PROTECT WORKLOADS IN THE HYBRID CLOUD

SPOTLIGHTS

Industry
Aviation

Use Case
Protect workloads in the hybrid cloud for the safety and integrity of mission-critical applications and sensitive data across the public cloud and enterprise data centers.

Business Benefits
Support public cloud adoption for its flexibility and cost advantages while inherently protecting business-critical data, such as intellectual property, flight plans, regulated data (e.g., PII) and other proprietary data, accessible across the extended environment.

Operational Benefits
- Adapt security at the speed of your business needs.
- Automate deployment of multiple virtual security appliances with bootstrap configurations.
- Streamline policy deployment to keep pace with dynamic changes in cloud computing workloads.
- Maintain consistent security and management across legacy and public cloud environments.
- Seamlessly extend the private data center for ease of support.

Security Benefits
- Reduce attackers' ability to move laterally within the public cloud through application awareness.
- Reduce the risk of accidental or intentional insider access to virtualized computing resources based on user visibility.
- Segregate the private data center from the public cloud with consistent security across the entire hybrid environment.

Business Challenge
Public cloud infrastructure-as-a-service or platform-as-a-service offerings, such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform, can quickly and economically accommodate unexpected or temporary business computing workloads. Many aviation organizations are extending their private data centers to the public cloud for a hybrid cloud model with competitive and operational benefits. However, proper alignment of security and resiliency to enterprise standards and policies is still required. In the aviation industry, concerns over data, workload, siloed legacy systems, processes, infrastructure security and latency have slowed adoption of the public cloud.
Wherever data resides, it can become the target of malicious entities. Moving some of that data to the public cloud does not shift responsibility for it, as such responsibility cannot be delegated. Organizations must take appropriate measures to protect their data residing in the public cloud as well. A few aviation industry pioneers have already placed some workloads on public IaaS offerings. Others are evaluating cautiously to ensure effective security controls, 24/7 availability and regulatory compliance, including data residency concerns.

Business Drivers
Cloud computing is necessary to remain competitive, maintain operational excellence and manage IT costs more effectively. Constrained IT budgets seek relief through more economical public cloud services. However, the move to the public cloud must be made with security foremost in mind. Many in the aviation industry want to leverage the agility, flexibility and economics of public cloud infrastructure to complement their private data centers while ensuring intellectual property, regulated data (e.g., PII, PCI DSS) and other sensitive data are protected. To achieve this, the following issues in a hybrid cloud model need to be addressed:
- Limited visibility into applications and data in the public cloud.
- Varying native security capabilities and features at different cloud providers.
- Shared responsibility for security in the public cloud.
- Scaling security up and down as needed with dynamic addition and deletion of virtual machines.

Palo Alto Networks | Protect Workloads in the Hybrid Cloud for Aviation | Use Case | 1
Traditional Approaches
Building upon existing practices, enterprises are likely to secure connections to cloud service providers just as they would any other third-party partner. However, recognizing the infrastructure nature of the outsourced service, enterprises may also opt to use the native security available from the cloud provider, largely out of convenience, as a complementary measure.

Customer-provided security measures: As with any other third-party business partner, many customers deploy stateful inspection firewalls at the enterprise network perimeter and/or IaaS edge to control traffic flow based on well-known port and IP address pairs. However, such firewalls are not application-aware and cannot adequately manage traffic, as many applications may use arbitrary ports, or even hop ports, during the lifespan of a session. Moreover, these perimeter firewalls do not safely enable traffic flow within the virtual environments at the cloud provider.

Cloud provider security measures: Cloud providers openly promote a shared security responsibility model for use of their public cloud IaaS or PaaS computing resources. In this model, the cloud provider is responsible for the underlying infrastructure (i.e., the physical elements of which the service is composed), while the customer is responsible for the data or applications (depending on the IaaS or PaaS model) deployed in the environment. Encryption is strongly recommended for data at rest and in transit (see Figure 1). Additionally, the cloud provider offers optional tools to assist customers in securing their data and workloads, including network security, inventory, configuration management, data security and access control. Within the IaaS or PaaS environment, network isolation, virtual networks, security groups (essentially stateful inspection firewalls) and network access control lists offer some degree of traffic control at the cloud provider.
However, these all have the limitation of not being application-aware. Additionally, leveraging multiple tools from different cloud providers is difficult to maintain, and security policies increase the complexity of building and maintaining the IaaS environment, especially at scale.

Figure 1: Shared responsibility model. The figure is a matrix of responsibility areas (data classification and accountability; client and endpoint protection; identity and access management; application-level controls; network controls; host infrastructure; physical security) against deployment models (On-Prem, IaaS, PaaS), with each cell assigned to either the Cloud Customer or the Cloud Provider.

As further evidence of their commitment to the security of their underlying infrastructure, cloud providers offer certifications of compliance with various regulations or standards (e.g., ISO/IEC 27001:2013, PCI DSS, EU Model Clauses). However, the customer is ultimately responsible for demonstrating compliance with all relevant regulatory requirements, building upon the cloud provider's foundation. For example, transferring personal data out of the European Union is only permitted when the receiving locale has equivalent data privacy laws. The public cloud customer will need to take steps to demonstrate compliance with the EU General Data Protection Regulation, which will be in effect as of May 25, 2018. This may take the form of explicitly and contractually limiting data and workloads to public cloud facilities located within the EU.

Palo Alto Networks Approach
Palo Alto Networks provides the means to extend the enterprise network to public IaaS or PaaS providers seamlessly, using one or more IPsec VPNs. These are the only permissible connections between the enterprise and the public cloud provider. This protects data in transit between the private data center and the public cloud, and creates the foundation for the hybrid data center. To provide resiliency, connections to another geographically diverse cloud provider gateway may also be deployed.
For even greater diversity, a separate public cloud provider may also be used. This is known as a multi-cloud configuration.

With the Palo Alto Networks Next-Generation Security Platform, the aviation industry can improve its security posture by directly mapping security policies to key business initiatives. The addition of context around application, content and user activity, through App-ID, Content-ID and User-ID technology, provides greater visibility that leads to faster incident response and improved forensics. These same elements form the integral components of the public cloud security policy, just as they do in the private data center. Expected application flows can be allowed while all else is denied within, into and out of the cloud. Threat prevention policies can block known and unknown malware from spreading in the virtual environment. Data filtering can block the transfer of sensitive data patterns (e.g., credit card numbers) and dangerous file types. These capabilities provide significant protection beyond the basic security features offered by the public cloud provider.

Palo Alto Networks enables aviation industry businesses to move their applications and data to the public cloud while
maintaining the same security posture established on their private networks. A consistent security posture is ensured through centralized management that can control both the physical and virtual firewall instances. Palo Alto Networks offers a unified public and private cloud-based architecture that can scale from the smallest organization to the largest enterprise with a single security platform that may be deployed simply and pervasively throughout the network.

Architectural Vision
Using AWS as an example of a cloud provider, Figure 2 depicts a deployment of a hybrid cloud environment. The private data center is connected to the AWS Virtual Private Cloud via an IPsec VPN that terminates on next-generation firewall instances. For further resiliency (not shown), this same configuration can be replicated from a second private data center to another AWS region or a different public cloud provider. Within the VPC, Palo Alto Networks virtualized next-generation firewalls and servers are distributed across different availability zones to create separate fault domains for high availability and to accommodate maintenance windows. As shown, two firewalls are deployed in each availability zone, in an active/passive, stateful failover, high availability configuration, to secure traffic moving into and out of the environment.

Figure 2: Hybrid cloud architecture diagram (private data center with firewalls DC-FW1 and DC-FW2 and NSX, connected over an IPsec VPN to AWS availability zones AZ1b and AZ1c, with internet access).

Use Case Implementation
In this deployment (see Figure 2), the private data center was extended to AWS to host the internet-facing applications. Palo Alto Networks Next-Generation Firewall appliances are used to secure the AWS Direct Connect link. Virtual next-generation firewalls handle traffic between the internet and the servers in the virtual private cloud at AWS.
Figure 3: Use case deployment (the same elements as Figure 2: DC-FW1, DC-FW2, NSX, the IPsec VPN, the internet, availability zones AZ1b and AZ1c, and the private data center).
In this use case, as shown in Figure 4, we have additional VPCs at AWS. There is also a business-to-business VPC as an example. Protected by the Palo Alto Networks virtual next-generation firewall, this VPC can also be used for other third parties, like MRO (maintenance, repair and overhaul). Within AWS, supporting VPCs are dedicated by business unit to separate test, staging and production workloads from one another. This creates segmentation within and across the Airline 1 and Airline 2 VPCs to limit lateral movement and the propagation of malware through their public cloud.

Figure 4: Additional AWS VPCs (Airline 1 and Airline 2 each with Production, Staging and Test VPCs, labelled 172.16.0.0, 172.16.1.0 and 172.16.2.0; a B2B VPC with IPsec VPNs to third parties such as MRO; VPC peering between the VPCs; Direct Connect to the corporate data center).

Implementation Overview

Products Required
- Palo Alto Networks virtual next-generation firewall at the public IaaS or PaaS provider
- Palo Alto Networks Next-Generation Firewall (physical appliance) in the corporate data center
- Palo Alto Networks Panorama network security management for all next-generation firewalls

How the Hybrid Cloud Is Implemented (High Level)
- Physical next-generation firewalls monitor and control traffic between the enterprise data center and the public cloud instance. The firewalls include subscriptions for Threat Prevention, URL Filtering and the WildFire cloud-based threat analysis service.
- Internet-facing applications hosted in the public cloud are protected by virtual appliances that control traffic with firewall policies based on App-ID.
- Firewall rules based on App-ID are used to control inter-VPC traffic between Airline 1 and Airline 2 at AWS.
- Business units with multiple VPCs (e.g., development, test) segregate them with AWS security groups.

How the Hybrid Cloud Works (High Level)
The public cloud is designed as a logical but untrusted extension of the existing private data center.
An IPsec VPN tunnel between the private data center and the cloud provider carries all traffic across the hybrid cloud environment over a dedicated, high-bandwidth wide area network. Palo Alto Networks Next-Generation Firewall appliances (physical and virtual) safely enable all traffic moving through the public cloud environment. No data traverses the cloud provider environment without passing through a Palo Alto Networks firewall. Consistent Palo Alto Networks Next-Generation Firewall features (e.g., application control, IPS, anti-malware, anti-exploit, sandboxing and URL Filtering) and security policies apply across both the private and public cloud portions of the network. Panorama can monitor and centrally manage all of this enforcement.

Benefits of Palo Alto Networks for Hybrid Cloud
Following the Palo Alto Networks approach for hybrid cloud deployments, aviation industry organizations may realize the following benefits:

Business Benefits
Support the adoption of public cloud computing for agility, flexibility and economies of scale while inherently protecting business-critical data, such as intellectual property, regulated data (e.g., PII), flight plans and other proprietary data, accessible across the extended environment.
Operational Benefits
- Reduce operational time to secure the data center with security adapted to the speed of your business, allowing for more effective use of staff resources elsewhere.
- Automate the deployment of multiple physical and virtual security appliances with bootstrapped configurations.
- Streamline policy deployment so that security keeps pace with changes in compute workloads.
- Seamlessly extend the private data center to the public cloud for network transparency and ease of support.
- Scale your next-generation firewalls on AWS for increased aggregate capacity and improved availability in the public cloud.
- Centralize management of all physical and virtual next-generation firewalls, on- and off-premises, to ensure consistent system configurations, provide streamlined policy updates and get a single view of all logs from the entire security architecture.

Security Benefits
Reduce business and operational risk:
- Minimize exposure from siloed systems and data.
- Limit unauthorized lateral movement into and within the virtualized public cloud environment.
- Prevent exfiltration of data from the public cloud.
- Gain better security controls than ports and IP addresses can provide.
- Block previously seen and brand-new malware across zones, segments and attack vectors at every stage of the attack lifecycle.
- Reduce the risk of accidental or intentional insider access to virtualized resources in the public cloud based on application and user awareness with App-ID and User-ID, respectively.
- Get consistent security across all environments, with the confidence that the data, workloads and environment in the public cloud enjoy the same Palo Alto Networks Next-Generation Security Platform protections available in the private data center.
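The segmentation described under Use Case Implementation and How the Hybrid Cloud Works (per-airline production, staging and test VPCs, a B2B VPC, App-ID allow rules with everything else denied) can be checked mechanically. The following is an added example and not code from Palo Alto Networks or this document: the zone names, the rulebase, the "airline-tier" naming convention and the first-match/implicit-deny model are constructed assumptions, not a PAN-OS or AWS API.

```python
"""Added example (not Palo Alto Networks code): first-match, default-deny
rules over the Figure 4 VPC layout. Zone names and rules are constructed."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source zone / VPC (dc, a1-prod, a1-test, b2b, ...)
    dst: str     # destination zone / VPC
    app: str     # App-ID name, or "any" (port-based, not application-aware)
    action: str  # "allow" or "deny"

# Constructed rulebase: first match wins, anything unmatched is denied.
RULES = [
    Rule("dc", "a1-prod", "ssl", "allow"),
    Rule("dc", "a2-prod", "ssl", "allow"),
    Rule("b2b", "a1-prod", "soap", "allow"),           # MRO partner API
    Rule("a1-prod", "a2-prod", "ms-sql-db", "allow"),  # inter-VPC App-ID rule
    Rule("a1-test", "a1-prod", "any", "allow"),        # mistake the checks catch
]

def evaluate(rules, src, dst, app):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.src == src and r.dst == dst and r.app in ("any", app):
            return r.action
    return "deny"

def tier(zone):
    """Lifecycle tier (prod/staging/test) of an airline VPC, else None."""
    return zone.split("-")[1] if zone.startswith("a") else None

def segmentation_violations(rules):
    """Allow rules that break the stated design: port-based 'any'
    application rules, or allows crossing lifecycle tiers (test -> prod)."""
    bad = []
    for r in (x for x in rules if x.action == "allow"):
        if r.app == "any":
            bad.append((r, "not application-aware"))
        if tier(r.src) and tier(r.dst) and tier(r.src) != tier(r.dst):
            bad.append((r, "crosses lifecycle tiers"))
    return bad

def reachable(rules, start):
    """Zones a host in `start` can reach transitively through allow rules,
    i.e. its lateral-movement blast radius (excluding itself)."""
    seen, queue = {start}, deque([start])
    while queue:
        z = queue.popleft()
        for r in rules:
            if r.src == z and r.action == "allow" and r.dst not in seen:
                seen.add(r.dst)
                queue.append(r.dst)
    return seen - {start}
```

Dropping the last rule empties both the violation list and the reach of a1-test, which is the invariant the Figure 4 segmentation is meant to guarantee.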
Additional Resources
Find further resources to secure your public cloud implementations at the links below:
https://www.paloaltonetworks.com/solutions/initiative/public-cloud.html
https://www.paloaltonetworks.com/resources/whitepapers/aws-hybrid-design-guidelines
https://www.paloaltonetworks.com/resources/whitepapers/building-secure-hybrid-cloud-azure

Services to Help You

Support
Palo Alto Networks Customer Support automates the discovery of related cases to increase productivity and get you to a resolution more quickly. We offer multiple support packages: Standard, Premium and Premium Plus. You can also opt for your own technical account manager as a subscription-based extension of Premium Support. Premium Plus provides both a designated technical support engineer and a technical account manager who will learn and understand your deployment at technical and business levels. This in-depth understanding accelerates incident resolution.

Consulting
Palo Alto Networks Consulting Services provide access to specialized talent knowledgeable in ensuring the safe enablement of applications. By matching talent to task, we deliver the right expertise at the right time, dedicated to your success. Resident engineers, for example, provide on-site product expertise and are uniquely qualified to advise how to get the most out of your Next-Generation Security Platform deployment.

Education
Training from a Palo Alto Networks Authorized Training Center delivers the knowledge and expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications provide the necessary Next-Generation Security Platform knowledge to prevent successful cyberattacks and safely enable applications.

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.