Palo Alto Networks: Customer Profile

Palo Alto Networks Safely Enables Application Access for Top Global Advertising Agency

“Functionality and security are like two opposites; if you give the user all the functionality they want, you’ll lose security. Palo Alto Networks enables us to give users all the functionality they need and still have the security we need.”

– Jeroen Buren, IT Manager, DDB Amsterdam ORGANIZATION: DDB Amsterdam

BACKGROUND INDUSTRY: With 200 offices and over 13,000 employees in more than 90 countries, DDB Worldwide Advertising Group is a top five global advertising and marketing services network. The company’s CHALLENGE: clients include major brands such as Exxon, Clorox, McDonald’s, Johnson & Johnson, Gain visibility into network to control Novartis and many others. No other agency has received more awards internationally application usage, improve security and for its creative work than DDB. Under the DDB Worldwide rubric, DDB Amsterdam, enable business operations. based in Holland, serves clients such as KLM and Philips. DDB Worldwide is part of Omnicom Group Inc., (NYSE-OMC), a global marketing and advertising communications SOLUTION: holding company ranked among the top three in the world. Replace legacy firewalls with Palo Alto Networks PA-4000 and PA-500 next- CREATIVITY DEPENDS ON ACCESS generation firewalls for granular visibility As a key component of DDB Worldwide, international marketing and advertising agency of threats and better control of Internet DDB Amsterdam interacts with clients all over the world. Its staff is heavily weighted applications. with creatives, who develop innovative, award-winning advertising campaigns for the firm’s clientele. RESULTS: DDB Amsterdam’s IT team supports over 400 internal users working out of two locations • Increased application visibility and in the city. Its job is to protect the company and its clients while supporting the needs of control; improved security its end-users. “Social Media usage is very heavy in our organization, and our employees • Creation of flexible, granular, user- routinely send extremely large files back and forth via email and FTP,” explains Jeroen specific application usage policies Buren, IT Manager, DDB Amsterdam. “One hundred percent of our users are on the Internet a lot, as nearly all of them produce creative works.” • 100% increase in service response times to end-users without To be effective, the agency’s creative staff must be able to quickly access any type of compromising security social media application or website instantly. Delays inhibit productivity and generate • Enabled speed-to-market for complaints to the firm’s IT staff. “The constant challenge in an advertising agency is creative staff to balance allowing our creative staff immediate access to applications, sites and files without compromising security,” states Buren.

To prevent employees from visiting sites that posed security risks, the company tried using WebMarshal, a web filtering software from M86 Security. “We got rid of it because it took too much work for us to determine whether to grant a user access to a site,” Buren says. “Employees were not happy seeing ‘denied/dangerous site’ messages frequently.”

Jettisoning WebMarshal, Buren and his team installed Netscreen (now Juniper Networks) firewalls to regulate access and protect end-users. “They were doing the job, basically, but part way through 2010 we decided the firewalls weren’t as transparent to users or as easy to use as we’d like them to be,” describes Buren. Palo Alto Networks: Customer Profile

ACCESS OR SECURITY? CAN WE HAVE BOTH? DDB Amsterdam’s creatives routinely swap large, client-sensitive advertising files such as proofs, images and other materials. These files, often several megabytes or gigabytes in size, are exchanged with clients via external VPN connections set up by the agency’s IT staff. However, DDB Amsterdam’s incumbent Juniper Networks firewalls were too cumbersome to easily set up VPNs and safely monitor communication with clients. “When a user made a real simple request like asking us to set up a VPN connection to one of our clients, we had to tell them it was technically possible, but very complicated and time-consuming,” says Buren. “Creating a VPN took a lot of work because we had to give their computer a static IP address, etc. It was very laborious just to satisfy a very simple request from the end user’s perspective.”

Once a VPN was set up, DDB Amsterdam’s existing firewalls still didn’t function optimally. “Our incumbent firewalls required us to open a specific port or use Remote Desk Protocol (RDP),” Buren explains. “We could filter to specific IPs, but it didn’t work well because when you date the HTTP the IP addresses can change.” Enforcing its existing application usage policies also proved problematic. “With Juniper Networks firewalls you have to go “In IT, what you really want to do through all the policies to see which policy is blocking an end-user’s access,” adds Buren. is give a person the right to use “This takes a lot of time.” a certain application securely DDB Amsterdam sought to more easily and efficiently enable safe access for its end-users. “We needed a firewall that would let us give end-users transparent access to the Internet whenever they want to. With Palo without lowering our security standards,” relays Buren. After deciding to upgrade its Alto Networks we can do that.” firewalls, DDB Amsterdam began searching for a solution that could deliver the granular visibility and flexibility it needed to squash threats while securely controlling application usage and Internet access. Keeping everything transparent to its employees was paramount. – Jeroen Buren, IT Manager, DDB Amsterdam ON THE MARKET FOR A BETTER SOLUTION A simple Internet search unearthed information about Palo Alto Networks. “From my research, Juniper Networks and Palo Alto Networks had the most advanced and up-to-date firewall products,” states Buren. “When I compared the two, I found that the Palo Alto Networks PA-4000 and PA-500 Firewalls could identify and filter traffic by user instead of just by computer IP address. That triggered us to look more closely at Palo Alto Networks.”

