Protecting Europe’s Managed Services with AI-Driven Network Security

Ctac is a leading European business and cloud integration specialist. Headquartered in the Netherlands, they offer a broad portfolio of solutions, including using SAP, and Microsoft ‘on any cloud’. SAP applications include SAP S/4 HANA, SAP ERP Central Command (ECC), and SAP Analytics Cloud. Microsoft solutions include Microsoft Azure, Microsoft Hyper-V, and Microsoft Office 365. The organisation also provides services in IT modernisation, connected intelligence, transformation management, and security.

The company is growing fast – broadening its IT solutions suite, entering new verticals, and making business acquisitions. Net revenue grew by 23% in the first half of 2021. However, with success comes challenges – especially in security.

Ctac’s security value proposition promises maximum protection for clients’ managed IT infrastructures, covering customers in retail, wholesale, manufacturing, real estate, and other sectors. ‘Cybercrime is increasingly professional,’ explains Erwin van Beinum, Director Cybersecurity, Ctac. ‘Hackers have more to gain, the attack surface is widening with transformation to private and public clouds, and threats are becoming more and more complex. It’s our job to stop them.’

Before becoming a Palo Alto Networks customer in 2013, the Dutch organisation relied on a Cisco stateful inspection firewall to secure clients’ data and applications. But that port-based approach became insufficient to prevent known and unknown threats. More and more customers were trusting Ctac to manage their critical infrastructures – and security needed to be invincible.

‘With more clients connecting to the cloud, we needed to integrate client systems across the value chain and with their business partners. This complexity demanded a new approach to network security, which is why we approached Palo Alto Networks,’ says van Beinum.

Ctac decided on a PA-Series ML-Powered Next-Generation Firewalls (NGFW) to add application-based security and IPS. ‘We undertook a rigorous proof of concept and concluded that the Palo Alto Networks ML-Powered NGFW is the best-in-class solution,’ explains Maikel van Dooren, Security and Network Consultant, Ctac. ‘It offers a lightweight, web-based firewall management system, whereas other vendors have a heavy-duty client.’ The PoC also validated the depth and quality of the application-based security inherent in the ML-Powered NGFW.

As part of their network security selection process, Ctac established multiple business and technical requirements. They needed to adopt a firewall platform that would:

• Be flexible and adaptive to meet clients’ present and future needs.
• Provide dynamic security policies for dynamic virtual workloads.
• Use simple tools and automation to integrate security and prevent fast-changing threats.
• Protect against evasive and never-before-seen attacks.
• Implement multifactor authentication on the firewall to prevent attackers moving laterally with stolen credentials.
• Offer consistent protection, wherever users or applications are located.

‘Organisational security cannot be a “one-size-fits-all mindset”. Ctac – and our clients – have unique needs. The security architecture should reflect that,’ says van Beinum.

Ctac has standardised on Palo Alto Networks ML-Powered Next-Generation Firewalls (NGFW) to protect dozens of clients across retail, wholesale, manufacturing, and other sectors. This NGFW was pre-built to automatically stop threats across the attack lifecycle. It also provides Ctac with consistent risk-appropriate protection for data and users regardless of location.

The ML-Powered NGFW, with its integrated threat prevention service, protects the Ctac network from advanced threats by identifying and scanning traffic across all ports and protocols. A native Advanced URL Filtering subscription is also used to protect users from untrusted websites, malware, phishing pages, and attacks attempting to leverage web browsing. ‘All of these features are very easy to configure for our clients,’ says van Dooren.

However, Ctac is not standing still.

The organisation used to connect multiple clients to a single NGFW cluster; but any problem with the firewall, or if any one customer used a lot of resources, it could impact other customers. Moreover, if one customer wanted a new security subscription, such as WildFire, the subscription needed to be purchased on the complete cluster even if other customers on that cluster didn’t want the subscription – pushing up costs. Ctac was also concerned that increased client demand for a hybrid cloud model could diminish the demand for a physical security platform.

Van Beinum and his team were therefore eager to capitalise on Palo Alto Networks VM-Series Virtual NextGeneration virtual firewall with an enterprise licence agreement (ELA) option. Ctac now uses VM-Series virtual firewalls on hypervisors in their Ctac Private Cloud data centres – as well as in the public cloud (for example Microsoft Azure Public Cloud), amounting to 67 clusters. Each customer has their own VM-Series HA cluster.

This agile and flexible security ecosystem is transforming Ctac’s approach to network security.

Trusted client experience

Clients trust Ctac to manage their complex hybrid infrastructures. Connected network security is easy to implement, alleviates operational burdens, and offers Ctac’s clients the best protection against hackers and hijackers, assisting with ISO 27000, SOX, PCI, and GDPR security compliance, now and in the future.

Reduction in incidents and risk

Prior to implementing the ML-Powered NGFWs, any incident would have impacted some or all of their clients. Now, with the 37 clusters segregated using the VM-Series virtual firewalls, Ctac manages risk more effectively.

Lower cost of operation

Simplified licence management with a single contract is more cost effective. Every customer has their own isolated firewall and their own set of dedicated compute resources, significantly reducing the impact on other customers if one customer uses more resources than forecast. By contrast, on a shared physical box, one customer could impact the performance of other customers.

Forward-thinking security

ML-based analysis accelerates Ctac client protection. If analysis identifies a file or site as malicious, the firewall will block it. Credential filtering manages authentication to authorised applications and blocks credential submission to unknown sites.

Simplicity of use

Ctac can manage all the NGFWs using a single pane of glass, irrespective of their physical or virtual form factors or location. This reduces complexity by simplifying the configuration, deployment, management, and consistency of security policies. Logs are correlated to provide network and security insights and ensure surface malicious behaviour is not buried in the noise.

Service flexibility

Ctac has the flexibility to deploy single VM-Series virtual firewall instances as part of the ELA, reducing cost and freeing resources for more strategic tasks. Client environments can be managed individually, with unique policies tailored to each client environment. ELA includes options for Ctac to include subscriptions per client for Threat Prevention, Advanced URL Filtering, GlobalProtect, and WildFire.

Ctac also benefits from improved scalability with the VM-Series virtual firewall. Licensing on the physical firewalls was for the entire box, whereas the VM-Series offers the flexibility to add additional licences as needed.

Streamlined management

The Ctac Security Operations Centre (SOC) plays a vital role in defending client assets, with intelligent, behaviourbased security insights monitored in the SOC. Should an event be detected, it is shared instantly with all Ctac clients. ‘In the past, we used to analyse each threat by the source,’ says Rob Wismans, Chief Information Security Officer, Ctac. ‘Now, our SOC team looks at exposures and threats at the enterprise level.’

VM-Series firewalls also bring a lot more streamlining and efficiency to operations. When Ctac wanted to make an update for all customers on a shared object on their physical firewall, the commit time was more than six hours (75 x five minutes). Only 10 commits could be queued at a time, and when these queues were running Ctac could not perform other changes. But now, with the VM-Series, Ctac can push shared configuration changes instantly to all VM-Series firewalls in less than one minute. Finally, with a fully integrated management using Panorama™ across all firewall form factors, day-to-day operations are simplified dramatically.