Warren Rogers Associates pioneered the development of Statistical Inventory Reconciliation Analysis (SIRA) and Continual Reconciliation for monitoring underground fuel tanks and associated lines. These methods are certified in accordance with EPA requirements and have been used by petroleum marketers for more than 25 years. Today, Warren Rogers specializes in statistical analysis and precision fuel system diagnostics for the retail petroleum industry and develops innovative ways to identify and combat fuel shrinkage and theft.
Achieve PCI compliance for thousands of remote data collection devices at fueling stations by segmenting traffic and preventing malicious network traffic from penetrating the company’s cloudbased corporate data center.
Palo Alto Networks® Next-Generation Security Platform deployed in Amazon Web Services (AWS) to segment network traffic coming from thousands of remote data collection devices, prevent malicious traffic from infiltrating fuel system diagnostics and reporting systems, white-list applications and services, and segment cardholder data to ensure PCI compliance in the company’s cloud-based data center
Threat Prevention, GlobalProtect™
As an industry leader in retail fuel monitoring and diagnostics, Warren Rogers Associates (Warren Rogers) manages thousands of data collection devices installed at service stations across the U.S. Because these devices reside alongside its customers’ business systems that handle credit and debit card data, Warren Rogers had to guarantee it would prevent cardholder data from being collected to ensure PCI DSS compliance.
By deploying Palo Alto Networks Next-Generation Security Platform with VM-Series next-generation virtualized firewalls and GlobalProtect gateways in AWS, Warren Rogers created a PCI-compliant network that automatically blocks cardholder data from other network traffic. With the virtualized Palo Alto Networks platform deployed in multiple Amazon Web Services (AWS) regions, Warren Rogers also achieves disaster resilience to ensure continuous availability of threat prevention and secure gateway services while simplifying day-to-day administration and onboarding of new customers as the business expands.
A new industry is born
In 1979 Warren Rogers invented the fuel monitoring industry. The brainchild of cofounders Dr. Warren Rogers and Jill Jones, the company has continued to be a pioneer and leader in fuel storage and management to this day.
Today, Warren Rogers continuously monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical analysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at risk of leaks, illegal siphoning, or other potentially hazardous situations. These services are important to station owners grappling with tight margins in a fluctuating petroleum market and critical to avoiding disastrous environmental impacts and costly fines.
To serve its customers with valuable insights, Warren Rogers installs remote data collection devices on each fuel station’s local network. These devices are minimally configured network appliances called “On Site Processors” (OSPs). The OSPs collect data from every dispenser, tank and line at the station, and transmit it back to the Warren Rogers data center for analysis and reporting.
Traditionally, Warren Rogers used standard encryption methods for real-time data transmission to its datacenter and occasional client VPN access to maintain the OSPs. Sometimes an OSP resides on the same local network as the stations’ payment processing systems. In this case, the Payment Card Industry (PCI) data security standard (DSS) potentially brought the OSP into scope for PCI DSS assessments, even though the OSP does not handle cardholder data. Therefore, Warren Rogers took the initiative to make its OSPs PCI-compliant by ensuring that cardholder data is not collected, regardless of how the OSP is deployed within the local network.
Warren Rogers was determined to find a solution that met the following criteria:
Virtualized firewall security in the AWS cloud
After researching potential vendors, Warren Rogers found the Palo Alto Networks Next-Generation Security Platform to be the best fit for its unique business requirements. Consisting of Next-Generation Firewalls, Threat Intelligence Cloud services, and Advanced Endpoint Protection, the Palo Alto Networks platform also offered another key feature: cloud support.
Warren Rogers deployed eight Palo Alto Networks VM-300 virtualized next-generation firewalls in a “hub-and-spoke” network typology, with advanced threat prevention features configured on each firewall. The hub is one VM-300 virtualized firewall deployed at the company’s data center in AWS, where it acts as the primary secure gateway for all outside network traffic and the company’s internal business operations.
The spokes are multiple “satellite” VM-300 virtualized firewalls deployed across AWS regions and Availability Zones. All of these virtualized firewalls are configured with GlobalProtect gateways that pass their traffic to the hub over secure IPsec tunnels. With built-in host identity protocol (HIP) checking, GlobalProtect gateways enable Warren Rogers to securely and accurately control traffic to and from its OSPs.
Warren Rogers also installed GlobalProtect clients on thousands of OSPs. The GlobalProtect client establishes a secure connection to the closest satellite firewall. This ensures end-to-end security of fuel data transmitted from the OSPs to the satellite firewall and through to the company’s primary AWS-based data center.
Matthew McLimans, Computer Engineer at Warren Rogers, remarks, “Palo Alto Networks was the only network security vendor we found that had a platform designed for the cloud. It’s ideal since we can take advantage of AWS’s redundancy to ensure high availability of our virtualized firewalls and GlobalProtect gateways. It makes it easy for us to scale our security platform as we continue to bring on new customers and business ventures.”
