Changes

               <th>[[Technology_Trends|Technology Trends]]</th>

               <th>[[Technology_Trends|Technology Trends]]</th>

               <th> / </th>

               <th> / </th>

               <th>Blockchain</th>

               <th>Data Leak Prevention</th>

             </tr>

             </tr>

           </table>

           </table>

               <th>[[Tendances_Technologiques|Tendances Technologiques]]</th>

               <th>[[Tendances_Technologiques|Tendances Technologiques]]</th>

               <th> / </th>

               <th> / </th>

               <th>[[Tendances_Technologiques/Chaîne_de_Blocs|Chaîne de Blocs]]</th>

               <th>[[Tendances_Technologiques/Prevention_des_fuites_de_donnees|Prévention des Fuites de Données]]</th>

             </tr>

             </tr>

           </table>

           </table>

         </th>

         </th>

       </tr>

       </tr>

       <tr><td colspan="2" class="logo">[[File:Blockchain_logo.png|200px]]</td></tr>

       <tr><td colspan="2" class="logo">[[File:Data_Leak_Prevention_logo.png|200px]]</td></tr>

       <tr>

       <tr>

         <th>Status</th>

         <th>Status</th>

       <tr>

       <tr>

         <th>Initial release</th>

         <th>Initial release</th>

         <td>May 23, 2019</td>

         <td>August 6, 2019</td>

       </tr>

       </tr>

       <tr>

       <tr>

         <th>Latest version</th>

         <th>Latest version</th>

         <td>May 23, 2019</td>

         <td>February 3, 2020</td>

       </tr>

       </tr>

       <tr>

       <tr>

         <th>Official publication</th>

         <th>Official publication</th>

         <td>[[Media:EN_-_Technology_Trends_-_Blockchain.pdf|Blockchain.pdf]]</td>

         <td>[[Media:EN_-_Technology_Trends_-_Data_Leak_Prevention.pdf|Data Leak Prevention.pdf]]</td>

       </tr>

       </tr>

       <tr><td colspan="2" class="disclaimer"><table><tr>

       <tr><td colspan="2" class="disclaimer"><table><tr>

   <p>The Government of Canada (GC) has a responsibility to protect not only its data and IT assets but also that of its citizens and the data collected on or about them. Despite this, the GC itself is not free from experiencing data leaks. For example, the Canadian Revenue Agency (CRA) reported 3,763 data breaches in 2013, including incidents where taxpayer’s information were lost, compromised, or accidentally released. In order to prevent such occurrences, as well as those on both smaller and larger scales, there are various DLP protocols in place throughout the GC. Currently, DLP operations are run independently in each department. However, this is in concurrence with federal supporting policies and procedures, some of which also extend to industry.</p>

   <p>The Government of Canada (GC) has a responsibility to protect not only its data and IT assets but also that of its citizens and the data collected on or about them. Despite this, the GC itself is not free from experiencing data leaks. For example, the Canadian Revenue Agency (CRA) reported 3,763 data breaches in 2013, including incidents where taxpayer’s information were lost, compromised, or accidentally released. In order to prevent such occurrences, as well as those on both smaller and larger scales, there are various DLP protocols in place throughout the GC. Currently, DLP operations are run independently in each department. However, this is in concurrence with federal supporting policies and procedures, some of which also extend to industry.</p>

   <p>As of November 1, 2018, private Canadian  businesses and industries, along with the health sector, which are subjected to [https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html The Personal Information Protection and Electronic Documents Act] (PIPEDA), are required to report all data breaches involving personal information that may harm an individual, hold a record of all data breaches, and notify the affected individuals. The goal of this act is to assure citizens have their personal information protected by appropriate safeguards in accordance to their right to access their personal information. Similarly, the federal Privacy Act stipulates how GC departments can share and provide access to personal information on or about individual Canadian citizens and also mandates reporting of security breaches involving this data.</p>  

   <p>As of November 1, 2018, private Canadian  businesses and industries, along with the health sector, which are subjected to [https://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html The Personal Information Protection and Electronic Documents Act] (PIPEDA), are required to report all data breaches involving personal information that may harm an individual, hold a record of all data breaches, and notify the affected individuals. The goal of this act is to assure citizens have their personal information protected by appropriate safeguards in accordance to their right to access their personal information. Similarly, the federal [https://laws-lois.justice.gc.ca/eng/acts/P-21/ Privacy Act] stipulates how GC departments can share and provide access to personal information on or about individual Canadian citizens and also mandates reporting of security breaches involving this data.</p>  

