Channel: Enterprise IT Strategy

Queensland Enterprise Security Architecture Workshop a Winner!


The Queensland Enterprise Security Architecture Workshop we ran on 11 March 2013 exceeded expectations. The event was oversubscribed at 30+ attendees, who represented a variety of industry sectors, e.g., energy, insurance, banking, airlines, and many government agencies. Some attendees presented newly completed enterprise security solutions that had achieved the desired business benefits. Others presented work-in-progress, or proposed architectures, and received ample feedback from their peers. Overall, the Workshop certainly met its objectives. Some highlights appear below:

One organisation presented a successful BYOD (“bring your own device”) architecture and deployment. The approach essentially extended the Internet into their physical premises. Users could then connect their personal (BYOD) device to this network extension. After that, they could access any web-enabled application currently accessible from the Internet, or use virtual desktop technology to access corporate applications that are not web-enabled.

Another organisation presented a hybrid cloud architecture and some interesting associated security challenges. The attendees provided advice regarding the configuration of the network security domains and what impact this would have on identity and access management solutions. Where an organisation’s private clouds are essentially an extension of the corporate network, existing IDAM methods were considered to be generally suitable. However, where they are not part of the same network, an identity federation approach, e.g., via SAML, would be effective. The capabilities of Amazon Web Services infrastructure were also discussed, including DR approaches, the integration of cloud/on-site infrastructure monitoring systems, and AWS’s lightweight workflow system, which could automatically transport event logs for performance analysis. It became clear that very few enterprises were currently using cloud providers (like AWS) to host significant portions of their IT infrastructure.

The discussion then moved on to SCADA, where an organisation presented its architecture and sought assistance relating to remote access to SCADA infrastructure. Fortunately, there were attendees who had extensive experience with the separation of SCADA and corporate networks and hence could provide advice regarding network segmentation and isolation. One attendee noted that remote access to virtual desktops played a key role in limiting the access and actions of staff connected to their SCADA networks.

A presentation on ensuring the integrity of electronic funds transfer throughout a multistage workflow was given by an attendee from the financial services industry.  The attendees addressed the key security requirement, namely the integrity of the instructions to transfer funds.  They also gave advice regarding the use of classic PKI techniques, i.e., digital signatures, to ensure integrity throughout the entire workflow.

An attendee from the government sector presented his organisation’s requirements for an enterprise-grade, multipurpose, secure file transfer system. He described a number of common use cases, e.g., user2user, app2app, and business2business, that his organisation wished to support. Attendees suggested a few products that might address some, or all, of these use cases. Some attendees had implemented solutions for one or two of the use cases, but no one had implemented a single enterprise product to address all three use cases.

Following the key security architecture presentations, the attendees took some time to discuss how formal risk management and compliance standards could be used to obtain approvals (and funding) to progress security infrastructure improvements.

It was great to see everyone so engaged and sharing insights and experience.  We received a number of requests from attendees for more workshops of this type.   I would like to thank everyone who attended for their participation, and especially BCC’s Adrian Lush, Mario Ferraro, and Daniel Thomas, for their assistance with organising and delivering the workshop.

If you missed this workshop, or would like to engage security architects from across the Asia-Pacific region, you should consider joining us for the Australian national Enterprise Security Architecture Workshop.  This workshop will be held as part of the 2013 AusCERT conference at the Gold Coast (check out the “tutorials” section of the conference website).  There will certainly be more informative and inspiring ESA conversation.  I hope to see you there!


