CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

Transcription

1 CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION Architecture Framework Advisory Committee November 4,

2 Agenda TIME TOPICS PRESENTERS 9:00 9:15 Opening Remarks and Introductions Shirley Ivan, Chair (interim) Wade Daley, Vice-chair 9:15 10:05 Presentation Simon Levesque, Senior Director, Cyber and IT Security 10:05 10:15 Health Break 10:15 11:45 Discussion Period Moderator: Chair Participants: All 11:45 11:55 Closing Remarks and Next Meeting Shirley Ivan, Chair (interim) 2

3 Objectives for Today Brief recapitulation of the last meeting (September 8, 2014) Present a proposed Government of Canada (GC) Cloud Security Strategy based upon what Shared Services Canada (SSC) heard from AFAC during the session of September 8, 2014 Finalize the recommendations and advice from AFAC to conclude the consultation roadmap 3

4 SHARED SERVICES CANADA OUTCOMES AFAC MEETINGS Workplace Technology Devices Cyber and IT Security Framework and Device Security Jan 20 Feb 24 Mar 14 Apr 16 May 26 July 7 Sept 8 Nov Context: AFAC Meetings and Topics Enterprise Architecture library available on SSC Internet site Feb 2014 Cyber and IT Framework and device security defined Sept 2014 Cloud Security Report to IT Infrastructure Roundtable Cloud Security Strategy Next Meeting Future Meeting Topics timing to be confirmed* 2015 Architecture standards SSC Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) Directories IT security standards 4

5 AFAC Consultation Roadmap AFAC INPUT Recommendations for strategic questions Guiding Principles/ Best Practices July 7 Sept 8 Nov 4 STRATEGY Cyber and IT Security Framework/device security Cloud Security Strategy (including device security) KEY ACTIVITIES Framework and End-state Service Strategy Experience/Case Studies Risks/Success Factors To Be Determined Service Bundles and Delivery Model Enterprise Procurement Meetings Demos Written submissions Formal Industry Engagement Licensing Models and Solutions Functional Direction 5

6 Background: AFAC Engagement History Previous AFAC Engagements SSC initially set context on cyber and IT security programs and received feedback from members on: SSC Security Framework (Prevention, Detection, Response, Recovery) GC device security approach Overall procurement strategy SSC Alignment Integrated ICT industry advice by: including feedback in last version of the SSC Security Framework presented to IT Infrastructure Roundtable on October 7, 2014; moving from independent service silos (network and device security) to holistic GC Cloud Security ; and separating procurement activities to better support program requirements. 6

7 SSC Security Framework: Cyber and IT Security Functions PREVENTION DETECTION DETECTION RESPONSE RESPONSE RECOVERY RECOVERY Trusted infrastructure products and services through supply chain integrity Cyber and IT security (including privacy) policies and standards Security awareness and training Infrastructure protection services Data protection services Identity, Credentials and Access Management services Secret infrastructure services Business continuity and emergency management Coordination of GC-wide monitoring, detection, identification, prioritization and reporting of IT security incidents Automated, real-time threat monitoring, security information and event management and analysis Log analysis and investigations Security and privacy assessments Vulnerability assessments GC-wide coordination and remediation of IT security incidents Threat assessment and situational reporting Coordination and distribution of GC product alerts, warnings and advisories Forensics Software integrity through security configuration or replacement Infrastructure integrity through configuration or replacement Highly specialized IT security incident recovery services Mitigation advice and guidance Vulnerability remediation Post-incident analysis SECURITY MANAGEMENT Governance Innovation Engagement Risk Management 7

8 Security Principles Trusted equipment and services through supply chain integrity Security and privacy by design to ensure that all aspects of security are addressed as part of design, balancing service, security and savings Gradual enhancement from a network-based security model to include application and data-centric security apply security controls as close to the data as practical Privileged access to data will be maintained and multi-tenancy will be built into systems where sensitive data owned by one partner cannot be seen by another partner or by unauthorized individuals Security breaches in one part of the infrastructure are quickly detected and contained without spreading to other parts of the infrastructure Maintain and improve the security posture as part of moving to enterprise services (i.e. don t reduce security) Security life-cycle management with multiple vendors strategy 8

9 Technical Security Services Within a Domain Uncontrolled Domain GC Perimeter Vendor 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Outsourced Domain Private Cloud LAN 1. Infrastructure Protection Services 2. Data Protection Services 5. ICAM End User Workplace Technology Devices Telecom Domain Distributed Computing Environment Domain 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Data Centre 1 Data Centre n 1. Infrastructure Protection Services 2. Data Protection Services 3. Privilege Management Services Data Centre Domain 4. Security Monitoring and Security Management Services Government of Canada Domain Unclassified / Protected A / Protected B 9

10 Technical Security Services: Subservices Infrastructure protection services Data protection services Privilege management services Security monitoring services Perimeter/border defence services Intrusion detection and prevention services Wired/wireless protection services Content management services Anti-virus/malware services End point management service Data encryption (in storage and in transit) Encryption keys and their management Identity reconciliation service Authorization services Authentication and credential services Privileges usage management services Event logging and auditing services Incident management services Compliance, threat and vulnerability assessment services Identity Credential Access Management (ICAM) Identity management Align and assist in GC ICAM delivery 10

11 SSC Procurement Activities The GC cloud spans facilities, already collaborating with industry Strategy for GC Cloud Leverage existing and upcoming SSC procurement activities Data Centre Server and Storage Infrastructure Network Solutions Supply Chain Workplace Technology Devices (TBD) Creation of distinct activities for remaining cloud security services: Security monitoring and security management (TBD) Data protection services (TBD) GC ICAM Release 1 (TBD) 11

12 Questions 1. Is SSC s approach for the proposed Security Framework and Cloud Security Strategy positioned for success? 2. Will the proposed principles contribute to continuous improvement of security services? 3. Will the proposed and upcoming procurement strategies allow SSC to maintain momentum of security transformation? 12

13 Next Steps Elaborate and define the functions as part of SSC s enterprise services Develop service strategies and a multi-year roadmap toward the implementation of the enterprise services Develop associated organizational roles and responsibilities and costing framework 13

14 Questions 14