An insatiable appetite for compute and storage resources, combined with cloud-first development initiatives to support your business, is driving a data center transformation that incorporates the public cloud as a means of more rapidly addressing your growing data center demands. Commonly referred to as a hybrid data center, the use of the public cloud not only helps address your growing data center demands but provides you with the added benefits of agility, scalability and global reach.
From a security perspective, the responsibility for protecting your public cloud is shared between both the provider and the user – you. It is up to you to ensure satisfaction with the steps a provider has taken to protect the public cloud environment. It is also up to you to make sure you take the necessary steps to protect your applications and data in the public cloud.
Regardless of where your applications and data reside, they are an attacker's target and protecting them in the cloud introduces the same security challenges you face present in your on-premises data center. To that end, your public cloud security solution should be consistent with what is deployed in your data center so that, no matter where the application and data reside, security is the same.
Making the challenge of protecting your data a bit more difficult is the fact that many of the principles that make cloud computing attractive are counter to network security best practices.
- The use of a public cloud does not lessen your security risks.
The security risks that threaten your network today do not change when you use a public cloud. In some ways, the security risks become more significant, due, in part, to the many applications on a single server premise that virtualization enables. Once your public cloud environment is compromised, the attacker has access to all of the applications and data.
- Security wants separation and segmentation; the cloud relies on shared resources.
Security best practices dictate that mission-critical applications and data be separated in secure segments on the network. On a physical network, segmentation is accomplished using networking, firewalls and security policies. In your cloud computing environment, direct communication between virtual machines within a server occurs constantly, in some cases across varied levels of trust, making segmentation a difficult task. Mixed levels of trust, when combined with a lack of intra-host traffic visibility by virtualized port-based security offerings, may introduce a weakened security posture.
- Security deployments are process-oriented; cloud computing environments are dynamic.
The creation or modification of your virtual workloads can often be done in minutes, yet the security configuration for this workload may take hours, days or weeks. Security delays are not purposeful; they are the result of a process that is designed to maintain a strong security posture. Policy changes need to be approved, the appropriate firewalls identified, and the relevant policy updates determined. In contrast, virtualization teams operate in a highly dynamic environment, with workloads being added, removed and changed in a dynamic manner. The result is a discrepancy between security policy and virtualized workload deployment – and a weakened security posture.
Palo Alto Networks® VM-Series is a virtualized implementation of the next-generation firewall and advanced threat prevention features found in our physical form factor appliances. The VM-Series enables you to protect your AWS-based public cloud infrastructure using application-centric security policies to protect your applications and data.
- Better Visibility for More-Informed Security Decisions
With application visibility across all ports, you have far more relevant information about your cloud environment; which, in turn, means you can make more-informed policy decisions.
- Greater Control over Your Applications
Firewall access control policies are based on the application, not the port, forcing them to operate on their standard ports while leveraging the firewall deny-all-else premise to block all other traffic. This level of control becomes critically important as you deploy more of your data center assets in the public cloud.
- Segmentation for Data Security and Compliance
Using security zones and whitelisting policies allows you to control applications communicating with each other and across different subnets for increased protection against attacks and regulatory compliance.
- Extend Protection to Remote Devices to Limit Exposure
Integration with a wide range of user repositories introduces the user identity as a policy element, complementing application whitelisting with an added access control component. User-based policies mean you can grant access to critical applications and data based on user credentials and their respective need. When deployed in conjunction with GlobalProtect™, the VM-Series enables you to extend your corporate security policies to device users, protecting them from Internet-borne threats, regardless of their location.
- Protection from Advanced Cyberattacks
Attacks, much like many applications, are capable of using any port, rendering traditional prevention mechanisms ineffective. The VM-Series enables you to apply application-specific threat prevention policies to prevent attacks from accessing your Azure deployment.
- Preventing Attacks from Moving Laterally
Today’s cyberthreats will commonly compromise an individual workstation or user and then move laterally across your physical or virtualized network, placing your mission-critical applications and data at risk. Exerting application-level control between workloads will reduce the threat footprint, while applying policies to block both known and unknown threats can stop their lateral movement.
- Policy Consistency from the Network to the Cloud
Panorama enables you to manage your VM-Series deployments, along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.
- Security that Keeps Pace with Cloud-First Initiatives.
Native management features let you automate firewall deployments and security policy updates so that new workloads and security can be deployed in lockstep. Bootstrapping enables a fully configured firewall to be deployed in minutes, while the XML API and Dynamic Address Groups allow you to drive dynamic security policy updates as workloads change.
The VM-Series supports a range of public cloud environments, including Amazon® Web Services (AWS), Microsoft® Azure™ and vCloud® Air™.