SESSION ID:

#RSAC

Richard Sillito

WestJet’s

Security Architecture Made Simple

We Finally Got It Right!

ASD-R03

Solution Architect, IT Security

WestJet

@dhoriyo

#RSAC

Fort Henry Ontario

#RSAC

Flight Plan

3

The Problem

The Solution

Applying Principals

Summary

Questions

#RSAC

The Problem

#RSAC

What wrong with the network?

#RSAC

The underlying problem

No

rth/So

uth

East/West

DMZ

Internal

Secured Internal

Zones

#RSAC

The Threat

Infiltration Discovery Extraction Exfiltration

Large Number of Attackers

Using a Large

Number of Attacks

Very Hard to

Detect or Defend

Smaller Amount of Attackers

Using a Standard

Approach

Easier to Detect and

Defend

Smaller Amount of Attackers

Using Normal

Access Methods

Hard to Defend or Detect

It Doesn’t Matter!

You’re Too Late!

#RSAC

Vulnerability Surface

Developer

Datacenter Application/Service

Datacenter OS

Bios

Network - Link

Network - Transport

Network - Application

Client OS

Client Application

Users

Vulnerability Surface

#RSAC

The Internet

Datacenter

Existing Datacenter – Never Worked

Trusted Users?

DM

Z

Inte

rnal

Bac

ken

d

Serv

ices

Employees

Contractors

Secured Internal? Untrusted Users?

Guests Remote

Users

#RSAC

The Solution

#RSAC

Security Architecture Made Simple (SAMS)

Infrastructure Device

Network

Application &

Services

Access Identity

Position

Role

Authorization

Data Elements

Classification

#RSAC

Security Architecture Made Simple (SAMS)

Infrastructure Device

Network

Application &

Services

#RSAC

Datacenter (Trusted)

Security Architecture Made Simple (SAMS)

SAMS - Infrastructure

Everywhere But the Datacenter (Untrusted)

IT Administration

Ap

plic

atio

n

Gat

eway

Ap

plic

atio

n

Serv

ices

Bac

ken

d

Serv

ices

End User Devices

Guests

Employees

Contractor/Partner

Jump

Deploy

Patch

Test

Monitor

Scan

#RSAC

Mail Gateway

Email Gateway

Port 25

Citrix

Netscaler XenApp

XenDesk Provision

Port 443

SAMS – Infrastructure

Logical Network View

Mail Gateway Port 25

Citrix Port 443

Data Services

Services Gateway

Mobile App

Reverse Proxy

Port 443

Data Services Port 443

Application Gateway

Services

MS Exchange Port 443,995

Intranet Site Port 8443

ERP App Port 8443

Application

Services

#RSAC

SAMS – Infrastructure

Logical Network View IT Admin

Jump Point

Monitoring

Alerting

Patching

#RSAC

Using Core Router and Core Firewall

16

Service A

Service F

Service E

Service D

Service C

Service B

#RSAC

Traditional Approach

Pros

Known Technology

Somewhat Flexible

Minimal Training

Cons

Difficult to Scale the Solution

Hub Model Requires all Traffic

Traverse the Core

Difficult to Insert Additional

Security Services

17

#RSAC

The Software Defined Approach

18

Ho

st 1

Service A

Service F

Service E

Service D

Service C

Service B

Ho

st 2

Service A

Service F

Service E

Service D

Service C

Service B

Ho

st 3

Service A

Service F

Service E

Service D

Service C

Service B

Ove

rlay

Net

wo

rks

#RSAC

SDN/S Approach

Pros

Easily Scaled

Very Flexible

Optimized Routing

Allows Insertion of Security

Services

Automation/Orchestration

Cons

Emerging Technology

Standards are Not Well Defined

Vendor Eco Systems are

Developing

Monitoring Solutions are Not Well

Developed

19

#RSAC

Security Architecture Made Simple (SAMS)