   <p>Since the GC relies extensively on IT to provide its services, the Operational Security Standard from Management of Information Technology Security (MITS) as well as the Operational Security Standard – Business Continuity (BCP) Program defines a baseline of security requirements which federal departments and agencies must fulfill to ensure the security of information are under their control. Those prevention safeguards include incorporating identification and authentication in all networks and systems, authorization and access control to restrict accessibility on a “need to know” basis, proper cryptographic and encryption protocols, and emanations security methods such as TEMPEST. In the event of a data breach, the Policy on Government Security (PGS) establishes a mechanism to coordinate the response and recovery. Since the data breaches are primarily caused by people, the Canadian Centre for Cyber Security offers up-to-date publications as part of an awareness campaign.</p>

   <p>Since the GC relies extensively on IT to provide its services, the Operational Security Standard from [http://publications.gc.ca/site/archivee-archived.html?url=http://publications.gc.ca/collections/collection_2018/sct-tbs/BT39-20-2004-eng.pdf Management of Information Technology Security (MITS)] as well as the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=12324 Operational Security Standard – Business Continuity (BCP) Program] defines a baseline of security requirements which federal departments and agencies must fulfill to ensure the security of information are under their control. Those prevention safeguards include incorporating identification and authentication in all networks and systems, authorization and access control to restrict accessibility on a “need to know” basis, proper cryptographic and encryption protocols, and emanations security methods such as TEMPEST. In the event of a data breach, the [https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=16578 Policy on Government Security (PGS)] establishes a mechanism to coordinate the response and recovery. Since the data breaches are primarily caused by people, the Canadian Centre for Cyber Security offers up-to-date publications as part of an awareness campaign.</p>

   <p class="expand mw-collapsible-content">The Government of Canada’s Cloud Adoption Strategy, as well as the Strategic Plan for Information Management and Information Technology 2017 to 2021 outlines a move towards increasing the use of cloud services for data storage and processing. Outsourcing to private clouds presents a certain level of risk if vendors are not vigilant against cyberattacks or if malicious themselves. The GC has developed various strategies, guidelines and best practices in order to mitigate the risks around cloud and Cloud Service Providers (CSPs). For example, the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice outlines measures such as third-party independent assurances, encryption and cryptographic algorithm, and vulnerability alerts, amongst others, as part of its attempt to minimize risk and heighten data loss prevention.</p>

   <p class="expand mw-collapsible-content">[https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services/government-canada-cloud-adoption-strategy.html The Government of Canada’s Cloud Adoption Strategy], as well as the [https://www.canada.ca/en/treasury-board-secretariat/services/information-technology/strategic-plan-2017-2021.html Strategic Plan for Information Management and Information Technology 2017 to 2021] outlines a move towards increasing the use of cloud services for data storage and processing. Outsourcing to private clouds presents a certain level of risk if vendors are not vigilant against cyberattacks or if malicious themselves. The GC has developed various strategies, guidelines and best practices in order to mitigate the risks around cloud and Cloud Service Providers (CSPs). For example, the [https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/direction-secure-use-commercial-cloud-services-spin.html Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice] outlines measures such as third-party independent assurances, encryption and cryptographic algorithm, and vulnerability alerts, amongst others, as part of its attempt to minimize risk and heighten data loss prevention.</p>

   <p class="expand mw-collapsible-content">As with other nations, creating an open, collaborative, and accessible government is of prime importance to the Government of Canada. As described in the Digital Operations and Strategic Plan (DOSP), it holds that sharing data and information with Canadians and businesses with help to grow the economy and allow for more active participation in public life. Open portals and open information can present a more open possibility of breaches and attacks, however. Therefore, moves towards open government must involve DLP controls. Making data and information more open has inherent risks – it exposes networks, systems, devices and data, including personal information, to accidental or malicious breaches. As such, robust IT security protocols in the GC are of paramount importance. A layered security approach, such as the use of trusted access, protected assets, secure protocols by default and continuous monitoring are already in effect and will continue to be implemented in the GC.</p>

   <p class="expand mw-collapsible-content">As with other nations, creating an open, collaborative, and accessible government is of prime importance to the Government of Canada. As described in the [https://www.canada.ca/en/government/system/digital-government/digital-operations-strategic-plan-2018-2022.html#ToC8 Digital Operations and Strategic Plan (DOSP)], it holds that sharing data and information with Canadians and businesses with help to grow the economy and allow for more active participation in public life. Open portals and open information can present a more open possibility of breaches and attacks, however. Therefore, moves towards open government must involve DLP controls. Making data and information more open has inherent risks – it exposes networks, systems, devices and data, including personal information, to accidental or malicious breaches. As such, robust IT security protocols in the GC are of paramount importance. A layered security approach, such as the use of trusted access, protected assets, secure protocols by default and continuous monitoring are already in effect and will continue to be implemented in the GC.</p>

