“Cloud first” is rapidly becoming a key initiative for organizations and agencies in both the public and private sector. As far back as 2010, cloud first was included as part of a comprehensive effort to increase the operational efficiency of federal technology assets, as outlined in the U.S. Chief Information Officer’s “25-Point Implementation Plan to Reform Federal IT Management.” Since the release of that 2010 initiative, numerous other federal governments have followed suit, adopting a “cloud first” approach, including the U.K. and Australia.
In this case, the U.S. CIO’s Cloud First policy means that federal agencies must (1) implement cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.
However, there is a range of challenges facing agencies as they make this shift. For example, some agency CIOs have stated that, in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers – which they manage and control – to outsourced cloud services. Additional questions around where the data actually resides in the cloud – is it in the U.S. or elsewhere? – are sometimes difficult to answer. These, and other concerns, must be addressed in order to build an agency culture that trusts the cloud.
The VM-Series virtualized next-generation firewall, deployed in AWS GovCloud (US), can help address some of the concerns around the security and location of data for the U.S. federal market. AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. AWS GovCloud (US) differs from standard AWS regions in many ways, which Amazon has highlighted. With the availability of our VM-Series next-generation firewall for AWS GovCloud (US), agencies can now apply to their AWS deployments the same threat prevention and application policy controls used in their physical data centers.
Taking the Hybrid Approach
With full support for standards-based IPsec VPN connectivity, our VM-Series enables you to quickly create a hybrid architecture that extends your existing data center into AWS via an encrypted tunnel. This enables you to get started with small projects to learn and then expand. More complex projects can be protected using segmentation principles and whitelisting to maintain compliance and prevent cyberattacks from moving laterally from VPC-to-VPC and subnet-to-subnet.
A full suite of native management features automates the firewall deployment and policy updates, while Panorama (purchased separately) allows the VM-Series to be managed centrally alongside our firewall appliances to maintain security policy consistency. The VM-Series for AWS GovCloud (US) (Login Required) is available as a Bring Your Own License (BYOL) offering, which allows you to choose the VM-Series next-generation firewall license, the related subscriptions (Threat Prevention (includes IPS, AV, malware prevention), WildFire, URL Filtering (PAN-DB), GlobalProtect) and the annual support programs that are appropriate for your needs.
[Palo Alto Networks Research Center]