Palo Alto Networks: Protection for Security & Compliance

Palo Alto Networks: Protection for
Security & Compliance
Matt Lehwess - Partner Solutions Architect, AWS
Matt Keil – Director of Product Marketing, Palo Alto Networks
Matt McLimans – Network Security Engineer, Warren Rogers

$6.53M 56% 70%
https://www.csid.com/resources/stats/data-
breaches/
Increase in theft of hard
intellectual property
http://www.pwc.com/gx/en/issues/cyber-
security/information-security-survey.html
Of consumers indicated
they’d avoid businesses
following a security breach
https://www.csid.com/resources/stats/data-
breaches/
Average cost of a
data breach
Your Data and IPAre Your Most Valuable Assets

AWS Can Be More Secure than Your Existing
Environment
In June 2015, IDC released a report which found that most customers can be more secure
in AWS than their on-premises environment. How?
Automating logging
and monitoring
Simplifying
resource access
Making it easy to
encrypt properly
Enforcing strong
authentication

AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Identity &
Access Control
Network
Security
Customer applications & content
You get to
define your
controls ON
the Cloud
AWS takes
care of the
security OF
the Cloud
You
Inventory
& Config
Data
Encryption
AWS and you share responsibility for security

Constantly Monitored
The AWS infrastructure is protected by extensive network and security
monitoring systems:
 Network access is monitored by AWS
security managers daily
 AWS CloudTrail lets you monitor
and record all API calls
 Amazon Inspector automatically assesses
applications for vulnerabilities

Highly Available
The AWS infrastructure footprint protects your data from costly downtime
 38 Availability Zones in 14 regions for
multi-synchronous geographic redundancy
 Retain control of where your data resides
for compliance with regulatory requirements
 Mitigate the risk of DDoS attacks using
services like AutoScaling, Route 53

Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing
tools and practices
 Integrate your existing Active Directory
 Use dedicated connections as a secure,
low-latency extension of your data center
 Provide and manage your own encryption
keys if you choose

Key AWS Certifications and Assurance Programs

Palo Alto Networks and the
VM-Series on AWS

* Non-GAAP financial measures. See appendix for reconciliation to most comparable GAAP measure.
Revenue
Customers
About Palo Alto Networks
Corporate Highlights
 Founded in 2005; first customer
shipment in 2007
 Safely enable applications and prevent
cyber threats
 Addressing all enterprise
cybersecurity needs
 Exceptional ability to support
global customers
 Experienced team of 3,800+
employees
 Q4 FY16: $401.8M revenue

Applications and Data Are the Target
The attack life cycle applies to both physical or virtualized networks in the cloud
Infect User Gain Foothold Move Laterally
Steal Data
Build Botnets
Harvest Bitcoin
Execute Goal:
On the network
or in the Cloud

Shared Security Model: Where We Can Help
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Encryption Key
Management
Client & Server
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Where
Palo Alto
Networks
Can Help
Customer Responsibility
Security on the Cloud
AWS Responsibility
Security of the Cloud

VM-Series Next-Generation Firewall on AWS
• Identifies and controls applications across all ports
• Prevents known/unknown threats targeted at your AWS deployment
• Enforces policy consistency with centralized management
• Automates deployment and policy updates

Segmentation: Separate
applications and data for
security and compliance
Deployment Use Cases
GlobalProtect: Policy
consistency for the cloud, the
network, and your devices
All use cases supported in AWS standard regions and AWS GovCloud (US)
Gateway: Protection from
Internet borne threats

Licensing Options
Consumption based licensing
 Two bundles available as annual or
hourly subscriptions
Bring your own license (BYOL)
 Pick and choose licenses,
subscriptions and support to best
suite our needs
 Supported in AWS standard
regions and AWS GovCluod (US)

Auto Scaling the VM-Series on AWS
As workload traffic
increases, security scales
independently of workloads
Note: Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2,
in either an annual or an hourly subscription.

