WestJet s Security Architecture Made Simple We Finally Got It Right!

Transcription

1 SESSION ID: ASD-R03 WestJet s Security Architecture Made Simple We Finally Got It Right! Richard Sillito Solution Architect, IT Security

2 Fort Henry Ontario

3 Flight Plan Applying Principals The Solution Summary The Problem Questions 3

4 The Problem

5 What wrong with the network?

6 The underlying problem Zones DMZ North/South Internal Secured Internal East/West

7 The Threat Infiltration Discovery Extraction Exfiltration Large Number of Attackers Smaller Amount of Attackers Smaller Amount of Attackers Using a Large Number of Attacks Using a Standard Approach Using Normal Access Methods It Doesn t Matter! You re Too Late! Very Hard to Detect or Defend Easier to Detect and Defend Hard to Defend or Detect

8 Vulnerability Surface Vulnerability Surface Developer Datacenter Application/Service Datacenter OS Bios Network - Link Network - Transport Network - Application Client OS Client Application Users

9 DMZ Internal Existing Datacenter Never Worked Employees The Internet Guests Remote Users Untrusted Users? Secured Internal? Datacenter Contractors Trusted Users?

10 The Solution

11 Security Architecture Made Simple (SAMS) Infrastructure Device Network Application & Services Data Elements Classification Access Identity Position Role Authorization

12 Security Architecture Made Simple (SAMS) Infrastructure Device Network Application & Services

13 Application Gateway Application Services Backend Services Security Architecture Made Simple (SAMS) SAMS - Infrastructure Guests Employees Contractor/Partner End User Devices Jump Patch Monitor Everywhere But the Datacenter (Untrusted) Deploy Test IT Administration Datacenter (Trusted) Scan

14 SAMS Infrastructure Logical Network View Application Gateway Application Services Services Mail Gateway Citrix Port 25 Port 443,995 Mail Gateway MS Exchange Port 443 Port 25 Port 443 Data Services Netscaler XenApp Port 443 Port 8443 Citrix Intranet Site XenDesk Services Gateway Provision Mobile App Reverse Proxy Port Port ERP Data App Services

15 SAMS Infrastructure Logical Network View IT Admin Jump Point Monitoring Alerting Patching

16 Using Core Router and Core Firewall Service F Service A Service B Service E Service D Service C 16

17 Traditional Approach Pros Known Technology Somewhat Flexible Minimal Training Cons Difficult to Scale the Solution Hub Model Requires all Traffic Traverse the Core Difficult to Insert Additional Security Services 17

18 Host 3 Overlay Networks Host 2 Host 1 The Software Defined Approach Service F Service A Service B Service E Service D Service C Service F Service A Service B Service E Service D Service C Service F Service A Service B Service E Service D Service C 18

19 SDN/S Approach Pros Easily Scaled Very Flexible Optimized Routing Allows Insertion of Security Services Automation/Orchestration Cons Emerging Technology Standards are Not Well Defined Vendor Eco Systems are Developing Monitoring Solutions are Not Well Developed 19

20 Security Architecture Made Simple (SAMS) Data Elements Classification

21 Security Architecture Made Simple SAMS Data Data Elements Information Objects Products Fields Elements Function Macro Routine Reports XML package File Message Guest details Charge Amount Departure Time Flight Loads Revenues Metrics Reports Webservices File Transfers

22 SAMS Data Example Report Security Enforced Information Objects Security Maybe Refined Data Element Security Define

23 Security Architecture Made Simple (SAMS) Access Identity Position Role Authorization

24 Security Architecture Made Simple SAMS Access App/Service Role Company Role Company Position Function Within an Application or Service Function Within a Company Position the Employee was hired into Administrator Super User Standard User Auditor Safety Office Financial Office Maint. Lead ERP Admin CEO Manager, Sales Analyst III, IT

25 Security Architecture Made Simple SAMS Access Company Position Human Resource System Company Role Identity Management System Application or Service Role Enterprise Directory Service or Local Directory Service

26 Security Architecture Made Simple (SAMS) Infrastructure Device Network Application Access To Infrastructure Storage & Transmission of Data Access To Info. Access Identity Position Role Authorization Data Elements Classification Roles and Responsibilities

27 Products to look for (HyperLinked) Vmware NSX Palo alto, Check Point McAfee NSM Tivoli Identity Management Arkin Net Analytics Platform ( 27

28 Apply Slide Consider network challenges Decide on a security strategy that will work for your organization Familiarize yourself with Software Defined Network & Security Accept that Bring Your Own Device is really your friend Figure out a plan to migrate your network Start making changes (evolution not revolution) 28

29 Summary If you can't explain it to a six year old, you don't understand it yourself. Albert Einstein 29

30 Thanks and Recognition Inspiration Dump your DMZ by Joern Wettern BYOD and the Death of the DMZ by Lori MacVittie Zero Trust Model John Kindervag Thanks VTeam Dominador DeLeon Sr. TSA - Infrastructure Ops Justin Domshy Manager of Environments Mike Gromek - Technical Architect III Darrell Lizotte Technical Architect III Randy Seabrook Manager Architecture Derek Sharman - Sr. Analyst-Config Management Walter Wenzl - Sr Analyst-Config Management Michael Slavens - Security Support Analyst III Peter Graw - Technical Architect III, IT Infrastructure Quentin Hall - Technical Architect III Tao Yu - Sr. TSA Telecomm VMWare Vern Bolinius Ray Budavari Bruno Germain Darren Humphries Bosses Cheryl Smith (Former CIO) Dan Neal (My Boss) My Family Patrick, Brittney, Taz

31 Q & A 31

32 Bonus Slides 32

33 Price Product People Process Prevention Detection Assessment Response Service Development Operate Support (ITOC, Security Admin) Develop Technicians (Senior Analyst I, II) Strategy Manage Focus Blueprint Vision Driver Tech Leaders (Security Analyst III) Manager Director Architecture Technology Council Business

34 Define Future State Start at the top and get aligned!

35 Define Future State Break your world down into smaller pieces

36 Define Future State Have an approach!

37 Define Future State Figure out how you re going to get the work done

38 Define Future State Now put it all together

39 Dealing with an evolving technology Software Defined Datacenter Target Architecture Industry Direction Target Architecture Industry Direction Target Architecture Industry Direction Industry Target Direction Architecture Target Architecture Target Architecture Dev/Te st Tenant s Staging Tenants Production Tenants Second Datacenter Full SDN Network

40 The Evolution

41 Software Defined Datacenter (De-mystifying the cloud)