation Principles
1. As few data centres as possible
2. Locations determined objectively for the long term
3. Several levels of resiliency and availability (establish in pairs)
4. Scalable and flexible infrastructure
5. Infrastructure transformed; not “fork-lifted” from old to new
6. Separate application development environment
7. Standard platforms which meet common requirements (no re-architecting of applications)
8. Build in security from the beginning

Application Migration
• Standard platforms and product versions
• Migration guidance
• Committed timeline for product evolution

Application Service Levels: Standard, Enhanced, Mission Critical (Workload Mobility between service levels)

[Diagram: GC Private Domain end-state architecture]
Data Centre Core Network, Domains & Zones: Virtualized Platforms (Sys. z App / DB Containers on z/OS; x86 Web / App / DB Containers on Windows; x86 Web / App / DB Containers on Linux; Any Special Purpose / Grid / HPC operating system); Virtualized Storage (SAN, NAS; On-line Tier 1, Near-line Tier 2, Off-line / Backup Tier 3, Archive); Virtualized Services (IP PBX, App., Email, V.Conf. Bridge, Web, File/Print, Database, Th.Client, VDI); WAN Node; Internet PoP.
Connectivity: Regional Carriers, International Carriers, GCNet (3,580 buildings), Regional WAN Accelerators, several highly-secure Internet access points, Internet (B2G, C2G, G2G), Public Cloud Services, Virtual Private Cloud.
Sites: Development (Dev1, Dev2); Production (Prod1, Prod2, Prod3, Prod4); HPC (Sci1), a stand-alone centre for GC super-computing (HPC), e.g. Weather.
Data handled: Classified Data (Confidential, Secret); Protected Data (Protected A, Protected B, Protected C).

Page 8

GC Data Classification (Policy on Government Security (PGS))

Classified (National Interest & Security)
• Top Secret: Extremely Grave Injury – e.g., widespread loss of life, loss of continuity of government, etc.
• Secret: Serious injury – e.g., political tension (int’l or fed-prov.), damage to critical infrastructure, civil disorder, etc.
• Confidential: Injury – e.g., damage to relations (e.g. public, industry, diplomatic, etc.), limited loss of public confidence, etc.

Designated (Corporate or Personal Interest)
• Protected C: Extremely Grave Injury – e.g., serious physical injury/ loss of life, financial loss affecting viability, etc.
• Protected B: Serious injury – e.g., substantial duress to individuals, loss of competitive advantage, etc.
• Protected A: Injury – e.g., inconvenience, damage to Departmental relationships, degradation of public confidence

Unclassified: Non-Sensitive Information (Requires Integrity & Availability)

Caveats
• Official: CEO (Canadian Eyes Only)
• Unofficial: For Official Use Only (FOUO)

Page 9

Cyber and IT Security Functions

PREVENTION
• Trusted infrastructure products and services through supply chain integrity
• Cyber and IT Security Policies and Standards
• Security awareness and training
• Infrastructure Protection Services
• Data Protection Services
• Identity, Credentials and Access Management Services
• Secret Infrastructure Service
• Business Continuity and Emergency Management

DETECTION
• Coordination of GC-wide monitoring, detection, identification, prioritization, and reporting of IT Security incidents
• Automated, real-time threat monitoring, security information and event management and analysis
• Log analysis and investigations
• Security Assessment
• Vulnerability assessments

RESPONSE
• GC-wide coordination and remediation of IT security incidents
• Threat assessment and situational reporting
• Coordination and distribution of GC product alerts, warnings, advisories
• Forensics
• Software integrity through security configuration or replacement
• Infrastructure integrity through configuration or replacement

RECOVERY
• Highly specialized IT security incident recovery services
• Mitigation advice and guidance
• Vulnerability Remediation
• Post Incident Analysis

Page 10

Transformation Principles

• Trusted equipment and services through supply chain integrity
• Security by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings
• Gradual transition from a network-based security model to a data-centric security model
• Privileged access to data will be maintained and multi-tenancy will be built into systems where data owned by one partner cannot be seen by another partner or by unauthorised individuals
• Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure
• Maintain and improve the security posture as part of moving to enterprise services (i.e., don’t reduce security).

Page 11

Question

1. Does the Cyber and IT Security Framework, transformation principles and associated functions sufficiently address the Cyber and IT Security challenges associated with moving from department specific networks to a cloud infrastructure?

