PROTECT WORKLOADS IN THE HYBRID CLOUD


SPOTLIGHTS

Industry
Aviation

Use Case
Protect workloads in the hybrid cloud for the safety and integrity of mission-critical applications and sensitive data across the public cloud and enterprise data centers.

Business Benefits
Support public cloud adoption for the flexibility and cost advantages while inherently protecting business-critical data, such as intellectual property, flight plans, regulated data (e.g., PII) and other proprietary data, accessible across the extended environment.

Operational Benefits
- Adapt security at the speed of your business needs.
- Automate deployment of multiple virtual security appliances with bootstrap configurations.
- Streamline policy deployment to keep pace with dynamic changes in cloud computing workloads.
- Maintain consistent security and management across legacy and public cloud environments.
- Seamlessly extend the private data center for ease of support.

Security Benefits
- Reduce attackers' ability to move laterally within the public cloud through application awareness.
- Reduce the risk of accidental or intentional insider access to virtualized computing resources based on user visibility.
- Segregate the private data center from the public cloud with consistent security across the entire hybrid environment.

Business Challenge
Public cloud infrastructure-as-a-service or platform-as-a-service offerings, such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform, can quickly and economically accommodate unexpected or temporary business computing workloads. Many aviation organizations are extending their private data centers to the public cloud for a hybrid cloud model with competitive and operational benefits. However, proper alignment of security and resiliency to enterprise standards and policies is still required. In the aviation industry, concerns over data, workload, siloed legacy systems, processes, infrastructure security and latency have slowed adoption of the public cloud.

Wherever data resides, it can become the target of malicious entities. Moving some of that data to the public cloud does not shift responsibility for it, though, as such responsibility cannot be delegated. Organizations must take appropriate measures to protect their data residing in the public cloud as well. A few aviation industry pioneers have already placed some workloads on public IaaS offerings. Others are evaluating cautiously to ensure effective security controls, 24/7 availability and regulatory compliance, including data residency concerns.

Business Drivers
Cloud computing is necessary to remain competitive, maintain operational excellence and manage IT costs more effectively. Constrained IT budgets seek relief through more economical public cloud services. However, the move to the public cloud must be done with security foremost in mind. Many in the aviation industry want to leverage the agility, flexibility and economics of public cloud infrastructure to complement their private data centers while ensuring intellectual property, regulated data (e.g., PII, PCI DSS) and other sensitive data is protected. To achieve this, the following issues in a hybrid cloud model need to be addressed:
- Limited visibility into applications and data in the public cloud.
- Varying native security capabilities and features at different cloud providers.
- Shared responsibility for security in the public cloud.
- Scaling security up and down as needed with dynamic addition and deletion of virtual machines.

Palo Alto Networks | Protect Workloads in the Hybrid Cloud for Aviation Use Case | 1

Traditional Approaches
Building upon existing practices, enterprises are likely to secure connections to cloud service providers just as they would any other third-party partner. However, in recognition of the infrastructure nature of the outsourced service, enterprises may also opt to leverage the native security available from the cloud provider strictly out of convenience as a complementary measure.

Customer-provided security measures: As with any other third-party business partner, many customers deploy stateful inspection firewalls at the enterprise network perimeter and/or IaaS edge to control traffic flow based on well-known port and IP address pairs. However, such firewalls are not application-aware and cannot adequately manage traffic, as many applications may use arbitrary ports, or even hop ports, during the lifespan of a session. Moreover, these perimeter firewalls do not safely enable traffic flow within the virtual environments at the cloud provider.

Cloud provider security measures: Cloud providers openly promote a shared security responsibility model for use of their public cloud IaaS or PaaS computing resources. In this model, the cloud provider is responsible for the underlying infrastructure (i.e., the physical elements of which the service is composed), while the customer is responsible for the data or applications (depending on IaaS or PaaS model) deployed in the environment. Encryption is strongly recommended for data at rest and in transit (see Figure 1). Additionally, the cloud provider offers optional tools to assist customers in securing their data and workloads, including network security, inventory, configuration management, data security and access control. Within the IaaS or PaaS environment, network isolation, virtual networks, security groups (essentially stateful inspection firewalls) and network access control lists offer some degree of traffic control at the cloud provider. However, these all have the limitation of not being application-aware. Additionally, leveraging multiple tools from different cloud providers is difficult to maintain, and security policies increase the complexity of building and maintaining the IaaS environment, especially at scale.

Figure 1: Shared responsibility model. Responsibility areas (data classification and accountability; client and endpoint protection; identity and access management; application level controls; network controls; host infrastructure; physical security) are shown for On-Prem, IaaS and PaaS deployments, with each area assigned to either the cloud customer or the cloud provider.

As further evidence of their commitment to the security of their underlying infrastructure, cloud providers offer certifications of compliance with various regulations or standards (e.g., ISO/IEC 27001:2013, PCI DSS, EU Model Clauses). However, the customer is ultimately responsible for demonstrating compliance with all relevant regulatory requirements, building upon the cloud provider's foundation. For example, transferring personal data out of the European Union is only permitted when the receiving locale has equivalent data privacy laws. The public cloud customer will need to take steps to demonstrate compliance with the EU General Data Protection Regulation, which will be in effect as of May 25, 2018. This may take the form of explicitly and contractually limiting data and workload to public cloud facilities located within the EU.

Palo Alto Networks Approach
Palo Alto Networks provides the means to extend the enterprise network to public IaaS or PaaS providers seamlessly, using one or more IPsec VPNs. These are the only permissible connections between the enterprise and the public cloud provider. This protects data in transit between the private data center and the public cloud, and creates the foundation for the hybrid data center. To provide resiliency, connections to another geographically diverse cloud provider gateway may also be deployed. For even greater diversity, a separate public cloud provider may also be used. This is known as a multi-cloud configuration.

With Palo Alto Networks Next-Generation Security Platform, the aviation industry can improve its security posture by directly mapping security policies to key business initiatives. The addition of context around application, content and user activity, through App-ID, Content-ID and User-ID technology, provides greater visibility that leads to faster incident response and improved forensics. These same elements form the integral components of the public cloud security policy, just as they do in the private data center. Expected application flows can be allowed while all else is denied within, into and out of the cloud. Threat prevention policies can block known and unknown malware from spreading in the virtual environment. Data filtering can block the transfer of sensitive data patterns (e.g., credit card numbers) and dangerous file types. These capabilities provide significant protection beyond the basic security features offered by the public cloud provider.

Palo Alto Networks enables aviation industry businesses to move their applications and data to the public cloud while maintaining the same security posture established on their private networks. A consistent security posture is ensured through centralized management that can control both the physical and virtual firewall instances. Palo Alto Networks offers a unified public and private cloud-based architecture that can scale from the smallest organization to the largest enterprise with a single security platform that may be deployed simply and pervasively throughout the network.

Architectural Vision
Using AWS as an example of a cloud provider, Figure 2 depicts a deployment of a hybrid cloud environment. The private data center is connected to the AWS Virtual Private Cloud via an IPsec VPN that terminates on next-generation firewall instances. For further resiliency (not shown), this same configuration can be replicated from a second private data center to another AWS region or a different public cloud provider. Within the VPC, Palo Alto Networks virtualized next-generation firewalls and servers are distributed across different availability zones to create separate fault domains for high availability and to accommodate maintenance windows. As shown, two firewalls are deployed in each availability zone, in an active/passive, stateful failover, high availability configuration, to secure traffic moving into and out of the environment.

Figure 2: Hybrid cloud architecture diagram. Labels: Private Data Center, DC-FW1, DC-FW2, NSX, IPsec VPN, Internet, availability zones AZ1b and AZ1c.

Use Case Implementation
In this deployment (see Figure 2), the private data center was extended to AWS to host the internet-facing applications. Palo Alto Networks Next-Generation Firewall appliances are used to secure the AWS Direct Connect link. Virtual next-generation firewalls handle traffic between the internet and the servers in the virtual private cloud at AWS.

Figure 3: Use case deployment. Labels: Private Data Center, DC-FW1, DC-FW2, NSX, IPsec VPN, Internet, availability zones AZ1b and AZ1c.

In this use case, as shown in Figure 4, we have additional VPCs at AWS. There is also a business-to-business VPC as an example. Protected by the virtual next-generation firewalls, this VPC can also be used for other third parties, like MRO (maintenance, repair and overhaul). Within AWS, supporting VPCs are dedicated by business unit to separate test, staging and production workloads from one another. This creates segmentation within and across the Airline 1 and Airline 2 VPCs to limit lateral movement and the propagation of malware through their public cloud.

Figure 4: Additional AWS VPCs. The Airline 1 and Airline 2 VPCs each contain PRODUCTION, STAGING and TEST segments (subnets 172.16.0.0, 172.16.1.0 and 172.16.2.0 are shown for each), connected by VPC peering and by Direct Connect to the Corporate Data Center; a B2B MRO VPC is reached over IPsec VPNs to third parties.

Implementation Overview

Products Required
- Palo Alto Networks (virtual next-generation firewall) at the public IaaS or PaaS provider
- Palo Alto Networks Next-Generation Firewall (physical appliance) in the corporate data center
- Palo Alto Networks Panorama network security management for all next-generation firewalls

How the Hybrid Cloud Is Implemented (High Level)
- Physical next-generation firewalls monitor and control traffic between the enterprise data center and the public cloud instance. The firewalls include subscriptions for Threat Prevention, URL Filtering and the WildFire cloud-based threat analysis service.
- Internet-facing applications hosted in the public cloud are protected by virtual appliances that control traffic with firewall policies based on App-ID.
- Firewall rules based on App-ID are used to control inter-VPC traffic between Airline 1 and Airline 2 at AWS.
- Business units with multiple VPCs (e.g., development, test) segregate them with AWS security groups.

How the Hybrid Cloud Works (High Level)
- The public cloud is designed as a logical but untrusted extension of the existing private data center.
- An IPsec VPN tunnel between the private data center and the cloud provider carries all traffic across the hybrid cloud environment over a dedicated, high-bandwidth wide area network.
- Palo Alto Networks Next-Generation Firewall appliances (physical and virtual) safely enable all traffic moving through the public cloud environment. No data traverses the cloud provider environment without passing through a Palo Alto Networks firewall.
- Consistent Palo Alto Networks Next-Generation Firewall features (e.g., application control, IPS, anti-malware, anti-exploit, sandboxing and URL Filtering) and security policies apply across both the private and public cloud portions of the network.
- Panorama can monitor and centrally manage all of this enforcement.

Benefits of Palo Alto Networks for Hybrid Cloud
Following the Palo Alto Networks approach for hybrid cloud deployments, aviation industry organizations may realize the following benefits:

Business Benefits
Support the adoption of public cloud computing for agility, flexibility and economies of scale while inherently protecting business-critical data, such as intellectual property, regulated data (e.g., PII), flight plans and other proprietary data, accessible across the extended environment.
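The segmentation the implementation overview calls for (expected application flows allowed and everything else denied; test, staging and production kept apart; inter-VPC traffic between the airlines permitted only by application) can be checked mechanically against a rule set. The following model is an added example, not code from this use case or from Palo Alto Networks; the /24 prefixes, the tier-to-subnet mapping, the application names, the B2B zone and the rule format are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from Figure 4: each airline VPC shows 172.16.0.0, 172.16.1.0 and
# 172.16.2.0. The /24 prefixes and which subnet holds which tier are assumptions.
TIERS = ("production", "staging", "test")
SEGMENTS: Dict[str, Dict[str, ipaddress.IPv4Network]] = {
    vpc: {tier: ipaddress.ip_network(f"172.16.{i}.0/24") for i, tier in enumerate(TIERS)}
    for vpc in ("airline1", "airline2")
}
# The B2B/MRO VPC is reached over IPsec; its single zone and prefix are assumed.
SEGMENTS["b2b"] = {"mro": ipaddress.ip_network("172.16.0.0/24")}


@dataclass(frozen=True)
class Rule:
    """One allow rule between two zones. `apps` holds App-ID names (assumed
    names); an empty set means any application, i.e. a port/IP-only rule."""
    src_vpc: str
    src_zone: str
    dst_vpc: str
    dst_zone: str
    apps: frozenset


def zone_of(vpc: str, ip: str) -> Optional[str]:
    """Map an address inside a VPC to its environment zone, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for zone, net in SEGMENTS.get(vpc, {}).items():
        if addr in net:
            return zone
    return None


def evaluate(rules: List[Rule], src_vpc: str, src_ip: str,
             dst_vpc: str, dst_ip: str, app: str) -> str:
    """Allow a flow only if an explicit rule matches its zones and application;
    everything else, including traffic from unknown addresses, is denied."""
    src_zone, dst_zone = zone_of(src_vpc, src_ip), zone_of(dst_vpc, dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"
    for r in rules:
        zones_match = (r.src_vpc, r.src_zone, r.dst_vpc, r.dst_zone) == \
                      (src_vpc, src_zone, dst_vpc, dst_zone)
        if zones_match and (not r.apps or app in r.apps):
            return "allow"
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag rules that weaken the segmentation the use case calls for: rules
    that match on ports/IPs only, and rules that join the test, staging and
    production tiers the design keeps separate."""
    findings = []
    for r in rules:
        where = f"{r.src_vpc}/{r.src_zone} -> {r.dst_vpc}/{r.dst_zone}"
        if not r.apps:
            findings.append(f"{where}: allows any application (port/IP-only rule)")
        if r.src_zone in TIERS and r.dst_zone in TIERS and r.src_zone != r.dst_zone:
            findings.append(f"{where}: joins separate environment tiers")
    return findings


# Constructed rule set: two App-ID-based rules of the kind the use case
# describes, and one broad rule of the kind the audit is meant to catch.
RULES = [
    Rule("airline1", "production", "airline2", "production", frozenset({"web-browsing", "ssl"})),
    Rule("b2b", "mro", "airline1", "production", frozenset({"ssl"})),
    Rule("airline1", "test", "airline1", "production", frozenset()),
]

if __name__ == "__main__":
    print(evaluate(RULES, "airline1", "172.16.0.10", "airline2", "172.16.0.20", "ssl"))
    for finding in audit(RULES):
        print("FINDING:", finding)
```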

Operational Benefits
- Reduce operational time to secure the data center with security adapted to the speed of your business, allowing for more effective use of staff resources elsewhere.
- Automate the deployment of multiple physical and virtual security appliances with bootstrapped configurations.
- Streamline policy deployment so that security keeps pace with changes in compute workloads.
- Seamlessly extend the private data center to the public cloud for network transparency and ease of support.
- Scale your next-generation firewalls on AWS for increased aggregate capacity and improved availability in the public cloud.
- Centralize management of all physical form factor and next-generation firewalls, on- and off-premises, to ensure consistent system configurations, provide streamlined policy updates and get a single view of all logs from the entire security architecture.

Security Benefits
- Reduce business and operational risk: minimize exposure with siloed systems and data; limit unauthorized lateral movement into and within the virtualized public cloud environment; prevent exfiltration of data from the public cloud.
- Enjoy better security controls than ports and IP addresses can provide.
- Block previously seen and brand-new malware across zones, segments and attack vectors at every stage of the attack lifecycle.
- Reduce the risk of accidental or intentional insider access to virtualized resources in the public cloud based on application and user awareness with App-ID and User-ID, respectively.
- Get consistent security across all environments, with the confidence that the data workload and environment in the public cloud enjoy the same Palo Alto Networks Next-Generation Security Platform protections available in the private data center.

Additional Resources
Find further resources to secure your public cloud implementations at the links below:
- https://www.paloaltonetworks.com/solutions/initiative/public-cloud.html
- https://www.paloaltonetworks.com/resources/whitepapers/aws-hybrid-design-guidelines
- https://www.paloaltonetworks.com/resources/whitepapers/building-secure-hybrid-cloud-azure

Services to Help You

Support
Palo Alto Networks Customer Support automates the discovery of related cases to increase productivity and get you to a resolution more quickly. We offer multiple support packages: Standard, Premium and Premium Plus. You can also opt for your own technical account manager as a subscription-based extension of Premium Support. Premium Plus provides both a designated technical support engineer and a technical account manager who will learn and understand your deployment at technical and business levels. This in-depth understanding accelerates incident resolution.

Consulting
Palo Alto Networks Consulting Services provide access to specialized talent knowledgeable in ensuring the safe enablement of applications. By matching talent to task, we deliver the right expertise at the right time, dedicated to your success. Resident engineers, for example, provide on-site product expertise and are uniquely qualified to advise how to get the most out of your Next-Generation Security Platform deployment.

Education
Training from a Palo Alto Networks Authorized Training Center delivers the knowledge and expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications provide the necessary Next-Generation Security Platform knowledge to prevent successful cyberattacks and safely enable applications.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. protect-workloads-in-the-hybrid-cloud-for-aviation-uc-101117