Q&A with Bell’s director of Olympic architecture
By Vawn Himmelsbach
It was almost four decades ago that members of the Israeli Olympic team were taken hostage and killed by the militant group Black September, during the 1972 Summer Olympic Games in Munich, West Germany. In more recent years, the Internet has made events of this magnitude attractive to hackers and cyber-criminals.
The Vancouver 2010 Winter Olympic Games expects a broadcast audience of 3 billion, not to mention billions of hits on its Vancouver2010.com Web portal. For organizers, there’s no room for error when it comes to physical and cyber-security.
Bell, the official telecommunications partner for the Games, has been
working in partnership with the Vancouver Organizing Committee (VANOC)
to not only deliver the communications services required for the Games,
but also to provide a security solution that will safeguard its network
and Web presence from virtual intruders, equipment malfunctions, human
error and natural disasters.
The telecommunications network, the Games’ first all Internet Protocol
(IP) network, will carry all voice, data, image and broadcast traffic.
This will also be the most mobile of any Games, with 15,000 attendees
able to access the network anywhere within the Games’ venues via
smartphones and laptops. And that provides some unique security
Canadian Security talked to Simon Edgett, Bell’s director of Olympic architecture, about the 2010 Winter Games network.
Canadian Security: What security services will you be providing?
Edgett: We did the end-to-end design of the technical infrastructure
for providing services between all the different venues. We have a
whole set of services that are similar to what we deliver every day to
enterprises, but they’ve been custom-built for the Games to be slightly
unique in that environment. A lot of it is voice-over-IP, telephony
services, point-to-point data services and the Vancouver2010.com Web
portal. One of the key things from a security perspective is we
considered security as a design criterion. A lot of the time people want
to think about security when they’re well along their plans of
implementing a network or setting up their business, but we added
security right from Day One as a design component. We looked at how to
minimize all the interconnection points to the outside world, and
anywhere we didn’t connect to a trusted user group, that’s where we’d
put in a firewall and intrusion detection, and each of those we manage
in terms of who accesses it.
Canadian Security: What is the size of the team you’re working with?
Edgett: We’ll require over 400 individuals to execute not just managing
and securing the network, but also the technicians we put in every
single venue, so we’ve done a huge internal recruitment process where
we’ll take our top performers from across the country and temporarily
relocate them to Vancouver for the Games. We’ve just finished 16
world-class events over the first quarter [of 2009] and we’ve been
testing all the services we’ve put in. Since we launched the network 12
months ahead of schedule we’ve been able to use the same network for
delivering services for these world-class events.
Canadian Security: Do you work hand-in-hand with the physical security team?
Edgett: Not directly. We have a lot of experience with physical
infrastructure: 125 years of experience securing our own assets. There
are aspects of physical security inside venues and outside venues.
Portions of it are coordinated between many partners and portions of it
we really leave to VANOC.
Canadian Security: This will be the most mobile Games, with 15,000
users able to access the network. What were some of the challenges in
putting together a network to deal with this requirement?
Edgett: By delivering the first all IP Games, people can purchase a
service, whether it’s a point service or access to the Internet, and
they have mobility within all the Olympic venues. From a security
perspective, one of the things we had to consider because of that
mobility was admission control. So if you think of normal security, you
would secure things from an application perspective, so to access your
financial systems, you’d have to have the right user ID and password.
But because of the nature of mobility where we have these users coming
from all over the place, we added edge admission controls, so we
actually verify the user’s credentials before they’re allowed to access
any resources. They log in and they have access to absolutely nothing
except for a network-based system that asks them for their ID and
password, and then determines what resources they have access to.
Pushing that security from an application-based [perspective] right out
to the edge really helps us eliminate a lot of the risks.
Application-based security is great, as long as all the users are going
to the right portion to enter their user ID and password, but it
certainly has a risk of exposing any vulnerabilities, because that
means the systems running those applications have to be accessible to
the user in order to get to that login page. So by using admission
controls we’re really able to isolate them down to a small subset in
order to keep out all non-authorized users.
Canadian Security: Are you then able to do security audits that will detect intrusions?
Edgett: That would be the other aspect. Where this really becomes
important is the Vancouver2010.com Web portal: doing ongoing audits,
penetration and intrusion testing. We’re not just looking for the top
10 viruses and vulnerabilities you’d get from any of the virus company
Web sites, but we really focus on the heuristics of things that have a
higher probability, so if a vulnerability is found in the future, this
is the type of access you’d have to a system [compromised by that type
of vulnerability]. So we really look at not only the knowns, but even
the unknowns; we can’t determine them, but we look at the probability.
Canadian Security: With the Web portal, what threats do you anticipate?
Do hackers go after operations like this because it is such a
Edgett: We look at a bunch of things, from virtual intruders to equipment
malfunction. So part of our design criteria is how we build in enough
redundancy, not only for equipment malfunction but also the scalability
to deal with what I think is probably the biggest risk, especially from
the Web presence: a huge trend of denial of service attacks on the
Internet. It’s certainly been key for us to tie into a content
distribution network to ensure we have over 30,000 servers all across
the globe that are each hosting all the content. And we take that one
step further: rather than having just one data centre, we have two
fully diverse data centres. By having two different points, each of
those is distributing content all over the globe, and that really
helps protect us from denial of service attacks.
Canadian Security: That also helps with disaster recovery?
Edgett: That ties into a huge part of protecting ourselves against
natural or non-natural disasters. We’ve put a lot of time into securing
the design of the network, not only from a logical security
[perspective], but removing single points of failure. So where we’d
normally put in one, we’ve put in two. While the Games are huge, it’s
really not that different from what we do every day for enterprise and
small/medium business customers. The biggest difference is we do it in
Canadian Security: How will you deal with cyber-attacks?
Edgett: It’s really a combination of considering security as one of our
design criteria, and then applying all of those [technologies], because
any one in isolation isn’t enough. It’s about where you put firewalls,
where you do intrusion detection and how you act on it, what business
procedures you put in place when you do detect something, and also how
you deal with audits. We find from our professional services
organization that [involving security] in the design criteria usually
means that it’s less expensive and more integrated than if we come in
and try to figure out how to add security. Often organizations will
have a cyber-incident and that’s when they do audits and look at
Canadian Security: What kind of hours do you expect to put in during the Games?
Edgett: During the Games, we’ll be co-located at VANOC’s operations
centre. We have a dedicated section for all of the telecommunications
services, and we’ll have a team of experts in security and data
networking monitoring the network. Not to steal the Maytag thing, but
we hope to be sitting there twiddling our thumbs. We’re doing all of
the work now so that during Games-time, while the hours will be long
because we want everyone to be there 24×7, we don’t anticipate having a lot of work to do.