This document discusses security and compliance solutions from Palo Alto Networks and AWS. It begins with an overview of how AWS infrastructure and services provide security capabilities. Palo Alto Networks' VM-Series next-generation firewall on AWS is then introduced as a way to identify and control applications across all ports within an AWS deployment. The final section discusses how Warren Rogers, a fuel delivery company, achieved PCI compliance by using Palo Alto Networks' GlobalProtect VPN, VM-Series firewall, and other services on AWS. This allowed them to securely connect remote devices, filter credit card data, and simplify their network and access management.
Palo Alto Networks: Protection for Security & Compliance
1. Palo Alto Networks: Protection for Security & Compliance
Matt Lehwess - Partner Solutions Architect, AWS
Matt Keil – Director of Product Marketing, Palo Alto Networks
Matt McLimans – Network Security Engineer, Warren Rogers
2. Your Data and IP Are Your Most Valuable Assets
$6.53M: Average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
56%: Increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
70%: Of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
3. AWS Can Be More Secure than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
4. AWS and You Share Responsibility for Security
AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
You get to define your controls ON the Cloud: your customer applications & content, Identity & Access Control, Network Security, Inventory & Config, and Data Encryption.
5. Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
6. Highly Available
The AWS infrastructure footprint protects your data from costly downtime:
• 38 Availability Zones in 14 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like Auto Scaling and Route 53
7. Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
9. Palo Alto Networks and the VM-Series on AWS
Matt Keil – Director of Product Marketing, Palo Alto Networks
10. About Palo Alto Networks
Corporate Highlights:
• Founded in 2005; first customer shipment in 2007
• Safely enable applications and prevent cyber threats
• Addressing all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 3,800+ employees
• Q4 FY16: $401.8M revenue*
* Non-GAAP financial measures. See appendix for reconciliation to most comparable GAAP measure.
11. Applications and Data Are the Target
The attack life cycle applies to both physical and virtualized networks in the cloud:
Infect User → Gain Foothold → Move Laterally → Execute Goal (Steal Data, Build Botnets, Harvest Bitcoin)
The same stages occur on the network or in the Cloud.
12. Shared Security Model: Where We Can Help
AWS Responsibility, Security of the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
Customer Responsibility, Security on the Cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client & Server Encryption; Encryption Key Management; Network Traffic Protection.
Where Palo Alto Networks Can Help: on the customer-responsibility side of this model.
13. VM-Series Next-Generation Firewall on AWS
• Identifies and controls applications across all ports
• Prevents known/unknown threats targeted at your AWS deployment
• Enforces policy consistency with centralized management
• Automates deployment and policy updates
14. Deployment Use Cases
• Segmentation: Separate applications and data for security and compliance
• Gateway: Protection from Internet-borne threats
• GlobalProtect: Policy consistency for the cloud, the network, and your devices
All use cases supported in AWS standard regions and AWS GovCloud (US)
15. Licensing Options
• Consumption-based licensing: two bundles available as annual or hourly subscriptions
• Bring your own license (BYOL): pick and choose licenses, subscriptions and support to best suit your needs
Supported in AWS standard regions and AWS GovCloud (US)
16. Auto Scaling the VM-Series on AWS
As workload traffic increases, security scales independently of workloads.
Note: Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2, in either an annual or an hourly subscription.
17. Security Groups, WAF, or Next-gen Firewall?
Native AWS security includes Security Groups and Web Application Firewall.
Security Groups and ACLs:
• Port-based filtering only
• No visibility into traffic at the application level
• Unable to prevent threats
• Cannot control file movement
Web Application Firewalls:
• Customized for each application/environment
• Focused narrowly on public-facing web applications on HTTP/HTTPS
• No visibility, control, or protection for other applications
18. Customer Success Story: How Warren Rogers Achieved PCI Compliance on AWS
Matt McLimans – Network Security Engineer, Warren Rogers
21. AWS as Level 1 Service Provider
• Lowest cost PCI compliant cloud service.
• Reduce and simplify the scoped environment.
• If required, provides forensic investigations.
25–27. The PCI Challenge for Warren Rogers
How do we protect ourselves?
Warren Rogers’ Network and Customer Store Network
28. Challenges
• Previously non-compliant
• Thousands of remote devices
• Various deployments within diverse customer environments
Questions to Answer:
• How can we secure transmission to AWS?
• How do we know if we inadvertently collect cardholder data?
• How do we ensure all our boxes are running PCI-required applications?
• How can we standardize access to our OSPs?
29. What We Had…
Customer A Network (CIDR: 10.0.0.0/16), Customer B Network (CIDR: 172.17.0.0/24) and Customer n Network (CIDR: 192.168.3.0/8), each reaching Warren Rogers’ Network on its own terms.
30. What We Wanted…
WR Custom IP Range 1 applied to Customer A Network, Customer B Network and Customer n Network alike, with secure communication and one access method into Warren Rogers’ Network.
31. Using Palo Alto Networks to Achieve Our Goal
• GlobalProtect: Encryption; HIP Profiles
• LSVPN: Reducing latency; Increasing redundancy; Increasing global presence
• Access Policies: Data filtering; Removing uncertainty; Jump server
32. GlobalProtect: Use Case
A Unique Deployment: Installed on OSP; Pre-Log On; HIP Check; User-ID
Benefits:
• Exceeding PCI requirements
• Complete insight into data transmission
• Centrally managed & IP Assignment
• HIP Checks & LDAP Segregation Control
33. Host Information in Policy Enforcement (HIP)
Stages:
1. GlobalProtect agent collects information.
2. Agent submits host information.
3. Gateway matches host information against HIP objects and HIP profiles.
Key Advantages:
• Centrally managed from Palo Alto Networks.
• Easy configuration changes & granular policies.
• Custom application IDs.
• Allow the box to connect, but notify personnel of a compliance mismatch.
• Routine checks on all OSPs remove worry.
Checks shown: Firewall Status, Data Encryption, Patch Management, Anti-Virus
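The three HIP stages and the "allow but notify" policy above, as an added illustrative example (not Palo Alto Networks code or Warren Rogers' configuration). The attribute names, the 30-day patch threshold and the two sample host reports are constructed assumptions.

```python
"""HIP-style posture matching, added here as an illustrative example; it is
not Palo Alto Networks code. The slide's three stages map to: the agent
collects and submits host information, the gateway matches it against HIP
objects in a profile, and a mismatch is 'allow but notify'. Attribute names
and sample hosts are constructed."""
from dataclasses import dataclass, field

# HIP objects: the four categories shown on the slide, with the value the
# PCI policy requires for each (thresholds are assumed).
HIP_PROFILE = {
    "firewall_enabled": True,
    "disk_encrypted": True,
    "patch_age_days_max": 30,
    "antivirus_running": True,
}

@dataclass
class Decision:
    allow: bool
    notify: bool
    mismatches: list = field(default_factory=list)

def collect_host_info(host: dict) -> dict:
    """Stages 1-2 (agent): reduce a raw host report to the checked attributes."""
    return {
        "firewall_enabled": host["firewall"] == "on",
        "disk_encrypted": host["encryption"] == "full",
        "patch_age_days": host["days_since_patch"],
        "antivirus_running": host["av"] == "running",
    }

def match_hip_profile(info: dict, profile: dict = HIP_PROFILE) -> Decision:
    """Stage 3 (gateway): compare submitted info with each HIP object.
    Per the slide, the box is still allowed to connect, but personnel are
    notified of every compliance mismatch for follow-up."""
    mismatches = [k for k in ("firewall_enabled", "disk_encrypted", "antivirus_running")
                  if info[k] != profile[k]]
    if info["patch_age_days"] > profile["patch_age_days_max"]:
        mismatches.append("patch_age_days")
    return Decision(allow=True, notify=bool(mismatches), mismatches=mismatches)

def evaluate(host: dict) -> Decision:
    """All three stages end to end for one OSP host report."""
    return match_hip_profile(collect_host_info(host))

# Constructed sample reports from two OSPs.
COMPLIANT_OSP = {"firewall": "on", "encryption": "full", "days_since_patch": 7, "av": "running"}
STALE_OSP = {"firewall": "on", "encryption": "none", "days_since_patch": 45, "av": "stopped"}
```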
34. Data Filtering for CHD
CHD Filtering:
• Predefined data pattern
• Looks for 16-digit card numbers through a hash algorithm (fewer false positives)
• Scan all data or only certain file types (.pdf .txt .csv …)
Alerting on CHD Detected:
• Contact the customer immediately that their network is passing CHD to our OSP
Out of Scope for Compliance
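The CHD filter described above, as an added example that is not Palo Alto Networks code or the predefined pattern itself. It assumes the slide's "hash algorithm" is the Luhn mod-10 checksum, scans only the listed file types, masks what it finds, and returns the alert text; the CSV sample and the customer name are constructed.

```python
"""Cardholder-data (CHD) filtering, added here as an example; not Palo Alto
Networks code. As on the slide: find 16-digit card numbers, validate them
with a checksum to cut false positives (the slide's 'hash algorithm' is
taken to be the Luhn mod-10 check, an assumption), scan only chosen file
types, and alert naming the customer network. Samples are constructed;
4111111111111111 is a well-known test number, not a real card."""
import re
from typing import List, Optional

SCAN_EXTENSIONS = {".pdf", ".txt", ".csv"}
# 16 digits, optionally grouped 4-4-4-4 with spaces or hyphens, and not part
# of a longer digit run (rules out many serial numbers up front).
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right, sum, check % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_chd(text: str) -> List[str]:
    """Return masked PANs (first 6 and last 4 kept) that pass the checksum."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits[:6] + "*" * 6 + digits[-4:])
    return hits

def scan_file(name: str, content: str, customer: str) -> Optional[str]:
    """Scan one transferred file; return the alert text when CHD is found."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in SCAN_EXTENSIONS:
        return None  # file type not selected for scanning
    hits = find_chd(content)
    if not hits:
        return None
    return (f"CHD detected in {name} from {customer}: {len(hits)} card number(s) "
            f"{hits}; contact the customer, their network is passing CHD to our OSP")

# Constructed sample: one Luhn-valid test number and one 16-digit serial that fails.
SAMPLE_CSV = "pump,serial\n1,4111111111111111\n2,1234 5678 9012 3456\n"
```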
35–40. LSVPN
1. Amazon Data Centers
2. Geo-located OSPs
3. Palo Alto Networks VM-300 Portal
4. Palo Alto Networks VM-300 Satellites (CA.SAT01, CA.SAT02, OR.SAT01, VA.SAT01)
5. Connecting LSVPN
6. GlobalProtect to WR-defined satellites
Key: LSVPN Tunnel; GlobalProtect; AWS Data Center; OSPs; Palo Alto Networks VM-Series; PORTAL
41. ADDS & Group Policy
LSVPN: Portal Private Network (Virginia, Portal) and Satellite Private Network (Oregon, Satellite 1), each with Active Directory Servers.
Break devices into organizational units: Geography; Customer type; …really anything.
Advantages of ADDS:
• Sync with Palo Alto Networks Firewalls
• Addressable remote devices by DNS
• Powerful tools available
Group Policy: “Touch one, configure many”; Floor to ceiling security model.
Group Policy Hierarchy: OSP Default PCI Policy → Customer A Policy → Site 1 Policy
43–45. Easy Deployment
Infrastructure:
• An AWS VPC
• A public and private subnet
• EC2 instances to protect
Deployment:
• Launch Palo Alto Networks VM-Series from the AWS Marketplace.
• Tune VM-Series to protect from network threats.
• Simplify EC2 Security Groups.
46. Making Compliance Easy with Palo Alto Networks
Least Access Control; Logging & Flexibility; Segmentation
• Reduced Scope
• Reduced Cost
• Reduced Threat
• Changes are unavoidable for productive organizations
• Active Directory
• Proof of policy controls
47. Making Compliance Easy with Palo Alto Networks
Flat Network: the whole network is in scope. Segmented Network: the CHD Network is separated from the Non-CHD Network.
                          Flat Network   Segmented Network
Total servers                      100                 100
Cardholder servers                   4                   4
Open audit scope                   100                   4
Reduction of audit scope            0%                 96%
48. Some Tips Before I Go…
• Reach beyond PCI requirements for security. If you don’t have a security plan, use PCI as a baseline.
• Avoid expensive mistakes! Involve a QSA, a Palo Alto Networks Engineer, and your team on all major design decisions.
• Remember, a single credit card number is a liability. Cost of CHD Compromise > Cost of PCI Compliance.
• Evaluate whether or not you can eliminate the reasons compliance is necessary. Ensure the benefit of touching CHD is greater than the liability.
• Compliance with and without Palo Alto Networks: “Uncertainty in Compliance” v. “Certainty in Compliance”
49. Q&A
Matt Lehwess - Partner Solutions Architect, AWS
Matt Keil – Director of Product Marketing, Palo Alto Networks
Matt McLimans – Network Security Engineer, Warren Rogers