Canadian Government Executive - Volume 26 - Issue 05

January/February 2021 // Canadian Government Executive / 9 cybersecurity widespread this breach is, but also how ill- prepared the American government was to detect and respond. The SolarWinds breach represents a pin- nacle point in our collective cybersecurity history. Without proper action and deeper investigation into its implications, govern- ment bodies and authorities will continue to remain ill-equipped to properly man- age, detect and respond in ways that do not compromise domestic or global public sec- tor entities. But perhaps more importantly, this cybersecurity incident serves as a time- ly warning of what a breach of this size and magnitude could mean for Canadian gov- ernment institutions north of the border. It also raises an important question: How can the Canadian government at all three lev- els enable its workforce to prepare, combat and manage these types of security risks? Calls to action can longer remain a gesture Data breaches have become all too fa- miliar. From the Equifax breach in 2017 that exposed the personal information of nearly 8,000 Canadians to the Desjardins breach of 2019, when several employees of the company stole the personal data of 4.2 million members , the ability of orga- nizations to protect personal information is becoming difficult. Additionally, with the continuous news cycles reinforcing the damaging effects of malicious actors gaining access to sensitive information, calls for substantive action can longer be ignored. This is compounded by growing distrustful sentiment harbored by Cana- dians as to how safe their information is being stored by companies. The SolarWinds breach reinvigorates the conversation around the need to re- inforce the usage of a zero-trust environ- ment, which government institutions will need to embrace in a post-SolarWinds world. The concept of zero trust is simple: “never trust, always verify.” In practical terms, this means the development of a protect surface is identified. This surface is comprised of a network’s most valuable and critical information, assets, and appli- cations. From there, the ability to monitor how traffic moves along an organization can be created. Controls can be levied to safeguard the protect surface through a gateway that permits legitimate applica- tions from gaining access. The benefits of this model allow for important applications and workloads to be accessed from any location, which provides for a highly dynamic shift