AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs

Transcription

1 AUTOMATE THE DEPLOYMENT OF SECURE DEVELOPER VPCs WITH PALO ALTO NETWORKS AND REAN CLOUD 1

2 INTRODUCTION EXECUTIVE SUMMARY Organizations looking to provide developers with a free-range development environment often face difficulties when trying to ensure these environments are secure. In order to overcome these security challenges, while still keeping up with the fast pace of changes in cloud environments, organizations need to adopt a DevSecOps mindset. Integrating security into DevOps processes help organizations ensure security is built into their environment, rather than added on as an after-thought. This also eliminates bottlenecks that commonly occur between development and security teams when developers try to spin up new environments. By automating security of current and new environments, your engineering team can focus on developing and testing new applications without worrying about security. SOLUTION OVERVIEW Palo Alto Networks and REAN Cloud have partnered together to offer an automated security solution on AWS. REAN Cloud automates the deployment of Palo Alto Networks VM-Series Firewall into developer VPCs, based on the configuration that works best for your organizations. This ebook explores the unique partnership between Palo Alto Networks and REAN Cloud, and how the two companies work together to help you adopt a DevSecOps mindset and eliminate the friction between your development and security teams. 2

3 SECURITY ON AWS AWS was designed with security as the highest priority and provides customers with a network architecture that was developed to meet the requirements of even the most security sensitive organizations. With over 50 compliance programs available, AWS helps you meet regulatory requirements across a multitude of industries. By leveraging AWS, you gain a high standard of security, without the costs and maintenance associated with having to manage your own on-premises facility. While Amazon Web Services (AWS) is responsible for the security of the cloud, it is up to organizations to secure their environments and applications in the cloud. Customer Data Platform, Applications, Identity and Access Management Customer Responsible for Security IN the cloud Operating System, Network & Firewall Configuration Client-side Data Encryption and Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption/Integrity/Identity) AWS Responsible for Security OF the cloud Compute Storage Database Networking Availability Zones AWS Global Infrastructure Edge Locations Regions 3

4 WHY PALO ALTO NETWORKS Palo Alto Networks VM-Series next generation firewalls expand the protection of your AWS deployments by identifying and controlling application traffic, and preventing attacks within those traffic flows. When deployed on an Amazon Elastic Compute Cloud (Amazon EC2) instance in your Amazon Virtual Private Cloud (Amazon VPC), the VM-Series enables you to reduce your threat footprint by limiting suspicious applications, regardless of communication port, that can access your AWS environment. Palo Alto Networks enables you to automate your security solution with the VM-Series for more agile and scalable workload security, while reducing the chance of vulnerabilities caused by human error. Palo Alto Networks VM-Series provides you with comprehensive visibility and control into applications and workloads, and the traffic that moves throughout. Features include: Complete Application Visibility Complete visibility into all applications traversing your VPC and the content within. Application Segmentation Cordon off applications within or between CPCs to prevent malware propagation and address diverse and demanding compliance regulations. Threat Prevention Apply application-specific threat prevention policies to block known and unknown threats. Centralized Management Manage security configurations from a single, central platform to streamline your policy updates. Touchless Deployment and Policy Updates Deploy, scale, and automate your VM-Series firewall to eliminate security induced operational friction. Scalability and Resiliency Scale your security solution independently of your workloads and operate at the speed of the cloud. User-Based Access Control Grant and deny access to users based on their identity to control network traffic between workloads and applications. 4

5 WHY REAN CLOUD REAN Cloud, an AWS Premier Consulting Partner, has deep experience in supporting enterprise IT infrastructures and applications in cloud environments. With their DevOps methodologies, REAN Cloud will help you break out of monolithic servers and deliver specific functionality and benefits to a wide variety of deployment end points. REAN Cloud has a multitude of features, ranging from server bootstrapping to multi-cloud deployments, to help you develop a continuous integration, continuous delivery (CICD) workflow pipeline. REAN Cloud follows a series of steps that helps your organization fully adopt a DevOps culture: TEST-DRIVEN DEPLOYMENT AUTOMATED DEPLOYMENTS AUTOMATED OPERATIONS METRICS FOCUSED PLATFORM CONTINUOUS SECURITY & COMPLIANCE 5