   <h2>Implications for Government Agencies</h2>

   <h2>Implications for Government Agencies</h2>

   <h3>Shared Services Canada (SSC)</h3>

   <h3>Shared Services Canada (SSC)</h3>

   <h4>Value Proposition</h4>

   <h4>Value Proposition</h4>

   <p>Blockchain offers a numbers of benefits to the Government of Canada, such as a reduction in costs and complexity, trusted record keeping and user-centric privacy control. It offers significant opportunities in terms of a single source for public records, support for multiple contributors and a technology ideal for multi-jurisdictional interactions. Due to its decentralized, collaborative nature, it potentially aligns well with policies and practices around Open Government, which aim to make Government services, data, and digital records more accessible to Canadians.</p>

   <p>The value proposition of DLP relates directly to SSC’s mandate to design and operate a secure IT infrastructure that protects GC data and technology assets. The primary business value in implementing a DLP strategy is the reduction of risks and impacts associated with data leaks. These incidents often affect an organization in the following aspects:</p>

   <p>By eliminating the duplication and reducing the need for intermediaries, blockchain technology could be used by SSC to speed-up aspects of service delivery. A challenge for SSC in terms of blockchain will be to identify which enterprise solutions emerge as leaders and how they deal with privacy, confidentiality, auditability, performance and scalability.</p>

   <ul>

    <li><b>Operational:</b> A data breach often causes an interruption of services until the investigation process is concluded – this can take weeks or months, costing an organization business or other resources in the meantime. DLP ensures redundancies are put in place to counteract important data losses, thereby avoiding cost to operational resources to remediate lost data. In 2015, SSC implemented the [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/policy-instruments/it/use-usb Directive on the Use of USB and Other External Storage Devices] to help manage these sorts of risks. All of SSC’s electronic assets have a DLP software-based tool that monitors the use of unauthorized devices on the network. This prevents removal of data from the SCC system or prevent infecting the system with any malware, viruses or other malicious entities. A second phase of SSC’s DLP program is in the planning stages and will monitor enterprise data in motion and at rest – this is already in place in terms of secret data, however.</li>

    <li><b>Reputational:</b> Data losses affect the reputation and damages the brand. Often, organizations will see a drop in their valuation, which results in potential loss of future revenue, their competitive advantage, and their market shares. Consequently, the consumer trust in the organization also experiences a decrease which can have large-scale ramifications in short and long-term revenues. Having a DLP solution helps disassociate the user’s concern for safety and builds clients’ trust.</li>

  </ul>

   <p class="expand mw-collapsible-content">Currently, a number of Government agencies are engaged in Blockchain in a number of ways. Maybe SSC could support the following departments in their initiatives to explore how Blockchain can help solve these issues:

   <h4>Challenges</h4>

  </p>

   <h4>Challenges</h4>

   <p>Integrating a DLP solution in the infrastructure is a complex undertaking, involving many components such as a database analyzer, an email system, a web proxy, etc. Adding to the complexity, data security and DLP initiatives face several difficulties as a result of the modern technological landscape. When it comes to integrating a DLP solution, there are several challenges and issues that are relevant to SSC:</p>

   <p class="expand mw-collapsible-content">There are weaknesses in terms of technological complexity, intensive computational and storage demands and a requirement for common software across all nodes. There are significant challenges particularly important within a governmental process. Truly digital assets with a single copy can be destroyed and a government network housing such assets would represent a very public target for malicious actors.<ref>Vallée, J.-C. L. (April 2018). <i>[Vallée, J.-C. L. (April 2018). <i>[https://www.conferenceboard.ca/temp/7dc77c07-7e5a-4be6-ad6d-7d1070f9ac20/9591_Cautious%20Optimism_BR.pdf Adopting Blockchain to Improve Canadian Government Digital Services].</i> Retrieved on 23 May 2019 Adopting Blockchain to Improve Canadian Government Digital Services].</i> Retrieved on 23 May 2019</ref></p>

    

    <li><b>Complex DLP integration:</b> Generally, enforcing DLP technologies is complex, varies depending on the organization’s network architecture, and requires to work across many components such as security, networking, infrastructure, email, web, endpoint, storage, databases. Deploying, configuring, and managing these DLP systems is also complicated. In order to fully protect an IT infrastructure, it is important to employ a holistic approach, however organizations often do not have a clear strategy toward DLP and balancing new ways of working.</li>