Buren contacted the company’s local Dutch partner, SecureLink, to obtain and test Palo Alto Networks’ firewalls. Palo Alto Networks’ enterprise firewall, the PA-500, is ideally suited for Internet gateway deployments to ensure network security and threat prevention. The PA-500 manages network traffic flows with high performance processing and dedicated memory for networking, security, threat prevention, URL filtering and management. The Palo Alto Networks PA-4000 Series next-generation firewall delivers granular visibility of threats and better control of Internet applications.

THE BEST FOCUS GROUP: A LIVE TRIAL A live proof-of-concept exercise was arranged to evaluate the firewalls. “SecureLink gave us a Palo Alto Networks firewall, which we hooked up on our network,” describes Buren. “After 4-5 weeks, we started setting up external VPN connections, and implemented user- based filtering. It all worked very smoothly. The ability to see and monitor activity based on user, not just IP, combined with its overall performance, were the big selling points. After a few weeks of testing, we were convinced.”

PA-SERIES DELIVERS AS ADVERTISED DDB Amsterdam purchased and installed the Palo Alto Networks PA-2020 firewall at its headquarters, and the PA-500 at its secondary, remote location in Amsterdam. After 232 East Java Drive several months in production, Buren and his team have already created several specific Sunnyvale, CA application-specific policies. “We have an electronic banking application with several 94089-1318 layers of security,” Buren says. “If a user enters a payment they cannot approve it. And, Main: 408.738.7700 certain people have the ability to communicate with the bank while others do not. So, Sales: 866.320.4788 we’ve been able to set up the application with specific rules, together with user-level security, and it works flawlessly.” www.paloaltonetworks.com Palo Alto Networks: Customer Profile

“If you want to set up a filter for specific ports and specific IPs one by one, any firewall can do this,” Buren relays. “But it takes so much time. Palo Alto Networks lets you write and apply usage policies, and then easily tweak them by group or by individual user. It’s so flexible and efficient.”

DDB Amsterdam also plans to implement application usage policies for its staff to access remote SQL Servers and file exchange programs. “Such policies are meaningful to our business because they safely allow us to interact with clients,” Buren adds. “It’s our job in IT to give our users what they want to do their work. We’re a service department. Our users have to do the job and earn the money, -- and we have to make it happen.”

REPLACING DARK CLOUDS WITH APPLICATION ENABLEMENT Instead of treating security as a dark cloud threat, Palo Alto Networks safely enables application usage. The PA-4000 Series and PA-500 Firewalls are expeditiously and safely enabling DDB Amsterdam’s business. “In terms of serving our end-users, our time to market is now very short,” describes Buren. “We can quickly and clearly see that a given user needs to use a certain application, or to securely FTP big files from a client. Then I can instantly and transparently empower the user without exposing ourselves.”

Buren also appreciates the user-friendliness of the PA-4000 Series and PA-500 Firewalls. “With the login options, if there’s a problem it’s very easy to see what it is and what is causing a denial of traffic or access.

DDB Amsterdam plans to develop more usage policies for end-users. “Our staff likes to use MS Messenger, but with our previous firewalls we weren’t comfortable security-wise with its file exchange functionality,” Buren relays. “But with Palo Alto Networks, we can give users access to the application but deny them the ability to use its file exchange options. We could not do this with our previous firewalls.”

Functionality and security are like two opposites; if you give the user all the functionality they want, you’ll lose security,” sums up Buren. “Palo Alto Networks enables us to give users all the functionality they need and still have the security we need.”

By better servicing its employee end-users, DDB Amsterdam’s IT team helps keep the agency’s creative staff focused on serving the company’s clients and generating revenues. “In IT, what you really want to do is give a person the right to use a certain application securely whenever they want to,” adds Buren. “With Palo Alto Networks, we can do that. I’ve already recommended Palo Alto Networks to one of my colleagues in Europe.”

232 East Java Drive Sunnyvale, CA 94089-1318 Main: 408.738.7700 Sales: 866.320.4788 www.paloaltonetworks.com