UNCLASSIFIED / NON CLASSIFIÉ
Enabling Secure #GCDigital: A Continuous Security Approach
Presentation by Po Tea-Duncan, A/Executive Director, Cyber Security Division, Office of the Chief Information Officer, Government of Canada
Treasury Board of Canada Secretariat Secrétariat du Conseil du Trésor du Canada UNCLASSIFIED / NON CLASSIFIÉ
1 The Context
2 The Cyber Security Landscape
3 Continuous Security
4 Digital Identity
The Context
Laying the digital foundation
• Government of Canada's Digital Vision
• Policy on Service and Digital
• Digital Operations Strategic Plan
“The new Policy on Service and Digital sets the foundation for the future of digital government in Canada. We’re doing the hard work behind the scenes to set in place the conditions for truly client-centered service design and delivery, and to deliver better services to Canadians.” The Honorable Joyce Murray, Minister of Digital Government (2 August 2019)
DIGITAL STANDARDS
• Design with users
• Iterate and improve frequently
• Work in the open by default
• Use open standards and solutions
• Address security and privacy risks
• Build in accessibility from the start
• Empower staff to deliver better services
• Be good data stewards
• Design ethical services
• Collaborate widely
Building a vision for delivering services that are secure, accessible and easy to use
Transform
Transform how government does business by:
• Managing and protecting data and information
• Being open and transparent
• Leveraging new technology to improve operations and service delivery
Consolidate
Consolidate several existing policy instruments into a single set of rules and guidelines for the integrated management of:
• Service delivery
• Information and data
• Technology and cyber security
Maintain pace with change
Enables the Government of Canada to maintain pace with change in the digital era through the responsible use of delegated authorities
Treasury Board Policy Framework
The IT security control under the Policy on Government Security is operationalized under the Policy on Service and Digital.
Policy on Government Security, Directive on Security Management:
• Security Screening Control
• Information Technology Security Control
• Physical Security Control
• Business Continuity Management Control
• Information Management Security Control
• Security in Contracts and Other Arrangements Control
• Security Event Management Control
• Security Awareness and Training Control
Policy on Service and Digital, Directive:
• Service
• Information and Data
• Information Technology
• Cyber Security
• Accessibility
• Privacy
• Official Languages
Working together to improve cyber security
Shared Services Canada, Communications Security Establishment, Treasury Board of Canada Secretariat
Key Stakeholders
NATIONAL: Public Safety, CSIS, CSE, RCMP, PCO. Federal government departments with responsibilities for national cyber security
SPECIALIZED: DND, GAC, ISED, PSPC, DRDC, CRTC. Federal government departments with specialized responsibilities for cyber security
GOVERNMENT-WIDE: TBS, CSE/CCCS, SSC. Federal government departments with responsibilities for government-wide cyber security
DEPARTMENTAL: All departments and agencies. Federal government departments remain responsible for their departmental cyber security
Cyber Security is a Shared Responsibility
TBS, the Canadian Centre for Cyber Security as an agency under CSE, and SSC combine to form the GC IT Security Tripartite, established to develop and maintain a coordinated and collaborative approach to enterprise IT Security.
GC Cyber Security Management Process
Goal: Maintain visibility of enterprise cyberthreat and risk environment through continuous monitoring and ensuring the effective management of GC cyber security events
GC Situational Awareness
Reporting and Communications
IDENTIFY
• Identify and manage security risks
PROTECT
• Implement measures to reduce security risks
DETECT
• Detect and understand cyber security events
RESPOND
• Responding to cyber security incidents
RECOVER
• Recover from cyber security incidents
The Cyber Security Landscape
National Cyber Threat Assessment 2020: An Evolving Threat Landscape
Today…
The “Castle and Moat” Approach to Securing the Enterprise
“Anywhere, Anytime Access”
User Needs
Security versus User Expectations
Users will find a way…
Continuous Security
Pillars for Securing #GCDigital
Policy People Process Technology
Evolving the security paradigm
Zero Trust
Users: Identification and authentication, least privilege access, two-factor authentication
Devices: User device identification and verification, user device management
Networks: Segmentation and control of network devices and infrastructure
Applications: Protection of assets including applications and services
Monitoring: Ongoing automated security event management and user behaviour analysis; real-time correlation, threat assessment and response
Data
Build-in security. Shift left.
Case Study: Tracker 2.0
✓ Collaborative effort between TBS and CCCS
✓ Agile delivery
✓ Continuous integration/continuous deployment (CI/CD)
✓ Security by design
✓ Work in the open - https://github.com/canada-ca/tracker
✓ Hosted in cloud
✓ Leverages open source software and tools
Digital Identity
Canada’s Digital Identity Vision: You only have to sign in once to deal with government
SIGN IN CANADA Trusted
Pan-Canadian Trust Framework
Credential Broker Service GCKey (Banking)
Legacy GC Credentials
The Government of Canada is enabling a digital identity ecosystem for the nation to:
• be leveraged by all GC departments and agencies, other jurisdictions in Canada (provinces, territories, municipalities) and Canadian partners (private sector & other countries)
• deliver services and issue digital identities to Canadians so they can access services seamlessly, anytime, anywhere and on any device.
Guiding Principles
• Canadians at the heart of the service
• One front door, no wrong door
• Secure and Trusted
• No one left behind
• Respect jurisdictional and program accountability
• Build one ecosystem for the benefit of all
• Iterative, adaptive, and modular
Establishing Trust
The Pan-Canadian Trust Framework (PCTF):
• Is a model that consists of a set of agreed-on concepts, definitions, processes, conformance criteria, and an assessment approach to enable trust.
• Is a framework that relates and applies existing standards, policies, guidelines, and practices, and where such standards and policies do not exist, specifies additional criteria.
• Facilitates a common approach between the public sector and the private sector.
Case Study: Trusted Digital Identity Pilots
Key Takeaways
Security as a business enabler
Address security and privacy risks from the outset
Design services that are resilient
Apply a defence-in-depth, layered security approach
Collaborate & communicate
THANK YOU! Contact us [email protected]