Securing Cloud Applications with Amazon Web Services (AWS) and Palo Alto Networks
Key challenges every organization is facing

• Growing number of entities to secure: cloud services, along with growing IaaS, PaaS, and CaaS environments, create a huge estate for security teams to protect.
• Environments are constantly changing: developers, DevOps, and I&O are building and deploying at a frantic pace, often without security guidance or controls.
• Everyone is now a stakeholder: security is no longer a gate at the end of the application lifecycle. Every team along the pipeline needs to participate in security.

How security teams are impacted

• Lack of visibility: increased likelihood of undetected misconfigurations, and difficulty quantifying risk to management.
• Complexity of compliance: increased cost of achieving compliance, and delayed initiatives due to the difficulty of proving compliance.
• Inability to rapidly detect and respond to threats: alert fatigue due to constant change, and lack of context for investigations.

AWS and Palo Alto Networks provide complete security for the cloud (shared responsibility model)

Customer: responsible for security IN the cloud. Customers choose their own security configurations; Palo Alto Networks helps customers enhance security in the cloud.
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication | Server-side encryption (file system and/or data) | Networking traffic protection (encryption, integrity, identity)

AWS: responsible for security OF the cloud.
• Software: compute, storage, database, networking
• Hardware / AWS global infrastructure: regions, availability zones, edge locations

How Palo Alto Networks works with AWS: enhance your investment and protect cloud applications

• Protect: secure compute, network and storage services, and the applications they run.
• Integrate & enhance: integrate with AWS security services to enhance context and consolidate visibility.

Palo Alto Networks complements native AWS services across all solution areas: identity & access management, detective controls, infrastructure protection, data protection, and incident response.

Palo Alto Networks and AWS solve for common security use cases

• Visibility and compliance: understand cloud environments, maintain compliance with industry standards, and enforce guardrails.
• Risk management: better understand and mitigate risk across your business-critical application workloads.
• Automated response: simplify and streamline SOC operations with scalable, automated processes.

Comprehensive cloud security with a strong foundation

• The NIST Cybersecurity Framework (CSF) provides a foundation for cloud security and an accelerated path to cloud adoption.
• AWS and Palo Alto Networks use this foundation to build solutions that support the five risk management functions: Identify, Protect, Detect, Respond, and Recover.
• According to Gartner, NIST CSF is projected to be used by 50% of U.S. private sector organizations by 2020 [1].

NIST framework
• IDENTIFY: develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
• PROTECT: develop and implement appropriate safeguards to ensure delivery of critical services.
• DETECT: develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
• RESPOND: develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
• RECOVER: develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

[1] https://www.nist.gov/industry-impacts/cybersecurity

Palo Alto Networks integrations with AWS: security and automation for every aspect of your cloud investment

• VM-Series: secure networks and prevent advanced threats with the industry-leading NGFW.
• Prisma Cloud: secure cloud applications and maintain compliance across the entire development lifecycle.
• Cortex XSOAR: unburden security teams with automated incident response and security workflows.

Prisma Cloud customer use case: Prisma Cloud on AWS keeps Western Asset Management agile

Challenge
For Western Asset Management (WAM), time-sensitive transactions and decision-making based upon fast-changing market conditions are key to differentiating in an increasingly competitive and evolving investment landscape. WAM needed an agile, dynamic cloud environment that was secure and could speed the application delivery process.

Outcomes
WAM migrated to AWS and deployed Prisma Cloud, giving them:
• Full visibility across all accounts: Prisma Cloud acts as a pseudo asset inventory that is aware of every workload across all accounts, providing a single pane of view.
• Faster response times: prioritized alert routing improves incident and potential-misconfiguration response times from days to minutes.
• Better compliance: built-in, single-click compliance reporting and alerting in Prisma Cloud eliminates the need to manually sift through audit files and empowers SecOps and Compliance teams with actionable email alerts.

"Our senior IT management really has the confidence now in our cloud team being able to leverage Prisma Cloud for the compliance, security governance, auditing and network visibility that we get. The ROI has just been immense – allowing our business to work faster, and more efficiently."
- David Pace, Global Information Security, Western Asset Management
VM-Series: migrate to the cloud securely and at scale with AWS services and Palo Alto Networks VM-Series

• Migrate business-critical applications to the cloud with a prevention-based approach to protecting apps and data on AWS
• Unmatched application visibility and control
• Prevent threats from moving laterally between workloads and stop data exfiltration
• Automation and centralized management

AWS integrations: Elastic Load Balancing, AWS Transit Gateway, Amazon GuardDuty, AWS Security Hub, VPC Traffic Mirroring, Amazon VPC Ingress Routing
Integrations planned for 2020: AWS Outposts, AWS Network Manager

VM-Series integration with AWS Transit Gateway

How it works
• The VM-Series integration with Transit Gateway simplifies the setup of centralized inspection, uses infrastructure as code, and lets a customer's security controls scale with their applications
• Maintains a consistent security posture and lets security and networking teams deploy infrastructure protection for their application owners with little effort
• The deployment architecture sets up security VPCs in which the firewalls are deployed; these connect to the Transit Gateway via VPC or VPN attachments
• All traffic between attachments is routed to the VM-Series firewall for inspection
• Can be used with AWS Resource Access Manager to create a clear delineation between security and application owners

Customer benefits
• Application-, user- and content-specific security across the AWS landscape
• Scalable to meet customer demand
• Uses VPC connectivity options for highest resiliency
• Encompasses all traffic flow patterns and return traffic
• Integrates with the CI/CD pipeline
• Integrates with AWS security products like GuardDuty and Security Hub

[Diagram: hub-and-spoke Transit Gateway architecture. Spoke 1 (10.1.0.0/16: web-a 10.1.1.0/24, web-b 10.1.2.0/24), Spoke 2 (10.2.0.0/16: db-a, db-b) and a Services VPC (10.3.0.0/16: Services-a 10.3.1.0/24, Services-b 10.3.2.0/24) connect to the Transit Gateway through VPC attachments; on-prem or colo (172.16.0.0/16) connects through a VPN attachment over VPN or Direct Connect. Separate security VPCs hold VM-Series pairs for Inbound, Outbound and East-West traffic, each with Mgmt, TGW, Pub and Priv subnets carved from 10.253.0.0/16, 10.254.0.0/16 and 10.255.0.0/16; Internet egress goes through the Outbound firewalls.]
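The "How it works" bullets hinge on one routing property: a spoke's Transit Gateway route table carries only a default route toward the security VPC, and only the security VPC's route table knows the way back to each spoke, so no spoke can reach another (or on-prem) without crossing the firewall. The model below is added here as an illustration; it is not Palo Alto Networks or AWS code. It implements TGW longest-prefix routing over the prefixes from the diagram, walks a packet's path through the hub, and audits a spoke route table for routes that would bypass inspection. Attachment names are made up for the example. It also shows the caveat a practitioner should keep in mind: a destination inside the source VPC is handled by the VPC's local route and never reaches the TGW, so "all traffic" means all inter-VPC traffic.

```python
import ipaddress

# Hypothetical attachment names for this example; the prefixes are the ones
# shown in the slide's Transit Gateway diagram.
SECURITY = "security-vpc"  # attachment of the security VPC holding the VM-Series

SPOKES = {
    "spoke-1": "10.1.0.0/16",       # web-a / web-b
    "spoke-2": "10.2.0.0/16",       # db-a / db-b
    "services-vpc": "10.3.0.0/16",
    "onprem-vpn": "172.16.0.0/16",  # VPN or Direct Connect attachment
}


def spoke_route_table():
    """The only route an application attachment should see: default -> security VPC."""
    return [("0.0.0.0/0", SECURITY)]


def security_route_table():
    """Return routes from the firewall VPC back to every spoke and to on-prem."""
    return [(prefix, att) for att, prefix in SPOKES.items()]


def build_tgw(spoke_rt=None):
    """Association map: attachment -> route table consulted for traffic arriving from it."""
    spoke_rt = spoke_route_table() if spoke_rt is None else spoke_rt
    tgw = {att: spoke_rt for att in SPOKES}
    tgw[SECURITY] = security_route_table()
    return tgw


def lookup(route_table, dst_ip):
    """Longest-prefix match, the way a TGW route table resolves a destination."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def path(tgw, src_attachment, dst_ip):
    """Attachments a packet visits from src_attachment to the VPC owning dst_ip.

    Traffic that lands in the security VPC is inspected by the VM-Series and sent
    back to the TGW, where it is resolved in the security route table.  A
    destination inside the source VPC never reaches the TGW (VPC local route)."""
    addr = ipaddress.ip_address(dst_ip)
    if src_attachment in SPOKES and addr in ipaddress.ip_network(SPOKES[src_attachment]):
        return [src_attachment]
    hops, current = [src_attachment], src_attachment
    for _ in range(4):  # guard against routing loops
        nxt = lookup(tgw[current], dst_ip)
        if nxt is None:
            raise ValueError(f"no route to {dst_ip} from {current}")
        hops.append(nxt)
        if nxt != SECURITY:
            return hops
        current = nxt
    raise ValueError(f"routing loop toward {dst_ip}")


def inspected(tgw, src_attachment, dst_ip):
    """True if the flow passes through the VM-Series before reaching its destination."""
    return SECURITY in path(tgw, src_attachment, dst_ip)[1:-1]


def bypass_routes(tgw):
    """Audit the spoke route tables: any route whose target is not the security VPC
    lets that traffic skip inspection.  Returns (attachment, prefix, target) triples."""
    return [(att, prefix, target)
            for att in SPOKES
            for prefix, target in tgw[att]
            if target != SECURITY]


if __name__ == "__main__":
    tgw = build_tgw()
    print(path(tgw, "spoke-1", "10.2.1.10"))     # ['spoke-1', 'security-vpc', 'spoke-2']
    print(inspected(tgw, "spoke-1", "10.1.2.5"))  # False: intra-VPC traffic never hits the TGW
    # A direct spoke-to-spoke route in the spoke table silently bypasses the firewall.
    leaky = build_tgw([("0.0.0.0/0", SECURITY), ("10.2.0.0/16", "spoke-2")])
    print(path(leaky, "spoke-1", "10.2.1.10"))   # ['spoke-1', 'spoke-2']
    print(bypass_routes(leaky))
```

The audit in `bypass_routes` is the check worth automating in the infrastructure-as-code pipeline the slide mentions: a route propagated from a spoke attachment into the spoke route table is exactly the misconfiguration that turns "all traffic is inspected" into "most traffic is inspected".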
VM-Series integration with Elastic Load Balancing

How it works
• Protects public-facing assets
• Auto-scales based on demand
• Deploy VM-Series in a load balancer "sandwich" architecture to adjust capacity in a controlled or dynamic manner, independent of the applications
• Inspects the application stream to detect and prevent known and unknown threats, such as advanced persistent threats

Customer benefits
• Layer 7 inspection
• Application-specific security
• Scalable to meet customer demand
• Integrated with Auto Scaling (not required)
• Multi-application ready
• Transit Gateway ready (not required)

[Diagram: an external load balancer, the VM-Series tier and an internal load balancer fronting the application hosting tier, with :80/:801 and :443/:4431 port pairs at the firewall layer; a Transit Gateway between the firewalls and the applications is optional.]

VM-Series integration with Amazon GuardDuty

How it works
• Enables automated responses to malicious actors and protects business-critical workloads
• The VM-Series integration with GuardDuty uses an AWS Lambda function to collect threat findings
• Create a dynamic address group within a security policy that blocks any activity emanating from the flagged IP address
• Dynamic address groups and security policies are automatically updated, without administrative intervention

Customer benefits
• Streamlined actioning

[Diagram: Amazon GuardDuty findings on a malicious IP address flow through Amazon CloudWatch to an AWS Lambda function, which updates the VM-Series firewalls in the VPC's Untrust security group.]
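The Lambda half of the GuardDuty integration described above, written out as an added example (this is not Palo Alto Networks' published integration code): the function receives a GuardDuty finding from EventBridge (CloudWatch Events), pulls the remote IP address out of the finding's `service.action` block, and registers it against a tag through the PAN-OS XML API's User-ID message (`type=user-id`). A dynamic address group whose match criterion is that tag then picks the address up in the existing deny rule with no commit, which is what "automatically updated, without administrative intervention" means in practice. The firewall host, API key, tag name and severity threshold are placeholders for this example; the sample event is constructed, not a real finding. Two caveats a practitioner wants are built in: findings below a severity threshold, and DNS_REQUEST findings (which carry a domain, not an IP), register nothing, and a private remote address is skipped because it points at one of your own workloads rather than an external attacker.

```python
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholders for this example: in a real deployment the firewall address and
# API key come from the Lambda's environment / secrets store.
FIREWALL_HOST = "vm-series-mgmt.example.invalid"
API_KEY = "REPLACE_WITH_PAN_OS_API_KEY"
TAG = "guardduty-malicious"   # assumed tag name; the dynamic address group matches on it
MIN_SEVERITY = 4.0            # GuardDuty severity: 4.0-6.9 medium, 7.0-8.9 high

# Never auto-block your own address space on the strength of a finding alone:
# a private remote IP means the "attacker" is one of your workloads.
INTERNAL = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def remote_ips(finding):
    """Extract the remote IPv4 address(es) from a GuardDuty finding's service.action.
    DNS_REQUEST findings carry a domain rather than an IP and yield nothing."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    details = []
    if kind == "NETWORK_CONNECTION":
        details.append(action["networkConnectionAction"]["remoteIpDetails"])
    elif kind == "AWS_API_CALL":
        details.append(action["awsApiCallAction"]["remoteIpDetails"])
    elif kind == "PORT_PROBE":
        details.extend(p["remoteIpDetails"]
                       for p in action["portProbeAction"]["portProbeDetails"])
    ips = []
    for d in details:
        ip = d.get("ipAddressV4")
        if ip and not any(ipaddress.ip_address(ip) in n for n in INTERNAL):
            ips.append(ip)
    return ips


def should_block(finding):
    """Only act on live findings at or above the severity threshold."""
    return (float(finding.get("severity", 0)) >= MIN_SEVERITY
            and not finding.get("service", {}).get("archived", False))


def register_payload(ips, tag=TAG):
    """PAN-OS User-ID API message registering IP-to-tag mappings; a dynamic address
    group whose match criterion is `tag` picks the addresses up without a commit."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "2.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(reg, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def send_to_firewall(cmd):
    """POST the message to the PAN-OS XML API (type=user-id)."""
    body = urllib.parse.urlencode({"type": "user-id", "key": API_KEY, "cmd": cmd}).encode()
    req = urllib.request.Request(f"https://{FIREWALL_HOST}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def lambda_handler(event, context=None, dry_run=False):
    """EventBridge (CloudWatch Events) hands the finding over as event['detail'].
    dry_run=True builds the payload without contacting the firewall."""
    finding = event["detail"]
    if not should_block(finding):
        return {"registered": [], "cmd": None}
    ips = remote_ips(finding)
    cmd = register_payload(ips) if ips else None
    if cmd and not dry_run:
        send_to_firewall(cmd)
    return {"registered": ips, "cmd": cmd}


# Constructed sample event shaped like a GuardDuty finding delivered by EventBridge.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "example-finding-id",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 5,
        "service": {
            "archived": False,
            "action": {
                "actionType": "PORT_PROBE",
                "portProbeAction": {"portProbeDetails": [
                    {"localPortDetails": {"port": 22},
                     "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
                    {"localPortDetails": {"port": 3389},
                     "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}},
                    {"localPortDetails": {"port": 8080},
                     "remoteIpDetails": {"ipAddressV4": "10.1.1.7"}},  # internal, skipped
                ]},
            },
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, dry_run=True)["registered"])  # ['198.51.100.23', '203.0.113.9']
```

The deny rule that references the dynamic address group should match the tagged addresses as both source and destination, since a NETWORK_CONNECTION finding's remote IP may be the destination of an outbound command-and-control flow rather than an inbound scanner. Registered addresses also accumulate forever unless something removes them; the same User-ID message format carries an `unregister` element, so a second scheduled function that ages entries out after a holding period belongs next to this one.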