UNCLASSIFIED / NON CLASSIFIÉ

Enabling Secure #GCDigital: A Continuous Security Approach

Presentation by Po Tea-Duncan, A/Executive Director, Cyber Security Division, Office of the Chief Information Officer

Treasury Board of Canada Secretariat / Secrétariat du Conseil du Trésor du Canada

1 The Context

2 The Cyber Security Landscape

3 Continuous Security

4 Digital Identity

The Context

Laying the digital foundation

• Government of Canada's Digital Vision
• Policy on Service and Digital
• Digital Operations Strategic Plan

“The new Policy on Service and Digital sets the foundation for the future of digital government in Canada. We’re doing the hard work behind the scenes to set in place the conditions for truly client-centered service design and delivery, and to deliver better services to Canadians.” The Honorable , Minister of Digital Government (2 August 2019)

DIGITAL STANDARDS

• Design with users
• Iterate and improve frequently
• Work in the open by default
• Use open standards and solutions
• Address security and privacy risks
• Build in accessibility from the start
• Empower staff to deliver better services
• Be good data stewards
• Design ethical services
• Collaborate widely

Building a vision for delivering services that are secure, accessible and easy to use

Transform

Transform how government does business by:
• Managing and protecting data and information
• Being open and transparent
• Leveraging new technology to improve operations and service delivery

Consolidate

Consolidate several existing policy instruments into a single set of rules and guidelines for the integrated management of:
• Service delivery
• Information and data
• Technology and cyber security

Maintain pace with change

Enables the Government of Canada to maintain pace with change in the digital era through the responsible use of delegated authorities

Treasury Board Policy Framework

The IT security control under the Policy on Government Security is operationalized under the Policy on Service and Digital.

Policy on Government Security

Directive on Security Management:
• Security Screening Control
• Information Technology Security Control
• Physical Security Control
• Business Continuity Management Control
• Information Management Security Control
• Security in Contracts and Other Arrangements Control
• Security Event Management Control
• Security Awareness and Training Control

Policy on Service and Digital

• Service
• Information and Data
• Information Technology
• Cyber Security
• Accessibility
• Privacy
• Official Languages

Working together to improve cyber security

Shared Services Canada, Communications Security Establishment, Treasury Board of Canada Secretariat

Key Stakeholders

Categories: NATIONAL, SPECIALIZED, GOVERNMENT-WIDE, DEPARTMENTAL

Organizations: Public Safety, DND, GAC, ISED, TBS, All departments and agencies, CSIS, CSE, PSPC, DRDC, CSE/CCCS, RCMP, PCO, CRTC, SSC

• NATIONAL: Federal government departments with responsibilities for national cyber security
• SPECIALIZED: Federal government departments with specialized responsibilities for cyber security
• GOVERNMENT-WIDE: Federal government departments with responsibilities for government-wide cyber security
• DEPARTMENTAL: Federal government departments remain responsible for their departmental cyber security

Cyber Security is a Shared Responsibility

TBS, the Canadian Centre for Cyber Security as an agency under CSE, and SSC combine to form the GC IT Security Tripartite, established to develop and maintain a coordinated and collaborative approach to enterprise IT Security


GC Cyber Security Management Process

Goal: Maintain visibility of enterprise cyberthreat and risk environment through continuous monitoring and ensuring the effective management of GC cyber security events

GC Situational Awareness

Reporting and Communications

• IDENTIFY: Identify and manage security risks
• PROTECT: Implement measures to reduce security risks
• DETECT: Detect and understand cyber security events
• RESPOND: Responding to cyber security incidents
• RECOVER: Recover from cyber security incidents

The Cyber Security Landscape

National Cyber Threat Assessment 2020: An Evolving Threat Landscape

Today…

The “Castle and Moat” Approach to Securing the Enterprise

“Anywhere, Anytime Access”

User Needs

Security versus User Expectations

Users will find a way…

Continuous Security

Pillars for Securing #GCDigital

Policy People Process Technology

Evolving the security paradigm

Zero Trust

• Users: Identification and authentication, least privilege access, two-factor authentication
• Devices: User device identification and verification, user device management
• Networks: Segmentation and control of network devices and infrastructure
• Applications: Protection of assets including applications and services
• Monitoring: Ongoing automated security event management and user behaviour analysis; real-time correlation, threat assessment and response

Data

Build-in security. Shift left.

Case Study: Tracker 2.0

✓ Collaborative effort between TBS and CCCS
✓ Agile delivery
✓ Continuous integration/continuous deployment (CI/CD)
✓ Security by design
✓ Work in the open - https://github.com/canada-ca/tracker
✓ Hosted in cloud
✓ Leverages open source software and tools

Digital Identity

Canada’s Digital Identity Vision: You only have to sign in once to deal with government

SIGN IN CANADA Trusted

Pan-Canadian Trust Framework

Credential Broker Service GCKey (Banking)

Legacy GC Credentials

The Government of Canada is enabling a digital identity ecosystem for the nation to:
• be leveraged by all GC departments and agencies, other jurisdictions in Canada (provinces, territories, municipalities) and Canadian partners (private sector & other countries)
• deliver services and issue digital identities to Canadians so they can access services seamlessly, anytime, anywhere and on any device.

Guiding Principles

• Canadians at the heart of the service
• One front door, no wrong door
• Secure and Trusted
• No one left behind
• Respect jurisdictional and program accountability
• Build one ecosystem for the benefit of all
• Iterative, adaptive, and modular

Establishing Trust

The Pan-Canadian Trust Framework (PCTF):
• Is a model that consists of a set of agreed-on concepts, definitions, processes, conformance criteria, and an assessment approach to enable trust.
• Is a framework that relates and applies existing standards, policies, guidelines, and practices, and where such standards and policies do not exist, specifies additional criteria.
• Facilitates a common approach between the public sector and the private sector.

Case Study: Trusted Digital Identity Pilots

Key Takeaways

Security as a business enabler

Address security and privacy risks from the outset

Design services that are resilient

Apply a defence-in-depth, layered security approach

Collaborate & communicate


THANK YOU! Contact us [email protected]
