Annex B: Data Security

Overview

The primary purpose of the Data Security (DAT) Enterprise Security Focus Area (ESFA) is to enable protection of data/information throughout the GC enterprise, and beyond. As the GC moves towards a data-centric, or information-centric approach to securing GC data, this part of the architecture becomes the centre piece of securing data as it flows between GC components, is stored and processed internally and externally (e.g., commercial cloud services), and is shared outside the confines of the GC enterprise with contractors, foreign governments, and other external organizations. The adoption of data-centric solutions allows the notion of zones and enclaves to fade as the description and protection of data are embedded in data objects themselves and processed on secure EUDs.

The goal of the DAT ESFA is to identify the architectural elements that will allow the GC enterprise to adopt a “protect the data” strategy as the enterprise evolves in the future. To meet this goal, GC enterprise data must be:

• Self-describing to provide meaning and interpretation instructions to humans and machines;

• Self-defending to protect at the data level without dependence on a device, OS, application, or network;

• Protected as it changes between unstructured forms and structured forms, business contexts, and moves in and out of applications;

• Protected consistently throughout the enterprise and the data lifecycle.

Components

The components within the DAT ESFA are shown in the image below and summarized in a table in the ESADD Annex B: Data Security (DAT) document. The list of example technologies for each component contains examples of the types of technical solutions that embody the functions of that component.

Context

The image below shows the context of Data Security (DAT) within the context of the GC enterprise. As shown, DAT interacts with most of the ESFAs as well as several of the external entities. Please read the ESADD Annex B: Data Security (DAT) document for descriptions of the various GC Enterprise External Entities (i.e. external business services, commercial application provider, etc.

A table further exploring the nature of each interface and the security considerations associated with each interfacing element and DAT can be found in the ESADD Annex B: Data Security (DAT) document.

For more information on Data Security, please read the ESADD Annex B: Data Security (DAT) document.

Perspectives

This section describes the DAT functions in more detail, including current technology, trends in the industry around DAT functions, the data lifecycle, and risks to GC enterprise data to set the stage for the required security functionality.

For more information about this, please read the following sections which can be expanded by clicking on 'Expand' on the far right.

Data Security (DAT) Target Security Architecture

The GC is transforming the GC Enterprise information technology infrastructure to lower costs, serve the user community, and increase security through consistency and consolidation. To achieve this goal, the GC is driving several initiatives relevant to the Data Security ESFA including:

• Data centre, network, and services consolidation
• Common categorization and classification guidance
• Moving from net-centric to information-centric security
• Implementing enterprise level controls, including the prevention of the unauthorized use and release of sensitive information

As discussed in the Data Security Perspectives section, there are several mechanisms and technologies emerging to aid in these initiatives. This section looks at the trends in the industry and presents a target GC Enterprise based on an information-centric security view.

The key elements of the DAT target architecture are driven by the information-centric features of self-describing, self-defending data. In the target architecture, self-describing data means metadata is securely associated with all data objects in the enterprise. The metadata completely describes each data object, including:

• Description: Data sensitivity level, keywords and tags, how to use the data, contact information
• Provenance: Who created the data, when it was created, where it was created, how it was created, who modified the data, when it was modified, who accessed the data
• Rights: Who can access the data, what can be done with the data

The metadata is securely bound to the data object and is used by endpoints to discover data objects in the enterprise, enforce data usage rights and security policies, and establish the level of trust to place in the data.

The goal of self-defending data is to sever the tie between data security and the platform or network hosting the data. This allows the data to move outside the bounds of a network enclave or zone, yet maintain strict access controls to prevent unauthorized access to the data. In the target DAT architecture, this type of data protection is implemented with encryption. The encryption strength is based on the sensitivity level of the protected data. The encryption mechanism supports multiple sensitivities within a single data object by encrypting information at different sensitivity levels with different keys. Self-defending data objects are discussed in more detail in the ESADD Annex B: Data Security (DAT) document.

The adoption of information-centric solutions allows the notion of zones and enclaves to fade as the description and protection of the data objects are embedded in the data objects themselves and processed on secure endpoints. The target architecture for DAT is shown in the image on the right. Refer to the ESA Architectural Components section of the ESADD Annex B: Data Security (DAT) document for detailed descriptions of the components depicted in the image on the right.

The data and services aspects of the GC Enterprise are fully collapsed from an infrastructure perspective. The interface to the public domain and the management functions of the OPS ESFA are still shown as independent zones. The management functions reside in a restricted zone to orchestrate the GC Core Network and Private Cloud and maintain an enterprise-wide view. The public access zone is kept separate, as the GC has no control over the adoption of trusted endpoints by the general population.

In order to implement an end-to-end, information-centric information system, several enabling technologies are required to realize the vision:

1. Updated application, OS, middleware, etc. that support the trusted path and the specialized processing of self-describing, self-defending data objects,
2. High trust endpoints suitable for accessing sensitive information, potentially at multiple security levels,
3. Centralized management, yet allow limited disconnected operations,
4. Trained users and automated processes to apply metadata, rights management, and provenance records to data objects,
5. Scalability to support all users and partners of the enterprise.

The target architecture is a goal that will take many years to achieve. The rest of this section covers a notional set of steps to show transition states on the way to information-centric security. The likely stasis point for the GC Enterprise is a combination of information-centric and net-centric solution, because, even with an enterprise-wide information-centric deployment, the need for highly secure enclaves may persist.

For more information on the DAT target security architecture, please read the ESADD Annex B: Data Security (DAT) document.

ESADD Annex B: Data Security (DAT) Pattern Diagrams

For the Pattern Diagrams for Data Security (DAT) from the ESADD Annex B: Data Security (DAT) document, please visit the ESA Pattern Diagram Repository.

List of ESADD Annex B Pattern Diagrams

• Pattern PN-DAT-001 Monitor File Activity

• Pattern PN-DAT-003 Create Protected Data Object

References

• ESADD Annex B: Data Security (DAT)
• GC ESA Description Document Main Body
• ESA Pattern Diagram Repository
• Network and Communications ESFA