1 SESSION ID: ASD-R03. WestJet's Security Architecture Made Simple: We Finally Got It Right! Richard Sillito, Solution Architect, IT Security
2 Fort Henry Ontario
3 Flight Plan: Applying Principles; The Solution; Summary; The Problem; Questions
4 The Problem
5 What's wrong with the network?
6 The underlying problem Zones DMZ North/South Internal Secured Internal East/West
7 The Threat. Infiltration: Large Number of Attackers; Using a Large Number of Attacks; Very Hard to Detect or Defend. Discovery: Smaller Amount of Attackers; Using a Standard Approach; Easier to Detect and Defend. Extraction: Smaller Amount of Attackers; Using Normal Access Methods; Hard to Defend or Detect. Exfiltration: It Doesn't Matter! You're Too Late!
8 Vulnerability Surface: Developer; Datacenter Application/Service; Datacenter OS; BIOS; Network - Link; Network - Transport; Network - Application; Client OS; Client Application; Users
9 DMZ Internal Existing Datacenter Never Worked Employees The Internet Guests Remote Users Untrusted Users? Secured Internal? Datacenter Contractors Trusted Users?
10 The Solution
11 Security Architecture Made Simple (SAMS). Infrastructure: Device, Network, Application & Services. Data: Elements, Classification. Access: Identity, Position, Role, Authorization.
13 Application Gateway Application Services Backend Services Security Architecture Made Simple (SAMS) SAMS - Infrastructure Guests Employees Contractor/Partner End User Devices Jump Patch Monitor Everywhere But the Datacenter (Untrusted) Deploy Test IT Administration Datacenter (Trusted) Scan
14 SAMS Infrastructure Logical Network View Application Gateway Application Services Services Mail Gateway Citrix Port 25 Port 443,995 Mail Gateway MS Exchange Port 443 Port 25 Port 443 Data Services Netscaler XenApp Port 443 Port 8443 Citrix Intranet Site XenDesk Services Gateway Provision Mobile App Reverse Proxy Port Port ERP Data App Services
15 SAMS Infrastructure Logical Network View IT Admin Jump Point Monitoring Alerting Patching
16 Using Core Router and Core Firewall [Diagram: Service A to Service F]
17 Traditional Approach. Pros: Known Technology; Somewhat Flexible; Minimal Training. Cons: Difficult to Scale the Solution; Hub Model Requires all Traffic Traverse the Core; Difficult to Insert Additional Security Services.
18 The Software Defined Approach [Diagram: Overlay Networks; Host 1, Host 2, Host 3; Service A to Service F]
19 SDN/S Approach. Pros: Easily Scaled; Very Flexible; Optimized Routing; Allows Insertion of Security Services; Automation/Orchestration. Cons: Emerging Technology; Standards are Not Well Defined; Vendor Eco Systems are Developing; Monitoring Solutions are Not Well Developed.
20 Security Architecture Made Simple (SAMS). Data: Elements, Classification.
21 Security Architecture Made Simple SAMS Data Data Elements Information Objects Products Fields Elements Function Macro Routine Reports XML package File Message Guest details Charge Amount Departure Time Flight Loads Revenues Metrics Reports Webservices File Transfers
22 SAMS Data Example Report Security Enforced Information Objects Security Maybe Refined Data Element Security Define
23 Security Architecture Made Simple (SAMS). Access: Identity, Position, Role, Authorization.
24 Security Architecture Made Simple: SAMS Access. App/Service Role: Function Within an Application or Service. Company Role: Function Within a Company. Company Position: Position the Employee was hired into. Administrator; Super User; Standard User; Auditor; Safety Office; Financial Office; Maint. Lead; ERP Admin; CEO; Manager, Sales; Analyst III, IT.
25 Security Architecture Made Simple: SAMS Access. Company Position: Human Resource System. Company Role: Identity Management System. Application or Service Role: Enterprise Directory Service or Local Directory Service.
26 Security Architecture Made Simple (SAMS) Infrastructure Device Network Application Access To Infrastructure Storage & Transmission of Data Access To Info. Access Identity Position Role Authorization Data Elements Classification Roles and Responsibilities
27 Products to look for (HyperLinked): VMware NSX; Palo Alto, Check Point; McAfee NSM; Tivoli Identity Management; Arkin Net Analytics Platform (www.arkin.net)
28 Apply Slide: Consider network challenges; Decide on a security strategy that will work for your organization; Familiarize yourself with Software Defined Network & Security; Accept that Bring Your Own Device is really your friend; Figure out a plan to migrate your network; Start making changes (evolution not revolution)
29 Summary: "If you can't explain it to a six year old, you don't understand it yourself." Albert Einstein
30 Thanks and Recognition. Inspiration: "Dump your DMZ" by Joern Wettern; "BYOD and the Death of the DMZ" by Lori MacVittie; Zero Trust Model, John Kindervag. Thanks, VTeam: Dominador DeLeon, Sr. TSA - Infrastructure Ops; Justin Domshy, Manager of Environments; Mike Gromek, Technical Architect III; Darrell Lizotte, Technical Architect III; Randy Seabrook, Manager Architecture; Derek Sharman, Sr. Analyst-Config Management; Walter Wenzl, Sr Analyst-Config Management; Michael Slavens, Security Support Analyst III; Peter Graw, Technical Architect III, IT Infrastructure; Quentin Hall, Technical Architect III; Tao Yu, Sr. TSA Telecomm. VMware: Vern Bolinius; Ray Budavari; Bruno Germain; Darren Humphries. Bosses: Cheryl Smith (Former CIO); Dan Neal (My Boss). My Family: Patrick, Brittney, Taz.
31 Q & A
32 Bonus Slides
33 Price Product People Process Prevention Detection Assessment Response Service Development Operate Support (ITOC, Security Admin) Develop Technicians (Senior Analyst I, II) Strategy Manage Focus Blueprint Vision Driver Tech Leaders (Security Analyst III) Manager Director Architecture Technology Council Business
34 Define Future State Start at the top and get aligned!
35 Define Future State Break your world down into smaller pieces
36 Define Future State Have an approach!
37 Define Future State Figure out how you're going to get the work done
38 Define Future State Now put it all together
39 Dealing with an evolving technology [Diagram: Software Defined Datacenter; Target Architecture; Industry Direction; Dev/Test Tenants; Staging Tenants; Production Tenants; Second Datacenter; Full SDN Network]
40 The Evolution
41 Software Defined Datacenter (De-mystifying the cloud)