Security zones keep data where it belongs
Palo Alto Networks provides Warren Rogers with a single vantage point for segmenting traffic and implementing security policies across all its virtualized firewalls. For example, the company has set up three security zones: one for all data coming from the OSPs running the GlobalProtect client, a second trusted zone for data-receiving servers in its data center, and a third Internet zone for outbound traffic to trusted resources such as Microsoft Update servers.
Segmenting traffic using security zones proved especially important for achieving PCI compliance. This ensured that no cardholder data intermingled with other traffic on the same network, effectively keeping the company’s network out of PCI scope for its customers. In addition to security zones, Warren Rogers also defined data filtering profiles in the virtualized next-generation firewalls to automatically block any traffic coming from the OSPs that may contain cardholder data.
“The VM-Series next-generation firewall and the features of GlobalProtect have helped us with our PCI compliance,” says McLimans. “They give our customers reassurance that we don’t collect cardholder data, which makes them more comfortable working with us. In fact, our customers are impressed with the security measures we have put in place. Our security initiative with Palo Alto Networks has elevated our reputation within the industry as a security-conscious organization.”
Universal policy management from one vantage point
Threat prevention brings another vitally important benefit to Warren Rogers. With a growing number of OSPs transmitting fuel data across the country, the threat of cyberattack is always a concern. Infiltration of malware or a breach at a customer retail site could lead to serious problems in the company’s data center, potentially affecting business operations and impacting both revenue and reputation.
"We’re confident that the Palo Alto Networks platform is protecting our business in AWS," McLimans affirms. "We can implement very granular security policies and have greater visibility into our traffic. With Palo Alto Networks, we can see how much data is coming from each site, what kind of data it is, and if the data contains malicious content, protecting Warren Rogers and our customers."
Policies also dictate user privileges for accessing OSPs remotely through the Palo Alto Networks platform. Only authorized users specified within defined groups are allowed network access to the OSPs. No other traffic is allowed, thus limiting access to only those users with proper credentials. Moreover, every action taken by authorized users is logged to provide a full audit history.
“We know which employees are accessing our protected servers, and when they are accessing them,” notes McLimans. “This is just another big benefit of the Palo Alto Networks platform as it gives us the ability to generate audit reports for our compliance.”
Stronger security made simple and efficient
Administration of the secure environment is now easier and more efficient because policies implemented on the company’s primary virtualized firewall in the data center are automatically reflected at each of the satellite gateways. In fact, the entire network configuration is simpler.
In the past, Warren Rogers required its customers to provide a VPN connection for remote access to the OSPs. However, this became an administrative nightmare because each customer had its own methodology and best practices. A typical configuration also required customers to open additional ports on their network for live data transmission from the OSPs. Now, with the Palo Alto Networks platform in AWS, all communication between the data center and the OSPs is conducted over a single, secure network connection via GlobalProtect, greatly simplifying the configuration over the previous approach.
“Palo Alto Networks eliminated a lot of headaches and saved us hours of administration overhead,” declares McLimans. “Instead of managing multiple VPNs for each customer, our service techs have a common interface for accessing each OSP. We can manage running services and applications through GlobalProtect’s HIP checks. We can direct our traffic through GlobalProtect to a specified server behind our firewall. Palo Alto Networks always provides the newest encryption methodologies, which keeps our compliance efforts ahead of the curve. It’s simpler for everyone, but most important, it’s more secure.”
Disaster resilience ensures business continuity
By running the Palo Alto Networks platform in AWS, Warren Rogers gained additional advantages, such as availability and disaster resilience. Having virtualized firewalls with GlobalProtect in multiple AWS Regions and Availability Zones assures Warren Rogers of maintaining secure and compliant connectivity with its customers in the event of an outage at any one of the AWS sites.
With GlobalProtect, every OSP connects to multiple virtualized next-generation firewalls, automatically using the best available connection. However, in a disaster recovery scenario where connections to the best firewall are not available, the GlobalProtect client on the OSP will automatically fail over to another firewall in a different AWS Region to maintain secure connectivity.
McLimans notes, “This kind of uptime assurance enables us to maintain a continuous and secure flow of data coming in from the OSPs. So, if our monitoring system detects a catastrophic leak or some other emergency at one of our customers’ stations, we can provide our services reliably and alert them.”
As Warren Rogers continues to expand its business, the Palo Alto Networks platform also helps the company onboard new customers.
“Every customer is different in the way they implement our OSP at their fueling locations,” McLimans points out. “The Palo Alto Networks platform provides a uniform approach for implementing security regardless of where the OSP sits on their local network. Palo Alto Networks is also a brand our customers recognize as a leader in the security market, which makes everyone more comfortable.”
He concludes, “Palo Alto Networks is providing value well beyond addressing our initial need for PCI compliance, and we expect that value to continue to grow as Warren Rogers pursues new business opportunities.”