Security Groups, WAF, or Next-gen Firewall?
Native AWS security includes Security Groups and Web Application Firewall
Security Groups and ACLs
 Port-based filtering only
 No visibility traffic at the
application level
 Unable to prevent threats
 Cannot control file movement
Web Application Firewalls
 Customized for each application/environment
 Focused narrowly on public facing web
applications on HTTP/HTTPs
 No visibility, control, or protection on other
applications

Customer Success Story: How
Warren Rogers Achieved PCI
Compliance on AWS

Warren Rogers Services
Variance
reports
Tank
activity
Sales
by hour
Unexplained
removals
Delivery
reports
Dispenser/Probe
out summary
All-Point
monitoring
system that
provides the
most
accurate and
complete
information
about fueling
operations

Customer Store Network
Warren Rogers’ Network
Our Operation
Our Device
“OSP”

AWS as Level 1 Service Provider
Lowest cost PCI
complaint cloud
service.
Reduce and implify
scoped environment.
If required, provides
forensic
investigations
A B

AWS PCI Compliant Services
CloudWatch BeanStalk
SNSSES
FederationIAMCloud TrailCloud FormationOpsWork
SQS Elastic Transcoder Cloud Search SWF
Dynamo ElastiCache RedShift EMR DataPipeline Kinesis CloudFront
Ec2 WorkSpaces S3 Route53ELBDirect ConnectStorage Gateway VPCGlacier
Monitoring Deployment & Management Identity & Access
Application Services
Databases Analytics
Compute Storage Networking
Content Delivery
AppStream
EBS
Deployment
&Management
Application
ServicesFoundationServices
RDS

The PCI Challenge for Warren Rogers
How do we protect ourselfs?

The PCI Challenge for Warren Rogers
How do we protect ourself?

Challenges
Previously non-compliant
Questions to Answer
 How can we secure transmission to AWS?
 How do we know if we inadvertently collect cardholder data?
 How do we ensure all our boxes are running PCI required applications?
 How can we standardized access to our OSPs?
Thousands of remote devices Various deployments within
diverse customer environments

CIDR: 10.0.0.0/16 CIDR: 172.17.0.0/24 CIDR: 192.168.3.0/8
Customer A Network Customer B Network Customer n Network
What We Had…

WR Custom IP Range 1 WR Custom IP Range 1 WR Custom IP Range 1
Customer A Network Customer B Network Customer n Network
What We Wanted…
Secure Comm. Secure Comm.
One Access Method

Using Palo Alto Networks to Achieve Our Goal
GlobalProtect
 Encryption
 HIP Profiles
LSVPN
 Reducing latency
 Increasing redundancy
 Increasing global presence
Access Policies
 Data filtering
 Removing uncertainty
 Jump server

GlobalProtect: Use Case
HIP Check
A Unique Deployment
 Installed on OSP
 Pre-Log On
Benefits
 User-ID
 Exceeding PCI requirements.
 Complete insight into data transmission
 Centrally managed & IP Assignment
 HIP Checks & LDAP Segregation Control

Host Information in Policy Enforcement (HIP)
Stages
1. GlobalProtect agent collects information.
2. Agent submits host information.
3. Gateway matches host information against HIP
objects and HIP profiles.
Key Advantages
 Centrally managed from Palo Alto Networks.
 Easy configuration changes & granular policies.
 Custom application IDs.
 Allow box to connect, but notify personnel of
compliance mismatch.
 Routine checks on all OSPs, removes worry.
Firewall Status Data Encryption
Patch Management Anti-Virus

Data Filtering for CHD
CHD Filtering
 Predefined data pattern
 Looks for 16 digit card numbers
through hash algorithm (less false
positives)
 Scan all data or only certain file
types (.pdf .txt .csv ….)
Alerting on CHD Detected
 Contact customer immediately
that their network is passing CHD
to our OSP
Out of
Scope for
Compliance

LSVPN
1. Amazon Data Centers
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series

