MLSE-tier venue, zero-trust redesign for event week
A flagship Canadian venue runs simultaneous concerts, broadcast feeds, and corporate offices over the same physical network. Before the engagement, every tier could reach every other tier. After it: segmented networks, identity-first access, and AV systems that no longer expose the rest of the venue.
The problem
A flagship Canadian venue (MLSE-tier, hundreds of events per year, with concerts, broadcast feeds, and corporate operations running simultaneously in the same building) engaged us after its internal AV team flagged that the touring lighting console for a major concert had been reachable from the attendee Wi-Fi.
The console wasn’t compromised. But the fact that it was reachable was enough to escalate the question from “should we patch this?” to “should the whole network be different?”
The constraint
Three constraints stacked:
- The venue runs every week. There is no maintenance window large enough to redo cabling or re-architect a flat L2 network without affecting a paying event.
- The crew tier has to work across tours. Every touring production walks in with their own AV gear and expects to plug in and configure within an afternoon. A zero-trust redesign that turns crew onboarding into a multi-hour ticket queue is unshippable.
- Broadcast contracts have hard SLAs. Lost feed minutes during a televised event are quantified in dollar amounts in the contract. The cutover plan had to make broadcast a first-class concern, not an afterthought.
The approach
We designed in eight weeks; we cut over in four.
Phase 1 — Tier definition (week 1)
We mapped every device class in the venue and assigned it to one of four tiers:
- Corporate — back-office systems, ticket sales, finance, HR.
- Broadcast — TV, radio, streaming, scoreboard, PA mix.
- Crew — touring production’s lighting and AV control planes, intercoms, console networks.
- Attendee — guest Wi-Fi, vendor POS, mobile order kiosks.
The tier list was the one design decision everyone in the venue agreed on without revisiting it. Once those four buckets were named, downstream decisions became near-mechanical.
Phase 2 — VLAN + VRF design (week 2–4)
Each tier got a dedicated VLAN with no inter-VLAN transit at the switching layer. Over the routed core we layered one VRF per tier, so each tier's routing table is genuinely separate: a misconfiguration on the corporate side cannot leak a route into broadcast, and the only path from one tier to another is through the firewall.
Inter-tier policy at that firewall is deny-by-default. The only inter-tier flows that exist today are the ones that were named, justified, and approved in writing; a flow that is not on that list does not pass.
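The deny-by-default rule above is easy to state and easy to erode. The following is an added example, not the venue's policy or tooling: it models the four tiers as address prefixes, keeps the approved inter-tier flows as named, justified entries, decides any candidate flow against that list, and lints the list for the kinds of entries (any-port rules, missing justification) that quietly turn "deny-by-default" back into a flat network. The prefixes, the one approved flow, and the change-ticket reference are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tier-to-prefix mapping; the page does not give the venue's addressing.
TIER_PREFIXES = {
    "corporate": ip_network("10.10.0.0/16"),
    "broadcast": ip_network("10.20.0.0/16"),
    "crew":      ip_network("10.30.0.0/16"),
    "attendee":  ip_network("10.40.0.0/16"),
}


@dataclass(frozen=True)
class ApprovedFlow:
    src_tier: str
    dst_tier: str
    proto: str
    dport: Optional[int]      # None means "any port"; lint() rejects that
    justification: str        # the written reason the flow exists
    approval_ref: str         # hypothetical change-ticket reference


# Hypothetical allowlist. A real one holds exactly the flows approved in writing.
APPROVED_FLOWS = [
    ApprovedFlow("corporate", "broadcast", "tcp", 443,
                 "Scheduling system pushes the run-of-show to the scoreboard controller",
                 "CHG-0001"),
]


def tier_of(ip: str) -> Optional[str]:
    """Map an address to its tier, or None if it is outside every tier."""
    addr = ip_address(ip)
    for tier, prefix in TIER_PREFIXES.items():
        if addr in prefix:
            return tier
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             flows=APPROVED_FLOWS) -> tuple[str, str]:
    """Decide a flow the way the inter-tier firewall would: deny unless named."""
    src, dst = tier_of(src_ip), tier_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address not in any tier"
    if src == dst:
        # Same VLAN: switched locally, never reaches the inter-tier firewall.
        return "allow", f"intra-tier ({src}), stays inside the VLAN"
    for f in flows:
        if (f.src_tier, f.dst_tier, f.proto) == (src, dst, proto.lower()) \
                and f.dport in (None, dport):
            return "allow", f"approved inter-tier flow {f.approval_ref}"
    return "deny", f"no approved flow {src} -> {dst} {proto}/{dport}"


def lint(flows) -> list[str]:
    """Flag allowlist entries that weaken deny-by-default."""
    problems = []
    for f in flows:
        label = f"{f.src_tier}->{f.dst_tier} {f.proto}/{f.dport}"
        if f.src_tier not in TIER_PREFIXES or f.dst_tier not in TIER_PREFIXES:
            problems.append(f"{label}: unknown tier")
        if f.src_tier == f.dst_tier:
            problems.append(f"{label}: intra-tier entry does not belong in inter-tier policy")
        if f.dport is None:
            problems.append(f"{label}: any-port rule; name the port")
        if not f.justification.strip() or not f.approval_ref.strip():
            problems.append(f"{label}: missing justification or approval reference")
    return problems


if __name__ == "__main__":
    # Constructed sample: attendee Wi-Fi client trying to reach a crew-tier console.
    print(evaluate("10.40.12.7", "10.30.0.20", "tcp", 80))
    print(evaluate("10.10.1.5", "10.20.3.9", "tcp", 443))
    print(lint(APPROVED_FLOWS))
```

The direction matters: the approved entry allows corporate to open a session to broadcast, and the reverse initiation is still denied. Run `lint()` in the change pipeline so an any-port or unjustified entry is rejected before it ever reaches the firewall.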
Phase 3 — Crew identity (week 4–6)
The most fragile part of the design was crew onboarding. Touring productions are scoped in hours, not days, and a security architecture that turns the crew-tier port into a captive portal would have failed within the first month.
We landed on per-engineer SSO with time-boxed sessions. The touring production lead pre-registers the crew with the venue 48 hours before load-in; the venue's identity provider issues each engineer a short-lived credential valid only for the event window, and it expires at strike. Port access on the crew tier uses 802.1X, and the supplicant presents that same credential, so there is no separate network login. From the crew's perspective they plug in, authenticate once on their laptop, and it works.
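What makes the credential above safe to hand to a touring engineer is that it cannot outlive the event. The following is an added example, not the venue's identity provider or 802.1X integration: it issues an HMAC-signed credential whose validity is pinned to the load-in and strike timestamps, and verifies it the way a RADIUS backend or SSO gateway would, rejecting it before load-in, after strike, for the wrong event, or when tampered with. The signing key, names, event identifier and timestamps are constructed; a real deployment keeps the key in the IdP and would use a standard token format.

```python
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed signing key; in production this lives in the identity provider.
VENUE_KEY = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_crew_credential(engineer: str, production: str, event_id: str,
                          load_in: datetime, strike: datetime,
                          key: bytes = VENUE_KEY) -> str:
    """Issue a crew-tier credential valid only from load-in until strike."""
    if strike <= load_in:
        raise ValueError("strike must be after load-in")
    claims = {
        "sub": engineer,
        "prod": production,
        "evt": event_id,
        "tier": "crew",
        "nbf": int(load_in.timestamp()),   # not valid before load-in
        "exp": int(strike.timestamp()),    # dead at strike, no renewal
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_crew_credential(token: str, event_id: str, now: datetime,
                           key: bytes = VENUE_KEY):
    """Return (ok, reason, claims). Signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, sig = parts
    try:
        presented = _unb64(sig)
    except (binascii.Error, ValueError):
        return False, "malformed", None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature", None
    claims = json.loads(_unb64(body))
    ts = int(now.timestamp())
    if claims.get("tier") != "crew":
        return False, "not a crew credential", claims
    if claims.get("evt") != event_id:
        return False, "wrong event", claims
    if ts < claims["nbf"]:
        return False, "before load-in", claims
    if ts >= claims["exp"]:
        return False, "expired at strike", claims
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed event window.
    load_in = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
    strike = datetime(2024, 6, 2, 2, 0, tzinfo=timezone.utc)
    tok = issue_crew_credential("lx-engineer", "example-tour", "EVT-0001", load_in, strike)
    print(verify_crew_credential(tok, "EVT-0001", load_in + timedelta(hours=10)))
    print(verify_crew_credential(tok, "EVT-0001", strike + timedelta(minutes=1)))
```

The verifier takes `now` as a parameter rather than reading the clock, which keeps the window check testable and makes clock handling an explicit decision at the enforcement point. Binding the credential to a single event ID is what stops a credential issued for one show from being replayed at the next one in the same building.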
Phase 4 — Cutover (week 9–12)
Cutover was sequenced over four consecutive event weeks, broadcast-first:
- Week 9 — Broadcast VLAN cut over during a low-stakes mid-week event. Backup paths to the old flat network remained for one event cycle as a safety net.
- Week 10 — Crew tier cut over with the touring production for that week’s main show pre-briefed on the new identity workflow.
- Week 11 — Corporate tier cut over outside event hours.
- Week 12 — Attendee tier last. Guest Wi-Fi tolerates a brief outage better than the other tiers, but a failure there is the one the most people notice, so it went after the other three cutovers had been rehearsed.
Each week’s cutover had a documented rollback to the previous flat-network state, executable inside 15 minutes. We used the rollback exactly zero times.
The outcome
- Network segmentation: flat L2 → four-tier VLAN + VRF design.
- AV control plane exposure: reachable from attendee Wi-Fi → isolated, no cross-tier reachability.
- Crew access: shared credentials → per-engineer SSO, time-boxed.
- Event-night uptime post-cutover: 100% across four consecutive major shows.
The crew identity workflow is the part the venue is proudest of. It is the part that makes the security architecture survive contact with operational reality — and it is the part competitors can’t copy by buying a firewall.
What we’d say to another venue
A flat network in a multi-tier venue isn’t a bug — it’s the natural state of a building that grew up event by event over twenty years. The work isn’t replacing the network. It’s naming the tiers, naming the inter-tier policy, and finding the one or two operational workflows (crew onboarding, broadcast cutover, vendor POS provisioning) where the segmentation has to be invisible to be acceptable.
If the security architecture forces every operator to think about it every day, it won’t survive event week. If it forces them to think about it once at onboarding and never again, it will.
Need this same outcome on your stack?
30-minute posture call, no commitment, senior engineer on the other end.