    <li><b>User Awareness and Engagement:</b> Organizations face several challenges of control over their employees’ actions. It’s common for employees to lack awareness, accountability and responsibility for their actions. Some training and awareness campaigns do not focus enough on protecting sensitive data and using security tools like file encryption. There is also a general sense that there is no risk involved in breaking the rules.</li>

  </ul>

   <p class="expand mw-collapsible-content">It is important to remember that Blockchain, while a technological innovation in transactional business and chain of digital custody, is not a single solution to transactional challenges facing the GC.</p>

   <p class="expand mw-collapsible-content">The following trends will continue to be a challenge for IT service providers in protecting data:</p>

   <p class="inline">The amount of time and energy required to maintain the blockchain and create new blocks is not small and this is a frequent criticism of the technology. Conventional database entry, such as using SQL, takes only milliseconds, compared to blockchain, which takes several minutes. Due to the length of time required as well as the need for multiple computers to verify the blocks, blockchains consume an enormous amount of energy.</p><p class="expand inline mw-collapsible-content"> However, as technology advances, the blockchain consensus process takes closer to three minutes with Ethereum, which is currently among the most advanced blockchains available.xxiii Even older blockchains, such as Bitcoin, are still faster than traditional financial transactions, such as the stock exchange, which can take days to be verified and finalized. Despite this, services or transactions that require rapid speed, may not be suitable for blockchain.</p>

   <ul class="expand mw-collapsible-content">

  <p class="inline-spacer"></p>

    <li><b>Emerging Consumerism:</b> The availability of computing devices and connectivity to the internet anywhere at any time has its benefits. Unfortunately, it facilitates the disclosure of personal or proprietary information by providing several exit points to the web. Policies like “Bring Your Own Device” (BYOD) are vulnerable to loss of physical assets such as laptops and end users may unintentionally spread confidential information through social media. </li>

  <p class="inline">There are also some concerns with respect to privacy. Since blockchain is built on the premise of decentralization and transparency, the data within the chain is technically available for anyone on the network, provided they have the computational power and knowledge to gain access. Instead of being identified on the network by name, users have encryption keys, which is a list of seemingly random numbers and letters.</p><p class="expand inline mw-collapsible-content"> While more private than a name or other demographic information, users could still be identified by their keys over time. Also, any data contained within a block that may have personal information that an individual wishes to keep private, such as medical records for example, may not be well suited for a blockchain as it will be transparent and visible to other users.<ref>Diedrich, H. (2016). <i>Ethereum: Blockchains, Digital Assets, Smart Contracts, Decentralized Autonomous Organizations.</i> Scotts Valley: CreateSpace Independent Publishing Platform.</ref></p>

    <li><b>Business Continuity and Disaster Recovery:</b> The technological climate forces organizations to have 24/7/365 system availability. Outages interrupting the continuity of IT services could cause financial and reputational loss.</li>

    <li><b>Persistence of Cybercrime:</b> Since data has real world value, cyberattacks are becoming more frequent and more sophisticated. While the majority of attacks are from external sources, The Verizon study estimates that 15% of the attacks involved insiders losing or stealing devices, transferring data to personal storage, etc.</li>

  </ul>

   <h4>Considerations</h4>

   <h4>Considerations</h4>

   <p>In a traditional transaction, all stakeholders have to keep a record of the transaction and in the case of a discrepancy, it was more difficult / costly to determine the accuracy of a record. As a result, Blockchain may offer significantly higher returns for each investment dollar spent than that of traditional internal investments. However, to doing so, it means collaborating with customers, citizens, suppliers and competitors in new ways.<ref>Treasury Board of Canada, Blockchain: Ideal Use Cases for the Government of Canada, 5. </ref></p>

   <p>As with any program or tool, it is necessary to align policies with controls. The GC already has various policies in place pertaining to IM/IT infrastructure, including the security of these resources and information. However, if an organization has policies in place that prohibit or monitor certain activities but a control is not yet in place, or completely absent, then data leak still poses a large risk to the organization. Security policies exist but departmental compliance and control implementation remains an issue.</p>

  <p>Although DLP protocols and controls have already been implemented into much of SSC’s IT infrastructure, there are some areas in which improvements should be considered. With government-wide strategies around “Open Government” and “cloud computing,” SSC will face increasing need to adapt DLP tools into these platforms as they evolve and expand.</p>

 

  <p class="expand mw-collapsible-content">Once aligned with policies, which may change and evolve as time goes on and technology advances, SSC must be prepared for its DLP controls to change with it. Leading experts in the area of DLP define DLP as a dynamic process, not an end-state. A robust DLP program is an opportunity to work with stakeholders and set the expectation that protocols should change and be adjusted over time. DLP must also be considered when the network architecture and tools change, SSC should evaluate how security checks are integrated into new projects.</p>

