Align information security with a micro-segmented, software defined data center to extend consistent network and endpoint security capabilities seamlessly across multi-cloud environments.
The Palo Alto Networks Security Operating Platform, providing unified next-generation security capabilities and integrated global threat intelligence to automate cyber protections across the network, endpoints, and public cloud environments, with consolidated policy management and visibility through a single pane of glass.
Threat Prevention, URL Filtering (PAN-DB), WildFire, GlobalProtect, Traps, AutoFocus, Panorama, Prisma
PA-5250 (8), PA-5220 (2), PA-3220 (1), PA-820 (4), PA- 220 (2), VM-300 (8), VM-100 (2)
FNTS is a leading cloud hosting and managed services provider specializing in end-to-end technology offerings, including legacy system management, digital transformation, data center services, and managed security services. Established in 1995, FNTS is a subsidiary of First National of Nebraska Inc., a $20 billion multi-state holding company based in Omaha, Nebraska, that has a strong heritage of banking excellence. Operating a state-of-the-art data center and offering customized services, FNTS is a trusted, nationally recognized leader in managed IT services. Founded on hardworking, Midwestern ideals, the company places value on work ethic and customer service. FNTS is recognized through numerous industry-specific certifications and partners with the world’s most respected technology companies.
Nebraska-based cloud hosting and managed services provider FNTS transformed its cloud hosting environment by adopting a hyperconverged, micro-segmented, and software-defined infrastructure. Traditional security approaches did not align with this new model, instead requiring an integrated suite of security capabilities that could extend seamlessly across private and public cloud environments. To address this need, FNTS deployed the Palo Alto Networks Security Operating Platform®, taking advantage of the platform’s integration with VMware NSX® network virtualization to build a Zero Trust security infrastructure across its internal and client-facing network, physical and virtual endpoints, and public cloud environments. By centrally building, managing, and enforcing granular security policies, FNTS ensures that only specific, authorized traffic is permitted into, across, and out of its multi-cloud environments. The Palo Alto Networks platform also enables FNTS to accelerate investigation and remediation of incidents as well as automate protection across the network and endpoints, saving time and building client trust.
Securing Multi-Cloud Environments on a Single Platform
Organizations of all types and sizes are increasingly moving business applications, if not their entire operations, into public clouds like Google Cloud Platform (GCP™), Amazon Web Services (AWS®), and Microsoft Azure®. However, many organizations have large investments in legacy platforms that are not good fits for public clouds. How can these organizations take advantage of cloud features, such as elastic computing, microservices, and hyperconverged infrastructure, and mesh these with their traditional environments all under one roof? FNTS has the answer.
FNTS is a cloud hosting and managed services provider that brings its clients a personalized approach to address the full range of their IT operations needs. The company’s “white glove” service includes providing every client with a strategic account manager to evaluate current and future objectives as well as guide them in making the best IT choices to meet those objectives. That could mean running platforms and applications in the secure, state-of-the-art FNTS private cloud, on the client’s premises, in a public cloud, or in any combination. Regardless, FNTS ensures each client has a single, dedicated partner to look after their best interests.
Such an operationally critical relationship carries great responsibility to protect client environments from cyberattacks, credential theft, and data exfiltration. Thanks to its lineage in the banking industry, FNTS has a strong culture of security and compliance built into its hosting and cloud services. As the company modernized its data center, building a hyperconverged and micro-segmented cloud hosting infrastructure, FNTS needed a holistic approach to security that aligned with its business model and defended against threats such as phishing, zero-day attacks, advanced persistent threats, and sophisticated new exploits that compromise social media profiles to steal credentials. Rob LaMagna-Reiter, chief information security officer at FNTS, remarks, “We see attacks with a variety of origins, entry points, methods, and intentions, which makes it difficult to apply a common set of protection mechanisms. We needed an approach to security that integrated into all the components of our software-defined data center and enabled us to extend our security capabilities seamlessly throughout a multi-cloud environment.”
He continues, “Rather than take a traditional route and deploy multiple best-of-breed point products, which would create a lot of complexity and limit the full value of what we could get from the investment, we wanted a unified approach—all the security capabilities we need on a single platform with centralized logging for sharing information across the enterprise. That led us straight to Palo Alto Networks.”
Enabling Zero Trust Without Impeding Hosted Client Operations
FNTS deployed the Palo Alto Networks Security Operating Platform, using the platform’s integration with VMware NSX network virtualization to build a Zero Trust security infrastructure across its internal and client-facing network, endpoints, and multi-cloud environments. Drawing on its legacy in securing banking operations, FNTS saw adopting a Zero Trust posture as a competitive differentiator compared to other managed services and cloud hosting providers.
Security and networking technology have matured to a point where implementing Zero Trust principles is more “frictionless,” allowing FNTS to maximize limitations on who has access to which servers and assets without inhibiting workflow or user productivity. This gave the company the confidence to fully embrace Zero Trust principles and begin to gradually transition clients from their traditional operating models to a Zero Trust environment.
LaMagna-Reiter explains, “We start by creating policies based on more open traffic flow and then use the visibility we gain out of the logs in Panorama to pare down those policies over time. In this way, we transform clients into a Zero Trust environment without impacting their day-to-day business.”
