Security Alberta Tim McCreight, CISO – Government of Alberta Moderator: Moderator: Illena Armstrong, editor-in-chief,

SC Magazine

WARNING

This Speaker may contain coarse language, personal opinions and occasional scenes of

nudity and is rated for adult audiences.

Viewer discretion is advised.

Outline

• Quick Intro• The past…• …meets the Auditors• Issues & Threats• Progress made• Looking ahead• Q&A

Quick Intro

• Almost 30 years in Information Systems, Physical and IT security

• Certifications in both Physical and IT Security…

• Audit experience, too!• Interesting

combination…

The Past

The Past – con’t

• Each division responsible for security

• Each area spent based on their perception of risk…

• Some areas mature, others – not

• Not conducive to sharing…

Meets the Auditors

Meets the Auditors

• OAG Report in 2008 identified major issues:– Identified flaws in the

federated model for IT Security

– Individual departments not following one central approach

– No overall area responsible for security

Issues and Threats

Issues and Threats – con’t

• Coordinating across multiple divisions

• Budget• Resources• Moving to web-centric

services:– Citizen’s portal– Identity & Access

Management– Reliance on Social

Media

• Increased scrutiny from public, etc.

• Malware and blended threats

• Mix of new/old technologies

• Coordinating with multiple service providers…

Progress Made

Progress Made – con’t

• Created Directives:– Based on ISO– Endorsed by Sr.

Management– Identified “rules of the road”

for IS Security

• Created central monitoring and surveillance program

• Developed forensic examination capabilities

• Sought industry-leading Managed Security Services

• Began reaching out to other security/risk groups

• Focused on enforcement• Began cleanup of ID’s,

privileges and access control

• Linked with Corporate Architecture

Progress Made – con’t

• Focused on education:– Online eLearning

course– Online brochure

• Got a seat at the table for:– Social Media policy– Overarching Security

Policy

Looking Ahead

Looking Ahead – con’t

• Goal: protect the data/core:– Never win the endpoint security game– User behavior still an issue…

• How to achieve this state:– Virtualization– Enhanced Security Operations Centre (SOC)– BYOC– Intelligent traffic scanning

Embracing Virtualization

• Move toward this cautiously..

• Focus on removing the endpoint issues:– Locked down session– Roles based control– Forced path to apps– Use technology to

meet business requirements

Enhanced SOC

• Integrate SOC into all IT components:– MSS– Network

• Boundary• Internal

– Wireless– Virtual environment

• Desktops• Servers

– Physical systems

BYOC

• What if we didn’t care what you used to:– Access email– Connect to applications– Generally, work!

• Bring Your Own Computer!

• Secure, virtual containers• App store…• RBAC/fine-grained

control• No data left behind…

Intelligent Traffic Scanning

• A virtual world has challenges:– Tough to prove segregation

• Need to build Defense in Depth:– Escalating trust levels– Finite access control– More mgmt

scanning/logging– Scanning active/dormant

VM’s– Monitor, authenticate and

authorize…

Questions?

Thank You!

Tim McCreight, CISSP CPP CISA

Chief Information Security Officer

Government of Alberta

tim.mccreight@gov.ab.ca