Multi-Cloud Protection & Cloud Compliance (2019/11/18)
TRANSCRIPT
Multi-Cloud Protection
& Cloud Compliance
Nattapon Palviriyachot, Security Consultant, Palo Alto Networks
How to secure your application
and data in the cloud?
2 | © 2016, Palo Alto Networks, Inc. Confidential and Proprietary.
Issue: MongoDB listens on its default ports (27017, 27018, 27019) and, in its default configuration, does not require authentication.
Background: Many deployments were left with these defaults, so the databases were reachable and unauthenticated; attackers used exactly this to gain entry.
What Happens When AWS S3 is Not Secured?
What happened? May 2017
• Publicly accessible Amazon S3 bucket
• Leaked by a defense contractor
• 60K files, 28GB of data, unencrypted passwords
Headline: Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password
What happened? June 2017
• Unsecured Amazon S3 bucket
• 1.1 TB of personal voter data including names, addresses etc.
Headline: Faulty AWS S3 Configuration Exposes Personal Data of 198M U.S. Voters
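Both incidents above come down to one of two settings: a bucket policy that grants s3:GetObject to every principal, or an ACL grant to the AllUsers / AuthenticatedUsers groups. The following check is an added example, not part of the slides or of any vendor product. It takes the JSON shapes that the S3 GetBucketPolicy and GetBucketAcl calls return; the two sample buckets below are constructed so that the check runs offline, and "example-exports" is not a real bucket.

```python
"""Check whether an S3 bucket is publicly readable through its policy or ACL.

Added example, not from the slides. The functions take the JSON shapes that
GetBucketPolicy and GetBucketAcl return; the sample documents below are
constructed so the check runs offline.
"""
import json

# Pre-defined S3 groups that mean "anyone on the Internet" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Action strings (lower-cased) that cover GetObject.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Policy grammar allows Principal "*" or {"AWS": "*"} (scalar or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Sids (or positional names) of statements that let anyone read objects.

    A statement counts if it is an Allow, its Principal is everyone, its Action
    covers s3:GetObject and it carries no Condition. Conditioned statements
    (aws:SourceVpce, aws:SourceIp, ...) are skipped: they need a separate,
    condition-aware review rather than an automatic "public" verdict.
    """
    policy = json.loads(policy_json)
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if st.get("Condition"):
            continue
        hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """(group name, permission) for ACL grants that expose the bucket."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def assess_bucket(name, policy_json, acl):
    """Human-readable findings for one bucket; an empty list means not public."""
    findings = [f"{name}: policy statement {sid} allows anyone s3:GetObject"
                for sid in public_read_statements(policy_json)]
    findings += [f"{name}: ACL grants {perm} to {group}"
                 for group, perm in public_acl_grants(acl)]
    return findings


# Constructed sample documents (not real buckets).
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*",
    }],
})
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
    ],
})
LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for line in assess_bucket("example-exports", EXPOSED_POLICY, EXPOSED_ACL):
        print(line)
    print("locked-down findings:", assess_bucket("example-exports", LOCKED_POLICY, LOCKED_ACL))
```

The check deliberately does not declare a conditioned "Principal: *" statement public: a statement restricted to a VPC endpoint or a source IP range is often intentional, and it should go to a human review queue rather than be auto-flagged or, worse, auto-remediated. In a real account the same two functions would be fed each bucket's policy and ACL from the API, and S3 Block Public Access should be on at the account level so that neither misconfiguration can take effect in the first place.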
Public Cloud Security Options
1. Native tools
2. Point offerings
3. “Do it yourself”
Option 1: Commonly used Native Network Security Tools
Security Groups
• Basic stateful firewall
• Limited scale (# SGs, # rules/SG)
• No application visibility or user-level control
• No threat prevention capability
Web Application Firewall
• HTTP/Web apps only
• Customized for every app
• No application visibility across other ports
• Limited threat prevention capability
• No data exfiltration protection
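A security group can only express IP range and port, which is also the most it can do to stop the MongoDB problem described earlier: the unauthenticated default ports become a breach the moment an ingress rule opens them to the Internet. The audit below is an added example, not part of the slides or of any vendor tool; it walks security groups in the field layout that EC2 DescribeSecurityGroups returns and flags any sensitive database port reachable from outside private address space. The three groups are constructed inline so it runs offline; the group IDs are made up.

```python
"""Audit security-group ingress rules for database ports open to the Internet.

Added example, not from the slides. Rule dictionaries follow the fields of
EC2 DescribeSecurityGroups (IpProtocol, FromPort, ToPort, IpRanges,
Ipv6Ranges); the groups below are constructed.
"""
import ipaddress

# Ports the slides call out (MongoDB, no auth by default) plus MySQL.
SENSITIVE_PORTS = {
    27017: "mongodb",
    27018: "mongodb-shard",
    27019: "mongodb-config",
    3306: "mysql",
}
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internet_reachable(cidr):
    """True if the source range is the whole Internet or any non-RFC1918/ULA space."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net in WORLD:
        return True
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE)


def rule_port_range(rule):
    """IpProtocol '-1' means all traffic and carries no FromPort/ToPort."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def exposed_services(group):
    """(group id, service, port, open sources) for each sensitive port reachable from outside."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        low, high = rule_port_range(rule)
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_sources = tuple(s for s in sources if is_internet_reachable(s))
        if not open_sources:
            continue
        for port, service in SENSITIVE_PORTS.items():
            if low <= port <= high:
                findings.append((group["GroupId"], service, port, open_sources))
    return findings


def audit(groups):
    """Flatten findings across a list of groups."""
    return [f for g in groups for f in exposed_services(g)]


# Constructed groups in DescribeSecurityGroups shape (IDs are made up).
DB_EXPOSED = {"GroupId": "sg-0db0exposed", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27019,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
]}
DB_RESTRICTED = {"GroupId": "sg-0db0locked", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},   # app subnet only
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.2.0/24"}], "Ipv6Ranges": []},
]}
ALL_TRAFFIC_V6 = {"GroupId": "sg-0anyany", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}

if __name__ == "__main__":
    for finding in audit([DB_EXPOSED, DB_RESTRICTED, ALL_TRAFFIC_V6]):
        print(finding)
```

The "all traffic from ::/0" group is the case that most often slips past eyeball review: it has no port numbers at all, so a grep for 27017 never sees it. Closing the security group is only half the fix for MongoDB; the database also needs `security.authorization: enabled` and a `net.bindIp` limited to the application subnet in mongod.conf, so that a later, unrelated rule change does not reopen an unauthenticated service.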
Option 2: Other Third Party Products
Inline security: Cisco, Checkpoint, Fortinet, Sophos, Trend Micro
IAM: Dome9, Savyint, Alertlogic
Data governance: Netskope, Skyhigh, Cisco
Most products address only part of the security problem
Option 3: “Do It Yourself”
• Resources?
• Expertise?
• Incident assistance?
What’s Our Approach?
Our Approach – End to End Cloud Security
(Diagram: SaaS and business applications; IaaS and PaaS workloads protected by Traps; S3 storage and the cloud console.)
PALO ALTO NETWORKS SECURITY OPERATING PLATFORM FRAMEWORK
(Diagram: an Application Framework hosting Palo Alto Networks apps, 3rd-party apps and customer apps; enforcement through Network Security, Advanced Endpoint Protection and Cloud Security; cloud-delivered security services: Exploitation Prevention, Malware Prevention, C&C Channel Prevention, URL & Domain Filtering, Analytics, Investigation & Response; threat intel data from MineMeld and AutoFocus.)
Three Critical Components of Cloud Security
The Most Complete Public Cloud Security Offering
(Diagram: users/admins reach a web app with web server and app server tiers on Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS) offers serverless, containers and storage.)
• INLINE: protect and segment cloud workloads (VM-Series NGFW, multi-cloud)
• HOST: secure OS and app within workloads
• API: continuous security & compliance (Prisma Cloud)
VM-Series NGFW for Inline Protection
• Bi-directional application visibility and control
• Prevent known and unknown threats
• Centrally manage for policy consistency
• Automate deployment and policy updates
Deployment with VM-Series
Protect your AWS, Azure and GCP deployment just as you would your data center
• Hybrid: securely deploy applications in your data center or in the cloud
• Segmentation: separate data and applications for compliance and security
• Internet Gateway: protect Internet-facing applications
• Remote Access: security consistency for your network, your cloud, and your devices
INLINE SECURITY FOR PUBLIC CLOUD
• Internet-facing applications
  • Protect against known vulnerabilities until you have time to patch/update
  • For example: CVE-2017-5638 for Apache Struts
• Hybrid cloud
  • Allow only approved admins to run SQL transactions against MySQL
  • Block all threats from moving laterally between different trust domains
• East-West between VPCs or VNets
  • Only allow MySQL, NTP, DNS and AD/LDAP between application tiers
  • Security policy automatically updates to protect auto-scaled apps
• Outbound
  • Allow Ubuntu servers to only do apt-get to *.canonical.com for software updates
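The use cases above are all one policy model: match on zone pair, address group and the identified application (not the port), first match wins, everything else is denied. The evaluator below is an added example, not part of the slides or of PAN-OS; it encodes each bullet as a rule and runs a set of constructed flows through it, including the lateral moves the bullets say to block. Zone names, address-group members, the App-ID labels and the IP addresses are assumptions chosen to mirror the list.

```python
"""Evaluate a zone/App-ID policy for the inline use cases listed above.

Added example, not from the slides or from PAN-OS. Rules match top-down on
source/destination zone, source/destination address group, application and
(for outbound rules) a glob over the destination FQDN; the first match wins
and everything else falls to a default deny. Zone names, group members and
App-ID labels are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
import ipaddress

ANY = "any"

# Address groups (constructed); in the cloud these would be tag-driven dynamic groups.
GROUPS = {
    "web-tier": ["10.5.1.0/24"],
    "app-tier": ["10.3.2.0/24"],
    "db-tier": ["10.2.3.0/24"],
    "dba-admins": ["192.168.10.0/24"],               # on-prem DBA subnet reached over VPN
    "ubuntu-servers": ["10.3.2.0/24", "10.5.1.0/24"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_group: str
    dst_group: str
    apps: tuple
    action: str
    dst_fqdn: str = ANY          # glob on destination hostname, e.g. "*.canonical.com"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str                     # what App-ID identified, not the port
    dst_fqdn: str = ""


POLICY = [
    Rule("admin-mysql", "vpn", "trust", "dba-admins", "db-tier", ("mysql",), "allow"),
    Rule("inbound-web", "untrust", "trust", ANY, "web-tier", ("web-browsing", "ssl"), "allow"),
    Rule("web-to-app", "trust", "trust", "web-tier", "app-tier", ("web-browsing", "ssl"), "allow"),
    Rule("app-to-db", "trust", "trust", "app-tier", "db-tier", ("mysql",), "allow"),
    Rule("infra-services", "trust", "trust", ANY, ANY, ("ntp", "dns", "ldap"), "allow"),
    Rule("ubuntu-updates", "trust", "untrust", "ubuntu-servers", ANY, ("apt-get",), "allow",
         dst_fqdn="*.canonical.com"),
]
DEFAULT_DENY = ("default-deny", "deny")


def in_group(ip, group):
    if group == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in GROUPS[group])


def rule_matches(rule, flow):
    return (rule.src_zone in (ANY, flow.src_zone)
            and rule.dst_zone in (ANY, flow.dst_zone)
            and in_group(flow.src_ip, rule.src_group)
            and in_group(flow.dst_ip, rule.dst_group)
            and (ANY in rule.apps or flow.app in rule.apps)
            and (rule.dst_fqdn == ANY or fnmatch(flow.dst_fqdn, rule.dst_fqdn)))


def evaluate(flow, policy=POLICY):
    """(rule name, action) of the first matching rule, else the default deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return DEFAULT_DENY


# Constructed flows: the permitted paths, and the lateral moves the bullets say to block.
FLOWS = {
    "app->db mysql": Flow("trust", "trust", "10.3.2.10", "10.2.3.5", "mysql"),
    "web->db mysql (skips app tier)": Flow("trust", "trust", "10.5.1.10", "10.2.3.5", "mysql"),
    "web->app ssh": Flow("trust", "trust", "10.5.1.10", "10.3.2.10", "ssh"),
    "dba over vpn mysql": Flow("vpn", "trust", "192.168.10.7", "10.2.3.5", "mysql"),
    "dba over vpn ssh": Flow("vpn", "trust", "192.168.10.7", "10.2.3.5", "ssh"),
    "apt-get canonical": Flow("trust", "untrust", "10.3.2.10", "203.0.113.20", "apt-get",
                              "archive.canonical.com"),
    "apt-get elsewhere": Flow("trust", "untrust", "10.3.2.10", "203.0.113.9", "apt-get",
                              "mirror.example.net"),
    "dns within trust": Flow("trust", "trust", "10.5.1.10", "10.3.2.53", "dns"),
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(f"{label:32} -> {evaluate(flow)}")
```

One caveat that the toy model hides: PAN-OS ships with an intrazone-default rule set to allow, so two tiers placed in the same zone can talk freely regardless of the rules above. For the tier-to-tier blocks to hold on a real firewall, put each tier in its own zone or override the intrazone-default rule to deny and log.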
TRANSIT VPC/VNET WITH THE VM-SERIES
• Provides security for VPC-to-VPC/VNet-to-VNet, hybrid, and outbound traffic
• Leverages the new AWS Virtual Private Gateway features for large-scale deployments
• Fully redundant with fast convergence
Reference Network Architecture with Transit Gateway
(Diagram: Outbound VPC, Inbound VPC, Inline-Services VPC and Management VPC attached to the Transit Gateway; Prisma Cloud provides API-based cloud monitoring & compliance.)
Transit VNet Design
(Diagram, described.) Transit VNet AzureRefArch-Transit-VNET subnets:
• Transit-Public 172.17.1.0/24
• Transit-Private 10.1.0.0/24 (UDR next hop 10.1.0.21)
• Transit-VPN 10.1.15.0/24 (virtual network gateway ARATR-VNG at 10.1.15.21, to the local network)
• GatewaySubnet 10.1.40.0/24
Firewalls ARATR-VM FW1-Outbound and ARATR-VM FW2-Outbound: eth1 172.17.1.6 / 172.17.1.7 (Transit-Public), eth2 10.1.0.6 / 10.1.0.7 (Transit-Private), eth3 10.1.15.6 / 10.1.15.7 (Transit-VPN).
Subscriber VNets, each joined to the transit VNet by VNet peering:
• ARA-Subscriber2-VNET (10.2.0.0/16), DB subnet 10.2.3.0/24. UDR: 0.0.0.0/0, 10.3.0.0/16, 10.5.0.0/16, 10.6.0.0/16 next hop 10.1.0.21
• ARA-Subscriber3-VNET (10.3.0.0/16), Business subnet 10.3.2.0/24. UDR: 0.0.0.0/0, 10.2.0.0/16, 10.5.0.0/16, 10.6.0.0/16 next hop 10.1.0.21
• ARA-Subscriber5-VNET: Public 172.16.1.0/24, Private 10.5.0.0/24, Web 10.5.1.0/24; its own firewall pair at eth1 172.16.1.6 / 172.16.1.7 and eth2 10.5.0.6 / 10.5.0.7; inbound public IP 191.237.87.98 (tcp/80). UDR: 0.0.0.0/0, 10.2.0.0/16, 10.3.0.0/16, 10.6.0.0/16 next hop 10.1.0.21
Traffic flows shown: Inbound, Outbound, Backhaul (to the local network over the VPN), East/West
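The design works only as long as every spoke's UDR keeps sending the default route and all peer-spoke prefixes to 10.1.0.21; a deleted or mistyped route silently falls back to Azure's system routes and traffic leaves without inspection. The check below is an added example, not part of the slides or of any Palo Alto Networks template. It models Azure route selection as documented (longest prefix match, with a user-defined route beating a system route of equal length) and reports destinations that would not traverse the firewall. The address plan and UDR contents are the slide's; the hub address space 10.1.0.0/16, a spoke VNet behind 10.6.0.0/16 (only its prefix appears on the slide), and the peering system routes are assumptions.

```python
"""Effective-route check for the transit VNet design above.

Added example, not from the slides. Azure picks the longest matching prefix and,
at equal length, prefers a user-defined route (UDR) over a system route. The
address plan and UDRs are the slide's; the hub space 10.1.0.0/16, the 10.6 spoke
and the system routes for peering are assumptions.
"""
import ipaddress

FW_NEXT_HOP = "10.1.0.21"          # Transit-Private address every UDR points at
TRANSIT = "10.1.0.0/16"            # assumed hub address space
SPOKES = {
    "Subscriber2": "10.2.0.0/16",
    "Subscriber3": "10.3.0.0/16",
    "Subscriber5": "10.5.0.0/16",
    "Subscriber6": "10.6.0.0/16",  # assumed; only its prefix is on the slide
}


def system_routes(vnet):
    """Azure default routes for a spoke peered only to the hub: own space, hub, Internet."""
    return [(SPOKES[vnet], "VirtualNetwork", "system"),
            (TRANSIT, "VNetPeering", "system"),
            ("0.0.0.0/0", "Internet", "system")]


def udr_to_firewall(vnet):
    """The slide's UDR: default route plus every other spoke, all via the firewall."""
    routes = [("0.0.0.0/0", FW_NEXT_HOP, "udr")]
    routes += [(cidr, FW_NEXT_HOP, "udr") for name, cidr in SPOKES.items() if name != vnet]
    return routes


def effective_route(dst_ip, routes):
    """Next hop for dst_ip: longest prefix wins; at equal length a UDR beats a system route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop, origin in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        rank = (net.prefixlen, 1 if origin == "udr" else 0)
        if best is None or rank > best[0]:
            best = (rank, next_hop)
    return best[1] if best else None


def audit_spoke(vnet, udr, probe_destinations):
    """Destinations outside the spoke and the hub whose traffic would NOT reach the firewall."""
    routes = system_routes(vnet) + udr
    local = (ipaddress.ip_network(SPOKES[vnet]), ipaddress.ip_network(TRANSIT))
    bypass = []
    for dst in probe_destinations:
        if any(ipaddress.ip_address(dst) in n for n in local):
            continue
        next_hop = effective_route(dst, routes)
        if next_hop != FW_NEXT_HOP:
            bypass.append((dst, next_hop))
    return bypass


# Probe set: Subscriber3 Business subnet, Subscriber5 Web subnet, Subscriber2 DB subnet, Internet.
PROBES = ("10.3.2.20", "10.5.1.10", "10.2.3.4", "8.8.8.8")

if __name__ == "__main__":
    good = udr_to_firewall("Subscriber5")
    broken = [r for r in good if r[0] != "0.0.0.0/0"]    # someone deleted the default route
    print("intact UDR bypasses:", audit_spoke("Subscriber5", good, PROBES))
    print("broken UDR bypasses:", audit_spoke("Subscriber5", broken, PROBES))
```

Run against a live subscription, the same audit would take each subnet's effective routes from the platform (the "effective route table" view of a NIC) instead of the synthetic system_routes; the decision logic is the same. Note that a UDR is attached per subnet, so a newly created subnet in a spoke starts with no UDR at all and must be covered by the same check.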
Shared VPC Design Model
VM-Series License Options
Two license options in Azure: BYOL and PAYG

                      BYOL: VM-Series ELA    BYOL: Traditional            PAYG: Marketplace
VM-Series license     Term                   Perpetual                    Term
Duration              1 and 3 YR             1, 3, and 5 YR               Hourly, Annual
Capacity license      Any                    Single model                 VM-300
Bundles               Bundle 2               Basic, Bundle 1, Bundle 2    Bundle 1, Bundle 2

Bundle 1 - Includes a VM capacity license, Threat Prevention license (IPS, AV, malware prevention), and a premium support entitlement.
Bundle 2 - Includes a VM capacity license, Threat Prevention (IPS, AV, malware prevention), GlobalProtect, WildFire, PAN-DB URL Filtering licenses, and a premium support entitlement.
VM-Series Industry Leading Performance and Breadth

Model                  VM-100      VM-300      VM-500       VM-700
Throughput             2 Gbps      4 Gbps      8 Gbps       16 Gbps
Capacities
Max sessions           250,000     800,000     2,000,000    10,000,000
Security rules         1,500       10,000      10,000       20,000
Security zones         40          40          200          200
IPSec VPN tunnels      1,000       2,000       4,000        8,000
SSL VPN tunnels        500         2,000       6,000        12,000
Requirements
CPU cores (min/max)    2           2/4         2/8          2/16
Min memory             6.5 GB      9 GB        16 GB        56 GB
Min disk capacity      60 GB       60 GB       60 GB        60 GB
NGFW METRICS IN PUBLIC CLOUD
• Use VM-Series metrics for monitoring and automation
  • Monitor VM-Series from the respective cloud management portals
  • Trigger actions based on metrics
  • Custom/do-it-yourself auto scaling
• Supported environments
  • Google Cloud Platform Stackdriver
  • Azure Application Insights
  • AWS CloudWatch (Feb 2017)
• New metrics can be added via PAN-OS content updates
VM-Series metrics: Session Utilization %, GlobalProtect Tunnel Utilization %, Dataplane CPU Utilization %, Dataplane Packet Buffer Utilization %, SSL Proxy Utilization %, Total Active Sessions, GlobalProtect Active Tunnels
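"Custom/do-it-yourself auto scaling" means writing the decision logic that sits between those published metrics and the cloud's instance group. The following is an added example, not part of the slides or of any Palo Alto Networks template. It consumes three of the metrics listed above for every firewall in a group once per period, uses the hottest firewall as the signal, and requires a sustained breach plus a cooldown before acting so a single spike does not thrash the fleet. Thresholds, window sizes, fleet bounds and the metric series are assumed values constructed for the example.

```python
"""Drive do-it-yourself scaling of a VM-Series group from its published metrics.

Added example, not from the slides or any vendor template. Metric names follow
the slide (dataplane CPU %, session utilisation %, packet buffer %); thresholds,
windows, bounds and the sample series are assumptions.
"""
from dataclasses import dataclass

METRICS = ("dataplane_cpu_pct", "session_util_pct", "packet_buffer_pct")


@dataclass(frozen=True)
class ScalePolicy:
    out_threshold: float = 80.0   # any metric at/above this ...
    breach_periods: int = 3       # ... for this many consecutive periods -> add a firewall
    in_threshold: float = 30.0    # all metrics at/below this ...
    idle_periods: int = 10        # ... for this many periods -> remove a firewall
    cooldown: int = 5             # periods to ignore after any action
    min_size: int = 2             # never below a redundant pair
    max_size: int = 6


class Autoscaler:
    def __init__(self, size, policy=ScalePolicy()):
        self.size = size
        self.policy = policy
        self.breaches = 0
        self.idle = 0
        self.cooldown_left = 0

    def observe(self, samples):
        """samples: {firewall name: {metric: value}} for one period. Returns the action taken."""
        p = self.policy
        peak = {m: max(fw[m] for fw in samples.values()) for m in METRICS}
        hot = any(v >= p.out_threshold for v in peak.values())
        cold = all(v <= p.in_threshold for v in peak.values())
        if self.cooldown_left:
            # Let the new instance take load (or the removed one drain) before re-evaluating.
            self.cooldown_left -= 1
            self.breaches = self.idle = 0
            return "hold"
        self.breaches = self.breaches + 1 if hot else 0
        self.idle = self.idle + 1 if cold else 0
        if self.breaches >= p.breach_periods and self.size < p.max_size:
            self.size += 1
            self.breaches = 0
            self.cooldown_left = p.cooldown
            return "scale-out"
        if self.idle >= p.idle_periods and self.size > p.min_size:
            self.size -= 1
            self.idle = 0
            self.cooldown_left = p.cooldown
            return "scale-in"
        return "hold"


def simulate(periods, start_size=2, policy=ScalePolicy()):
    """Replay a list of per-period samples; returns (actions, final size)."""
    scaler = Autoscaler(start_size, policy)
    return [scaler.observe(s) for s in periods], scaler.size


# Constructed metric series: a sustained CPU spike, then a long quiet spell.
def _period(cpu, sessions, buffers):
    return {"fw-1": {"dataplane_cpu_pct": cpu, "session_util_pct": sessions, "packet_buffer_pct": buffers},
            "fw-2": {"dataplane_cpu_pct": cpu - 10, "session_util_pct": sessions, "packet_buffer_pct": buffers}}


HOT = _period(88, 45, 20)
COLD = _period(22, 10, 5)
BLIP = [_period(95, 40, 15), COLD]          # one hot sample must not trigger anything
SERIES = [HOT] * 3 + [HOT] * 5 + [COLD] * 10

if __name__ == "__main__":
    actions, size = simulate(SERIES, start_size=2)
    print(actions, "final size:", size)
```

The scale-in path is the one to be conservative about: removing a firewall that still holds sessions drops them, so in a real deployment the "scale-in" action should first take the instance out of the load balancer pool and wait for its Total Active Sessions metric to drain before terminating it.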
CONSISTENT INLINE PROTECTIONS ACROSS CLOUDS

Capability                                        Amazon Web Services      Microsoft Azure             Google Cloud Platform
Native firewall metrics sharing                   CloudWatch               Application Insights        Stackdriver
Native VM monitoring                              PAN-OS                   Template                    PAN-OS
Deployment templates and bootstrapping            Yes                      Yes                         Yes
Cloud-centric scalability and availability        Auto-scaling template    Managed scaling template    Future
Multi-region Marketplace support: hourly/annual   Yes                      Yes                         Yes
BYOL and VM-Series ELA                            Yes                      Yes                         Yes
Most Organizations Are Multi-Cloud
81% of cloud users leverage 2 or more cloud providers - Gartner
Automated, Repeatable
CUSTOMER DEPLOYMENT TRENDS
Large Scale Multi Cloud
DEVOPS & SECURITY: CAN'T WE ALL GET ALONG?
DevOps
• DevOps is dynamic
• VPCs and resource groups added/removed
• Frequent workload adds/removals
Security
• Security is structured
• Follow change control best practices
• Protection of digital assets is Job 1
(Figure labels: Deployment, Configuration, Vendor)
SOLUTION: AUTOMATION
THE NEED FOR AUTOMATION…
(Diagram: VPCs with Trust and Untrust zones and several Security Groups each.)
Infra + Apps + Security = Complexity
AUTOMATING SECURE MULTI-CLOUD DEPLOYMENTS
Terraform + Ansible = One-click Deployment
Quick, Reproducible, Repeatable, Scalable
BENEFITS OF AUTOMATION
• All stakeholders addressed
• Repeatable
• DevSecOps
• Agile
• Single DSL for multi-cloud
(Diagram: Terraform deploys the infrastructure (app, network, security) for the App, Network and Security teams; Ansible configures VM-Series policies; Prisma Cloud provides cloud monitoring & compliance.)
SECURITY IS A SHARED RESPONSIBILITY
(Diagram: the customer owns host vulnerabilities, network traffic, user activities, resource configurations and data security; the CSP owns the underlying networking, storage and compute.)
The Security Landscape is Fragmented
(Diagram: SecOps surrounded by CSP native tools, open source tools, SIEM, point security products and DIY security.)
Shortcomings called out: siloed data; not multi-cloud; limited compliance; higher TCOs; limited coverage; expensive; missing infrastructure context; lack of threat hunting & incident response
Many Security Requirements Across Every Cloud Technology
We Are at Risk of Repeating the Sins of the Past
RISKS IN PUBLIC CLOUD
• Account compromises: 29% of organizations experienced potential account compromises
• Risky configurations: 32% of organizations publicly exposed at least one cloud storage service
• Host vulnerabilities: 23% of organizations have hosts missing critical patches in the cloud
• Container security: 46% of organizations accept traffic to Kubernetes pods from any source
Source: https://start.paloaltonetworks.com/5-key-cloud-security-trends
"Through 2023, at least 99% of cloud failures will be the customer's fault" - Gartner
Prisma Cloud: The Most Comprehensive Platform Today and In the Future
Complete Multi-Cloud Security: Network Security; Vulnerability Management; CI/CD Integration; Runtime Defense; Asset Discovery and Identification; Governance and Compliance; Threat Detection and Investigation; Automated Response; Data Protection
Any Workload, Any Cloud Throughout The Entire Lifecycle
Asset Discovery & Inventory
● Keep track of cloud inventory in real time
● Track any change in security posture
● Prioritize alerts by severity and relevancy
Governance and Compliance
● One-click reporting for all major compliance standards
● 400+ out-of-the-box governance policies
● Centrally discover and monitor cloud native services across clouds, accounts, and regions
Network Security
● Multi-layered network and workload security with both inline and cloud-native distributed firewalls
● Automatic microsegmentation based on your microservice topology
● Move beyond IP address whitelisting with application-aware firewalls
Cloud Threat Detection & Investigation
● Monitor user, network, and resource activity to detect anomalous behaviour and threats
● Drill down into incidents with visualized queries and analyze blast radius
● Auto-prioritize risks for vulnerable hosts; know where your focus is needed
Automated Security Response
● Auto-remediate risky configurations from the Prisma Cloud console
● Trigger security orchestration playbooks for immediate incident response
(Diagram: alert ingestion into Prisma Cloud with threat intelligence from AutoFocus, WildFire, Panorama and MineMeld; response actions through Demisto.)
IAM Security
● Ensure all access configurations such as MFA, SSH keys, and certificates are secure across resources
● Detect and remediate over-permissive roles on workloads and cloud services
● Enforce least-privileged permissions on IAM roles across your environments
Cloud Data Protection
● Gain complete visibility into your data across SaaS and public cloud storage
● Prevent storage misconfiguration and avoid accidental exposure
● Automatically identify sensitive data and prevent data leakage with governance policies
Business and Security Value
Security Value
• One console for complete visibility
• Protect every resource, anywhere
• Catch & prevent violations faster
The Prisma Cloud Difference
• Built from the best-in-class products in cloud security
• Leverage the experience and integrations of the world's leading cybersecurity company
• Protect any resource, throughout the lifecycle, on any cloud
paloaltonetworks.com
Email: [email prot­ected]
Thank You
SECURING DATA CENTER AND PRIVATE CLOUD
Segmentation | Zero Trust | Threat Prevention | Intrusion Prevention
Security strategy: prevent breaches; compliance mandates; security aligned with network/cloud transformation
Technology integration: Cisco, VMware, Arista, Nuage, BigSwitch
Micro-segmentation: stop lateral movement
Zero Trust – Protecting Data Center Network At All Levels
(Diagram: hardware firewalls at the data center perimeter and network core in front of physical servers; virtual firewalls on virtualized servers / private cloud (VMware, Citrix SDX, KVM) and in the public cloud, with real-time communication with the hypervisor so security policy responds to network changes in real time; Panorama for central management of all PANs; orchestration, automation and customization via REST API, scripting and SDK; WildFire cloud-based threat intelligence.)
Automating Security in SDDC – VMware NSX
(Diagram: on VMware ESXi compute hosts running Web, App and DB VMs, the Cloud Admin works in NSX Manager and the Security Admin in Panorama. Panorama registers the VM-Series as a service with NSX Manager; NSX Manager applies traffic redirection (service insertion) policies and sends real-time context updates; Panorama pushes the VM-Series license, security policy and logging configuration.)
• Automated deployment of VM-Series firewall
• Service insertion policy
• Automated security policy creation within Panorama
Network Segmentation
(Diagram: PCI and non-PCI workloads segmented within the Web tier, App tier and Database tier.)
Multitenant
(Diagram: separate Web/App/DB stacks for Development, Test and Production.)
Security Tracks Changes – Dynamic Address Groups
(Diagram: NSX Manager (Cloud Admin) sends real-time dynamic updates to Panorama (Security Admin); hosts A to E run VMs of the Web, Application and Database tiers, and security policy tracks the changes.)
Policy
Source          Destination     Application
Web Servers     App Servers     MyApp        (Allow Web to App)
App Servers     DB Servers      MySQL        (Allow App to DB)
Dynamic address group membership
Web Servers: 10.1.90.51 (NGINX, Linux), 10.1.90.55 (NGINX, Linux), 10.1.90.65 (NGINX, Linux)
App Servers: 10.1.90.10 (Windows, App), 10.1.90.14 (Windows, App), 10.1.90.32 (Windows, App)
DB Servers: 10.1.90.2 (Linux, MySQL), 10.1.90.47 (Linux, MySQL), 10.1.90.49 (Linux, MySQL)
Automate Security Response
(Diagram, described as steps.)
1. Panorama filters the logs for indicators of compromise: threat prevention logs, malware and phishing URL categories, data filtering logs.
2. The matching host (VM 10.1.90.5) is tagged Compromised and so becomes a member of the "Compromised Hosts" dynamic address group. Actions triggered from that tag: enforce multifactor authentication for its HTTP/S sessions, quarantine the VM through NSX Manager, open a ServiceDesk ticket.
3. Firewall policy is updated: the rule whose Source is the Compromised Hosts dynamic address group now applies its Action to 10.1.90.5 without any rule edit.
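The two slides above rest on the same mechanism: a dynamic address group is a match expression over tags, it resolves to whatever hosts currently carry those tags, and the response flow is nothing more than adding one tag to the offending host. The model below is an added example, not part of the slides or of PAN-OS. It builds the three tier groups from the host list on the previous slide, replays a handful of constructed log events through the filter described in step 1, tags the hit, and shows the rendered policy changing without any rule edit. Tag names, the 'and'/'or' match syntax, the log events and the role assumed for 10.1.90.5 are this example's own; the other host addresses are the slide's.

```python
"""Tag-driven dynamic address groups and the automated quarantine step.

Added example, not from the slides or from PAN-OS. Tag names, the match
syntax, the log events and 10.1.90.5's role are constructed; the other host
addresses are the ones on the slides.
"""
import ipaddress


class TagRegistry:
    """IP -> set of tags; the state NSX Manager/Panorama keep in sync on the slide."""

    def __init__(self):
        self.tags = {}

    def register(self, ip, *tags):
        self.tags.setdefault(ip, set()).update(tags)

    def remove_host(self, ip):
        self.tags.pop(ip, None)


def matches(criteria, tags):
    """Evaluate a one-operator match expression ('a and b', 'a or b', or 'a') against a tag set."""
    if " or " in criteria:
        return any(t.strip() in tags for t in criteria.split(" or "))
    return all(t.strip() in tags for t in criteria.split(" and "))


def resolve(groups, registry):
    """{group name: member IPs (sorted)} for every dynamic address group."""
    return {name: sorted((ip for ip, tags in registry.tags.items() if matches(crit, tags)),
                         key=ipaddress.ip_address)
            for name, crit in groups.items()}


def render_policy(policy, members):
    """Expand group names into the concrete addresses the dataplane enforces."""
    def expand(group):
        return ("any",) if group == "any" else tuple(members[group])
    return [(name, expand(src), expand(dst), app, action) for name, src, dst, app, action in policy]


def hosts_to_quarantine(events):
    """Source IPs picked out by the log filter the slide describes."""
    picked = set()
    for e in events:
        if e["type"] == "threat" and e.get("severity") in ("critical", "high"):
            picked.add(e["src"])
        elif e["type"] == "url" and e.get("category") in ("malware", "phishing"):
            picked.add(e["src"])
        elif e["type"] == "data":            # any data-filtering hit
            picked.add(e["src"])
    return picked


def respond(registry, events):
    """Tag every flagged host 'state.compromised'; groups re-resolve on the next lookup."""
    flagged = hosts_to_quarantine(events)
    for ip in flagged:
        registry.register(ip, "state.compromised")
    return flagged


GROUPS = {
    "web-servers": "role.web and env.prod",
    "app-servers": "role.app and env.prod",
    "db-servers": "role.db and env.prod",
    "compromised-hosts": "state.compromised",
}
# Rules as the slides show them; quarantine is first so it wins for a tagged host.
POLICY = [
    ("quarantine", "compromised-hosts", "any", "any", "deny"),
    ("web-to-app", "web-servers", "app-servers", "MyApp", "allow"),
    ("app-to-db", "app-servers", "db-servers", "mysql", "allow"),
]


def build_registry():
    reg = TagRegistry()
    for ip in ("10.1.90.51", "10.1.90.55", "10.1.90.65", "10.1.90.5"):   # 10.1.90.5's role is assumed
        reg.register(ip, "role.web", "env.prod")
    for ip in ("10.1.90.10", "10.1.90.14", "10.1.90.32"):
        reg.register(ip, "role.app", "env.prod")
    for ip in ("10.1.90.2", "10.1.90.47", "10.1.90.49"):
        reg.register(ip, "role.db", "env.prod")
    return reg


# Constructed log events in the three categories the slide filters on.
EVENTS = [
    {"type": "threat", "src": "10.1.90.5", "severity": "critical", "name": "sample-exploit"},
    {"type": "url", "src": "10.1.90.5", "category": "malware"},
    {"type": "threat", "src": "10.1.90.51", "severity": "low", "name": "scan"},
    {"type": "url", "src": "10.1.90.55", "category": "business-and-economy"},
]

if __name__ == "__main__":
    reg = build_registry()
    print("flagged:", respond(reg, EVENTS))
    for rule in render_policy(POLICY, resolve(GROUPS, reg)):
        print(rule)
```

Two properties are worth checking in your own deployment: the quarantined host stays in its tier group (it still carries role.web), so the quarantine rule must sit above the tier rules for the deny to win; and a host that scales in or out only changes the registry, never the policy, which is what lets the firewall keep pace with the hypervisor. Clearing the tag after remediation is the reverse operation and should be a deliberate, logged step rather than an automatic one.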
VM-Series for NSX

Model                                   VM-100/VM-200    VM-300/VM-1000-HV    VM-500
Cores                                   2                4                    8
Firewall throughput (App-ID enabled)    2 Gbps           4 Gbps               9 Gbps
Threat Prevention throughput            1 Gbps           2 Gbps               5 Gbps
Max sessions                            250,000          800,000              2,000,000