6 HOW IT WORKS Together, REAN Cloud and Palo Alto Networks offer a solution that seeks to eliminate the friction between development and security. When you leverage Palo Alto Networks and REAN Cloud together, you gain a security solution that enables your developers to quickly and freely create new environments, without compromising your organization s security. REAN Cloud begins by creating a controlled VPC. This VPC is automated to accept new VPN connections from VPCs that developers spin up. Then, Palo Alto Networks VM-Series Firewall provides application-level segmentation policies that enable you to control traffic between your VPCs. This feature, along with the web-application threat prevention features, are leveraged to manage network access and traffic monitoring, to ensure the control VPC is secure. Once the controlled VPC is secured, REAN Cloud uses an orchestration tool, such as Jenkins, to pull the configuration data of the VPC and store it in an Amazon Simple Storage Service (Amazon S3) bucket. Along with the configuration data, a bootstrap image of your ideal firewall is created. The process of bootstrapping involves creating a golden image of a firewall that is fully configured, with policies and routing already in place, that can be stored and extracted as needed. Having the control VPC and bootstrap image stored in S3 buckets mean that you can keep deploying secure applications, within the same VPC or within other VPCs, without having to configure new security policies. The combination of REAN Cloud s DevOps mindset, and the comprehensive security provided by Palo Alto Networks VM-Series Firewall, enables you to limit AWS permissions for developers and testers, without affecting productivity, through the power of automation. Now, you can cultivate an environment in which developers and engineers can quickly and securely spin up VPCs as needed, with the push of a button. 6

7 HOW IT WORKS (CONT.) Automating the VM-Series Firewall The below reference architecture depicts an environment in which REAN Cloud automated Palo Alto Networks VM-Series Firewall 7

8 CUSTOMER USE CASE: GIGAMON Gigamon provides customers with pervasive visibility traversing across entire networks. The Gigamon Visibility Platform makes it easier for companies to manage, secure, and understand their data in motion, and enables stronger security and improved network performance. CHALLENGE Gigamon extended their development engineering environment to AWS to take advantage of its flexibility and scalability. Soon after, Gigamon discovered that by providing development and test engineering teams with virtually unlimited cloud resources, they were introducing new vulnerabilities by not restricting traffic moving into and out of their environment. Gigamon s DevOps team wanted to operate freely and move at the speed of the cloud, but they were unsure of how to do so in a secure manner. SOLUTION Gigamon worked with REAN Cloud to define and develop a simple, automated solution that would enable Gigamon s developers to provision an AWS VPC protected by the Palo Alto Networks VM-Series Firewall. REAN Cloud implemented this solution by developing a control VPC that would accept new VPN connections from VPCs developers were spinning up. REAN Cloud then leveraged Jenkins, an orchestration tool, to extract and store IP addresses of secure VPCs, to help automate the deployment of security policies into new VPCs. BENEFITS By leveraging Palo Alto Networks and REAN Cloud, Gigamon can deploy one or more approved VPCs for engineers that are protected by a VM-Series Firewall with the push of a button. Gigamon no longer has concerns about their developers working in unsecured environments, as they now have a centralized VPC in which they can control the VM-Series Firewall. 8

9 LEARN MORE Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership. For more information, please visit www. paloaltonetworks.com, info@paloaltonetworks.com.com or call +1 (866) REAN Cloud is a global Cloud Systems Integrator and Premier Consulting Partner in the Amazon Web Services (AWS) Amazon Partner Network (APN). REAN Cloud offers managed and professional services and solutions for hyperscale integrated IaaS and PaaS providers and is one of few MSPs capable of supporting the entire cloud services lifecycle. Backed by extensive security DNA and deep compliance IP and expertise, REAN Cloud specializes in helping enterprise customers operating in highly regulated environments Financial Services, Healthcare/Life Sciences, Education and the Public Sector to get the most from their cloud investment while enabling them to accelerate the value gained from the cloud once there. REAN Cloud s team has worked with global organizations including the American Heart Association, Alexion Pharmaceuticals, Ditech Mortgage, Ellucian, Globus Genomics, PierianDx, SAP, Symantec, Teradata and Veritas. REAN Cloud solution ns are bundled with advanced security features to help address clients compliance needs. For more information, please visit info@reancloud.com or call +1 (844) For 10 years, Amazon Web Services has been the world s most comprehensive and broadly adopted cloud platform. AWS offers more than 90 fully featured services for compute, storage, databases, analytics, mobile, Internet of Things (IoT) and enterprise applications from 44 Availability Zones (AZs) across 16 geographic regions in the U.S., Australia, Brazil, Canada, China, Germany, India, Ireland, Japan, Korea, Singapore, and the UK. AWS services are trusted by millions of active customers around the world monthly -- including the fastest growing startups, largest enterprises, and leading government agencies -- to power their infrastructure, make them more agile, and lower costs. To learn more about AWS, visit Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. All other marks mentioned herein may be trademarks of their respective companies Amazon Web Services. All rights reserved REAN Cloud. All Rights Reseved. 9