WestJet’s Security Architecture Made Simple
We Finally Got It Right!
SESSION ID: ASD-R03
#RSAC
Richard Sillito
Solution Architect, IT Security
WestJet
@dhoriyo
The Threat
Infiltration, Discovery, Extraction, Exfiltration
Large Number of Attackers Using a Large Number of Attacks: Very Hard to Detect or Defend
Smaller Amount of Attackers Using a Standard Approach: Easier to Detect and Defend
Smaller Amount of Attackers Using Normal Access Methods: Hard to Defend or Detect
It Doesn’t Matter! You’re Too Late!
Vulnerability Surface
Developer
Datacenter Application/Service
Datacenter OS
Bios
Network - Link
Network - Transport
Network - Application
Client OS
Client Application
Users
The Internet
Datacenter
Existing Datacenter – Never Worked
Trusted Users?
DMZ
Internal
Backend Services
Employees
Contractors
Secured Internal?
Untrusted Users?
Guests
Remote Users
Security Architecture Made Simple (SAMS)
Infrastructure: Device, Network, Application & Services
Access: Identity, Position, Role, Authorization
Data: Elements, Classification
Datacenter (Trusted)
Security Architecture Made Simple (SAMS)
SAMS - Infrastructure
Everywhere But the Datacenter (Untrusted)
IT Administration
Application Gateway
Application Services
Backend Services
End User Devices
Guests
Employees
Contractor/Partner
Jump
Deploy
Patch
Test
Monitor
Scan
Mail Gateway
Email Gateway
Port 25
Citrix
Netscaler XenApp
XenDesk Provision
Port 443
SAMS – Infrastructure
Logical Network View
Mail Gateway Port 25
Citrix Port 443
Data Services
Services Gateway
Mobile App
Reverse Proxy
Port 443
Data Services Port 443
Application Gateway
Services
MS Exchange Port 443,995
Intranet Site Port 8443
ERP App Port 8443
Application
Services
Using Core Router and Core Firewall
Service A
Service F
Service E
Service D
Service C
Service B
Traditional Approach
Pros
Known Technology
Somewhat Flexible
Minimal Training
Cons
Difficult to Scale the Solution
Hub Model Requires all Traffic Traverse the Core
Difficult to Insert Additional Security Services
The Software Defined Approach
Host 1
Service A
Service F
Service E
Service D
Service C
Service B
Host 2
Service A
Service F
Service E
Service D
Service C
Service B
Host 3
Service A
Service F
Service E
Service D
Service C
Service B
Overlay Networks
SDN/S Approach
Pros
Easily Scaled
Very Flexible
Optimized Routing
Allows Insertion of Security Services
Automation/Orchestration
Cons
Emerging Technology
Standards are Not Well Defined
Vendor Ecosystems are Developing
Monitoring Solutions are Not Well Developed
Security Architecture Made Simple
SAMS Data
Products
Reports XML package
File Message
Reports Webservices File Transfers
Information Objects
Function
Macro Routine
Flight Loads Revenues Metrics
Data Elements
Fields
Elements
Guest details Charge Amount Departure Time
SAMS Data
Example
Security
Define Data
Element
Information
Objects
Report
Security
Maybe
Refined
Security
Enforced
Security Architecture Made Simple
SAMS Access
Company Position
Position the Employee was hired into
CEO; Manager, Sales; Analyst III, IT
Company Role
Function Within a Company
Safety Office, Financial Office, Maint. Lead, ERP Admin
App/Service Role
Function Within an Application or Service
Administrator, Super User, Standard User, Auditor
Security Architecture Made Simple
SAMS Access
Application or Service Role: Enterprise Directory Service or Local Directory Service
Company Role: Identity Management System
Company Position: Human Resource System
Security Architecture Made Simple (SAMS)
Infrastructure: Device, Network, Application
Access: Identity, Position, Role, Authorization
Data: Elements, Classification
Access To Info.
Access To Infrastructure
Storage & Transmission of Data
Roles and Responsibilities
Products to look for (HyperLinked)
VMware NSX
Palo Alto, Check Point
McAfee NSM
Tivoli Identity Management
Arkin Net Analytics Platform (www.arkin.net)
Apply Slide
Consider network challenges
Decide on a security strategy that will work for your organization
Familiarize yourself with Software Defined Network & Security
Accept that Bring Your Own Device is really your friend
Figure out a plan to migrate your network
Start making changes (evolution not revolution)
Summary
“If you can't explain it to a six year old, you don't understand it yourself.”
Albert Einstein
Thanks and Recognition
VMWare
• Vern Bolinius
• Ray Budavari
• Bruno Germain
• Darren Humphries
Bosses
• Cheryl Smith (Former CIO)
• Dan Neal (My Boss)
My Family
• Patrick, Brittney, Taz
Thanks VTeam
• Dominador DeLeon – Sr. TSA - Infrastructure Ops
• Justin Domshy – Manager of Environments
• Mike Gromek - Technical Architect III
• Darrell Lizotte – Technical Architect III
• Randy Seabrook – Manager Architecture
• Derek Sharman - Sr. Analyst-Config Management
• Walter Wenzl - Sr Analyst-Config Management
• Michael Slavens - Security Support Analyst III
• Peter Graw - Technical Architect III, IT – Infrastructure
• Quentin Hall - Technical Architect III
• Tao Yu - Sr. TSA Telecomm
Inspiration
• Dump your DMZ by Joern Wettern
• BYOD and the Death of the DMZ by Lori MacVittie
• Zero Trust Model John Kindervag
Assessment
Service Development
Driver
Vision
Blueprint
Focus
Manage
Prevention
Detection
Response
Business
Architecture
Director
Manager
Technology Council
Tech Leaders (Security Analyst III)
Develop Technicians (Senior Analyst I, II)
Strategy
Product
People
Process
Price
Operate Support (ITOC, Security Admin)
Dealing with an evolving technology
[Diagram labels: Software Defined Datacenter; Dev/Test Tenants; Staging Tenants; Production Tenants; Second Datacenter; Full SDN Network; Target Architecture; Industry Direction]