Page 12

Device Security

Page 13

AFAC Consultation Roadmap

[Diagram: STRATEGY / KEY ACTIVITIES 2014–15 / AFAC INPUT]

AFAC INPUT
• Recommendations for Strategic Questions
• Guiding Principles/Best Practices
• Experience/Case Studies
• Risks/Success Factors

KEY ACTIVITIES 2014–15
• Common Requirements/Service Strategy
• Service Bundles and Delivery Model
• Licensing models and Solutions
• End-state Service Strategy
• Enterprise Software Procurement
• Functional Direction
• Formal Industry Engagement (Meetings, Demos, Written Submissions)

Timeline markers: July 7; TBD

Page 14

Device Security Defined

What is Device Security?
• Device security refers to the protection of Government of Canada (GC) devices that are used to store and process data through the use of various information technology (IT) safeguard services.

What GC Devices are we looking to Protect?
• Backend devices (Data Server Infrastructure)
• Frontend devices (Traditional personal computers, laptops, Thin-Clients/Virtual Deployments)
• Mobile Devices (Smartphones, Tablets)
• ~569,000 devices (~100,000 data centre devices, ~469,000 workplace technology devices)

Why do we need Device Security?
• Safeguard GC devices and data from various forms of malware and intrusion
• Maintain the confidentiality, integrity and availability of infrastructure information assets

Page 15

Strategic Context

• Enhance the security services required to mitigate evolving threats
• Support security service integration with new cloud and mobile technologies
• Support Treasury Board’s IT Policy Implementation Notice (ITPIN) implementation regarding the secure use of portable data storage devices within the Government of Canada
• Lack of a device security software enterprise procurement vehicle
• Renewal of existing device security software licenses to maintain operations (e.g. Keeping the Lights On)
• Multiple disparate device security solutions and policy application
• Standardization to drive efficiencies and cost savings across the GC

Increase Security / Improve Service / Generate Savings

Page 16

Proposed Device Security Services

Security Service: Description
• Antivirus: Protective software designed to defend your computer against malicious software (viruses)
• Antispyware: Software that controls advertisements (called adware) or software that tracks personal or sensitive information
• Host Intrusion Detection / Prevention Systems: Software package which monitors a single host for suspicious activity by analyzing events occurring
• Data Loss Prevention: Network/endpoint services that control what data end users can transfer in/out of the network
• Application Firewall: Firewall which controls input, output and/or access from, to, or by an application or service
• Application Whitelisting: Software programs that operate up to the Application Layer of the OSI Model and protect the integrity of the system by filtering the requests for application-based information
• Encryption: A technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people

Questions:

1. Have all essential functions been covered? Should other functions be considered?

2. Should these functions be bundled separately or combined?

Page 17

Device Security Strategy

Current-State (Distributed)
• Multiple disparate management systems and products/technologies across depts.
• Network-Centric Security

End-State (Centralized)
• Reduced management infrastructure leveraging SSC Community Cloud
• Data-Centric Security

Questions:

1. Should the same service set be used for both the legacy environment and the new SSC enterprise cloud service?

2. Given vendor specific signatures, should multi-vendor procurement be considered?

3. Should the scope of the procurement cover both data center devices and workplace technology devices?

Page 18

Other questions?

Page 19

INFRASTRUCTURE & DATA

PDRR & PPSI Models
• Technical, physical, personnel, management and other security controls to proactively protect the confidentiality, integrity and availability of information and IT assets
• Continuous monitoring of systems to rapidly detect IT incidents after or as they occur
• Corrective controls to respond to IT incidents and to exchange incident-related information with designated lead departments in a timely fashion
• Corrective controls to restore essential capabilities within agreed time constraints and availability requirements in a manner that preserves the integrity of evidence

Security Frameworks: Governance, Risk Management, Compliance (GRC); Aligned with NIST Framework
• Competencies, roles & responsibilities, culture, org. chart, and capacity
• Supply Chain Integrity, Security Assessment & Authorization, Security-by-Design, IT Service Management
• Privilege Management Infrastructure (PMI), GC Secret Infrastructure (GCSI), Network and Device Security, Security Operations Centre (SOC)
• Policies and instruments, information repository, Approved Security Products List (ASPL)

Page 20

GC ESA Focus Areas

[Diagram: ESA Focus Areas]
Focus areas: Awareness & Training; Physical Security; Security in Contracting; Personnel Security; Business Continuity; End User Device Security; Compute and Storage Services Security; Network and Communications Security; Security Operations; Policy and Compliance Monitoring; Application Security; Data Security; Identity, Credential and Access Management.
Cross-cutting themes: Strengthen Defensive Capabilities; Consolidation; Standardization; Transformation; Modernization.

ESA Focus Areas help to:
• Manage the complex problem space
• Promote a defense-in-depth layered security approach
• Consider both technical and non-technical aspects