LSVPN
2. Geo-located OSPs
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series

LSVPN
2. Geo-located OSPs
3. Palo Alto Networks VM-300 Portal
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series
PORTAL

LSVPN
2. Geo-located OSPs
4. Palo Alto Networks VM-300 Satellites
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series
CA.SAT02
OR.SAT01
PORTAL
VA.SAT01
CA.SAT01

LSVPN
2. Geo-located OSPs
5. Connecting LSVPN
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series
CA.SAT02
OR.SAT01
PORTAL
VA.SAT01
CA.SAT01

LSVPN
2. Geo-located OSPs
5. Connecting LSVPN
6. GlobalProtect to WR defined satellites
Key
LSVPN Tunnel
GlobalProtect
AWS Data Center
OSPs
Palo Alto
Networks
VM-Series
CA.SAT02
OR.SAT01
PORTAL
VA.SAT01
CA.SAT01

ADDS & Group Policy
LSVPN
Portal Private Network
Oregon
Satellite 1
Virginia
Portal
Satellite Private Network
Active Directory Servers
Break devices into
organizational units
 Geography
 Customer type
 …really anything
Advantages of ADDS
 Sync with Palo Alto Networks Firewalls
 Addressable remote devices by DNS
 Powerful tools available
Group Policy
 “Touch one, configure many”
 Floor to ceiling security model
Active Directory Servers
OSP Default PCI Policy
Customer A
Policy
Site 1 Policy
Group Policy Hierarchy

Private Subnet
Ec2
Public Subnet
Easy Deployment
Infrastructure:
 An AWS VPC.
 A public and private subnet.
 EC2 instances to protect.

Private Subnet
Ec2
Public Subnet
Easy Deployment
Infrastructure:
 An AWS VPC
 A public and private subnet
 EC2 instances to protect
Deployment:
 Launch Palo Alto Networks VM-
Series from the AWS Marketplace.

Private Subnet
Ec2
Tune VM-Series
Public Subnet
Easy Deployment
Infrastructure:
 An AWS VPC.
 A public and private subnet.
 EC2 instances to protect.
Deployment:
 Tune VM-Series to protect from
network threats.

Private Subnet
Ec2
Simplify
Security
Groups
Tune VM-Series
Public Subnet
Easy Deployment
Infrastructure:
 An AWS VPC
 A public and private subnet
 EC2 instances to protect
Deployment:
 Tune VM-Series to protect from
network threats.
 Simplify EC2 Security Groups

Making Compliance Easy with Palo Alto Networks
Least Access Control Logging & Flexibility Segmentation
 Reduced Scope
 Reduced Cost
 Reduced Threat
 Changes are
unavoidable for
productive organizations
 Active Directory
 Proof of policy controls

Making Compliance Easy with Palo Alto Networks
CHD
Network
Non-CHD Network
Flat Network Segmented Network
Whole Network
Cardholder servers
4
4
Flat Network
Segmented Network
Total servers
100
100
Open audit scope
100
4
Reduction of audit scope
0%
96%

Some Tips Before I Go…
Reach beyond PCI requirements for security.
 If you don’t have a security plan, use PCI as a base line.
Avoid expensive mistakes!
 Involve a QSA, a Palo Alto Networks Engineer, and your team on all major design decisions.
Remember, a single credit card number is a liability.
 Cost of CHD Compromise > Cost of PCI Compliance
Evaluate whether or not you can eliminate the reasons for necessary compliance.
 Ensure the benefit of touching CHD is greater than the liability.
Compliance with and without is Palo Alto Networks
 “Uncertainty in Compliance” v. “Certainty in Compliance”

Q&A
Matt Lehwess - Partner Solutions Architect, AWS

Palo Alto Networks: Protection for Security & Compliance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Palo Alto Networks: Protection for Security & Compliance

Similar to Palo Alto Networks: Protection for Security & Compliance (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Palo Alto Networks: Protection for Security & Compliance