Data Elements

Classification

#RSAC

Security Architecture Made Simple

SAMS Data

Products

Reports XML package

File Message

Reports Webservices File Transfers

Information Objects

Function

Macro Routine

Flight Loads Revenues Metrics

Data Elements

Fields

Elements

Guest details Charge Amount Departure Time

#RSAC

SAMS Data

Example

Security

Define Data

Element

Information

Objects

Report

Security

Maybe

Refined

Security

Enforced

#RSAC

Security Architecture Made Simple (SAMS)

Access Identity

Position

Role

Authorization

#RSAC

Security Architecture Made Simple

SAMS Access

Company Position

Position the

Employee was hired into

CEO Manager, Sales

Analyst III, IT

Company Role

Function

Within a Company

Safety Office Financial Office

Maint. Lead ERP Admin

App/Service Role

Function Within an

Application or Service

Administrator Super User

Standard User Auditor

#RSAC

Security Architecture Made Simple

SAMS Access

Application or Service Role

Enterprise Directory Service or Local Directory Service

Company Role

Identity Management System

Company Position

Human Resource System

#RSAC

Security Architecture Made Simple (SAMS)

Infrastructure Device

Network

Application

Access Identity

Position

Role

Authorization

Data Elements

Classification

Access

To

Info.

Access

To

Infrastructure

Storage &

Transmission

of Data

Roles

and

Responsibilities

#RSAC Products to look for (HyperLinked)

Vmware NSX

Palo alto, Check Point

McAfee NSM

Tivoli Identity Management

Arkin Net Analytics Platform (www.arkin.net)

27

#RSAC

Apply Slide

Consider network challenges

Decide on a security strategy that will work for your organization

Familiarize yourself with Software Defined Network & Security

Accept that Bring Your Own Device is really your friend

Figure out a plan to migrate your network

Start making changes (evolution not revolution)

28

#RSAC

Summary

“If you can't explain it to a six year old, you don't understand it

yourself.”

Albert Einstein

29

#RSAC

Thanks and Recognition

VMWare • Vern Bolinius • Ray Budavari • Bruno Germain • Darren Humphries Bosses • Cheryl Smith (Former CIO) • Dan Neal (My Boss)

My Family • Patrick, Brittney, Taz

Thanks VTeam • Dominador DeLeon – Sr. TSA - Infrastructure Ops • Justin Domshy – Manager of Environments • Mike Gromek - Technical Architect III • Darrell Lizotte – Technical Architect III • Randy Seabrook – Manager Architecture • Derek Sharman - Sr. Analyst-Config Management • Walter Wenzl - Sr Analyst-Config Management • Michael Slavens - Security Support Analyst III • Peter Graw - Technical Architect III, IT – Infrastructure • Quentin Hall - Technical Architect III • Tao Yu - Sr. TSA Telecomm

Inspiration

• Dump your DMZ by Joern Wettern • BYOD and the Death of the DMZ by Lori MacVittie • Zero Trust Model John Kindervag

#RSAC

Q & A

31

#RSAC

Bonus Slides

32

#RSAC

Ass

essm

ent

Service Development

Driver

Vision

Blueprint

Focus

Manage P

reve

nti

on

Det

ecti

on

Res

po

nse

Business

Architecture

Director

Manager

Technology Council

Tech Leaders (Security Analyst III)

Develop Technicians (Senior Analyst I, II)

Strategy P

rod

uct

Peo

ple

Pro

cess

Pri

ce

Operate Support (ITOC, Security Admin)

#RSAC

Define Future State

Start at the top and get aligned!

#RSAC

Define Future State

Break your world down into smaller pieces

#RSAC

Define Future State

Have an approach!

#RSAC

Define Future State

Figure out how you’re going to get the work done

#RSAC

Define Future State

Now put it all together

#RSAC

Dealing with an evolving technology

Software Defined Datacenter

Target

Architecture Industry

Direction

Dev/Te

st

Tenant

s

Staging

Tenants Production

Tenants

Second

Datacenter

Full SDN

Network

Industry

Direction

Industry

Direction

Industry

Direction

Target

Architecture

Target

Architecture

Target

Architecture

Target

Architecture Target

Architecture

#RSAC

The Evolution

#RSAC

Software Defined Datacenter

(De-mystifying the cloud)