WestJet's Security Architecture Made Simple We

advertisement
SESSION ID: ASD-R03
WestJet’s
Security Architecture Made Simple
We Finally Got It Right!
Richard Sillito
Solution Architect, IT Security
WestJet
@dhoriyo
#RSAC
#RSAC
Fort Henry Ontario
#RSAC
Flight Plan
Applying
Principals
Summary
The Solution
Questions
The Problem
3
#RSAC
The Problem
#RSAC
What wrong with the network?
#RSAC
The underlying problem
Zones
DMZ
North/South
Internal
Secured Internal
East/West
#RSAC
The Threat
Infiltration
Discovery
Extraction
Large Number
of Attackers
Smaller Amount
of Attackers
Smaller Amount
of Attackers
Using a Large
Number of
Attacks
Using a Standard
Approach
Using Normal
Access Methods
Very Hard to
Detect or
Defend
Easier to
Detect and
Defend
Exfiltration
It Doesn’t
Matter!
You’re Too Late!
Hard to Defend
or Detect
#RSAC
Vulnerability Surface
Developer
Datacenter Application/Service
Datacenter OS
Bios
Network - Link
Network - Transport
Network - Application
Client OS
Client Application
Vulnerability Surface
Users
#RSAC
Existing Datacenter – Never Worked
Guests
DMZ
The Internet
Internal
Employees
Trusted
Users?
Remote
Users
Untrusted Users?
Contractors
Secured Internal?
Datacenter
#RSAC
The Solution
#RSAC
Security Architecture Made Simple (SAMS)
Infrastructure
Data
Device
Network
Application &
Services
Elements
Classification
Access
Identity
Position
Role
Authorization
#RSAC
Security Architecture Made Simple (SAMS)
Infrastructure
Device
Network
Application &
Services
Backend
Services
Employees
#RSAC
Application
Services
Guests
Application
Gateway
Security Architecture Made Simple (SAMS)
SAMS - Infrastructure
Contractor/Partner
End User Devices
Jump
Patch
Monitor
Deploy
Test
Scan
IT Administration
Everywhere But the Datacenter (Untrusted)
Datacenter (Trusted)
SAMS – Infrastructure
Logical Network View
#RSAC
Mail
Gateway
Citrix
Application Gateway
ApplicationServices
Services
Port 25
Port 443,995
Mail
Gateway
MS
Exchange
Port 443
Port 25
Port 443
Data Services
Netscaler
Email
Services
Gateway
Gateway
Port 443
Port 8443
Citrix
Intranet
Site
Data
ERP
Services
App
Mobile
App
Provision
XenDesk
Reverse
Proxy
PortPort
8443443
XenApp
SAMS – Infrastructure
Logical Network View
#RSAC
IT Admin
Jump
Point
Monitoring
Alerting
Patching
#RSAC
Using Core Router and Core Firewall
Service A
Service F
Service B
Service E
Service C
Service D
16
#RSAC
Traditional Approach
Pros
Cons

Known Technology

Difficult to Scale the Solution

Somewhat Flexible


Minimal Training
Hub Model Requires all Traffic
Traverse the Core

Difficult to Insert Additional
Security Services
17
#RSAC
The Software Defined Approach
Overlay Networks
Host 3
Host 2
Host 1
Service A
Service F
Service B
Service E
Service C
Service D
Service A
Service F
Service B
Service E
Service C
Service D
Service A
Service F
Service B
Service E
Service C
Service D
18
#RSAC
SDN/S Approach
Pros
Cons

