SESSION ID: ASD-R03
WestJet's Security Architecture Made Simple: We Finally Got It Right!
Richard Sillito, Solution Architect, IT Security, WestJet
@dhoriyo #RSAC

(Title photo: Fort Henry, Ontario)

Flight Plan
• The Problem
• The Solution
• Applying Principles
• Summary
• Questions

The Problem

What's wrong with the network?

The underlying problem: zones
• Zones: DMZ, Internal, Secured Internal
• Traffic flows: North/South (in and out of the zones) and East/West (within them)

The Threat (attack phases)
• Infiltration: a large number of attackers, using a large number of attacks; very hard to detect or defend.
• Discovery: a smaller number of attackers, using a standard approach; easier to detect and defend.
• Extraction: a smaller number of attackers, using normal access methods; hard to defend or detect.
• Exfiltration: it doesn't matter, you're too late!

Vulnerability Surface (layers, from the developer to the user)
• Developer
• Datacenter Application/Service
• Datacenter OS
• BIOS
• Network - Link
• Network - Transport
• Network - Application
• Client OS
• Client Application
• Users

Existing Datacenter – Never Worked (diagram labels)
• The Internet
• Guests
• DMZ
• Internal
• Employees (Trusted Users?)
• Remote Users (Untrusted Users?)
• Contractors
• Secured Internal?
• Datacenter

The Solution

Security Architecture Made Simple (SAMS)
• Infrastructure: Device, Network, Application & Services
• Data: Elements, Classification
• Access: Identity, Position, Role, Authorization

SAMS – Infrastructure (diagram labels)
• Everywhere but the Datacenter (Untrusted): Employees, Guests, Contractor/Partner, End User Devices, IT Administration (Jump, Patch, Monitor, Deploy, Test, Scan)
• Datacenter (Trusted): Application Gateway, Application Services, Backend Services

SAMS – Infrastructure Logical Network View (diagram labels; the drawing's connections are not recoverable from the text)
• Gateways: Mail Gateway (Port 25; Ports 443, 995), Application Gateway / Netscaler reverse proxy (Port 443, Port 8443), Citrix gateway (XenApp, XenDesk)
• Services: Email Services (MS Exchange), Intranet Site, ERP, Mobile App, Provision, Data Services, Application Services
• Ports shown: 25, 443, 995, 8443

IT Admin
• Jump Point
• Monitoring
• Alerting
• Patching

Using Core Router and Core Firewall (diagram): Services A to F, all reached through the core.

Traditional Approach
• Pros: known technology; somewhat flexible; minimal training
• Cons: difficult to scale the solution; the hub model requires all traffic to traverse the core; difficult to insert additional security services

The Software Defined Approach: Overlay Networks (diagram): Hosts 1, 2 and 3, each carrying Services A to F on overlay networks.

SDN/S Approach
• Pros: easily scaled; very flexible; optimized routing; allows insertion of security services; automation/orchestration
• Cons: emerging technology; standards are not well defined; vendor ecosystems are developing; monitoring solutions are not well developed

Security Architecture Made Simple (SAMS) – Data
• Elements
• Classification

SAMS Data
• Data Elements (Fields, Elements, Function, Macro, Routine), e.g. Guest details, Charge Amount, Departure Time
• Information Objects (Reports, XML package, File, Message), e.g. Flight Loads, Revenues, Metrics
• Products: Reports, Webservices, File Transfers

SAMS Data Example
• Report (product): security enforced
• Information Objects: security may be refined
• Data Element: security defined

Security Architecture Made Simple (SAMS) – Access
• Identity, Position, Role, Authorization

SAMS Access
• App/Service Role: function within an application or service (Administrator, Super User, Standard User, Auditor)
• Company Role: function within a company (Safety Office, Financial Office, Maint. Lead, ERP Admin)
• Company Position: position the employee was hired into (CEO; Manager, Sales; Analyst III, IT)

SAMS Access: system of record for each layer
• Company Position: Human Resource System
• Company Role: Identity Management System
• Application or Service Role: Enterprise Directory Service or Local Directory Service

Security Architecture Made Simple (SAMS) – summary
• Infrastructure (Device, Network, Application): storage and transmission of data
• Data (Elements, Classification): access to information
• Access (Identity, Position, Role, Authorization): access to infrastructure; roles and responsibilities

Products to look for (hyperlinked)
• VMware NSX
• Palo Alto, Check Point
• McAfee NSM
• Tivoli Identity Management
• Arkin Net Analytics Platform (www.arkin.net)

Apply Slide
• Consider network challenges
• Decide on a security strategy that will work for your organization
• Familiarize yourself with Software Defined Network & Security
• Accept that Bring Your Own Device is really your friend
• Figure out a plan to migrate your network
• Start making changes (evolution, not revolution)

Summary
"If you can't explain it to a six year old, you don't understand it yourself." Albert Einstein

Thanks and Recognition
Inspiration
• Dump your DMZ by Joern Wettern
• BYOD and the Death of the DMZ by Lori MacVittie
• Zero Trust Model by John Kindervag
VMware VTeam
• Vern Bolinius
• Ray Budavari
• Bruno Germain
• Darren Humphries
Thanks
• Dominador DeLeon – Sr. TSA - Infrastructure Ops
• Justin Domshy – Manager of Environments
• Mike Gromek - Technical Architect III
• Darrell Lizotte – Technical Architect III
• Randy Seabrook – Manager Architecture
• Derek Sharman - Sr. Analyst-Config Management
• Walter Wenzl - Sr Analyst-Config Management
• Michael Slavens - Security Support Analyst III
• Peter Graw - Technical Architect III, IT – Infrastructure
• Quentin Hall - Technical Architect III
• Tao Yu - Sr. TSA Telecomm
Bosses
• Cheryl Smith (Former CIO)
• Dan Neal (My Boss)
My Family
• Patrick, Brittney, Taz

Q&A

Bonus Slides

(Bonus slide, diagram: a security organisation model. Dimensions: Process, People, Service, Business. Roles: Technicians (Senior Analyst I, II), Support (ITOC, Security Admin), Tech Leaders (Security Analyst III), Manager, Director, Architecture, Technology Council. Activities: Develop, Manage, Operate, Support. Themes: Strategy, Focus, Blueprint, Vision, Driver, Response, Assessment, Detection, Prevention, Product, Price.)

Define Future State: Start at the top and get aligned!
Define Future State: Break your world down into smaller pieces

Define Future State: Have an approach!

Define Future State: Figure out how you're going to get the work done

Define Future State: Now put it all together

Dealing with an evolving technology: Software Defined Datacenter (diagram): the target architecture is revised against the industry direction at each stage of the migration: Dev/Test Tenants, Staging Tenants, Production Tenants, Second Datacenter, Full SDN Network.

The Evolution: Software Defined Datacenter (De-mystifying the cloud)
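Worked example, added here and not part of the deck or of WestJet's systems: a small Python resolver that applies the SAMS access and data model from the slides (HR position to company role to application role; security defined on data elements, optionally refined on information objects, enforced at the product). All mappings, the "erp" application and the "Operations Report" product are constructed sample data.

```python
from dataclasses import dataclass, field

# Access layers (constructed samples): Company Position comes from the HR
# system, Company Role from identity management, App/Service Role from the
# directory service. A tuple is (application, role within that application).
POSITION_TO_COMPANY_ROLES = {"Analyst III, IT": {"ERP Admin"},
                             "Manager, Sales": {"Financial Office"}}
COMPANY_ROLE_TO_APP_ROLES = {"ERP Admin": {("erp", "Administrator")},
                             "Financial Office": {("erp", "Standard User")}}

# Data layer: security is defined on data elements (which app roles may see them)...
ELEMENT_CLEARANCE = {
    "Guest details": {"Administrator", "Auditor"},
    "Charge Amount": {"Administrator", "Standard User", "Auditor"},
    "Departure Time": {"Administrator", "Standard User", "Auditor"},
}

@dataclass
class InfoObject:
    """...and may be refined per information object: `refine` tightens the
    clearance of an element inside this object only (constructed sample)."""
    elements: list
    refine: dict = field(default_factory=dict)

OBJECTS = {
    "Flight Loads": InfoObject(["Departure Time", "Guest details"]),
    "Revenues": InfoObject(["Charge Amount", "Departure Time"],
                           refine={"Charge Amount": {"Administrator", "Auditor"}}),
}
# Products are where security is enforced: (application, information objects).
PRODUCTS = {"Operations Report": ("erp", ["Flight Loads", "Revenues"])}

def app_roles_for(position, application):
    """Resolve HR position -> company roles -> roles held within one application."""
    company_roles = POSITION_TO_COMPANY_ROLES.get(position, set())
    return {role for cr in company_roles
            for app, role in COMPANY_ROLE_TO_APP_ROLES.get(cr, set())
            if app == application}

def visible_elements(obj, roles):
    """An element is visible if any held role is cleared; refinement wins over the default."""
    return [el for el in obj.elements
            if roles & obj.refine.get(el, ELEMENT_CLEARANCE[el])]

def render_product(position, product):
    """Enforce at the product: None when the user holds no role in its application,
    otherwise each information object reduced to the elements the user may see."""
    application, object_names = PRODUCTS[product]
    roles = app_roles_for(position, application)
    if not roles:
        return None
    return {name: visible_elements(OBJECTS[name], roles) for name in object_names}

if __name__ == "__main__":
    for pos in ("Analyst III, IT", "Manager, Sales", "CEO"):
        print(pos, "->", render_product(pos, "Operations Report"))
```

The "Manager, Sales" case shows the refinement step: Charge Amount is cleared for Standard Users at the element level, but the Revenues object tightens it, so the enforced report omits it.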