   <p class="inline">Further research is needed to understand the potential impacts that blockchain could have on SSC as a service provider as well on the usage amounts the GC would require. SSC should consider the identification of client areas where blockchain may be leveraged. It may be required that client departments self-identify spaces which could benefit from blockchain processes.</p><p class="expand inline mw-collapsible-content"> A challenge for SSC will be to identify which partner organizations and enterprise solutions require priority blockchain pilot projects as well as be able to identify departments that emerge as leaders and how they deal with privacy, confidentiality, auditability, performance and scalability.</p>

   <p>Furthermore, while SSC will play a main role in procuring DLP tools for departments and delivery these services, the protection of data requires a team effort. Collaboration in terms of monitoring, surveillance, and the granting of access to local or departmental networks and resources will be needed. Also, engaging stakeholders helps to identify vulnerabilities that may otherwise be missed. A mindset of collective responsibility is a best practice for ensuring the most effectiveness of DLP.</p>

   <p>Lastly, SSC and the GC should consider the capacity issues in resources, network capabilities, and time required to create and maintain blockchain networks on its own. Blockchain is not a pedestrian technology, it will require dedicated teams that are appropriately resourced and financed in order for the technology to be deployed as any other service. SSC may wish to consider looking for private sector companies that specialize in providing Blockchain as a Service (BaaS), and determine the risk and cost benefits of outsourcing this process altogether.</p>

   <p>One way of helping to achieve buy-in around DLP as an ongoing process, as well as creating a culture of collective responsibility, could be for SSC, along with its partner departments in the GC, to establish “Security Champions”. The GC has introduced a national champion, Mr. David Jean, the GC’s Champion of Security, to be the link between departmental security and national security interests, with respect to all forms of threats or safety issues, not only those related to cybersecurity. However, cyber-specific champions could also be introduced at a more local level and advance DLP “on the ground” as suggested in the [https://www.canada.ca/content/dam/ssc-spc/documents/IT-Transformation-Plan-Consultations-Report-2016.pdf Summer-Fall 2016 Consultations: Information technology Transformation Plan – What We Heard Final Report]. Such employees can help promote the importance of security protocols and behaviours, and can be an important part of the DLP framework.</p>

   <h2>Hype Cycle</h2>

   <p class="expand mw-collapsible-content">However, DLP tools and processes cannot work in isolation of systems and users. Without proper operationalization, DLP runs the risk of offering a false sense of security and merely becoming a risk generator. [http://myssc-monspc.ssc-spc.gc.ca/en/worktools-processes/integrated-business-planning/CITS#toc251 The SSC Departmental Plan of the Cyber and IT Security] program identifies the following five risks with respect to cybersecurity, of which DLP is a part:</p>

   <div class="container">

   <ul class="expand mw-collapsible-content">

     <div class="row">

     <li><b>Resource Capacity:</b> SSC may not have the adequate financial and human resources to improve services and to introduce the latest technologies to counteract cyber threats.</li>

      <div class="col-sm-8">[[File:EN_Technology_Trends_-_Blockchain_Hype_Cycle_2018.png|center]]</div>

    <li><b>Aging IT Systems:</b> Current IT infrastructure is at risk of failing due to its end of life.</li>

    <li><b>Cyber and IT Security:</b> SSC is at risk of not being able to respond efficiently to IT security and cyber security threats, which would result in proprietary information being compromised and disaster recovery activities being impeded. </li>

    <li><b>Service Delivery and Management:</b> SSC’s enterprise tools and processes are at risk of not being able to improve the delivery of services to partner organizations. </li>

    <li><b>Availability and Quality of Information:</b> Lack of availability and integrity of information will impede effective planning and decision-making.</li>

            <th>English</th>

   </ul>

            <th>Français</th>

          </tr>

            <td>Figure 1. Hype Cycle for Blockchain Technologies, 2018</td>

            <td>Figure 1. Rapport Hype Cycle sur les technologies de la chaîne de blocs, 2018</td>

          </tr>

            <td>Distributed Storage in Blockchain</td>

            <td>Stockage distribué dans la chaîne de blocs</td>

            <td>Decentralized Applications</td>

            <td>Peak of Inflated Exepctations</td>

            <td>Trough of Disillusionment</td>

          <tr>

            <td>Slope of Enlightenment</td>

            <td>Plateau of Productivity</td>

            <td>As of July 2018</td>

            <td>Plateau will be reached:</td>

    </div>

   </div>

   <h2>References</h2>

   <h2>References</h2>

</div>

</div>