Building seamless, consistent security policies across on-premises and cloud IT environments can be challenging without comprehensive workload visibility. Palo Alto Networks provides organizations with the visibility and automation needed to create and update security policies in your cloud environment in real time. Learn how you can gain greater control over your applications, automatically create consistent and uniform security policies, and prevent known and unknown threats within application flows.
Michael South, AWS Security Acceleration Business Development
Matt McLimans, Public Cloud Consultant Engineer, Palo Alto Networks
Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro
22. Raed Abudayyeh, Cloud Security Lead, Emerging Markets: Secure and Automate AWS Deployments with Next Generation Security
23. SECURITY OPERATING PLATFORM (diagram): Palo Alto Networks apps, 3rd-party apps and customer apps run on the Application Framework, which is fed by the Logging Service and threat intel data and spans network, endpoint and cloud.
24. LEADERSHIP IN CYBERSECURITY
• 63% of the Global 2K are Palo Alto Networks customers
• 29% year-over-year revenue growth*
• 85 of the Fortune 100 rely on Palo Alto Networks
• #1 in Enterprise Security
• 54,000+ customers in 150+ countries
• Revenue trend: 40% CAGR, FY14 - FY18 (chart of FY14 through FY18)
* Q4FY2018. Fiscal year ends July 31.
Source: Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018
27. AWS SECURITY = A SHARED RESPONSIBILITY
AWS looks after the security OF the platform:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Encryption Key Management, Client & Server Encryption, Network Traffic Protection
29. SECURING THE CLOUD IS HARD
• Fragmented Security
• Human Error
• Manual Security
30. TRIVIA QUESTION!
Through 2020, 95% of cloud security failures will be the customer's fault.
Source: “A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic,” Gartner, November 2, 2016
33. THREE KEY SECURITY ELEMENTS (diagram: an on-premises network and a Virtual Private Cloud (VPC) hosting web and app server tiers on IaaS/PaaS, with object storage, caching and database services)
• INLINE: Protect and segment cloud workloads (VM-Series NGFW)
• HOST: Secure OS and app within workloads (Traps)
• API: Continuous security and compliance (Evident)
34. PROTECT AND SEGMENT CLOUD WORKLOADS: VM-SERIES (diagram: on-premises network connected to a Virtual Private Cloud (VPC) with web and app server tiers, object storage, caching and database services)
• Application visibility and workload segmentation
• Auto-scale based on triggers
• Prevent outbound and inbound attacks
35. CONTINUOUS MONITORING AND COMPLIANCE: EVIDENT (API-based)
Questions Evident answers: Is MFA enabled? Is any sensitive data exposed? What services are running? Who has access to this resource?
• Discover and monitor resources
• Compliance reporting
• Secure storage services
40. OUR APPROACH TO SAAS SECURITY (diagram: remote users, branch and headquarters, on managed and unmanaged devices, reach SaaS applications inline through the GlobalProtect Cloud Service and NGFW, while Aperture connects to the SaaS applications via API; applications are classified as sanctioned, tolerated or unsanctioned)
• SaaS application visibility and granular enforcement delivered inline
• Monitor in-cloud activity and protect data with Aperture
AWS serves hundreds of thousands of customers in more than 190 countries.
Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
Automate and Reduce Risk with Deeply Integrated Services
Automating security tasks on AWS enables you to be more secure by reducing human configuration errors and giving your team more time to focus on other work critical to your business. Select from a wide variety of deeply integrated solutions that can be combined to automate tasks in novel ways, making it easier for your security team to work closely with developer and operations teams to create and deploy code faster and more securely. For example, by employing technologies like machine learning, AWS enables you to automatically and continuously discover, classify, and protect sensitive data in AWS with just a few clicks in the AWS console. You can also automate infrastructure and application security checks to continually enforce your security and compliance controls and help ensure confidentiality, integrity, and availability at all times. Automate in a hybrid environment with our information management and security tools to easily integrate AWS as a seamless and secure extension of your on-premises and legacy environments.
Automation helps reduce the amount of noise and manual work your security engineers have to pay attention to, so they can focus their expertise where it really matters for your business. In this example:
• Findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS, Backdoor:EC2/C&CActivity.B!DNS)
• A CloudWatch Event alarm triggers Lambda
• The instance tag can be checked to see if automatic action can be taken or if manual intervention is needed (e.g. critical production services)
• Lambda function:
  • Removes the instance from its current Security Group(s) and adds it to one with all ingress and egress blocked
  • Snapshots the EBS volume(s)
  • Alerts the Security Team
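The isolation flow in the notes above, written out as an added Python example (not code from the talk, AWS or Palo Alto Networks). It assumes a CloudWatch Events rule delivers GuardDuty findings to the function, a pre-built deny-all security group in the instance's VPC (QUARANTINE_SG_ID), an SNS topic for the security team (ALERT_TOPIC_ARN) and an opt-out tag named AutoIsolate; those names are assumptions.

```python
"""Hypothetical GuardDuty -> CloudWatch Events -> Lambda isolation playbook (added example).

Environment: QUARANTINE_SG_ID (deny-all group in the instance's VPC) and
ALERT_TOPIC_ARN (SNS topic); both names are assumptions, as is the AutoIsolate tag.
"""
import os

# Finding types the notes list as evidence of a compromised instance.
ISOLATE_ON = {"Backdoor:EC2/XORDDOS", "Backdoor:EC2/C&CActivity.B!DNS"}


def automation_allowed(tags):
    """Tag check: an instance tagged AutoIsolate=false (assumed name) gets manual handling."""
    return not any(t["Key"] == "AutoIsolate" and t["Value"].lower() == "false" for t in tags)


def respond(finding, ec2, sns, quarantine_sg, topic_arn):
    """Act on one GuardDuty finding; ec2/sns are boto3-style clients (injected for testing)."""
    ftype = finding["type"]
    instance_id = finding["resource"]["instanceDetails"]["instanceId"]
    if ftype not in ISOLATE_ON:
        return {"instance": instance_id, "action": "ignored"}
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    if not automation_allowed(inst.get("Tags", [])):
        sns.publish(TopicArn=topic_arn, Subject=f"{ftype} on {instance_id}",
                    Message="AutoIsolate=false: manual intervention required")
        return {"instance": instance_id, "action": "manual"}
    # Replace every current security group on the primary ENI with the deny-all group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # Snapshot each attached EBS volume so forensics has an untouched copy.
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"Forensic copy of {vol} ({ftype})")
        snapshots.append(snap["SnapshotId"])
    sns.publish(TopicArn=topic_arn, Subject=f"Isolated {instance_id}",
                Message=f"{ftype}: groups replaced by {quarantine_sg}; snapshots {snapshots}")
    return {"instance": instance_id, "action": "isolated", "snapshots": snapshots}


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the logic above loads without the SDK."""
    import boto3
    return respond(event["detail"], boto3.client("ec2"), boto3.client("sns"),
                   os.environ["QUARANTINE_SG_ID"], os.environ["ALERT_TOPIC_ARN"])
```

The quarantine group must live in the same VPC as the instance, and modify_instance_attribute only rewrites the primary network interface's groups; instances with extra ENIs need each interface handled.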
Now, let’s see how we can apply these three principles of cloud security to the public cloud – IaaS and PaaS services.
And of course, to keep this in perspective, our goal is to secure the entire organization, with cloud included. Enterprise security, consistent and automated protections for all your locations, clouds and users.