Q&A with Andy Travers on the Unique Security Requirements of Government Agencies 

By Darlene Gannon | August 17, 2016

The Government of Canada selected Fortinet to secure its IT infrastructure. Fortinet's Andy Travers shares some perspective on the unique security requirements of government agencies. 

Fortinet has a longstanding history of working with the Canadian market. What is unique about Fortinet’s approach that has made it become a security partner of choice for businesses and agencies across the country? 

First of all, Fortinet has a proud Canadian heritage. Significant elements of our product development, our threat research and customer service teams, as well as our data center operations all reside in Canada. And we have a substantial presence across both public and private sector organizations in Canada.

With respect to what’s unique about our approach, I would say it’s Fortinet’s vision for security. We have an intense focus on building market-leading security technologies and solutions that deliver reliable, secure, and cost-effective IT security infrastructure services designed to fully align with customer and partner requirements without compromising performance.

We also have a long history of working with the Canadian government, including securing a number of infrastructure projects that have been released by Shared Services Canada - the IT service provider for the departments and agencies of the Government of Canada for email, networks, data centers, and most of the IT and security procurement.

Shared Services Canada (SSC) continues to implement their cybersecurity strategy focused on assuring supply chain integrity, continuous network availability, and delivering cyber defense and protection services. The contract award to Fortinet for this is another step forward in Canada’s move towards standardization, consolidation and improved security.

Today, Fortinet announced that the Government of Canada has selected the company to safeguard its IT infrastructure. What are some of the unique requirements of securing distributed government networks across 100 departments and agencies? 

There are a number of unique requirements for securing distributed government networks. While network security has been consolidated under a single shared services agency (SSC), it still serves over 100 unique, individual departments, which can each range in size from the equivalent of a medium to large enterprise. Some have hundreds of locations across the globe. Each department also has a different mandate to fill, and must serve employees, citizens, non-citizens, partners, and businesses around the world.

This also requires protecting thousands of applications that provide services to millions of users across the globe, including both Canadian and non-Canadian citizens. Most of these services need to be accessible around the clock and the world. Since these applications provide critical services, and often contain useful or valuable information, they are often targets of attacks. In recent years, there have been several public disclosures of attacks on the Canadian government infrastructure, whether through denial of service or access, or abstraction of valuable information.

This IT infrastructure also handles very critical state services that Canadian business is dependent upon, whether for tax, research and development, intellectual property protection, or other similarly important communications.

How do compliance and regulatory mandates make securing government IT infrastructures particularly challenging? 

The Communications Security Establishment Canada (CSEC) publishes its Information Technology Security Guidance (ITSG) that outlines in detail the measures that must be undertaken to mitigate risk and exposure of government information assets at both the departmental and information level. This ITSG guidance typically finds its way into procurement requirements and is very detailed. In addition to architectural and technological requirements, all vendors must ensure supply chain integrity of the solutions being delivered to the federal government. Fortinet works closely with the government to understand these requirements and ensure compliance with such programs.

With the establishment of a shared services agency, many different, disparate mandates had to be addressed and consolidated. This was especially challenging, as each department's mission and goals are unique. However, since SSC is responsible for all standard infrastructures across departments, they are working towards implementing a common approach that can be applied to the entire infrastructure depending on the information classification levels. As Shared Services works through its transformation towards its targeted end state, it needs an agile, scalable security infrastructure that can provide the appropriate controls in a timely manner across its departments that are operating at different levels of security and information protection maturity levels.

What is top of mind for government agencies as they architect their IT infrastructure today and into the future? 

I would say that there are a couple of critical infrastructure capabilities that are top of mind for government agencies. First, having an open and collaborative government is becoming increasingly important. What I mean by this is that being able to easily and securely share non-sensitive information between departments, as well as engage and collaborate with citizens through applications and services, is a key requirement for government departments today. Additionally, it goes without saying, but cybersecurity, privacy, and trust are paramount. Protecting information, services and infrastructures as well as ensuring privacy to build and maintain trust is critical for all government agencies as they architect their IT infrastructure today with an eye towards the future.