
Page 1: Multi-Cloud Protection & Cloud Compliance...2019/11/18  · Security Groups • Basic stateful firewall • Limited scale (# SGs, # rules/SG) • No application visibility or user

Multi-Cloud Protection & Cloud Compliance

Nattapon Palviriyachot, Security Consultant, Palo Alto Networks

Page 2

How to secure your application and data in the cloud?

2 | © 2016, Palo Alto Networks, Inc. Confidential and Proprietary.

Page 3

Issue: MongoDB running on its default ports (27017, ...) with authentication not required by default

Background: MongoDB listens on 27017 (mongod), 27018 (shard server) and 27019 (config server) by default. Issue: many of these deployments ran with the default configuration, in which authentication is not required, so anyone who could reach the port had full read/write access to the data. This is how the attackers gained entry. (Since MongoDB 3.6 mongod binds to localhost only unless bindIp is changed, but enabling access control with security.authorization is still a separate step; a listener exposed through a permissive security group remains open.)

Page 4

What Happens When AWS S3 is Not Secured?

What happened? May 2017: "Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password"
• Publicly accessible Amazon S3 bucket
• Leaked by a defense contractor
• 60K files, 28 GB of data, unencrypted passwords

What happened? June 2017: "Faulty AWS S3 Configuration Exposes Personal Data of 198M U.S. Voters"
• Unsecured Amazon S3 bucket
• 1.1 TB of personal voter data including names, addresses, etc.
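Both incidents on pages 3 and 4 are configuration failures that can be found by reading the resource definitions rather than by probing the hosts. The script below is an added example (not part of the deck and not Palo Alto Networks code) of the two checks a CSPM tool would run: security-group ingress rules that expose a datastore port such as MongoDB's 27017-27019 to 0.0.0.0/0, and S3 buckets made world-readable by a bucket policy or ACL. The inventory is constructed sample data in the shape of the EC2 DescribeSecurityGroups, S3 GetBucketPolicy and GetBucketAcl responses; the group ID, bucket name and account ID are placeholders and no cloud API is called.

```python
"""CSPM-style checks: datastore ports open to the world, public S3 buckets.
Sample inventory is constructed; no cloud API is called."""
import ipaddress
from typing import Dict, List

# Listeners that should never be reachable from 0.0.0.0/0 or ::/0
DATASTORE_PORTS = {
    27017: "mongodb (mongod)", 27018: "mongodb (shard)", 27019: "mongodb (config server)",
    3306: "mysql", 5432: "postgresql", 6379: "redis", 9200: "elasticsearch",
}
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}


def is_world(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0, i.e. prefix length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg: Dict) -> List[str]:
    """Findings for ingress rules that expose a datastore port to any source."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):           # "-1" means all protocols and ports
            continue
        lo = 0 if proto == "-1" else perm["FromPort"]
        hi = 65535 if proto == "-1" else perm["ToPort"]
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_world(s) for s in sources):
            continue
        for port, name in DATASTORE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{sg['GroupId']}: {name} tcp/{port} open to the world")
    return findings


def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def policy_is_public(policy: Dict) -> bool:
    """True if an unconditioned Allow grants a read/list action to everyone.
    Statements carrying a Condition are skipped here; a real checker must evaluate
    them, because e.g. an aws:SourceVpce condition can still be effectively public."""
    reads = {"*", "s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if _is_public_principal(st.get("Principal")) and reads.intersection(actions):
            return True
    return False


def acl_is_public(acl: Dict) -> bool:
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES
               for g in acl.get("Grants", []))


# ---- constructed sample inventory (placeholder identifiers) ----
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27019, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}


def run_checks() -> List[str]:
    """Evaluate the sample inventory and return every finding."""
    findings = check_security_group(SAMPLE_SG)
    if policy_is_public(PUBLIC_POLICY):
        findings.append("example-bucket: bucket policy grants read to everyone")
    if acl_is_public(PUBLIC_ACL):
        findings.append("example-bucket: ACL grants READ to AllUsers")
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print("FINDING", f)
```

On the sample data the security group yields three findings (the 27017-27019 range open to 0.0.0.0/0; the 443 rule is expected to be public and the 3306 rule is limited to 10.0.0.0/8), and the bucket is flagged twice, once for the policy and once for the ACL. The same functions run unchanged over real describe/get output if you feed them the JSON from the AWS CLI.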

Page 5

Public Cloud Security Options

1. Native tools
2. Point offerings
3. "Do it yourself"

Page 6

Option 1: Commonly used Native Network Security Tools

Security Groups
• Basic stateful firewall
• Limited scale (# SGs, # rules/SG)
• No application visibility or user level control
• No threat prevention capability

Web Application Firewall
• HTTP/Web apps only
• Customized for every app
• No application visibility across other ports
• Limited threat prevention capability
• No data exfiltration protection

Page 7

Option 2: Other Third Party Products

INLINE SECURITY / IAM
• Cisco
• Checkpoint
• Fortinet
• Sophos
• Trend Micro
• Dome9
• Savyint
• Alertlogic

DATA GOVERNANCE
• Netskope
• Skyhigh
• Cisco

Most products address only part of the security problem

Page 8

Option 3: "Do It Yourself"

• Resources?
• Expertise?
• Incident assistance?

Page 9

What's Our Approach?

Page 10

Our Approach – End to End Cloud Security

(diagram) SaaS and business applications; IaaS/PaaS workloads protected by Traps; S3 storage and the cloud console.

Page 11

PALO ALTO NETWORKS SECURITY OPERATING PLATFORM FRAMEWORK

(diagram) Application Framework hosting Palo Alto Networks apps, 3rd-party apps and customer apps on top of Network Security, Advanced Endpoint Protection and Cloud Security; Threat Intel Data from MineMeld and AutoFocus; cloud-delivered security services: URL & Domain Filtering, Exploitation Prevention, Malware Prevention, C&C Channel Prevention; Analytics, Investigation & Response.

Page 12

Three Critical Components of Cloud Security

Page 13

The Most Complete Public Cloud Security Offering

(diagram) Three layers of protection across the public cloud:
• INLINE: protect and segment cloud workloads (in front of the web server and app server in Infrastructure-as-a-Service)
• HOST: secure OS and app within workloads
• API: continuous security & compliance across IaaS, Platform-as-a-Service (serverless, containers, storage) and users/admins, delivered by Prisma Cloud

Page 14

VM-Series NGFW: Multi-Cloud

Page 15

PALO ALTO NETWORKS SECURITY OPERATING PLATFORM FRAMEWORK (same diagram as page 11)

Page 16

VM-Series NGFW for Inline Protection

(diagram) VM-Series between workloads
• Bi-directional application visibility and control
• Prevent known and unknown threats
• Centrally manage for policy consistency
• Automate deployment and policy updates

Page 17

Deployment with VM-Series

Protect your AWS, Azure and GCP deployment just as you would your data center

• Hybrid: securely deploy applications in your data center or in the cloud
• Segmentation: separate data and applications for compliance and security
• Internet Gateway: protect Internet facing applications
• Remote Access: security consistency for your network, your cloud, and your devices

Page 18

INLINE SECURITY FOR PUBLIC CLOUD

• Internet facing applications
  • Protect against known vulnerabilities until you have time to patch/update
  • For example: CVE-2017-5638 for Apache Struts (remote code execution through an OGNL expression in a crafted Content-Type header; an IPS signature blocks the exploit while the patch is being rolled out)
• Hybrid cloud
  • Allow only approved admins to run SQL transactions against MySQL
  • Block all threats from moving laterally between different trust domains
• East-West between VPCs or VNETs
  • Only allow MySQL, NTP, DNS and AD/LDAP between application tiers
  • Security policy automatically updates to protect auto-scaled apps
• Outbound
  • Allow Ubuntu servers to only do apt-get to *.canonical.com for software updates
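The three policies above are application- and user-based rather than port-based, which is the whole difference from a security group. The script below is an added example (not from the deck and not PAN-OS configuration) that models that rule base as a first-match policy with an implicit interzone deny and evaluates constructed flows against it. Zone names, the db-admins group, the tier layout and the host names are assumptions; the App-ID names (mysql, ssh, apt-get, web-browsing) are the identifiers the firewall would assign, but here they are simply labels on the sample flows.

```python
"""Model of the App-ID / User-ID rule base described above, evaluated against
constructed flows. Illustration of the policy semantics, not PAN-OS config."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple

TIERS = {"web", "app", "db"}          # assumed zone names for the application tiers


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    apps: Set[str]                             # App-ID names, independent of port
    user_groups: Optional[Set[str]] = None     # None = any user
    dst_fqdn: Optional[str] = None             # wildcard pattern on the destination name
    action: str = "allow"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str                                   # what App-ID identified in the payload
    dst_port: int
    user_groups: Set[str] = field(default_factory=set)
    dst_fqdn: Optional[str] = None


POLICY: List[Rule] = [
    # Hybrid: only approved admins may run SQL against MySQL in the db tier
    Rule("hybrid-dba-mysql", {"onprem"}, {"db"}, {"mysql"}, user_groups={"db-admins"}),
    # East-west: only these applications may cross between application tiers
    Rule("tier-to-tier", TIERS, TIERS, {"mysql", "ntp", "dns", "ldap"}),
    # Outbound: Ubuntu servers may only do apt-get to *.canonical.com
    Rule("ubuntu-updates", TIERS, {"untrust"}, {"apt-get"}, dst_fqdn="*.canonical.com"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    if flow.src_zone not in rule.from_zones or flow.dst_zone not in rule.to_zones:
        return False
    if flow.app not in rule.apps:              # decided by App-ID, never by dst_port
        return False
    if rule.user_groups is not None and not (rule.user_groups & flow.user_groups):
        return False
    if rule.dst_fqdn is not None and not (flow.dst_fqdn and fnmatch(flow.dst_fqdn, rule.dst_fqdn)):
        return False
    return True


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First matching rule wins; anything else hits the implicit interzone deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "interzone-default"


def port_only_verdict(flow: Flow, allowed_ports: Set[int]) -> str:
    """What a port-based security group would decide for the same flow."""
    return "allow" if flow.dst_port in allowed_ports else "deny"


# Constructed flows
MYSQL_FROM_APP = Flow("app", "db", "mysql", 3306)
SSH_ON_3306 = Flow("app", "db", "ssh", 3306)             # an SSH tunnel dressed up as MySQL
DBA_FROM_ONPREM = Flow("onprem", "db", "mysql", 3306, user_groups={"db-admins"})
DEV_FROM_ONPREM = Flow("onprem", "db", "mysql", 3306, user_groups={"developers"})
APT_CANONICAL = Flow("app", "untrust", "apt-get", 80, dst_fqdn="security.canonical.com")
APT_UBUNTU_MIRROR = Flow("app", "untrust", "apt-get", 80, dst_fqdn="archive.ubuntu.com")
CURL_OUT = Flow("app", "untrust", "web-browsing", 80, dst_fqdn="example.com")

if __name__ == "__main__":
    for f in (MYSQL_FROM_APP, SSH_ON_3306, DBA_FROM_ONPREM, DEV_FROM_ONPREM,
              APT_CANONICAL, APT_UBUNTU_MIRROR, CURL_OUT):
        print(f.src_zone, "->", f.dst_zone, f.app, f"tcp/{f.dst_port}:", evaluate(f),
              "| port-based SG:", port_only_verdict(f, {3306, 80}))
```

The SSH_ON_3306 flow is the point of the exercise: a security group that permits tcp/3306 between the app and db tiers lets it through, while the App-ID rule denies it because the payload is not MySQL. The model also exposes a practical gap in the outbound rule as worded on the slide: a stock Ubuntu sources.list fetches from archive.ubuntu.com and security.ubuntu.com, so a rule limited to *.canonical.com would block default updates unless those names (or a custom URL category) are added.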

Page 19

TRANSIT VPC/VNET WITH THE VM-SERIES

• Provides security for VPC-to-VPC/VNET-to-VNET, hybrid, and outbound traffic
• Leverages the new AWS Virtual Private Gateway features for large scale deployments
• Fully redundant with fast convergence

Page 20

Reference Network Architecture with Transit Gateway

(diagram) Outbound VPC, Inbound VPC, Inline-Services VPC and Management VPC attached to the Transit Gateway; Prisma Cloud provides cloud monitoring & compliance through the cloud APIs.

Page 21

Transit Vnet Design

(diagram) Hub-and-spoke design with a transit VNet and three subscriber VNets:

Virtual Network AzureRefArch-Transit-VNET
  Subnets: Transit-Public 172.17.1.0/24, Transit-Private 10.1.0.0/24, Transit-VPN 10.1.15.0/24, GatewaySubnet 10.1.40.0/24
  ARATR-VM FW1-Outbound: 172.17.1.6 (eth1), 10.1.0.6 (eth2), 10.1.15.6 (eth3)
  ARATR-VM FW2-Outbound: 172.17.1.7 (eth1), 10.1.0.7 (eth2), 10.1.15.7 (eth3)
  10.1.0.21: next hop used by every spoke UDR, fronting the outbound firewall pair
  ARATR-VNG (VPN gateway) 10.1.15.21 to the local network (backhaul)

Subscriber VNets, each VNet-peered to the transit VNet:
  Virtual Network ARA-Subscriber2-VNET (10.2.0.0/16), DB subnet 10.2.3.0/24
    UDR: 0.0.0.0/0, 10.3.0.0/16, 10.5.0.0/16, 10.6.0.0/16 -> next hop 10.1.0.21
  Virtual Network ARA-Subscriber3-VNET (10.3.0.0/16), Business subnet 10.3.2.0/24
    UDR: 0.0.0.0/0, 10.2.0.0/16, 10.5.0.0/16, 10.6.0.0/16 -> next hop 10.1.0.21
  Virtual Network ARA-Subscriber5-VNET (10.5.0.0/16), Web subnet 10.5.1.0/24, Private 10.5.0.0/24, Public 172.16.1.0/24
    Inbound firewall pair: 172.16.1.6 (eth1) / 10.5.0.6 (eth2) and 172.16.1.7 (eth1) / 10.5.0.7 (eth2), public IP 191.237.87.98 (tcp/80)
    UDR: 0.0.0.0/0, 10.2.0.0/16, 10.3.0.0/16, 10.6.0.0/16 -> next hop 10.1.0.21

Traffic flows shown: Inbound (through the Subscriber5 firewalls), Outbound and East/West (through the transit firewalls), Backhaul (through the VPN gateway to the local network)
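Whether east-west and Internet traffic in this design actually passes the firewalls depends entirely on route selection in each spoke: Azure chooses the longest matching prefix and, on a tie, prefers a user-defined route over BGP over system routes. The script below is an added example (not from the deck and not Azure tooling) that reproduces that selection over the diagram's prefixes to find any destination a spoke could reach without inspection. It assumes the transit VNet address space is 10.1.0.0/16, treats 10.6.0.0/16 (which appears only as a route target in the diagram) as a fourth spoke, and uses the diagram's 10.1.0.21 as the firewall next hop.

```python
"""Effective-route check for the transit VNet design: which destinations would
bypass the firewall next hop 10.1.0.21. Constructed example, not Azure tooling."""
import ipaddress
from typing import Dict, List, Sequence

FW_NEXT_HOP = "10.1.0.21"
HUB = "10.1.0.0/16"                            # assumed transit VNet address space
ORIGIN_RANK = {"user": 0, "bgp": 1, "system": 2}   # lower wins when prefix lengths tie

SPOKES: Dict[str, str] = {
    "ARA-Subscriber2-VNET": "10.2.0.0/16",
    "ARA-Subscriber3-VNET": "10.3.0.0/16",
    "ARA-Subscriber5-VNET": "10.5.0.0/16",
    "ARA-Subscriber6-VNET": "10.6.0.0/16",     # assumed fourth spoke
}


class Route:
    def __init__(self, prefix: str, next_hop: str, origin: str = "system"):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.origin = origin


def spoke_route_table(local: str, udr_prefixes: Sequence[str],
                      extra_peerings: Sequence[str] = ()) -> List[Route]:
    """System routes Azure creates for a spoke (local VNet, hub peering, Internet),
    any extra direct peerings, and the UDR entries pointing at the firewall."""
    routes = [Route(local, "VnetLocal"), Route(HUB, "VNetPeering"), Route("0.0.0.0/0", "Internet")]
    routes += [Route(p, "VNetPeering") for p in extra_peerings]
    routes += [Route(p, FW_NEXT_HOP, "user") for p in udr_prefixes]
    return routes


def effective_next_hop(routes: List[Route], dst: str) -> str:
    """Longest prefix match, then user > bgp > system."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.prefix]
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -ORIGIN_RANK[r.origin]))
    return best.next_hop


def full_udr(local: str) -> List[str]:
    """The UDR the diagram gives every spoke: default route plus every other spoke."""
    return ["0.0.0.0/0"] + [c for c in SPOKES.values() if c != local]


def bypasses(routes: List[Route], destinations: Sequence[str]) -> List[str]:
    """Destinations whose effective next hop is not the firewall."""
    return [d for d in destinations if effective_next_hop(routes, d) != FW_NEXT_HOP]


# One representative address in each other spoke, plus an Internet address
PROBES = ["10.2.3.5", "10.5.1.10", "10.6.0.4", "8.8.8.8"]

# Subscriber3 as drawn: full UDR, peered only to the hub
AS_DESIGNED = spoke_route_table("10.3.0.0/16", full_udr("10.3.0.0/16"))
# Someone adds a direct Subscriber3<->Subscriber2 peering; the /16 UDR still wins the tie
DIRECT_PEER_FULL_UDR = spoke_route_table("10.3.0.0/16", full_udr("10.3.0.0/16"), ["10.2.0.0/16"])
# Same peering, but a UDR carrying only the default route: the peering /16 is more specific
DIRECT_PEER_DEFAULT_ONLY = spoke_route_table("10.3.0.0/16", ["0.0.0.0/0"], ["10.2.0.0/16"])

if __name__ == "__main__":
    for label, table in (("as designed", AS_DESIGNED),
                         ("direct peering + full UDR", DIRECT_PEER_FULL_UDR),
                         ("direct peering + default-only UDR", DIRECT_PEER_DEFAULT_ONLY)):
        print(f"{label}: uninspected -> {bypasses(table, PROBES)}")
    # Traffic inside the spoke itself never reaches the transit firewalls in this design
    print("same-VNet destination:", effective_next_hop(AS_DESIGNED, "10.3.2.20"))
```

The third case is the one to watch for in operations: a spoke-to-spoke peering added later creates a /16 system route that beats a default-only UDR, so east-west traffic silently stops being inspected. Listing every other spoke explicitly in each UDR, as the diagram does, keeps the user-defined route winning the tie. Intra-VNet traffic (10.3.2.20 from inside Subscriber3) stays on the VnetLocal route and is out of scope for the transit firewalls.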

Page 22

Shared VPC Design Model

Page 23

VM-Series License Options

                    BYOL                                    PAYG
                    VM-Series ELA        Traditional        Marketplace
VM-Series license   Term                 Perpetual          Term
Duration            1 and 3 YR           1, 3, and 5 YR     Hourly, Annual
Capacity License    Single Model / ELA   Any                VM-300
Bundles             Bundle 2             Basic, Bundle 1,   Bundle 1, Bundle 2
                                         Bundle 2

Two license options in Azure: BYOL and PAYG

Bundle 1 - Includes a VM capacity license, Threat Prevention license (IPS, AV, malware prevention), and a premium support entitlement.

Bundle 2 - Includes a VM capacity license, Threat Prevention (IPS, AV, malware prevention), GlobalProtect, WildFire, PAN-DB URL Filtering licenses, and a premium support entitlement.

Page 24

VM-Series Industry Leading Performance and Breadth

Throughput: VM-100 2 Gbps, VM-300 4 Gbps, VM-500 8 Gbps, VM-700 16 Gbps

Capacities            VM-100     VM-300     VM-500       VM-700
Max Sessions          250,000    800,000    2,000,000    10,000,000
Security Rules        1,500      10,000     10,000       20,000
Security Zones        40         40         200          200
IPSec VPN Tunnels     1,000      2,000      4,000        8,000
SSL VPN Tunnels       500        2,000      6,000        12,000

Requirements
CPU cores (Min/Max)   2          2/4        2/8          2/16
Min Memory            6.5 GB     9 GB       16 GB        56 GB
Min Disk Capacity     60 GB      60 GB      60 GB        60 GB

Page 25

NGFW METRICS IN PUBLIC CLOUD

• Use VM-Series metrics for monitoring and automation
  • Monitor VM-Series from the respective cloud management portals
  • Trigger actions based on metrics
  • Custom/do-it-yourself auto scaling
• Supported environments
  • Google Cloud Platform Stackdriver
  • Azure Application Insights
  • AWS CloudWatch (Feb 2017)
• New metrics can be added via PAN-OS content updates

VM-Series Metrics
• Session Utilization %
• GlobalProtect Tunnel Utilization %
• Dataplane CPU Utilization %
• Dataplane Packet Buffer Utilization %
• SSL Proxy Utilization %
• Total Active Sessions
• GlobalProtect Active Tunnels

Page 26

CONSISTENT INLINE PROTECTIONS ACROSS CLOUDS

Capabilities                                       Amazon Web Services     Microsoft Azure            Google Cloud Platform
Native firewall metrics sharing                    CloudWatch              Application Insights       Stackdriver
Native VM monitoring                               PAN-OS                  Template                   PAN-OS
Deployment templates and bootstrapping             Yes                     Yes                        Yes
Cloud centric scalability and availability         Auto-scaling template   Managed scaling template   Future
Multi-region Marketplace support: hourly/annual    Yes                     Yes                        Yes
BYOL and VM-Series ELA                             Yes                     Yes                        Yes

Page 27

Most Organizations Are Multi-Cloud

81% of cloud users leverage 2 or more cloud providers - Gartner

Page 28

CUSTOMER DEPLOYMENT TRENDS

• Automated, Repeatable
• Large Scale
• Multi Cloud

Page 29

DEVOPS & SECURITY: CAN'T WE ALL GET ALONG?

DevOps
• DevOps is dynamic
• VPCs, Resource Groups added/removed
• Frequent workload adds/removals

Security
• Security is structured
• Follow change control best practices
• Protection of digital assets is Job 1

Page 30

SOLUTION: AUTOMATION

(diagram) Deployment, Configuration, Vendor

Page 31

THE NEED FOR AUTOMATION…

(diagram) A VPC with Untrust and Trust zones and several security groups.

Infra + Apps + Security = Complexity

Page 32

AUTOMATING SECURE MULTI-CLOUD DEPLOYMENTS

Terraform + Ansible = One-click Deployment

Quick, Reproducible, Repeatable, Scalable

Page 33: Multi-Cloud Protection & Cloud Compliance...2019/11/18  · Security Groups • Basic stateful firewall • Limited scale (# SGs, # rules/SG) • No application visibility or user

• All stake holders addressed• Repeatable

• DevSecOps• Agile

• Single DSL for multi-cloud

BENEFITS OF AUTOMATION

DeployInfra

ConfigureVM-Series

Policies

AnsibleNetwork Team

App Team

Security Team

TerraformApp

Network

Security

Page 34

Prisma Cloud: Cloud Monitoring & Compliance

Page 35

The Most Complete Public Cloud Security Offering (same diagram as page 13)

Page 36

SECURITY IS A SHARED RESPONSIBILITY

(diagram) Customer: host vulnerabilities, network traffic, user activities, resource configurations, data security. Cloud service provider (CSP): networking, storage, compute.

Page 37

The Security Landscape is Fragmented

(diagram) SecOps surrounded by CSP native tools, open source tools, SIEM and point security products. Drawbacks called out: siloed data; not multi-cloud; limited compliance; higher TCOs; limited coverage; DIY security; expensive; missing infrastructure context; lack of threat hunting & incident response.

Page 38

Most Organizations Are Multi-Cloud (repeat of page 27)

Page 39

Many Security Requirements Across Every Cloud Technology

Page 40

We Are at Risk of Repeating the Sins of the Past

Page 41

RISKS IN PUBLIC CLOUD

• Account Compromises: 29% of organizations experienced potential account compromises
• Risky Configurations: 32% of organizations publicly exposed at least one cloud storage service
• Host Vulnerabilities: 23% of organizations have hosts missing critical patches in the cloud
• Container Security: 46% of organizations accept traffic to Kubernetes pods from any source

source: https://start.paloaltonetworks.com/5-key-cloud-security-trends

"Through 2023, at least 99% of cloud failures will be the customer's fault" - Gartner

Page 42

Prisma Cloud: The Most Comprehensive Platform Today and In the Future

Page 43

Complete Multi-Cloud Security

• Network Security
• Vulnerability Management
• CI/CD Integration
• Runtime Defense
• Asset Discovery and Identification
• Governance and Compliance
• Threat Detection and Investigation
• Automated Response
• Data Protection

Any Workload, Any Cloud, Throughout The Entire Lifecycle

Page 44

Asset Discovery & Inventory

● Keep track of cloud inventory in real-time
● Track any change in security posture
● Prioritize alerts by severity and relevancy

Page 45

Governance and Compliance

● One-click reporting for all major compliance standards
● 400+ out-of-the-box governance policies
● Centrally discover and monitor cloud native services across clouds, accounts, and regions

Page 46

Network Security

● Multi-layered network and workload security with both inline and cloud-native distributed firewalls
● Automatic microsegmentation based on your microservice topology
● Move beyond IP address whitelisting with application-aware firewalls

Page 47

Cloud Threat Detection & Investigation

● Monitor user, network, and resource activity to detect anomalous behaviour and threats
● Drill down into incidents with visualized queries and analyze blast radius
● Auto-prioritize risks for vulnerable hosts, know where your focus is needed

Page 48

Automated Security Response

● Auto-remediate risky configurations from the Prisma Cloud console
● Trigger security orchestration playbooks for immediate incident response

(diagram) Prisma Cloud with alert ingestion and response actions; threat intelligence from AutoFocus, WildFire, Panorama and MineMeld; Demisto for orchestration.

Page 49

IAM Security

● Ensure all access configurations such as MFA, SSH keys, and certificates are secure across resources
● Detect and remediate over-permissive roles on workloads and cloud services
● Enforce least-privileged permissions on IAM roles across your environments

Page 50

Cloud Data Protection

● Gain complete visibility into your data across SaaS and public cloud storage
● Prevent storage misconfiguration and avoid accidental exposure
● Automatically identify sensitive data and prevent data leakage with governance policies

Page 51

Business and Security Value

Page 52

Security Value

• One Console For Complete Visibility
• Protect Every Resource, Anywhere
• Catch & Prevent Violations Faster

Page 53

The Prisma Cloud Difference

• Built from the best-in-class products in cloud security
• Leverage the experience and integrations of the world's leading cybersecurity company
• Protect any resource, throughout the lifecycle, on any cloud

Page 54

Thank You

paloaltonetworks.com
Email: [email protected]

Page 55

SECURING DATA CENTER AND PRIVATE CLOUD

Page 56

(diagram) Security strategy: segmentation, Zero Trust, threat prevention, intrusion prevention, micro-segmentation to stop lateral movement. Drivers: prevent breaches, compliance mandates, security aligned with network/cloud transformation. Technology integration: Cisco, VMware, Arista, Nuage, BigSwitch.

Page 57

Zero Trust – Protecting Data Center Network At All Levels

(diagram) Hardware firewalls at the data center perimeter and network core protect physical servers; virtual firewalls protect virtualized servers / private cloud (VMware, Citrix SDX, KVM) and public cloud, with real-time communication with the hypervisor so that security policy responds to network changes in real time. Panorama: central management of all PAN firewalls. Orchestration, automation and customization via REST API, scripting and SDK. WildFire: cloud-based threat intelligence.

Page 58

Automating Security in SDDC – VMware NSX

(diagram) On a VMware ESXi compute host running Web, App and DB VMs, NSX service insertion redirects traffic to an automatically deployed VM-Series firewall. The Cloud Admin works in NSX Manager, the Security Admin in Panorama. Between NSX Manager and Panorama: registration of the VM-Series as a service, traffic redirection policies, real-time context updates. From Panorama to the VM-Series: license, security policy, logging.

Page 59

Automated Security Policy Creation within Panorama

Page 60

Network Segmentation

(diagram) Web tier, App tier and Database tier, each containing PCI-scoped workloads that are segmented from the rest of the tier.

Page 61

Multitenant

(diagram) Development, Test and Production environments, each with its own Web, App and DB tiers.

Page 62

Security Tracks Changes – Dynamic Address Groups

(diagram) Cloud Admin works in NSX Manager, Security Admin in Panorama; NSX Manager sends real-time dynamic updates to Panorama, and the security policy tracks changes across Host A to Host E in the Web, Application and Database tiers.

Policy
  Source          Destination     Application
  Web Servers     App Servers     MyApp        (Allow Web to App)
  App Servers     DB Servers      MySQL        (Allow App to DB)

Dynamic address group membership, derived from VM attributes:
  Web Servers: 10.1.90.51, 10.1.90.55, 10.1.90.65 (NGINX, Linux)
  App Servers: 10.1.90.10, 10.1.90.14, 10.1.90.32 (Windows, App)
  DB Servers:  10.1.90.2, 10.1.90.47, 10.1.90.49 (Linux, MySQL)

Page 63

Automate Security Response

(diagram) 1. Firewall logs (threat prevention logs, malware and phishing URL categories, data filtering logs) are filtered in Panorama for indicators that a VM, here 10.1.90.5, is compromised.
2. Panorama adds 10.1.90.5 to the "Compromised Hosts" dynamic address group and triggers the response actions: update firewall policy, quarantine the VM through NSX Manager, open a ServiceDesk ticket.
3. Policy keyed on the dynamic address group takes effect without a rule change:

  Policy                 Source              Action
  Compromised hosts      Compromised Hosts   Enforce multifactor authentication (HTTP/S); Quarantine VM
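Pages 62 and 63 both rest on one mechanism: rules reference dynamic address groups, group membership is computed from tags, and a response is therefore a tag change rather than a policy edit. The script below is an added example (not from the deck and not Palo Alto Networks code) that makes that mechanism executable: hosts and tags follow the page-62 table, the rule base is the two allow rules plus a quarantine rule, and quarantining a host applies the tag and builds the User-ID "register" message PAN-OS accepts on its XML API (type=user-id) for dynamic address group updates. 10.1.90.5 is the compromised VM from page 63 and is placed in the web tier by assumption; no firewall is contacted.

```python
"""Tag-driven dynamic address groups with a quarantine-by-tag response.
Hosts follow the slide table; 10.1.90.5's tier is assumed. No firewall is contacted."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set, Tuple

Tags = Set[str]

HOSTS: Dict[str, Tags] = {
    "10.1.90.51": {"web", "nginx", "linux"}, "10.1.90.55": {"web", "nginx", "linux"},
    "10.1.90.65": {"web", "nginx", "linux"}, "10.1.90.5": {"web", "nginx", "linux"},
    "10.1.90.10": {"app", "windows"}, "10.1.90.14": {"app", "windows"}, "10.1.90.32": {"app", "windows"},
    "10.1.90.2": {"db", "mysql", "linux"}, "10.1.90.47": {"db", "mysql", "linux"},
    "10.1.90.49": {"db", "mysql", "linux"},
}

# Dynamic address groups: name -> match condition over a host's tags
GROUPS: Dict[str, Callable[[Tags], bool]] = {
    "Web Servers": lambda t: "web" in t,
    "App Servers": lambda t: "app" in t,
    "DB Servers": lambda t: "db" in t and "mysql" in t,
    "Compromised Hosts": lambda t: "compromised" in t,
}

# Ordered rule base: (name, source group, destination group, application, action)
POLICY = [
    ("Quarantine compromised", "Compromised Hosts", "any", "any", "deny"),
    ("Allow Web to App", "Web Servers", "App Servers", "MyApp", "allow"),
    ("Allow App to DB", "App Servers", "DB Servers", "mysql", "allow"),
]


def members(group: str, hosts: Dict[str, Tags]) -> Set[str]:
    """Membership is recomputed from tags every time, so it follows host changes."""
    return {ip for ip, tags in hosts.items() if GROUPS[group](tags)}


def evaluate(src: str, dst: str, app: str, hosts: Dict[str, Tags]) -> Tuple[str, str]:
    """First match wins; unmatched traffic falls to the default rule (deny here)."""
    for name, sgrp, dgrp, rule_app, action in POLICY:
        if sgrp != "any" and src not in members(sgrp, hosts):
            continue
        if dgrp != "any" and dst not in members(dgrp, hosts):
            continue
        if rule_app not in ("any", app):
            continue
        return action, name
    return "deny", "default"


def register_tag_xml(ip: str, tag: str) -> str:
    """User-ID API payload registering `tag` on `ip` (the uid-message format
    PAN-OS documents for dynamic address group updates)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def quarantine(ip: str, hosts: Dict[str, Tags]) -> str:
    """Page-63 response: tag the host; the Quarantine rule now matches it.
    Returns the register message that would be POSTed to the firewall."""
    hosts.setdefault(ip, set()).add("compromised")
    return register_tag_xml(ip, "compromised")


if __name__ == "__main__":
    inv = {ip: set(t) for ip, t in HOSTS.items()}
    print(evaluate("10.1.90.5", "10.1.90.10", "MyApp", inv))   # ('allow', 'Allow Web to App')
    print(quarantine("10.1.90.5", inv))
    print(evaluate("10.1.90.5", "10.1.90.10", "MyApp", inv))   # ('deny', 'Quarantine compromised')
    inv["10.1.90.70"] = {"web", "nginx", "linux"}              # new web VM: no rule edit needed
    print(evaluate("10.1.90.70", "10.1.90.14", "MyApp", inv))  # ('allow', 'Allow Web to App')
```

Two things the run shows that the slides only assert: a newly tagged web VM is covered by "Allow Web to App" the moment it appears, and quarantining 10.1.90.5 flips its verdict from allow to deny without touching the rule base. Because the Quarantine rule is evaluated first, a compromised host cannot fall through to the tier rules even though it still carries its "web" tag.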

Page 64

VM-Series for NSX

Model                                   VM-100/VM-200   VM-300/VM-1000-HV   VM-500
Cores                                   2               4                   8
Firewall Throughput (App-ID enabled)    2 Gbps          4 Gbps              9 Gbps
Threat Prevention Throughput            1 Gbps          2 Gbps              5 Gbps
Max sessions                            250,000         800,000             2,000,000