Secure & Automate AWS Deployments with Next-Generation Security
David Wright, Security Solutions Architect, AWS
Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
Your Data and IP Are Your Most Valuable Assets
• $6.53M: average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
• 56%: increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
• 70%: of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
AWS Can Be More Secure than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
AWS and You Share Responsibility for Security
Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
Highly Available
The AWS infrastructure footprint helps protect your data from costly downtime:
• 44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like Route 53
• Dynamically grow to meet unforeseen demand using Auto Scaling
Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
Key AWS Certifications and Assurance Programs
Secure Any Cloud – Palo Alto Networks
Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
Strong Industry Leadership Position
• Palo Alto Networks is positioned as a leader in the Gartner Magic Quadrant for enterprise network firewalls* for the sixth consecutive time
• Palo Alto Networks is highest in execution and most visionary within the leaders quadrant
*Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to
select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with
respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Palo Alto Networks at a Glance
• Founded in 2005; first customer shipment in 2007
• More than 42,500 customers in 150+ countries
• FY17 $1.8B revenue, 28% YoY growth that significantly outpaced the industry
• Over 85 of the Fortune 100 and 60% of the Global 2000 rely on us
• Excellent global support, awarded by J.D. Power and TSIA
• Experienced team of more than 4,500 employees
Tectonic Shifts Drive Productivity
• SaaS (Software as a Service)
• Cloud + virtualization
• Mobility + BYOD
• Internet of Things (IoT)
Attackers Exploit These Tectonic Shifts
Sources of organizational risk:
• Known threats
• Unknown & evasive C2
• Zero-day exploits
• Credential theft
• Mobile & IoT threats
• Unknown & evasive malware
• Data theft
Applications and Data Are the Target
The attack life cycle applies to both physical and virtualized networks, on premises or in the cloud:
Infect User → Gain Foothold → Move Laterally → Execute Goal (on the network or in the cloud: steal data, build botnets, harvest Bitcoin)
Shared Security Model: Where Palo Alto Networks Can Help
First Line of Defense - Security Groups on AWS
> DCD Summit | Interpol World
Next Line of Defense - Palo Alto Networks, in Addition to Native Security
Palo Alto Networks Value Proposition: Full NGFW Security for the AWS Cloud
• Identify applications
• Control traffic based on application, not only port
• Prevent known and unknown threats
• Grant access based on user identity
• Creation of security zones
• Automatically protect new workloads; segment apps and data
• Centralized management and logging
• Instance/workload monitoring and an API help streamline updates
AWS Security Considerations
1. Account management
• Key rotation
• Password policy
• Admin access
• Inbound accessible services
• Nonstandard AMIs
2. Data governance
• Exposed data
• Keys stored in the open
• Unencrypted storage
3. Inline security
• Segmentation
• Malware prevention
• Secure access
• VPC edge security
Solution - AWS Security Considerations
1. Account management and 2. Data governance: Aperture for AWS (Amazon EC2, Amazon S3, IAM)
• Prevent sensitive data exposure and misconfigurations
• Monitor for risky admin behavior
• Track password policy violations and key rotation
• Improper security group rules
• Use of non-standard AMIs
• Enforce data volume encryption
• Prevent known/unknown malware
3. Inline security: VM-Series for AWS (Amazon EC2) for AWS cloud segmentation, internet gateway and remote access
Aperture - Cloud Delivered Security (Aperture and WildFire)
Aperture for AWS EC2/IAM (1. Account management)
• Audit IAM security posture
  – Key rotation
  – Multifactor authentication
  – Password hygiene
• Monitor EC2 console activity
  – Security group monitoring
  – Non-standard AMIs
  – Unencrypted storage volumes
• Activity monitoring & anomalies
  – 150+ normalized events across thousands of event types
  – Excessive launch of EC2 instances
  – Monitor shutdown of EC2 instances
  – Access to the AWS console from blacklisted IP addresses
Aperture for AWS S3 (2. Data governance), backed by the threat intelligence cloud
• 0-day malware detection tied to WildFire
• Detection of sensitive content and exposure
• Activity monitoring and anomalies
• Automated remediation
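The EC2/IAM posture checks listed above (security group rules, non-standard AMIs, unencrypted volumes, key rotation, MFA), written out as an added example in Python that is not Aperture's own logic; it runs over constructed records shaped like the EC2 describe_* responses and the IAM credential report, and the approved-AMI set, allowed public ports and 90-day key age are assumed policy values.

```python
"""Posture checks of the kind the Aperture for AWS EC2/IAM slide lists, run over
constructed sample records shaped like the EC2 describe_* responses and the IAM
credential report (added example, not Aperture's own logic)."""
from datetime import datetime, timedelta, timezone

# Assumed policy values: golden-image IDs, ports allowed from the Internet, key age.
APPROVED_AMIS = {"ami-0000standard"}
ALLOWED_PUBLIC_PORTS = {443}
MAX_KEY_AGE = timedelta(days=90)
NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)   # fixed clock so results are stable

# Constructed sample data, not real resources.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]},
]
INSTANCES = [
    {"InstanceId": "i-web1", "ImageId": "ami-0000standard"},
    {"InstanceId": "i-adhoc", "ImageId": "ami-ffffunknown"},
]
VOLUMES = [
    {"VolumeId": "vol-1", "Encrypted": True},
    {"VolumeId": "vol-2", "Encrypted": False},
]
# Subset of the IAM credential report columns, as parsed from its CSV.
CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": "true", "mfa_active": "true",
     "access_key_1_active": "true", "access_key_1_last_rotated": "2017-10-20T00:00:00+00:00"},
    {"user": "bob", "password_enabled": "true", "mfa_active": "false",
     "access_key_1_active": "true", "access_key_1_last_rotated": "2017-01-05T00:00:00+00:00"},
    {"user": "svc", "password_enabled": "false", "mfa_active": "false",
     "access_key_1_active": "false", "access_key_1_last_rotated": "N/A"},
]


def _port_range(rule):
    """Ports a rule opens; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def open_ingress_findings(groups):
    """Rules reachable from anywhere that open more than the allowed public ports."""
    findings = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            world = [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            world += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            if not world:
                continue
            lo, hi = _port_range(rule)
            if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
                continue
            findings.append((sg["GroupId"], f"{lo}-{hi}", ",".join(world)))
    return findings


def nonstandard_ami_findings(instances, approved=APPROVED_AMIS):
    """Instances launched from an image outside the approved set."""
    return [(i["InstanceId"], i["ImageId"]) for i in instances if i["ImageId"] not in approved]


def unencrypted_volume_findings(volumes):
    """EBS volumes whose data at rest is not encrypted."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


def credential_findings(report, now=NOW, max_age=MAX_KEY_AGE):
    """Console users without MFA, and active access keys older than max_age."""
    findings = []
    for row in report:
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((row["user"], "no-mfa"))
        if row["access_key_1_active"] == "true":
            rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
            if now - rotated > max_age:
                findings.append((row["user"], "stale-key"))
    return findings


def audit():
    """Run every check and group the findings by the slide's headings."""
    return {
        "security_groups": open_ingress_findings(SECURITY_GROUPS),
        "nonstandard_amis": nonstandard_ami_findings(INSTANCES),
        "unencrypted_volumes": unencrypted_volume_findings(VOLUMES),
        "credentials": credential_findings(CREDENTIAL_REPORT),
    }


if __name__ == "__main__":
    for area, items in audit().items():
        print(f"{area}: {items}")
```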
VM-Series for AWS Cloud (3. Inline security), backed by the threat intelligence cloud
• Visibility into, and control over, applications, not ports
• Segment/whitelist applications for security and compliance
• Prevent known and unknown threats
• Extend security to remote users and devices
• Centrally manage, automate deployment and policy updates
Bring your own license (BYOL)
• Pick and choose licenses, subscriptions and support to best suit your needs
• Supported in AWS standard regions and AWS GovCloud (US)
Consumption-based licensing
• Two bundles available as annual or hourly subscriptions
Easy Deployment
Infrastructure:
• An AWS VPC
• A public and a private subnet
• Amazon EC2 instances to protect
Deployment:
• Launch Palo Alto Networks VM-Series from the AWS Marketplace
• Tune VM-Series to protect from network threats
• Simplify Amazon EC2 security groups
Easy Deployment: Streamline Management and Policy Updates
• Centrally manage configuration and policy deployment of the VM-Series for AWS with Panorama
  – Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factors
• Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
• Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API
(Figure: Panorama managing VM-Series in front of Web FE, SharePoint and MS SQL tiers holding credit card, intellectual property and PII data)
Automation
• Bootstrapping
• Dynamic policy updates
• Fully documented bi-directional XML API (support for native cloud tools such as CloudWatch, ServiceNow and orchestration tools)
(Figure: automated, dynamic policy update through the XML API)
Bootstrapping in AWS
• Why?
  – Fast and repeatable deployments
  – Leverage AWS native automation tools
• Create bootstrap files
  – PAN-OS config
  – Content updates
  – Software updates
  – Add VM to Panorama
  – License authcode for BYOL
• Store them in an S3 bucket
• Point the instance at the bucket in the EC2 instance deployment settings:
  vm-series-bootstrap-aws-s3-bucket=<bucketname>
(Figure: www.example.com served through Route 53 DNS and Elastic Load Balancing to web app servers in Availability Zone #1; the PAN-OS bootstrap files are held in the S3 storage bucket)
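The bootstrap procedure above, as an added Python example that is not the slide's or Palo Alto Networks' own tooling: it assembles the bootstrap package, checks it for the mistakes a first deployment tends to hit, and derives the user-data line from the slide. The config/content/software/license folder layout, the init-cfg.txt keys (type, hostname, panorama-server, vm-auth-key, dgname, tplname) and the license/authcodes file are assumptions taken from the documented bootstrap format, not from the slide; all values are placeholders.

```python
"""Assemble and sanity-check a VM-Series bootstrap package of the kind the slide
describes, and derive the user-data line that points the instance at the S3
bucket (added example; the config/content/software/license layout and the
init-cfg.txt keys follow the documented bootstrap format, not the slide)."""
from pathlib import Path
import tempfile

BOOTSTRAP_DIRS = ("config", "content", "software", "license")
PANORAMA_KEYS = {"vm-auth-key", "dgname", "tplname"}   # required alongside panorama-server


def render_init_cfg(hostname, panorama=None):
    """init-cfg.txt: DHCP on the management interface plus any Panorama registration keys."""
    entries = {"type": "dhcp-client", "hostname": hostname, **(panorama or {})}
    return "".join(f"{k}={v}\n" for k, v in entries.items())


def build_package(root, hostname, authcode=None, panorama=None):
    """Create the four bootstrap folders, the init-cfg.txt and, for BYOL, the authcode file."""
    root = Path(root)
    for name in BOOTSTRAP_DIRS:
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(render_init_cfg(hostname, panorama))
    if authcode is not None:   # consumption-based bundles carry their license; BYOL needs the authcode
        (root / "license" / "authcodes").write_text(authcode + "\n")
    return root


def validate_package(root):
    """Problems a bootstrap would hit: missing folders or config, incomplete Panorama
    registration, or an empty authcode file."""
    root = Path(root)
    problems = [f"missing directory {d}" for d in BOOTSTRAP_DIRS if not (root / d).is_dir()]
    cfg = root / "config" / "init-cfg.txt"
    if not cfg.is_file():
        problems.append("missing config/init-cfg.txt")
    else:
        keys = {line.split("=", 1)[0] for line in cfg.read_text().splitlines() if "=" in line}
        if "panorama-server" in keys and not PANORAMA_KEYS <= keys:
            problems.append("panorama-server set without vm-auth-key/dgname/tplname")
    authcodes = root / "license" / "authcodes"
    if authcodes.exists() and not authcodes.read_text().strip():
        problems.append("license/authcodes is empty")
    return problems


def user_data(bucket):
    """EC2 user-data line from the slide that tells the VM-Series where its bootstrap files are."""
    return f"vm-series-bootstrap-aws-s3-bucket={bucket}"


def demo_complete():
    """BYOL package with full Panorama registration: validates clean."""
    panorama = {"panorama-server": "10.0.0.10", "vm-auth-key": "VM-AUTH-KEY-PLACEHOLDER",
                "dgname": "aws-web", "tplname": "aws-template"}
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_package(tmp, "vm-series-web-01", "AUTHCODE-PLACEHOLDER", panorama)
        return validate_package(pkg), user_data("my-bootstrap-bucket")


def demo_incomplete():
    """Panorama server given without its auth key, and a blank authcode: both are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_package(tmp, "vm-series-web-02", "   ", {"panorama-server": "10.0.0.10"})
        return validate_package(pkg)


if __name__ == "__main__":
    print(demo_complete())
    print(demo_incomplete())
```

Uploading the validated folder tree to the bucket and setting the user-data line on the instance are the two steps that remain outside this script.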
Deployment Use Cases
Protect your AWS deployment just as you would in your data center
• AWS Cloud: securely deploy applications & extend your data center into AWS
• Segmentation: separate data and applications for compliance and security
• Internet Gateway: protect Internet-facing applications
• Remote Access: security consistency for your network, your cloud, and your devices
Auto Scaling of Instances / Workloads
(Figure: provisioned capacity versus on-demand scaling for predictable events such as Cyber Monday, the start of the work day and tax season, and less predictable ones such as a snow day)
Auto Scaling the VM-Series
As workload traffic increases, security scales independently of the workloads
Real Life Deployment
(Figure: DC-FW1 and DC-FW2 gateway firewalls in front of a Services VPC)
• Default route learned via DHCP on E1/1
• Static or dynamic route defined for the enterprise network
• Redistribution profile shares static routes with BGP peers
• BGP routes propagated into the local route table
• SNAT on the gateway firewall ensures a symmetric return path
AWS Free Trial: Available Now
Try one of the bundles for 15 days
– Just like an eval
– PoC to production
– Free usage cannot be extended
– Automatically converts to an hourly purchase after 15 days if the VM-Series instance is running
VM-Series for AWS Hybrid Cloud Deployment Guidelines Document
Summary
• Security on cloud is a shared responsibility & collaborative approach
• Uniform security framework across all data centers (private & AWS)
• Automated security
• Ease of deployment
• Application visibility
• Preventing “known & unknown” threats effectively & quickly
• Using & sharing threat intelligence
Recommendations
• Organizations should look for a seamless AWS security solution fit
• Ensure the partner you choose has expertise on, in, and around AWS
• End-to-end visibility and actionable security best practices are the keys to success
• Use the Free Trial on AWS Marketplace - https://aws.amazon.com/marketplace

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Secure AWS Deployments with Next-Gen Security Automation

  • 1. Secure & Automate AWS Deployments with Next-Generation Security. David Wright, Security Solutions Architect, AWS; Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
  • 2. Your Data and IP Are Your Most Valuable Assets
    - $6.53M: average cost of a data breach
    - 56%: increase in theft of hard intellectual property
    - 70%: of consumers indicated they’d avoid businesses following a security breach
    Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
  • 3. AWS Can Be More Secure than Your Existing Environment. In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
    - Automating logging and monitoring
    - Simplifying resource access
    - Making it easy to encrypt properly
    - Enforcing strong authentication
  • 4. AWS and You Share Responsibility for Security
  • 5. Constantly Monitored. The AWS infrastructure is protected by extensive network and security monitoring systems:
    - Network access is monitored by AWS security managers daily
    - AWS CloudTrail lets you monitor and record all API calls
    - Amazon Inspector automatically assesses applications for vulnerabilities
  • 6. Highly Available. The AWS infrastructure footprint helps protect your data from costly downtime
    - 44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
    - Retain control of where your data resides for compliance with regulatory requirements
    - Mitigate the risk of DDoS attacks using services like Route 53
    - Dynamically grow to meet unforeseen demand using Auto Scaling
  • 7. Integrated with Your Existing Resources. AWS enables you to improve your security using many of your existing tools and practices
    - Integrate your existing Active Directory
    - Use dedicated connections as a secure, low-latency extension of your data center
    - Provide and manage your own encryption keys if you choose
  • 8. Key AWS Certifications and Assurance Programs
  • 9. Secure Any Cloud – Palo Alto Networks. Bisham Kishnani, Head Consulting Engineering (APAC) – DC, Cloud & SDN MSSP/CSSP, Palo Alto Networks
  • 10. Strong Industry Leadership Position
    - Palo Alto Networks is positioned as a leader in the Gartner Magic Quadrant for enterprise network firewalls* for the sixth consecutive time
    - Palo Alto Networks is highest in execution and most visionary within the leaders quadrant
    *Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • 11. Palo Alto Networks at a Glance
    - Founded in 2005; first customer shipment in 2007
    - More than 42,500 customers in 150+ countries
    - FY17 $1.8B revenue, 28% YoY growth that significantly outpaced the industry
    - Over 85 of the Fortune 100 and 60% of the Global 2000 rely on us
    - Excellent global support, awarded by J.D. Power and TSIA
    - Experienced team of more than 4,500 employees
  • 12. Tectonic Shifts Drive Productivity: SaaS (Software as a Service); Cloud + virtualization; Mobility + BYOD; Internet of Things (IoT)
  • 13. Attackers Exploit These Tectonic Shifts. Organizational risk: known threats; unknown & evasive C2; zero-day exploits; credential theft; mobile & IoT threats; unknown & evasive malware; data theft
  • 14. Applications and Data Are the Target. The attack life cycle applies to both physical and virtualized networks in the cloud: infect user → gain foothold → move laterally → execute goal (on the network or in the cloud: steal data, build botnets, harvest Bitcoin)
  • 15. Shared Security Model: Where Palo Alto Networks Can Help
  • 16. First Line of Defense - Security Groups on AWS
  • 17. > DCD Summit | Interpol World. Next Line of Defense - Palo Alto Networks, in addition to native security. Palo Alto Networks value proposition: full NGFW security for AWS Cloud
    - Identify applications
    - Control traffic based on application, not only port
    - Prevent known and unknown threats
    - Grant access based on user identity
    - Creation of security zones
    - Automatically protect new workloads; segment apps and data
    - Centralized management and logging
    - Instance / workload monitoring; API helps streamline updates
  • 18. AWS Security Considerations
    - 1. Account Mgmt: key rotation; inbound accessible services; unencrypted storage; nonstandard AMIs; password policy
    - 2. Data Governance: exposed data; keys stored in the open; admin access
    - 3. Inline Security: segmentation; malware prevention; secure access; VPC edge security
  • 19. Solution - AWS Security Considerations
    - Aperture for AWS (Amazon EC2, Amazon S3, IAM) addresses 1. Account Mgmt and 2. Data Governance; VM-Series for AWS addresses 3. Inline Security (AWS Cloud, Segmentation, Internet Gateway, Remote Access)
    - Prevent sensitive data exposure and misconfigurations
    - Monitor for risky admin behavior
    - Track password policy violations and key rotation
    - Improper security group rules
    - Use of non-standard AMI
    - Enforce data volume encryption
    - Prevent known/unknown malware
  • 20. Aperture - Cloud Delivered Security (Aperture, WildFire): 1. Account Mgmt, 2. Data Governance
  • 21. APERTURE FOR AWS EC2/IAM – 1. Account Mgmt
    - Audit IAM security posture
      – Key rotation
      – Multifactor authentication
      – Password hygiene
    - Monitors EC2 console activity
      – Security group monitoring
      – Non-standard AMIs
      – Unencrypted storage volumes
    - Activity monitoring & anomalies
      – 150+ normalized events across thousands of event types
      – Excessive launch of EC2 instances
      – Monitor shutdown of EC2 instances
      – Access to AWS console from blacklisted IP addresses
  • 22. APERTURE FOR AWS S3 – 2. Data Governance (Threat Intelligence Cloud, Aperture)
    - 0-day malware detection tied to WildFire
    - Detection of sensitive content and exposure
    - Activity monitoring and anomalies
    - Automated remediation
  • 23. VM-Series for AWS Cloud – 3. Inline Security (Threat Intelligence Cloud)
    - Visibility into, and control over, applications, not ports
    - Segment/whitelist applications for security and compliance
    - Prevent known and unknown threats
    - Extend security to remote users and devices
    - Centrally manage, automate deployment and policy updates
  • 24. Easy Deployment
    - Bring your own license (BYOL): pick and choose licenses, subscriptions and support to best suit your needs; supported in AWS standard regions and AWS GovCloud (US)
    - Consumption based licensing: two bundles available as annual or hourly subscriptions
  • 25. Easy Deployment (diagram: public subnet, private subnet, EC2). Infrastructure:
    - An AWS VPC
    - A public and private subnet
    - Amazon EC2 instances to protect
  • 26. Easy Deployment (build-up of slide 25). Deployment:
    - Launch Palo Alto Networks VM-Series from the AWS Marketplace
  • 27. Easy Deployment (build-up of slide 25). Deployment:
    - Launch Palo Alto Networks VM-Series from the AWS Marketplace
    - Tune VM-Series to protect from network threats
  • 28. Easy Deployment (build-up of slide 25). Deployment:
    - Launch Palo Alto Networks VM-Series from the AWS Marketplace
    - Tune VM-Series to protect from network threats
    - Simplify Amazon EC2 Security Groups
  • 29. Streamline Management and Policy Updates
    - Centrally manage configuration and policy deployment of the VM-Series for AWS
      – Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factor
    - Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
    - Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API
    [Diagram: Panorama managing VM-Series in front of Web FE, SharePoint and MS SQL tiers holding credit card / intellectual property / PII data]
  • 30. Automation
  • 31. Automation
    - Bootstrapping
    - Dynamic policy updates
    - Fully documented bi-directional XML API support (native cloud tools such as CloudWatch, ServiceNow and orchestration tools)
  • 32. Automated Policy Update – Dynamic
  • 33. Bootstrapping in AWS
    - Why?
      – Fast and repeatable deployments
      – Leverage AWS native automation tools
    - Create bootstrap files
      – PAN-OS config
      – Content updates
      – Software updates
      – Add VM to Panorama
      – License authcode for BYOL
    - Store it in an S3 bucket
    [Diagram: Route53 DNS for www.example.com → Elastic Load Balancing → web app servers in Availability Zone #1; the EC2 instance deployment settings carry vm-series-bootstrap-aws-s3-bucket=<bucketname>, pointing at the S3 storage bucket that holds the PAN-OS bootstrap files]
  • 34.
  • 35. Deployment Use Cases. Protect your AWS deployment just as you would in your data center
    - AWS Cloud: securely deploy applications & extend your data center into AWS
    - Segmentation: separate data and applications for compliance and security
    - Internet Gateway: protect Internet facing applications
    - Remote Access: security consistency for your network, your cloud, and your devices
  • 36. Auto Scaling of Instances / Workloads. Examples: Cyber Monday, start of work day, tax season, snow day. Provisioned capacity vs. on-demand scaling; predictable vs. less predictable demand
  • 37. Auto Scaling the VM-Series. Examples: Cyber Monday, start of work day, tax season, snow day. Provisioned capacity vs. on-demand scaling; predictable vs. less predictable demand. As workload traffic increases, security scales independently of workloads
  • 38. Real Life Deployment (diagram: DC-FW1, DC-FW2, Services VPC)
    - Default route learned via DHCP on E1/1
    - Static or dynamic route defined for enterprise network
    - Redistribution profile shares static routes with BGP peers
    - BGP routes propagated into local route table
    - SNAT on gateway firewall ensures symmetric return
  • 39. AWS Free Trial: Available Now. Try one of the bundles for 15 days
    – Just like an eval
    – PoC to production
    – Free usage cannot be extended
    – Automatically converts to hourly purchase after 15 days if the VM-Series instance is running
  • 40. VM-Series for AWS Hybrid Cloud Deployment Guidelines Document
  • 41. Summary
    - Security on cloud is a shared responsibility & collaborative approach
    - Uniform security framework across all data centers (private & AWS)
    - Automated security
    - Ease of deployment
    - Application visibility
    - Preventing “known & unknown” threats effectively & quickly
    - Using & sharing threat intelligence
  • 42. Recommendations
    - Organizations should look for a seamless AWS security solution fit
    - Ensure the partner you choose has expertise on, in, and around AWS
    - End-to-end visibility and actionable security best practices are the keys to success
    - Use the Free Trial on AWS Marketplace - https://aws.amazon.com/marketplace
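The account-management checks on slide 21 (key rotation, multifactor authentication, password hygiene) can be run as code against the IAM credential report. The following is an added example, not Palo Alto Networks or AWS code; it assumes the column layout of `aws iam get-credential-report`, a 90-day rotation limit, and a constructed sample report with an assumed report date (`NOW`).

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report` (subset of columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2017-07-01T09:00:00+00:00,true,true,2017-07-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2016-03-01T09:00:00+00:00,false,true,2016-03-01T09:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,N/A,false,true,2017-02-01T09:00:00+00:00,true,2017-08-01T09:00:00+00:00
"""
NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)  # assumed report date for the sample

def _parse_ts(value):
    try:
        return datetime.fromisoformat(value)
    except ValueError:  # "N/A", "not_supported", "no_information"
        return None

def audit_credential_report(report_csv, now, max_age_days=90):
    """Return (user, finding) tuples: MFA on console users and root, password age, key rotation."""
    findings = []
    limit = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":  # root should have MFA and no access keys at all
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console user without MFA"))
            changed = _parse_ts(row["password_last_changed"])
            if changed is None or now - changed > limit:
                findings.append((user, "password older than %d days" % max_age_days))
        for n in ("1", "2"):  # both access-key slots
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = _parse_ts(row["access_key_%s_last_rotated" % n])
            if rotated is None or now - rotated > limit:
                findings.append((user, "access key %s not rotated in %d days" % (n, max_age_days)))
    return findings

def sample_findings():
    """Run the audit over the constructed report as of NOW."""
    return audit_credential_report(SAMPLE_REPORT, NOW)
```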
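The "inbound accessible services" and "improper security group rules" items from slides 18 and 19, and the goal on slide 28 of simplifying security groups once an inline firewall is in place, come down to knowing which inbound rules are open to the whole internet. The following is an added example, not Palo Alto Networks or AWS code; it assumes the field layout of `aws ec2 describe-security-groups`, a constructed group list, and that only ports 80 and 443 may be world-reachable.

```python
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
PUBLIC_OK = {80, 443}  # assumption: the only ports allowed world-reachable on an internet-facing tier

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (subset of fields).
SAMPLE_GROUPS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d", "GroupName": "web-tier", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0e5f6a7b", "GroupName": "db-tier", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
    "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")

def _world_reachable(perm):
    """True if any source range of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def audit_security_groups(groups, public_ok=PUBLIC_OK):
    """Return (group_id, group_name, description) for each inbound rule open to the
    internet beyond the allowed public ports."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _world_reachable(perm):
                continue  # scoped to a CIDR or a peer security group
            proto = perm["IpProtocol"]
            if proto == "-1":  # all protocols and ports
                findings.append((sg["GroupId"], sg["GroupName"], "all traffic open to the internet"))
                continue
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            if lo >= 0 and set(range(lo, hi + 1)) <= public_ok:
                continue  # e.g. 443 only on a web tier
            findings.append((sg["GroupId"], sg["GroupName"],
                             "%s %s-%s open to the internet" % (proto, lo, hi)))
    return findings
```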