Guidance for the communications security of SECRET Information (ITSB-79)

Purpose

The purpose of this bulletin is to inform the Government of Canada (GC) of the Communications Security Establishment Canada's (CSEC) guidance regarding the use of commercial technologies to safeguard the communications of classified information at the level of SECRET within a departmental local enclave. (Classified information is a Government of Canada label for specific types of sensitive data that, if compromised, could cause harm to the national interest, e.g. national defence, relationships with other countries, economic interests.)

CSEC has determined that specific Commercial-Off-The-Shelf (COTS) Virtual Private Network (VPN) devices can provide adequate protection for the communications security of SECRET information being transmitted within the confines of a departmental local enclave. (A VPN is a private communications network usually used within a company, or by several different companies or organisations, to communicate over a wider network; VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN.)

This technical safeguard should facilitate the implementation of a departmental SECRET network that is based on users operating a thin-client desktop configuration within a departmental unclassified operations zone and connecting to a back-end security zone where the processing and storing of the SECRET information occurs.

Background

CSEC, as the GC lead security agency for developing and promulgating COMSEC-related policy for classified information, has recently concluded an analysis regarding the usage of commercial cryptosystems when safeguarding classified information at the SECRET level. Specifically, the use of COTS products was examined in regards to safeguarding the communication of SECRET information within a departmental local enclave. (Communications security (COMSEC) is the discipline of preventing unauthorized access to telecommunications information in readable form, while still delivering the information to the intended recipients. COMSEC comprises multiple disciplines such as cryptographic security, emission security (EMSEC), transmission security, and physical security.)

A departmental local enclave is defined as a site with a single physical perimeter (the boundary between two network security zones through which traffic is routed) that maintains a common set of security policies (physical, personnel and Information Technology (IT)) under a single authority. Communications are external to the enclave when they extend past that perimeter, for example onto the Secure Channel Network (SC Net).

Secure platform for application delivery

CSEC is partnering with Public Works and Government Services Canada (PWGSC) to deliver cost effective solutions for departmental SECRET networks. PWGSC offers a solution that can be tailored to departmental needs. This offering by PWGSC is titled Secure Platform for Application Delivery (SPAD).

Recommendations

The analysis concluded:

  • Communications security external to a local departmental enclave – departments should continue to use the current CSEC-approved technical solution, which is a Type 1 cryptographic device.
  • Communications security within a local departmental enclave – with the maturity and capability of available commercial technologies, specific commercially available VPN solutions can be used to adequately secure the communications of SECRET information.


Description of alternative technical solution for departmental enclaves

Departments who plan to deploy a SECRET network are advised to begin their Threat and Risk Assessments (TRA) early in the Requirements stage. The appropriate steps to conduct for the TRA are described in the Harmonized TRA Methodology, available on the CSEC website. Subject to the findings of the TRA, CSEC-specified COTS VPN devices may be used.

Departments are advised to use CSEC-recommended COTS VPN solutions, available from CSEC upon request. COTS VPN solutions are also available through PWGSC's SPAD offering for departmental SECRET networks. Any COTS VPN solution will need to be configured, operated, and maintained according to CSEC guidance.

Contacts and assistance

IT Security Client Services
Communications Security Establishment Canada
PO Box 9703, Terminal
Ottawa, ON K1G 3Z4
By email: itsclientservices@cse-cst.gc.ca
Telephone: 613-991-7654

Originally signed by

Toni Moffa
Deputy Chief, IT Security

Date: 2011-07-07
