Enabling Secure #GCDigital: A Continuous Security Approach

UNCLASSIFIED / NON CLASSIFIÉ

Enabling Secure #GCDigital
A Continuous Security Approach

Presentation by Po Tea-Duncan, A/Executive Director, Cyber Security Division, Office of the Chief Information Officer, Government of Canada

Treasury Board of Canada Secretariat / Secrétariat du Conseil du Trésor du Canada

1 The Context
2 The Cyber Security Landscape
3 Continuous Security
4 Digital Identity

The Context

Laying the digital foundation

  • Government of Canada's Digital Vision
  • Policy on Service and Digital
  • Digital Operations Strategic Plan

“The new Policy on Service and Digital sets the foundation for the future of digital government in Canada. We’re doing the hard work behind the scenes to set in place the conditions for truly client-centered service design and delivery, and to deliver better services to Canadians.”
The Honorable Joyce Murray, Minister of Digital Government (2 August 2019)

DIGITAL STANDARDS

  • Design with users
  • Iterate and improve frequently
  • Work in the open by default
  • Use open standards and solutions
  • Address security and privacy risks
  • Build in accessibility from the start
  • Empower staff to deliver better services
  • Be good data stewards
  • Design ethical services
  • Collaborate widely

Building a vision for delivering services that are secure, accessible and easy to use

Transform
Transform how government does business by:
  • Managing and protecting data and information
  • Being open and transparent
  • Leveraging new technology to improve operations and service delivery

Consolidate
Consolidate several existing policy instruments into a single set of rules and guidelines for the integrated management of:
  • Service delivery
  • Information and data
  • Technology and cyber security

Maintain pace with change
Enables the Government of Canada to maintain pace with change in the digital era through the responsible use of delegated authorities

Treasury Board Policy Framework

The IT security control under the Policy on Government Security is operationalized under the Policy on Service and Digital.

Policy on Government Security
Directive on Security Management:
  • Security Screening Control
  • Information Technology Security Control
  • Physical Security Control
  • Business Continuity Management Control
  • Information Management Security Control
  • Security in Contracts and Other Arrangements Control
  • Security Event Management Control
  • Security Awareness and Training Control

Policy on Service and Digital
  • Service
  • Information and Data
  • Information Technology
  • Cyber Security
  • Accessibility
  • Privacy
  • Official Languages

Working together to improve cyber security

  • Shared Services Canada / Services partagés Canada
  • Communications Security Establishment / Centre de la sécurité des télécommunications
  • Treasury Board of Canada Secretariat / Secrétariat du Conseil du Trésor du Canada

Key Stakeholders

  • NATIONAL (Public Safety, CSIS, CSE, RCMP, PCO): Federal government departments with responsibilities for national cyber security
  • SPECIALIZED (DND, GAC, ISED, PSPC, DRDC, CRTC): Federal government departments with specialized responsibilities for cyber security
  • GOVERNMENT-WIDE (TBS, CSE/CCCS, SSC): Federal government departments with responsibilities for government-wide cyber security
  • DEPARTMENTAL (All departments and agencies): Federal government departments remain responsible for their departmental cyber security

Cyber Security is a Shared Responsibility

TBS, the Canadian Centre for Cyber Security as an agency under CSE, and SSC combine to form the GC IT Security Tripartite, established to develop and maintain a coordinated and collaborative approach to enterprise IT Security

GC Cyber Security Management Process

Goal: Maintain visibility of enterprise cyberthreat and risk environment through continuous monitoring and ensuring the effective management of GC cyber security events

GC Situational Awareness
Reporting and Communications

  • IDENTIFY: Identify and manage security risks
  • PROTECT: Implement measures to reduce security risks
  • DETECT: Detect and understand cyber security events
  • RESPOND: Responding to cyber security incidents
  • RECOVER: Recover from cyber security incidents

The Cyber Security Landscape

National Cyber Threat Assessment 2020: An Evolving Threat Landscape

Today…
The “Castle and Moat” Approach to Securing the Enterprise
“Anywhere, Anytime Access”

User Needs Security versus User Expectations
Users will find a way…

Continuous Security

Pillars for Securing #GCDigital

  • Policy
  • People
  • Process
  • Technology

Evolving the security paradigm

Zero Trust

  • Users: Identification and authentication, least privilege access, two-factor authentication
  • Devices: User device identification and verification, user device management
  • Networks: Segmentation and control of network devices and infrastructure
  • Applications: Protection of assets including applications and services
  • Monitoring: Ongoing automated security event management and user behaviour analysis; real-time correlation, threat assessment and response
  • Data

Build-in security. Shift left.

Case Study: Tracker 2.0

  ✓ Collaborative effort between TBS and CCCS
  ✓ Agile delivery
  ✓ Continuous integration/continuous deployment (CI/CD)
  ✓ Security by design
  ✓ Work in the open - https://github.com/canada-ca/tracker
  ✓ Hosted in cloud
  ✓ Leverages open source software and tools

Digital Identity

Canada’s Digital Identity Vision: You only have to sign in once to deal with government

[Diagram labels: SIGN IN CANADA; Trusted; Pan-Canadian Trust Framework; Credential Broker Service (Banking); GCKey; Legacy GC Credentials]

The Government of Canada is enabling a digital identity ecosystem for the nation to:
  • be leveraged by all GC departments and agencies, other jurisdictions in Canada (provinces, territories, municipalities) and Canadian partners (private sector & other countries)
  • deliver services and issue digital identities to Canadians so they can access services seamlessly, anytime, anywhere and on any device.

Guiding Principles

  • Canadians at the heart of the service
  • One front door, no wrong door
  • Secure and Trusted
  • No one left behind
  • Respect jurisdictional and program accountability
  • Build one ecosystem for the benefit of all
  • Iterative, adaptive, and modular

Establishing Trust

The Pan-Canadian Trust Framework (PCTF) is
  • A model that consists of a set of agreed-on concepts, definitions, processes, conformance criteria, and an assessment approach to enable trust.
  • A framework that relates and applies existing standards, policies, guidelines, and practices, and where such standards and policies do not exist, specifies additional criteria.
  • Facilitates a common approach between the public sector and the private sector.

Case Study: Trusted Digital Identity Pilots

Key Takeaways

  • Security as a business enabler
  • Address security and privacy risks from the outset
  • Design services that are resilient
  • Apply a defence-in-depth, layered security approach
  • Collaborate & communicate

THANK YOU!

Contact us
[email protected]
