Category Archives: public sector

Digital ID needs be ‘as easy as Uber’ says Ontario Digital Service deputy minister

Ontario is the latest province to signal its intent to allow citizens to prove their identity with the help of a digital wallet, but experts say a lot of work remains before the service can be widely used.

The post Digital ID needs be 'as easy as Uber' says Ontario Digital Service deputy minister first appeared on IT World Canada.

Scaling up in rural Canada: BC tech firm’s success a blueprint for growth outside of big tech’s shadow

One of North America’s largest Salesforce consulting and app development firms is betting big on rural Canada, a move its chief executive officer thinks other small enterprises should mimic to help Canada accelerate its overdue transition to a knowledge economy.

Nelson, B.C. native Greg Malpass founded Traction on Demand (ToD) in 2007, and since hiring his first employee in 2010, ToD has ballooned to a headcount of nearly 1,000. Along the way, Malpass managed to open a branch office in his hometown, saving the financially-struggling local Royal Canadian Legion branch in the process by purchasing the building. ToD and the Legion are sharing the space. As Nelson’s ToD team gradually grew, recruiters began favouring a strong enthusiasm and willingness to learn just as much as a technical background.

“We searched for people that had some sort of technology background, maybe working remotely and yearning for a bit of an office experience. But on the other side, we just said we’ll go find smart people that haven’t had an opportunity to work in technology yet and train them,” Malpass explained in an interview.

ToD discovered local forestry, construction, and mining industries were brimming with multi-talented individuals who quickly picked up the skills needed to develop, analyze, and market the firm’s solutions. The Salesforce platform is immense and used by many kinds of customers. ToD helps enhance the platform experience by packaging its software into SaaS applications, making them accessible at a standard price for a broader audience.

Salesforce Q2 2021 earnings still paint a picture of an immovable object in the customer relationship management space. Subscription and support revenues for the quarter were US$4.84 billion, an increase of 29 per cent year-over-year. In Canada, every business regardless of the sector is investing in new software services to become more intelligent, oftentimes attainable only through a giant software vendor.

For some businesses, these investments were uncharted territory and sudden pivots from the local data centres and internally developed tools that dominated IT administrators’ attention. With remote work as the new normal for businesses globally, IT teams have been given a seat at the decision-making table, says Andrew Caprara, president of managed services provider Softchoice. “They have the ears of the executive team like never before,” he said during a recent virtual roundtable event hosted by Cisco.


ToD has been riding the software wave for years and is fast approaching some important milestones.

“We’ve moved into a new chapter of growth. In the next 18 months, we plan to bring 800+ new hires into the fold. We’ve already had 41 new starts in the last few weeks, and another 20 starting in the next two weeks. We are also actively exploring new locations,” Malpass told us in a follow-up email recently.

According to the municipality’s director of economic development and tourism, Gary Schatz, Princeton, B.C. was one of those locations.

“There would be phenomenal interest locally,” Schatz told IT World Canada, referring to the prospect of a ToD branch opening up in Princeton. But before it can take serious steps towards partnering with ToD, Princeton has a serious housing crisis to address first, Schatz explained.

Malpass is aware of this problem too, and it’s certainly not isolated to Princeton. It’s one of the factors the firm and its employees – most of whom are based in Canada – have been taking into consideration while scoping out possible future satellite offices. The plan is to build offices closer to where people live and consolidate existing office infrastructure where possible. Malpass has noticed more of the team moving out of the city, especially over the past eight months.

The majority of Nelson’s talent comes from what he calls “talent conversion,” essentially the organic growth of the team thanks to the talent well from industries and educational institutions nearby. But scaling up organically instead of selling out is not something many organizations in Canada are in a position to do, he says.

Getting the same incentives as Amazon and Microsoft

Canada hasn’t been able to produce a unicorn company (a business with a valuation of $1 billion or greater) since the messaging company Kik – which recently got slapped with a $5 million penalty from the United States’ Securities and Exchange Commission – earned its horn in 2015. Also, Canada ranks 22nd in the Bloomberg 2020 innovation index. Not exactly top tier.

“To scale a business, you need access to stable growing customers, strong investment in creating talent, and ensuring new arrivals to our nation are set up to pursue valuable work,” Malpass wrote in an email, adding an emphasis on STEM education is a plus. “It also helps to have an economic system that allows for maximum retention capital for reinvestment into growth, appropriate incentives for investors and policy and programs that invest in innovation with similar constructs to that of venture markets.”

A recent report from KPMG and B.C. Tech suggests B.C.’s technology sector continues to contribute more to the provincial economy than traditional sectors, such as forestry and oil and gas, but it’s still dominated by small firms and has “significant room to grow when compared to US jurisdictions.” While the province’s tech ecosystem continues to thrive overall, its third consecutive B grade stems from a scale-up gap. “Because BC tech companies have long tended to stay small or sell too early, they haven’t grown into the large companies that anchor a tech ecosystem.”

Tech CEOs have become increasingly frustrated about the scale-up gap. Malpass was recently one of 133 tech CEOs who signed an open letter to Justin Trudeau, demanding the federal government implement new ideas and ecosystems that help Canadian scaleups become global powerhouses and commercialize home-grown IP.

The federal government recently signalled its intention to tax big tech during its throne speech, a promise critics have scoffed at since the last time it was made in 2019, New Democrat MP Charlie Angus told Yahoo! Finance.

“The digital giants have not been paying anywhere close to a reasonable rate of tax in Canada, and that’s a problem. We’re seeing the Liberals now acknowledge that, but they’ve acknowledged that many times and have done nothing on it. I think they’re deeply in awe of the power of Silicon Valley to the detriment of Canada,” he told the publication, adding tax policies would be used to reinvest in local companies.

“Beyond specific policies though, you also need CEOs, founders and leaders to believe in the stability and longevity of these programs, so they will take the ultimate risk to scale-up vs sell-out,” Malpass wrote. “We are asking our government to believe the same. We want their procurement policies to reinforce this and ensure long-standing programs remain in place. We want them to reinvest in success as opposed to focusing on those who ‘need’ it. We want them to provide Canadian-controlled organizations with the same incentives they offer Amazon, Microsoft, etc.”

Big tech incentives come in various shapes and sizes. In December 2018, Ontario’s auditor Bonnie Lysyk issued a report saying Sidewalk Labs — owned, along with Google, by Alphabet Inc. — had a leg up on other firms competing on a request for proposals (RFP) to be Waterfront Toronto’s innovation and funding partner and help build the city’s first 12-acre “smart neighbourhood” in Toronto’s Quayside region. Sidewalk Labs received more information from Waterfront Toronto prior to the RFP than other parties that would be responding to the RFP, indicated the report. Shortly after, Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre, resigned from her position as a privacy advisor for Sidewalk Labs after the project did not guarantee anonymity with a provision to let people remove their identity from a publicly viewable database called the Civic Data Trust.

Sidewalk Labs has since pulled the plug on the project, leaving the land open for business, although there is no current timeline in place for when a new request for proposals will be tendered for Quayside, according to The Star.

Emil Sylvester Ramos, co-founder of Iris R&D Group, an AI-camera tech firm from Ontario, has had some recent success with public sector RFPs. The firm teamed up with Orangeville earlier this year to detect potholes in the road and alert officials to clusters of people with smart cameras. It has a similar working relationship with The City of Guelph. However, companies like theirs can still get caught in the same vicious cycle of getting “swallowed” by big tech somewhere in the growth process, Ramos revealed.

“Canadian IPs get developed by SMEs here and are funded by the federal or provincial government. Then after that whole R&D phase, you have Google coming in and buying the Canadian IP,” he explained.

Canada’s efforts to inject some life into Canada’s knowledge economy, such as Ottawa’s Innovation Superclusters Initiative, have been steps in the right direction, but that’s just it – they’re only steps, says Benjamin Bergen, executive director for the Council of Canadian Innovators.

“When you actually want to build an ecosystem that ultimately commercializes IP and data, you need to have the proper policy frameworks in place. We’ve poured money into the superclusters, but yet we don’t have the proper apparatus or tools to actually really reap the benefits of the IP and the data that’s being generated,” Bergen said. “I think that Canada has fantastic innovators, and I think the challenge that we face is a public policy framework that doesn’t have government and industry working together to create an ecosystem where these companies can be successful. If we look at countries like Israel, Sweden, South Korea, Germany or the U.S., you have a government working with industry on a whole host of public policy issues that allow the intangible economy to succeed. In some countries, you have IT collectives and data policies that support data domestic innovators.

“And we just haven’t seen that in Canada, not just from this government, but obviously the previous government as well. And the thing is that it’s now really catching up with us, and it’s only going to be exacerbated by the COVID-19 crisis.”

A recently released survey from Microsoft Canada appears to back up Bergen’s claims. Nearly half (46 per cent) of business leaders are not confident that their company will be able to adapt to whatever the upcoming year might hold. Only half (51 per cent) are confident their business could survive the second wave or spike in coronavirus infections, and only four in ten (38 per cent) business decision-makers have changed their employee training or are specifically training their staff in the new tools and platforms their organization is now using.

“When I looked at the results, as a Canadian, I was pleased and then in a way concerned at the same time,” Microsoft Canada president Kevin Peesker indicated in an interview, pointing to the lack of action around employee training.

“There is an immediate need to cultivate a skilled talent pipeline to drive innovation in Canada and fuel economic recovery. Whether it’s students preparing for the future, those in the workforce keeping pace with the latest skills to drive innovation or those seeking new skills so they can pursue meaningful employment opportunities, we must ensure Canadians have access to the training they need to succeed in the digital economy.”

This summer, Microsoft announced a new global skills initiative aimed at bringing more digital skills to 25 million people worldwide by the end of this year. This was followed by an announcement in September whereby 12 post-secondary institutions joined Microsoft Canada for the “Canada Skills Program,” enabling more than 4,500 students in diploma, degree and continuing education programs to graduate with in-demand data analytics, AI and cloud certifications in the first phase of the program.

While Peesker didn’t comment directly on the open letter or Canada’s scale-up challenges, he did say companies making investments in platform services, such as the ones available through Azure, and moving beyond basic workload migration to the cloud are cracking the code to growth.

“The most foundational impact is the move around platform services,” he said. “When we talk about this compression of two years worth of digital transformation in two months, it’s been because of that understanding of the business and getting to the core of data and getting it to work for you.”

Thanks to its mastery of the Salesforce platform, ToD has also launched four freestanding and independent software companies. Malpass says stepping out of big tech’s shadow isn’t easy. On top of smart partnerships and investments in software, the key ingredient to solving Canada’s scaleup problem may not require a dominating presence in the middle of a big city anymore. Talk to local municipalities and business owners, Malpass urges others. Nelson recently opened the Nelson Innovation Centre, a hub for entrepreneurs and technology enthusiasts to collaborate. Nelson Innovation Centre manager Karen Kornelsen said the centre will be a place for tech and tech-enabled entrepreneurs and businesses to connect with one another and get the support they need through programming and referral services to “take their businesses to a new level,” according to reporting by The Nelson Daily.

“What I’ve found in all the small towns that we’ve spoken to is there’s usually a few anchor businesses and people – Rotary clubs, for example – who are a little bit more engaged in the science and technology associations,” he said. “And in many cases, they have a strong desire to drive local employment.”

The post Scaling up in rural Canada: BC tech firm's success a blueprint for growth outside of big tech's shadow first appeared on IT World Canada.

Cybersecurity in the age of asymmetric warfare | An interview with Tim McCreight, chief security officer at The City of Calgary

In anticipation of the third chapter of Politik’s Interzone digital gathering in early December, we sat down with one of Canada’s most recognized names in cybersecurity.

The post Cybersecurity in the age of asymmetric warfare | An interview with Tim McCreight, chief security officer at The City of Calgary first appeared on IT World Canada.

McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements

Today’s U.S. government is in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape. To support these efforts, McAfee has pursued and received a Federal Risk and Authorization Management Program (FedRAMP) Authorization designation for McAfee MVISION for Endpoint at the moderate security impact level.

This FedRAMP Moderate designation is equivalent to DoD Impact Level 2 (IL2) and certifies that the McAfee solution has passed rigorous security requirements for the increasingly complex and expanding cloud environments of the U.S. government. The FedRAMP Moderate authorization validates the McAfee solution’s implementation of the baseline 325 NIST 800-53 controls, allowing users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).

By achieving FedRAMP Moderate Authorization for MVISION for Endpoint, McAfee can provide the command and control cyber defense capabilities government environments need to enable on-premise and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.

McAfee MVISION for Endpoint consists of three primary components: McAfee MVISION Endpoint Detection and Response (EDR), McAfee MVISION ePolicy Orchestrator (ePO) and McAfee Endpoint Security Adaptive Threat Protection with Real Protect (ENS ATP):

  • McAfee MVISION EDR simplifies investigation and response to sophisticated threat campaigns with unified detection and response (EDR) capabilities that include continuous monitoring, multi-sensor telemetry, AI-guided investigations, MITRE ATT&CK mapping and real-time hunting.
  • McAfee MVISION ePO provides a cloud-native single-pane-of-glass console to manage both McAfee and other security controls, automating workflows and prioritizing risk assessment to reduce the time and tasks required to triage, investigate and respond to security incidents.
  • McAfee ENS ATP prevents advanced malware from infecting the endpoint with integrated next-gen AV capabilities that include behavioral blocking, exploit prevention, machine learning and file-less threat defense. ENS can also diminish the impact of an attack with enhanced remediation capabilities, which, for example, can roll back the destructive effect of a ransomware attack by restoring affected files and negating the need for system reimaging.

Together, these solutions provide today’s U.S. government agencies the AI-guided endpoint threat detection, investigation and response capabilities they need to confront today’s ever evolving threats across a wide variety of devices. This important FedRAMP milestone is the latest affirmation of McAfee’s long-standing commitment to providing U.S. government agencies advanced, cloud-based cyber defenses to help them meet whatever mission they may confront today and in the future.

Other recent McAfee public sector achievements include:

  • McAfee MVISION Cloud became the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB). This designation certified that chief information officers from the DoD, the General Services Administration (GSA) and the Department of Homeland Security (DHS) have evaluated and approved MVISION Cloud for their increasingly complex cloud environments.
  • The DoD’s Defense Innovation Unit (DIU) selected McAfee to develop a Secure Cloud Management platform around McAfee MVISION Unified Cloud Edge (UCE), which integrates its Next-Generation Secure Web Gateway, CASB and data loss prevention capabilities into one cloud-native platform.
  • McAfee is working with the DoD’s Defense Information Systems Agency (DISA) to achieve DoD compliance at Impact Levels 4 and 5 to simplify how DoD agencies can procure secure systems with confidence.


The post McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements appeared first on McAfee Blogs.

Goodbye PIPEDA? Canada’s privacy commissioner to gain power to recommend stiff fines under proposed legislation

This morning, the Canadian government announced that the federal privacy commissioner will gain the ability to recommend companies be fined for not complying with updated and stiffer privacy legislation.

Innovation Minister Navdeep Bains told reporters the commissioner will have broad order-making powers under the proposed new Consumer Privacy Protection Act (CPPA), including the ability to force an organization to comply with requests and order a company to stop collecting data or using personal information. If passed, the CPPA would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).

Bains said the commissioner will be able to recommend fines to a new body called the Personal Information and Data Protection Tribunal. The fines that the tribunal could levy would be the strongest among G7 nations: up to 5 per cent of global revenue or CAD$25 million, whichever is greater, for the most serious offences, he explained. For less serious offences the maximum fines could be up to 3 per cent of global revenue or CAD$10 million.

By comparison, the maximum fine levied under the European Union’s General Data Protection Regulation (GDPR) is up to 4 per cent of a company’s global revenue.

 


Bains talked in general terms to reporters about the proposed legislation, which had just been introduced to Parliament and wasn’t publicly available for detailed examination. For example, it wasn’t immediately known how the tribunal will be constituted. It could be similar to the federal Competition Bureau Tribunal, an independent enforcement agency that enforces the Competition Act.

Bains said the CPPA would ensure that when Canadians go online and are asked to give consent to have their personal data used, it will be in “plain simple language” and not a 30-page legal document. “It will mean greater transparency. That means Canadians will better understand how their data is collected and how that data is used.”

Canadians will also be able to demand an organization let them take the personal data it has collected and transfer or share it elsewhere– from one bank to another, for example. They will also have a chance to demand that an organization delete or destroy personal information if they withdraw consent.

Bains tried to portray the new legislation as good for business, suggesting it will improve Canadian residents’ confidence to buy goods and services online.

“It enables businesses to have the predictability they need to pursue responsible innovation. And because Canadians will have more trust [online] that will enable businesses to make investments, they need to leverage the data in a meaningful way to grow their businesses, create jobs, access markets and become more competitive and productive.”

The proposed CPPA also has new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about using such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.

The legislation will clarify that de-identified information (data that doesn’t have a person’s name) must be protected and that it can be used without an individual’s consent only under certain circumstances.

The CPPA would give Canadians the ability to demand that their information on social media platforms be permanently deleted. When consent is withdrawn, or information is no longer necessary, Canadians can demand that their information be destroyed. The privacy commissioner will have the ability to order a social media company to comply and even order it to stop collecting data or using personal information.

The new legislation and changes to existing legislation are wrapped up under a new Digital Charter Implementation Act.

In an interview, Halifax privacy lawyer David Fraser of the McInnes Cooper law firm said it’s fair to separate the Privacy Commissioner’s fine-making ability from a tribunal, which would actually levy fines and give reasons. That would make it similar to the Competition Bureau Tribunal, he said.

AT NOON TODAY GOVERNMENT OFFICIALS WERE SCHEDULED TO HOLD A TECHNICAL BRIEFING FOR REPORTERS, SO THERE’S MORE TO COME

 

The post Goodbye PIPEDA? Canada's privacy commissioner to gain power to recommend stiff fines under proposed legislation first appeared on IT World Canada.

SOTI launches SOTI Aerospace in collaboration with Ryerson University

Business mobility and IoT firm SOTI today announced a $20 million investment in Canada’s technology ecosystem to fund its new aerospace division, SOTI Aerospace, in the country.

The post SOTI launches SOTI Aerospace in collaboration with Ryerson University first appeared on IT World Canada.

Look who’s speaking at Technicity GTA

The key to understanding any situation is to speak with people who are in the thick of doing the work. With that in mind, when ITWC decided to shine the light on public sector IT innovation in the GTA, we reached out to the individuals and organizations that are working in the trenches to improve…

The post Look who’s speaking at Technicity GTA first appeared on IT World Canada.

How CASB and EDR Protect Federal Agencies in the Age of Work from Home

Malicious actors are increasingly taking advantage of the burgeoning at-home workforce and expanding use of cloud services to deliver malware and gain access to sensitive data. According to an Analysis Report (AR20-268A) from the Cybersecurity and Infrastructure Security Agency (CISA), this new normal work environment has put federal agencies at risk of falling victim to cyber-attacks that exploit their use of Microsoft Office 365 (O365) and misuse their VPN remote access services.

McAfee’s global network of over a billion threat sensors affords its threat researchers the unique advantage of being able to thoroughly analyze dozens of cyber-attacks of this kind. Based on this analysis, McAfee supports CISA’s recommendations to help prevent adversaries from successfully establishing persistence in agencies’ networks, executing malware, and exfiltrating data. However, McAfee also asserts that the nature of this environment demands that additional countermeasures be implemented to quickly detect, block and respond to exploits originating from authorized cloud services.

Read on to learn from McAfee’s analysis of these attacks and understand how federal agencies can use cloud access security broker (CASB) and endpoint threat detection and response (EDR) solutions to detect and mitigate such attacks before they have a chance to inflict serious damage upon their organizations.

The Anatomy of a Cloud Services Attack

McAfee’s analysis supports CISA’s findings that adversaries frequently attempt to gain access to organizations’ networks by obtaining valid access credentials for multiple users’ O365 accounts and domain administrator accounts, often via vulnerabilities in unpatched VPN servers. The threat actor then uses the credentials to log into a user’s O365 account from an anomalous IP address, browses pages on SharePoint sites, and attempts to download content. Next, the actor connects multiple times from a different IP address to the agency’s Virtual Private Network (VPN) server, and eventually connects successfully.

Once inside the network, the attacker could:

  • Begin performing discovery and enumerating the network
  • Establish persistence in the network
  • Execute local command line processes and multi-stage malware on a file server
  • Exfiltrate data

Basic SOC Best Practices

McAfee’s comprehensive analysis of these attacks supports CISA’s proposed best practices to prevent or mitigate such cyber-attacks. These recommendations include:

  • Hardening account credentials with multi-factor authentication,
  • Implementing the principle of “least privilege” for data access,
  • Monitoring network traffic for unusual activity,
  • Patching early and often.

While these recommendations provide a solid foundation for a strong cybersecurity program, these controls by themselves may not go far enough to prevent more sophisticated adversaries from exploiting and weaponizing cloud services to gain a foothold within an enterprise.

Why Best Practices Should Include CASB and EDR

Organizations will gain a running start to identifying and thwarting the attacks in question by implementing a full-featured CASB such as McAfee MVISION Cloud, and an advanced EDR solution, such as McAfee MVISION Endpoint Threat Detection and Response.

Deploying MVISION Cloud for Office 365 enables agencies’ SOC analysts to assert greater control over their data and user activity in Office 365—control that can hasten identification of compromised accounts and resolution of threats. MVISION Cloud takes note of all user and administrative activity occurring within cloud services and compares it to a threshold based either on the user’s specific behavior or the norm for the entire organization. If an activity exceeds the threshold, it generates an anomaly notification. For instance, using geo-location analytics to visualize global access patterns, MVISION Cloud can immediately alert agency analysts to anomalies such as instances of Office 365 access originating from IP addresses located in atypical geographic areas.

When specific anomalies appear concurrently—e.g., a Brute Force anomaly and an unusual Data Access event—MVISION Cloud automatically generates a Threat. In the attacks McAfee analyzed, Threats would have been generated early on since the CASB’s user behavior analytics would have identified the cyber actor’s various activities as suspicious. Using MVISION Cloud’s activity monitoring dashboard and built-in audit trail of all user and administrator activities, SOC analysts can detect and analyze anomalous behaviors across multiple dimensions to more rapidly understand what exactly is occurring when and to what systems—and whether an incident concerns a compromised account, insider threat, privileged user threat, and/or malware—to shrink the gap to remediation.
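The threshold-and-correlation logic described in the two paragraphs above can be sketched as follows. This is an added illustration, not McAfee's implementation or code from the original post; the event fields, baselines, thresholds, placeholder country codes (`XX`, `YY`) and the rule name `compromised_account` are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baselines (illustrative values, not product defaults).
BASELINE = {
    "alice": {"countries": {"US"}, "downloads_per_hour": 5},
    "bob": {"countries": {"US", "CA"}, "downloads_per_hour": 20},
}
FAILED_LOGIN_THRESHOLD = 5             # failures inside WINDOW => brute-force anomaly
DOWNLOAD_MULTIPLIER = 3                # downloads > 3x baseline => data-access anomaly
WINDOW = timedelta(hours=1)            # sliding window for counting events
CORRELATION_WINDOW = timedelta(hours=2)
# Hypothetical rule: these anomaly types together, for one user, form a Threat.
THREAT_RULES = {"compromised_account": {"brute_force", "unusual_data_access"}}


def _t(minute):
    """Timestamp helper for the constructed sample events."""
    return datetime(2020, 10, 1, 9, 0) + timedelta(minutes=minute)


# Constructed audit events: (timestamp, user, service, action, country).
EVENTS = (
    [(_t(i), "alice", "vpn", "login_failed", "XX") for i in range(6)]
    + [(_t(6), "alice", "vpn", "login_success", "XX"),
       (_t(10), "alice", "o365", "login_success", "XX")]
    + [(_t(12 + i), "alice", "o365", "file_download", "XX") for i in range(18)]
    + [(_t(3), "bob", "o365", "login_success", "YY")]
    + [(_t(5 + i), "bob", "o365", "file_download", "YY") for i in range(10)]
)


def detect_anomalies(events, baseline):
    """Return (timestamp, user, anomaly_type), once per type per user,
    stamped with the moment the threshold was crossed."""
    anomalies, seen = [], set()
    fails, downloads = defaultdict(list), defaultdict(list)

    def flag(ts, user, kind):
        if (user, kind) not in seen:
            seen.add((user, kind))
            anomalies.append((ts, user, kind))

    for ts, user, _service, action, country in sorted(events):
        profile = baseline.get(user)
        if profile is None:
            continue  # users without a baseline need separate handling
        if action == "login_failed":
            fails[user] = [t for t in fails[user] if ts - t <= WINDOW] + [ts]
            if len(fails[user]) >= FAILED_LOGIN_THRESHOLD:
                flag(ts, user, "brute_force")
        elif action == "login_success" and country not in profile["countries"]:
            flag(ts, user, "unusual_geo")
        elif action == "file_download":
            downloads[user] = [t for t in downloads[user] if ts - t <= WINDOW] + [ts]
            limit = DOWNLOAD_MULTIPLIER * profile["downloads_per_hour"]
            if len(downloads[user]) > limit:
                flag(ts, user, "unusual_data_access")
    return anomalies


def correlate(anomalies):
    """Raise a Threat when every anomaly type a rule requires is present
    for the same user inside CORRELATION_WINDOW."""
    by_user = defaultdict(dict)
    for ts, user, kind in anomalies:
        by_user[user][kind] = ts
    threats = []
    for user, kinds in sorted(by_user.items()):
        for name, required in THREAT_RULES.items():
            if not required.issubset(kinds):
                continue
            times = [kinds[k] for k in required]
            if max(times) - min(times) <= CORRELATION_WINDOW:
                threats.append(
                    {"user": user, "threat": name, "anomalies": sorted(kinds)}
                )
    return threats


if __name__ == "__main__":
    found = detect_anomalies(EVENTS, BASELINE)
    for ts, user, kind in found:
        print(f"{ts:%H:%M} anomaly {kind} for {user}")
    for threat in correlate(found):
        print("THREAT", threat)
```

In the constructed data, `bob` triggers a single geo anomaly that stays an anomaly, while `alice` crosses both the brute-force and data-access thresholds and is escalated to a Threat.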

In addition, with MVISION Cloud, an agency security analyst can clearly see how each cloud security incident maps to MITRE ATT&CK tactics and techniques, which not only accelerates the entire forensics process but also allows security managers to defend against similar attacks with greater precision in the future.

Figure 1. Executed Threat View within McAfee MVISION Cloud

 

Figure 2. Gap Analysis & Investigations – McAfee MVISION Cloud Policy Recommendations

 

Furthermore, using MVISION Cloud for Office 365, agencies can create and enforce policies that prevent the uploading of sensitive data to Office 365 or downloading of sensitive data to unmanaged devices. With such policies in place, an attacker’s attempt to exfiltrate sensitive data will be mitigated.

In addition to deploying a CASB, implementing an EDR solution like McAfee MVISION EDR to monitor endpoints centrally and continuously—including remote devices—helps organizations defend themselves from such attacks. With MVISION EDR, agency SOC analysts have at their fingertips advanced analytics and visualizations that broaden detection of unusual behavior and anomalies on the endpoint. They are also able to grasp the implications of alerts more quickly since the information is presented in a format that reduces noise and simplifies investigation—so much so that even novice analysts can analyze at a higher level. AI-guided investigations within the solution can also provide further insights into attacks.

Figure 3. MITRE ATT&CK Alignment for Detection within McAfee MVISION EDR

With a threat landscape that is constantly evolving and attack surfaces that continue to expand with increased use of the cloud, it is now more important than ever to embrace CASB and EDR solutions. They have become critical tools to actively defend today’s government agencies and other large enterprises.


The post How CASB and EDR Protect Federal Agencies in the Age of Work from Home appeared first on McAfee Blogs.

Canadian CEO surprised how little federal government buys from Canadian cybersecurity sector

Federal study of cybersecurity sector shows Ottawa accounted for only eight per cent of sales in 2018. An industry association would like it to be 50 per cent.

The post Canadian CEO surprised how little federal government buys from Canadian cybersecurity sector first appeared on IT World Canada.

Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust?

Over the last few months, Zero Trust Architecture (ZTA) conversations have been top-of-mind across the DoD. We have been hearing the chatter during industry events all while sharing conflicting interpretations and using various definitions. In a sense, there is an uncertainty around how the security model can and should work. From the chatter, one thing is clear – we need more time. Time to settle in on just how quickly mission owners can classify a comprehensive and all-inclusive, acceptable definition of Zero Trust Architecture.

Today, most entities utilize a multi-phased security approach. Most commonly, the foundation (or first step) in the approach is to implement secure access to confidential resources. Coupled with the shift to remote and distance work, the question arises, “are my resources and data safe, and are they safe in the cloud?”

Thankfully, the DoD is in the process of developing a long-term strategy for ZTA. Industry partners, like McAfee, have been briefed along the way. It has been refreshing to see the DoD take the initial steps to clearly define what ZTA is, what security objectives it must meet, and the best approach for implementation in the real world. A recent DoD briefing states “ZTA is a data-centric security model that eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to a multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privilege access”.

What stands out to me is the data-centric approach to ZTA. Let us explore this concept a bit further. Conditional access to resources (such as network and data) is a well-recognized challenge. In fact, there are several approaches to solving it, whether the end goal is to limit access or simply segment access. The tougher question we need to ask (and ultimately answer) is how do we limit contextual access to cloud assets? What data security models should we consider when our traditional security tools and methods do not provide adequate monitoring? And is securing data, or at least watching user behavior, enough when the data stays within multiple cloud infrastructures or transfers from one cloud environment to another?

Increased usage of collaboration tools like Microsoft 365 and Teams, Slack and WebEx is an easily relatable example of data moving from one cloud environment to another. The challenge with this type of data exchange is that the data flows stay within the cloud using an East-West traffic model. Similarly, would you know if sensitive information created directly in Office 365 is uploaded to a different cloud service? Collaboration tools by design encourage sharing data in real time between trusted internal users and, more recently with telework, even external or guest users. Take for example a supply chain partner collaborating with an end user. Trust and conditional access potentially create a risk to both parties, inside and outside of their respective organizational boundaries. A data breach, whether intentional or not, can easily occur because of the pre-established trust and access. There are few to no default protection capabilities preventing this situation from occurring without intentional design. Data loss protection, activity monitoring and rights management all come into question. Clearly, new data governance models, tools and policy enforcement capabilities for this simple collaboration example are required to meet the full objectives of ZTA.

So, as the communities of interest continue to refine the definitions of Zero Trust Architecture based upon deployment, usage, and experience, I believe we will find ourselves shifting from a Zero Trust model to an Advanced Adaptive Trust model. Our experience with multi-attribute-based confidence levels will evolve and so will our thinking around trust and data-centric security models in the cloud.

The post Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust? appeared first on McAfee Blogs.

FedRAMP – What’s the Big Deal?

If you are someone who works for a cloud service provider in the business of federal contracting, you probably already have a good understanding of FedRAMP. It is also likely that our regular blog readers know the ins and outs of this program.

For those who are not involved in these areas, however, this acronym may be more unfamiliar. Perhaps you have only heard of it in passing conversation with a few of your expert cybersecurity colleagues, or you are just curious to learn what all of the hype is about. If you fall into this category – read on! This blog is for you.

At first glance, FedRAMP may seem like a type of onramp to an interstate headed for the federal government – and in a way, it is.

FedRAMP stands for the Federal Risk and Authorization Management Program, which provides a standard security assessment, authorization and continuous monitoring for cloud products and services to be used by federal agencies. The program’s overall mission is to protect the data of U.S. citizens in the cloud and promote the adoption of secure cloud services across the government with a standardized approach.

Once a cloud service has successfully made it onto the interstate – or achieved FedRAMP authorization – it’s allowed to be used by an agency and listed in the FedRAMP Marketplace. The FedRAMP Marketplace is a one-stop-shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements.

In the fourth year of the program, FedRAMP had 20 authorized cloud service offerings. Now, eight years into the program, FedRAMP has over 200 authorized offerings, reflecting its commitment to help the government shift to the cloud and leverage new technologies.

Who should be FedRAMP authorized?

Any cloud service provider that has a contract with a federal agency or wants to work with an agency in the future must have FedRAMP authorization. Compliance with FedRAMP can also benefit providers who don’t have plans to partner with government, as it signals to the private sector they are committed to cloud security.

Using a cloud service that complies with FedRAMP standards is mandatory for federal agencies. It has also become popular with organizations in the private industry, which are more often looking to FedRAMP standards as a security benchmark for the cloud services they use.

How can a cloud service obtain authorization?

There are two ways for a cloud service to obtain FedRAMP authorization. One is with a Joint Authorization Board (JAB) provisional authorization (P-ATO) and the other is through an individual agency Authority to Operate (ATO).

A P-ATO is an initial approval of the cloud service provider by the JAB, which is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS) and General Services Administration (GSA). This designation means that the JAB has provided a provisional approval for agencies to leverage when granting an ATO to a cloud system.

The head of an agency grants an ATO as part of the agency authorization process. An ATO may be granted after an agency sponsor reviews the cloud service offering and completes a security assessment.

Why seek FedRAMP approval?

Achieving FedRAMP authorization for a cloud service is a very long and rigorous process, but it has received high praise from security officials and industry experts alike for its standardized approach to evaluate whether a cloud service offering meets some of the strongest cybersecurity requirements.

There are several benefits for cloud providers who authorize their service with FedRAMP. The program allows an authorized cloud service to be reused continuously across the federal government – saving time, money and effort for both cloud service providers and agencies. Authorization of a cloud service also gives service providers increased visibility of their product across government with a listing in the FedRAMP Marketplace.

By electing to comply with FedRAMP, cloud providers can demonstrate dedication to the highest data security standards. Though the process for achieving FedRAMP approval is complex, it is worthwhile for providers, as it signals a commitment to security to government and non-government customers.

McAfee’s Commitment to FedRAMP

At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards. We are proud that McAfee’s MVISION Cloud is the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB).

Currently, MVISION Cloud is in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).

MVISION Cloud allows federal organizations to have total visibility and control of their infrastructure to protect their data and applications in the cloud. The FedRAMP High JAB P-ATO designation is the highest compliance level available under FedRAMP, meaning that MVISION Cloud is authorized to manage highly sensitive government data.

We look forward to continuing to work closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.

The post FedRAMP – What’s the Big Deal? appeared first on McAfee Blogs.

NDAA Conference: Opportunity to Improve the Nation’s Cybersecurity Posture

As Congress prepares to return to Washington in the coming weeks, finalizing the FY2021 National Defense Authorization Act (NDAA) will be a top priority. The massive defense bill features several important cybersecurity provisions, from strengthening CISA and promoting interoperability to creating a National Cyber Director position in the White House and codifying FedRAMP.

These are vital components of the legislation that conferees should work together to include in the final version of the bill, including:

Strengthening CISA

One of the main recommendations of the Cyberspace Solarium Commission’s report this spring was to further strengthen CISA, an agency that has already made great strides in protecting our country from cyberattacks. An amendment to the House version of the NDAA would do just that, by giving CISA additional authority it needs to effectively hunt for threats and vulnerabilities on the federal network.

Bad actors, criminal organizations and even nation-states are continually looking to launch opportunistic attacks. Giving CISA additional tools, resources and funding needed to secure the nation’s digital infrastructure and secure our intelligence and information is a no-brainer and Congress should ensure the agency gets the resources it needs in the final version of the NDAA.

Promoting Interoperability

Perhaps now more than ever before, interoperability is key to a robust security program. As telework among the federal workforce continues and expands, an increased variety of communication tools, devices and networks put federal networks at risk. Security tools that work together and are interoperable better provide a full range of protection across these environments.

The House version of the NDAA includes several provisions to promote interoperability within the National Guard, military and across the Federal government. The Senate NDAA likewise includes language that requires the DoD to craft regulations to facilitate DoD’s access to and utilization of system, major subsystem, and major component software-defined interfaces to advance DoD’s efforts to generate diverse and effective kill chains. The regulations and guidance would also apply to purely software systems, including business systems and cybersecurity systems. These regulations would also require acquisition plans and solicitations to incorporate mandates for the delivery of system, major subsystem, and major component software-defined interfaces.

For too long, agencies have leveraged a grab bag of tools that each served a specific purpose, but didn’t offer broad, effective coverage. Congress has a valuable opportunity to change that and encourage more interoperable solutions that provide the security needed in today’s constantly evolving threat landscape.

Creating a National Cyber Director Position

The House version of the NDAA would establish a Senate-confirmed National Cyber Director within the White House, in charge of overseeing digital operations across the federal government. This role, a recommendation of the Cyberspace Solarium Commission, would give the federal government a single point person for all things cyber.

As former Rep. Mike Rodgers argued in an op-ed published in The Hill last month, “the cyber challenge that we face as a country is daunting and complex.” We face new threats every day. Coordinating cyber strategy across the federal government, rather than the agency by agency approach we have today, is critical to ensuring we stay on top of threats and effectively protect the nation’s critical infrastructure, intellectual property and data from an attack.

Codifying FedRAMP

The FedRAMP Authorization Act, included in the House version of the NDAA, would codify the FedRAMP program and give it a formal standing for Congressional review, a critical step towards making the program more efficient and useful for agencies across the government. Providing this program more oversight will further validate the FedRAMP-approved products from across the industry as safe and secure for federal use. The FedRAMP authorization bill also includes language that will help focus the Administration’s attention on the need to secure the vulnerable spaces between and among cloud services and applications. Agencies need to focus on securing these seams between and among clouds, since sophisticated hackers target them and they are too often left unprotected.

Additionally, the Pentagon has already committed to FedRAMP reciprocity. FedRAMP works – and codifying it to bring the rest of the Federal government into the program would offer an excellent opportunity for wide-scale cloud adoption, something the federal government would benefit greatly from.

We hope that NDAA conferees will consider these important cyber provisions and include them in the final version of the bill and look forward to continuing our work with government partners on important cyber issues like these.

The post NDAA Conference: Opportunity to Improve the Nation’s Cybersecurity Posture appeared first on McAfee Blogs.

Multi-Cloud Environment Challenges for Government Agencies

Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.

Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity needed to achieve what they need for modernizing now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.

I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).

Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.

There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:

  1. There is no one-size-fits-all hybrid environment

Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.

  2. Zero-trust will continue to evolve in terms of its definition

Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment. 

  3. Strategies for data protection must have a cohesive enforcement policy

A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes inside or outside the cloud.

At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.

We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.

The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.