LaMagna-Reiter points out that capabilities like Palo Alto Networks App-ID™ and User-ID™ technology play a central role in providing the visibility to define fine-grained policies in a micro-segmented Zero Trust environment. “Using App- ID and User-ID, we’re able to create classifications so that only certain users or groups of users can access a particular application or a specific resource on a server. That allows us to constrict our policies and enforce tighter controls, which is huge from a policy standpoint.”
Enforcement is enabled at the infrastructure level using service redirection provided by the Palo Alto Networks platform to automatically route all traffic coming into, crossing, or attempting egress from the NSX virtual network through the next-generation firewall where FNTS’ Layer 7 policies are applied. This determines which users, virtual machines, and applications can connect with each other whether or not they are on the same subnet.
LaMagna-Reiter comments, “Having such a deep level of visibility and control that the Palo Alto Networks platform provides furthers our Zero Trust posture because, as we all know, it’s never trust, always verify. With Zero Trust, you only want specific, authorized network traffic to get through, and nothing else is allowed. By not only having control at the device and application layer, but also being able to leverage user intelligence, we know definitively that a resource on our network is only being used for its intended purpose, and we have less worry that data is being exfiltrated.”
He adds, “We’re able to report on the level of risk mitigation these controls introduce, which I can share [with] my peers and external audit firms. It allows us to demonstrate how we’re continually enhancing role-based access controls to protect both FNTS and our clients. This gets back to assuring our clients that they can put their trust in FNTS.”
Enforcing Consistent Policies Across Network, Endpoints, and the Public Cloud
FNTS is also extending its Zero Trust security posture beyond its own private cloud hosting services to include public clouds. This assures clients that security policies and controls are applied consistently regardless of where their business workloads and IT assets reside.
To do this, FNTS works with each client to determine which workloads are best suited for a public cloud environment. The company then deploys a virtual Palo Alto Networks Next-Generation Firewall in the public cloud on the client’s behalf and uses Panorama™ management to centrally administer network security, along with the rest of the client’s privately hosted infrastructure.
LaMagna-Reiter notes, “For us, having Panorama as our single pane of glass for consolidated policy management and visibility is the key to ensuring adherence to our policies and standards across all environments.”
In addition, FNTS deploys Traps™ for end-to-end endpoint protection and response across its clients’ multi-cloud environments. LaMagna-Reiter shares why FNTS chose Traps over other endpoint protection options: “We had a lot of incidents with our legacy antivirus products. They just didn’t provide the level of assurance our customers were demanding and the depth of capabilities we needed. When we were evaluating a new endpoint protection solution, we wanted something that communicated natively with everything else on the platform. The fact that Traps is a next-generation approach that looks at process monitoring and behavior on the endpoints gave us a lot more confidence than relying on the old signature format.”
LaMagna-Reiter comments, “By automatically blocking malicious activity on the endpoints, Traps saves us and our clients at least a couple days each month that otherwise we’d have to spend on restoring servers from a known good backup. That’s a major win.”
LaMagna-Reiter adds that another key factor in choosing Traps was integration with Palo Alto Networks WildFire® service, which provides cloud-based malware prevention. “Having assurance that WildFire will automatically prevent malware activity, even if it’s something never seen before, allows us to focus our time and attention on other priorities.”
FNTS is further extending security monitoring in public clouds with Prisma™ Public Cloud (formerly RedLock), providing visibility into cloud resources, detecting suspicious behavior, and integrating that data into Cortex™ Data Lake to enact appropriate policy changes as needed.
In addition, FNTS extends the threat intelligence and protections of the Palo Alto Networks platform to remote contractors, who use GlobalProtect™ network security for endpoints to ensure the same Zero Trust policies apply to them as everyone else on the FNTS network. The company even extends WildFire analysis to its Proofpoint email security system and continues to explore creative ways of leveraging advanced threat intelligence across enterprise and client environments.
LaMagna-Reiter points out that applying threat intelligence and automation across the network, endpoints, and cloud environments is key to FNTS upholding its core value proposition to clients. “When you’ve built a business model around preventing malware and other malicious activity from impacting hosted clients, you need to deliver on that promise uniformly wherever their data and workloads are running. Knowing that the Palo Alto Networks platform covers every data processing point with the same policies and level of protection, whether it’s on the network, on an endpoint, or in the cloud, gives us peace of mind that we’re living up to customer expectations and requirements.”
Accelerating Incident Investigation and Response
By standardizing on the Palo Alto Networks Security Operating Platform, FNTS can aggregate incident logs and global threat intelligence in a single location using Palo Alto Networks AutoFocus™ service for contextual threat intelligence. This enables the security team to more quickly and efficiently triage incidents as well as automate dissemination of protection updates based on threat intelligence to the next-generation firewalls and endpoints secured by Traps.
LaMagna-Reiter remarks, “I can’t even calculate the amount of time AutoFocus saves us. Aggregating data into a common platform multiplies the value of the threat intelligence so we can get context for threats and can respond more effectively.”
This time savings is crucial for meeting client service-level agreements (SLAs). “AutoFocus helps us meet and exceed client SLAs, and actually enable their business by avoiding disruptions,” says LaMagna-Reiter. “For clients running core operations with us, that’s priceless. They can keep on running their business and booking revenue while we dig into the incident on the back end.”
He concludes, “With Palo Alto Networks, we have a partner whose vision is in lockstep with ours. They’re aligned with where we want to take our business in terms of securing multi-cloud environments, gaining more visibility, and automating as much as possible through a single common platform. That’s huge for us.”