Hopefully, you saw our recent announcement of PAN-OS 8.1. This blog will highlight the top three features in 8.1 that help bolster confidence and control in the growing use of the public cloud by financial institutions, and optimize the decryption infrastructure for operational efficiencies and and improved performance.
Consistent Multi-Cloud Security
Resiliency and geographic diversity are key aspects of any business continuity plan for financial institutions. By not placing all its eggs in one basket, an IT organization limits the exposure of any technology or even supplier failures on the supported business. As workloads continue to move to the public cloud, financial institutions will prefer to spread their risk both geographically and across multiple service providers. In the end, resilient designs will be implemented for cloud-based workloads, but reduced fault domains and supplier diversity will also be key considerations for all IT teams. Consequently, financial institutions can be expected to have a multi-cloud strategy.
To maintain a consistent and effective security posture across multi-cloud environments, Palo Alto Networks VM-Series virtualized next-generation firewall is supported on three major cloud service providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Common use cases include hybrid cloud, segmentation, internet gateway, and remote access. Integration with the native cloud infrastructure offers automation for frictionless workflows even in multi-cloud environments. Our VM-Series has the same feature set regardless of the cloud service provider and will enable financial institutions to create a consistent security policy across all three.
SaaS Application Control: Consumer vs. Enterprise
SaaS application usage continues to grow in the financial sector. For many institutions, SaaS was a first step into the cloud as subscriptions for non-mission-critical applications drove cost savings and efficiencies. Not surprisingly then, the use of SaaS apps for HR, CRM, and also Office 365 is fairly common. Some financial institutions may use Google G Suite, Dropbox, and YouTube for business purposes as well. In such cases, this creates a situation where the enterprise version of SaaS applications is indistinguishable from the consumer one. Employees may be accessing their personal email, calendar, or online storage SaaS applications from the same workstation used for the enterprise versions. At its worst, this becomes another avenue for exfiltration of corporate data by malicious insiders. Even in benign cases, the personal use of Office 365, G Suite, Dropbox, and YouTube from the office can be a questionable use of corporate resources.
With PAN-OS 8.1, Palo Alto Networks next-generation firewalls can be used to distinguish between enterprise and consumer use of common SaaS applications, and ultimately prevent access for the latter purpose. Our next-generation firewall will insert HTTP headers for Google, Office 365, Dropbox, and YouTube to signal what is desirable for enterprise use. The SaaS application recognizes this and then allows access based on the settings in the header. This prevents any data exfiltration attempts to consumer accounts on common SaaS applications and, furthermore, limits the use of corporate resources for personal purposes.
Simplified Decryption Architecture
Gartner has predicted that, by 2019, more than 80 percent of all network traffic will be encrypted. Attackers have also taken notice and may hide their communications within encrypted data streams as well. To combat this, financial institutions have already gone about decrypting internet traffic to detect and stop malicious traffic. However, this is typically done by:
- Decrypting each time on every single-function security appliance in the chain (e.g., firewall, IPS, DLP, WAF, proxy) for policy enforcement, or
- Introducing a dedicated appliance for SSL offload, which then sends the unencrypted data to each of the single-function security appliances.
Both approaches do allow for inspection of encrypted traffic for malicious activity, but both also have drawbacks. Decrypting multiple times adds latency and impacts end-user experience. A dedicated SSL offload appliance adds design complexity and operational costs.
In PAN-OS 8.1, Palo Alto Networks has introduced the Decryption Broker, which enables the next-generation firewall to decrypt the data and scan it using its single-pass architecture for IPS, network antivirus, and security policies before a hand-off to third-party security appliances for further enforcement. This approach reduces the total number of devices required, minimizes added latency, and increases the operational efficiency of a security chain of multi-vendor appliances. Using this simplified architecture for decryption allows for streamlined inspection for security, while minimizing the performance impact on end users.
[Palo Alto Networks Research Center]