Easily Scaled

Emerging Technology

Very Flexible

Standards are Not Well Defined

Optimized Routing


Allows Insertion of Security
Services
Vendor Eco Systems are
Developing

Monitoring Solutions are Not Well
Developed

Automation/Orchestration
19
#RSAC
Security Architecture Made Simple (SAMS)
Data
Elements
Classification
Security Architecture Made Simple
SAMS Data
Data
Elements
Information
Objects
Products
Fields
Elements
Function
Macro
Routine
Reports
XML package
File
Message
Guest details
Charge Amount
Departure Time
Flight Loads
Revenues
Metrics
Reports
Webservices
File Transfers
#RSAC
#RSAC
SAMS Data
Example
Report
Security
Enforced
Information
Objects
Security
Maybe
Refined
Data
Element
Security
Define
#RSAC
Security Architecture Made Simple (SAMS)
Access
Identity
Position
Role
Authorization
Security Architecture Made Simple
SAMS Access
App/Service
Role
Company
Role
Company
Position
Function
Within an
Application or
Service
Function
Within a Company
Position the
Employee was hired
into
Administrator
Super User
Standard User
Auditor
Safety Office
Financial Office
Maint. Lead
ERP Admin
CEO
Manager, Sales
Analyst III, IT
#RSAC
Security Architecture Made Simple
SAMS Access
Company Position
Human Resource System
Company Role
Identity Management System
Application or Service Role
Enterprise Directory Service or
Local Directory Service
#RSAC
#RSAC
Security Architecture Made Simple (SAMS)
Infrastructure
Data
Device
Network
Application
Elements
Classification
Storage &
Transmission
of Data
Access
To
Info.
Access
To
Infrastructure
Roles
and
Responsibilities
Access
Identity
Position
Role
Authorization
Products to look for
(HyperLinked)
#RSAC

Vmware NSX

Palo alto, Check Point

McAfee NSM

Tivoli Identity Management

Arkin Net Analytics Platform (www.arkin.net)
27
#RSAC
Apply Slide

Consider network challenges

Decide on a security strategy that will work for your organization

Familiarize yourself with Software Defined Network & Security

Accept that Bring Your Own Device is really your friend

Figure out a plan to migrate your network

Start making changes (evolution not revolution)
28
#RSAC
Summary
“If you can't explain it to a six year old, you don't understand it
yourself.”
Albert Einstein
29
#RSAC
Thanks and Recognition
Inspiration
Thanks
• Dump your DMZ by Joern Wettern
• BYOD and the Death of the DMZ by Lori MacVittie
• Zero Trust Model John Kindervag
VMWare
VTeam
• Dominador DeLeon – Sr. TSA - Infrastructure Ops
• Justin Domshy – Manager of Environments
• Mike Gromek - Technical Architect III
• Darrell Lizotte – Technical Architect III
• Randy Seabrook – Manager Architecture
• Derek Sharman - Sr. Analyst-Config Management
• Walter Wenzl - Sr Analyst-Config Management
• Michael Slavens - Security Support Analyst III
• Peter Graw - Technical Architect III, IT – Infrastructure
• Quentin Hall - Technical Architect III
• Tao Yu - Sr. TSA Telecomm
•
•
•
•
Vern Bolinius
Ray Budavari
Bruno Germain
Darren Humphries
Bosses
• Cheryl Smith (Former CIO)
• Dan Neal (My Boss)
My Family
• Patrick, Brittney, Taz
#RSAC
Q&A
31
#RSAC
Bonus Slides
32
#RSAC
Product
Price
Develop
Technicians (Senior Analyst I, II)
Strategy
Manage
Focus
Blueprint
Vision
Driver
Response
Support (ITOC, Security Admin)
Assessment
Operate
Detection
Prevention
Process
People
Service Development
Tech Leaders (Security Analyst III)
Manager
Director
Architecture
Technology Council
Business
#RSAC
Define Future State

Start at the top and get aligned!
#RSAC
Define Future State
Break your world down into smaller pieces
#RSAC
Define Future State
Have an approach!
#RSAC
Define Future State
Figure out how you’re going to get the work done
#RSAC
Define Future State
Now put it all together
#RSAC
Dealing with an evolving technology
Software Defined Datacenter
Industry
Direction
Industry
Direction
Target
Architecture
Target
Architecture
Target
Architecture
Industry
Direction
Target
Industry
Architecture
Direction
Target
Architecture
Target
Architecture
Dev/Te
st
Tenant
s
Staging
Tenants
Production
Tenants
Second
Datacenter
Full SDN
Network
#RSAC
The Evolution
Software Defined Datacenter
(De-mystifying the cloud)
#RSAC
Download