Building seamless, consistent security policies across on-premises and cloud IT environments can be challenging without comprehensive workload visibility. Learn how to gain greater control over your applications, automatically create consistent and uniform security policies, and prevent known and unknown threats within application flows.
Join us to Learn:
How to protect and automate your AWS deployments while maintaining data segregation
Best practices for creating consistent security for data moving to and from the cloud
How to securely extend your application development testing environment to AWS
Speakers:
AWS Speaker: David Wright, Solution Architect
Palo Alto Networks Speaker: Bisham Kishnani, Senior Consulting Engineer
Secure AWS Deployments with Next-Gen Security Automation
1. Secure & Automate AWS Deployments with Next-Generation Security
David Wright, Security Solutions Architect, AWS
Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
2. Your Data and IP Are Your Most Valuable Assets
$6.53M: Average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
56%: Increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
70%: Of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
3. AWS Can Be More Secure than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
5. Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
6. Highly Available
The AWS infrastructure footprint helps protect your data from costly downtime:
• 44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like Route 53
• Dynamically grow to meet unforeseen demand using Auto Scaling
7. Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
9. Secure Any Cloud – Palo Alto Networks
Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
10. Strong Industry Leadership Position
Palo Alto Networks is positioned as a leader in the Gartner Magic Quadrant for enterprise network firewalls* for the sixth consecutive time.
Palo Alto Networks is highest in execution and most visionary within the leaders quadrant.
*Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
11. Palo Alto Networks at a Glance
• Founded in 2005; first customer shipment in 2007
• More than 42,500 customers in 150+ countries
• FY17 $1.8B revenue, 28% YoY growth that significantly outpaced the industry
• Over 85 of the Fortune 100 and 60% of the Global 2000 rely on us
• Excellent global support, awarded by J.D. Power and TSIA
• Experienced team of more than 4,500 employees
12. Tectonic Shifts Drive Productivity
• SaaS (Software as a Service)
• Cloud + virtualization
• Mobility + BYOD
• Internet of Things (IoT)
13. Attackers Exploit These Tectonic Shifts
Organizational risk comes from: known threats; unknown & evasive C2; zero-day exploits; credential theft; mobile & IoT threats; unknown & evasive malware; data theft.
14. Applications and Data Are the Target
The attack life cycle applies to both physical and virtualized networks in the cloud: Infect User → Gain Foothold → Move Laterally → Execute Goal (steal data, build botnets, harvest Bitcoin), whether on the network or in the cloud.
17. > DCD Summit | Interpol World
Next Line Of Defense - Palo Alto Networks: In Addition to Native Security
Palo Alto Networks Value Proposition: Full NGFW security for AWS Cloud
• Identify applications
• Control traffic based on application, not only port
• Prevent known and unknown threats
• Grant access based on user identity
• Creation of security zones
• Automatically protect new workloads; segment apps and data
• Centralized management and logging
• Instance/workload monitoring; API helps streamline updates
21. APERTURE FOR AWS EC2/IAM (1. Account Management)
Audit IAM security posture
– Key rotation
– Multifactor authentication
– Password hygiene
Monitor EC2 console activity
– Security group monitoring
– Non-standard AMIs
– Unencrypted storage volumes
Activity monitoring & anomalies
– 150+ normalized events across thousands of event types
– Excessive launch of EC2 instances
– Monitor shutdown of EC2 instances
– Access to AWS console from blacklisted IP addresses
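As an added example (not from the deck and not Aperture's own code), the following Python runs the three IAM posture checks the slide lists (key rotation, multifactor authentication, password hygiene) over an IAM credential report. The CSV is a constructed, trimmed-down report, and the 90-day rotation window and the fixed 2017-07-01 clock are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed, trimmed-down IAM credential report (the real report has more columns);
# users, ARNs and timestamps are invented for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,true,not_supported,false,true,2016-01-15T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,2017-06-01T12:00:00+00:00,true,true,2017-05-20T08:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,false,not_supported,false,true,2016-11-02T08:00:00+00:00,true,2017-06-10T08:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,2017-01-20T12:00:00+00:00,false,false,N/A,false,N/A
"""

MAX_AGE = timedelta(days=90)                     # assumed rotation window
NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)  # fixed clock so the output is reproducible

def _age(stamp, now):
    """Time since an ISO-8601 stamp, or None for the report's N/A / not_supported / no_information markers."""
    if stamp in ("", "N/A", "not_supported", "no_information"):
        return None
    return now - datetime.fromisoformat(stamp)

def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return {user: [findings]} for missing MFA, stale passwords, stale keys and root keys."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if row["password_enabled"] == "true":          # console user: MFA and password hygiene
            if row["mfa_active"] != "true":
                issues.append("console password without MFA")
            age = _age(row["password_last_changed"], now)
            if age is not None and age > max_age:
                issues.append("password older than %d days" % max_age.days)
        active_keys = []
        for k in ("1", "2"):                            # key rotation for both key slots
            if row["access_key_%s_active" % k] == "true":
                active_keys.append(k)
                age = _age(row["access_key_%s_last_rotated" % k], now)
                if age is not None and age > max_age:
                    issues.append("access key %s not rotated in %d days" % (k, max_age.days))
        if row["user"] == "<root_account>" and active_keys:
            issues.append("root account has active access keys")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user + ": " + "; ".join(issues))
```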
22. APERTURE FOR AWS S3 (2. Data Governance)
• 0-day malware detection tied to WildFire
• Detection of sensitive content and exposure
• Activity monitoring and anomalies
• Automated remediation
(Diagram: Aperture connected to the Threat Intelligence Cloud)
23. VM-Series for AWS Cloud (3. Inline Security)
• Visibility into, and control over, applications, not ports
• Segment/whitelist applications for security and compliance
• Prevent known and unknown threats
• Extend security to remote users and devices
• Centrally manage, automate deployment and policy updates
(Diagram: VM-Series connected to the Threat Intelligence Cloud)
24. Bring Your Own License (BYOL)
• Pick and choose licenses, subscriptions and support to best suit your needs
• Supported in AWS standard regions and AWS GovCloud (US)
Consumption-based licensing
• Two bundles available as annual or hourly subscriptions
Easy Deployment
28. Easy Deployment
Infrastructure: an AWS VPC, a public and a private subnet, and Amazon EC2 instances to protect.
Deployment:
1. Launch Palo Alto Networks VM-Series from the AWS Marketplace.
2. Tune VM-Series to protect from network threats.
3. Simplify Amazon EC2 security groups.
(Diagram: public subnet → VM-Series → private subnet holding the EC2 instances)
29. Streamline Management and Policy Updates
Centrally manage configuration and policy deployment of the VM-Series for AWS with Panorama:
– Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factors
– Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
– Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API
(Diagram: Panorama managing VM-Series in front of MS SQL, SharePoint and web front-end tiers that hold credit card data, intellectual property and PII)
31. Automation
• Bootstrapping
• Dynamic policy updates
• Fully documented bi-directional XML API (support for native cloud tools such as CloudWatch, ServiceNow and orchestration tools)
33. Bootstrapping in AWS
Why?
– Fast and repeatable deployments
– Leverage AWS native automation tools
Create bootstrap files:
– PAN-OS config
– Content updates
– Software updates
– Add VM to Panorama
– License authcode for BYOL
Store them in an S3 bucket and reference the bucket from the EC2 instance deployment settings:
vm-series-bootstrap-aws-s3-bucket=<bucketname>
(Diagram: Route53 DNS for www.example.com → Elastic Load Balancing → web app servers in Availability Zone #1; the EC2 instance deployment settings point at the S3 storage bucket holding the PAN-OS bootstrap files)
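As an added example (not from the deck or from Palo Alto Networks), the following Python assembles the bootstrap package the slide describes, checks it for missing pieces before it is copied to S3, and builds the instance setting shown above. The folder layout (config/, content/, software/, license/) and the init-cfg.txt keys are assumptions taken from the VM-Series bootstrap documentation; the Panorama address, auth key and authcode are placeholders.

```python
import os
import tempfile

# Layout and init-cfg.txt keys are assumed from the VM-Series bootstrap documentation;
# the slide itself only lists what the package must carry.
REQUIRED_DIRS = ("config", "content", "software", "license")
REQUIRED_FILES = ("config/init-cfg.txt", "license/authcodes")

def build_package(root, panorama_server, vm_auth_key, authcode):
    """Write a minimal BYOL bootstrap package under root and return the files written."""
    for d in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {
        # PAN-OS config: management interface via DHCP plus registration with Panorama
        "config/init-cfg.txt": "type=dhcp-client\npanorama-server=%s\nvm-auth-key=%s\n"
        % (panorama_server, vm_auth_key),
        # license authcode for BYOL; the value is a caller-supplied placeholder
        "license/authcodes": authcode + "\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return sorted(files)

def check_package(root):
    """List the required folders and files missing before the package is copied to S3."""
    missing = [d for d in REQUIRED_DIRS if not os.path.isdir(os.path.join(root, d))]
    missing += [f for f in REQUIRED_FILES if not os.path.isfile(os.path.join(root, f))]
    return missing

def ec2_user_data(bucket):
    """The EC2 instance deployment setting from the slide that names the bootstrap bucket."""
    return "vm-series-bootstrap-aws-s3-bucket=%s" % bucket

def demo(bucket="my-bootstrap-bucket"):
    """Build a package in a scratch directory; returns (missing before, missing after, user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = check_package(tmp)
        build_package(tmp, "10.0.0.10", "PLACEHOLDER-VM-AUTH-KEY", "PLACEHOLDER-AUTHCODE")
        after = check_package(tmp)
    return before, after, ec2_user_data(bucket)

if __name__ == "__main__":
    print(demo())  # then copy the directory to the bucket, e.g. with "aws s3 cp --recursive"
```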
35. Deployment Use Cases
Protect your AWS deployment just as you would in your data center:
• AWS Cloud: securely deploy applications & extend your data center into AWS
• Segmentation: separate data and applications for compliance and security
• Internet Gateway: protect Internet-facing applications
• Remote Access: security consistency for your network, your cloud, and your devices
36. Auto Scaling Of Instances / Workloads
(Chart: demand events such as Cyber Monday, start of work day, tax season and snow day against provisioned capacity and on-demand scaling; some demand is predictable, some less predictable)
37. Auto Scaling the VM-Series
(Chart: the same demand events against provisioned capacity and on-demand scaling)
As workload traffic increases, security scales independently of workloads.
38. Real Life Deployment
(Diagram: gateway firewalls DC-FW1 and DC-FW2 in front of a Services VPC)
• Default route learned via DHCP on E1/1
• Static or dynamic route defined for enterprise network
• Redistribution profile shares static routes with BGP peers
• BGP routes propagated into local route table
• SNAT on gateway firewall ensures symmetric return
39. AWS Free Trial: Available Now
Try one of the bundles for 15 days
– Just like an Eval
– PoC to production
– Free usage cannot be extended
– Automatically converts to hourly purchase after 15 days if VM-Series instance is running
41. Summary
Security On Cloud is a Shared Responsibility & Collaborative Approach
Uniform Security Framework Across all Data Centers (private & AWS)
Automated Security
Ease Of Deployment
Application Visibility
Preventing “Known & Unknown” threats effectively & quickly
Using & Sharing Threat Intelligence
42. Recommendations
Organizations should look for a seamless AWS security solution fit
Ensure the partner you choose has expertise on, in, and around AWS
End-to-end visibility and actionable security best practices are the keys to success
Use the Free Trial on AWS Marketplace - https://aws.amazon.com/marketplace