A few weeks ago, we walked around the show floor at InfoSec Europe and asked the crowd if they had any questions for Palo Alto Networks. One person asked “Can the Cloud be Secure?” Alex Raistrick from Palo Alto Networks delivered a viewpoint about leveraging the next-generation firewall with GlobalProtect as part of a cloud security strategy. The video touched off some healthy discussion about what role the firewall plays in the cloud, so I thought I’d take this opportunity to expand on the concepts that Alex described.
Cloud security has a lot of angles, and the Cloud Security Alliance has done a good job mapping many of the different aspects back to related standards and controls. If you’re interested in learning more about how deep cloud security goes, I recommend diving into the CSA Cloud Controls Matrix. Getting back to the video, the question that Alex answers has to do with how to leverage an existing next-generation firewall to provide protection for access to cloud services.
Let’s take an example of internal-facing applications. In the traditional IT model, users need both network access and credentials to reach an application hosted in the internal data center. In the cloud model, many applications intended for internal use only are nonetheless reachable from the Internet; this is true of IaaS and PaaS, but it is especially prevalent with SaaS. Such practices increase the attack surface, since everyone on the Internet, including those with hostile intentions, has network access to the application and can at least attempt to log in.
Why let unauthorized users attempt to authenticate at all? What we’re seeing from many customers is a different attitude towards cloud applications: a shift to treat them more like the internal data center. In other words, the safer practice is to restrict access to the cloud application to users on the local network, whether they are on the LAN or coming in through a VPN connection.
SaaS providers are now offering more options to restrict access to a connection coming from predefined address ranges or domains. I’ve also seen content providers with subscription-based websites take similar measures in order to cut down on unauthorized credential sharing. Yet another approach is to use an internally hosted authentication provider to grant access to the external application, using federation protocols such as SAML. In the PaaS model, the cloud provider offers a VPN tunnel to reach the cloud service, and disallows connections from any outside means. In IaaS, you’d be setting up your own tunnels to reach your virtual machine instances.
By treating the cloud as an extended part of your network, you reduce the attack surface by first requiring network access to your local environment before granting access to the cloud application. With the next-generation firewall, you can further refine who can access the application using App-ID, User-ID and Content-ID. GlobalProtect fits into the picture by always keeping your users connected to the next-generation firewall, regardless of whether they are internal or external to the organization. There’s nothing for the user to think about; they simply access the application just as they always have.
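As an added illustration (not from the original post and not Palo Alto Networks code), here is a check a defender can run over SaaS login records to confirm the model above is actually in force: with the SaaS provider's allowlist set to the firewall's outbound NAT ranges, every login should originate from those corporate egress addresses, whether the user was on the LAN or connected through GlobalProtect, and anything else indicates a path around the firewall. The address ranges and log lines are constructed samples.

```python
import ipaddress

# Constructed sample: corporate egress ranges the SaaS allowlist should permit
# (the addresses the firewall NATs outbound traffic to). Assumed values.
CORPORATE_EGRESS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/28", "198.51.100.64/27")]

# Constructed sample SaaS login records: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2014-06-10T08:01:12Z alice 203.0.113.5 success
2014-06-10T08:03:40Z bob 198.51.100.70 success
2014-06-10T08:05:03Z carol 192.0.2.44 success
2014-06-10T08:05:09Z admin 192.0.2.44 failure
2014-06-10T08:05:11Z admin 192.0.2.44 failure
"""


def parse_log(text):
    """Split whitespace-separated login records into dicts."""
    records = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        records.append({"ts": ts, "user": user, "src": src, "result": result})
    return records


def is_corporate(src):
    """True if the source address falls inside a corporate egress range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CORPORATE_EGRESS)


def find_bypass_attempts(records):
    """Records whose source is outside corporate egress. Under the model in
    the post these should never reach the login page at all: a hit means the
    provider-side allowlist is missing or a user has a path around the
    firewall/VPN."""
    return [r for r in records if not is_corporate(r["src"])]


def summarize(records):
    """Per off-network source: outcome counts and the accounts tried."""
    summary = {}
    for r in find_bypass_attempts(records):
        entry = summary.setdefault(r["src"],
                                   {"success": 0, "failure": 0, "users": set()})
        entry[r["result"]] += 1
        entry["users"].add(r["user"])
    return summary
```

A successful login from an off-network source is the case worth investigating first, since it shows both that the allowlist did not block it and that credentials were accepted.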
As we stated at the start, the topic of cloud security covers a lot of ground. In this video, Alex discussed one approach to making access more secure. There are many other applications of the next-generation firewall in cloud environments, including firewalls deployed within the IaaS cloud environment itself. My colleagues will be talking about these other areas in the months to come. In the meantime, I recommend taking a look at these two links for more details about making your cloud secure with the next-generation firewall:
- http://www.securityweek.com/your-head-cloud-compliance
- http://media.paloaltonetworks.com/documents/embracing-fed-cloud.pdf
Do you have a question about network security that you’d like to ask? Tweet us at #AskPANW to join the discussion.