Today, we are announcing exciting new enhancements to Aperture, the Palo Alto Networks CASB (Cloud Access Security Broker) offering. Aperture now provides application protections for several Amazon Web Services (AWS) solutions, including Amazon Elastic Compute Cloud (Amazon EC2), AWS Identity and Access Management (IAM), and Amazon Simple Storage Service (Amazon S3).
These new protections guard against sensitive data loss, enable monitoring for risky or suspicious administrator behavior, and provide additional protection against security misconfigurations and malware propagation. When combined with the preventive capabilities of our Next-Generation Security Platform, these advancements will enable organizations to achieve even more protection for AWS, as well as address critical cloud security needs to deliver the most complete application and data security for cloud environments.
Additionally, Aperture support for Office 365 and Google applications has been enhanced to include cloud-based email services and G Suite Marketplace applications.
Public Cloud Is the New Normal
Public cloud usage continues to grow at a tremendous pace, and AWS makes up a considerable portion of that usage. Gartner predicts infrastructure as a service (IaaS) will grow 36.8 percent in 2017 and reach $34.6 billion. Public cloud has become a key component of most organizations’ application development and deployment, and the only vehicle for new application delivery, in some cases, removing the requirement for physical data centers.
With the use of AWS as a key addition to the IT arsenal, it should be treated no differently from any other environment with highly sensitive data. This requires levels of concern and diligence similar to those of a secure physical data center.
Security needs and diligence required may be the same, but securing applications in AWS does have some unique challenges that need to be addressed.
Public Cloud Multidimensional Security Needs
Multiple security controls need to be employed to achieve complete AWS security. Though AWS native security controls can provide access control and identity management, breaches are often the result of improper use, misconfigurations or advanced threats. Today, we highlight three critical security controls you need to protect your apps and data within AWS.
In-line Security – Managing and Controlling Segmentation in AWS
Properly segmenting and protecting access to applications and data in AWS is the first critical step to securing any AWS environment.
Palo Alto Networks has been leading the way for public cloud security with our VM-Series next-generation firewalls. The VM-Series enables secure hybrid cloud connectivity, segmentation, internet gateway, remote access and many more use cases commonly needed as customers transition to the cloud.
Unfortunately, the desire to roll out applications to meet business needs as quickly as possible often leads to accidental misconfigurations that go unnoticed until it is too late. Before customers implement in-line security, they need to ensure they have strict access control and security policies in place for the native security features provided by AWS. This leads us to the next set of security controls.
Effective Use of Native Security Features in AWS
The native security features provided by AWS enable a basic level of attack protection, but these features are effective only if configured and enforced properly. Here are a few examples of native configurations you need to monitor to help prevent breaches or data exposure:
- Security Groups: This feature enables basic network-level access lists that define inbound and outbound access to specific VMs, services or ports. These access lists need to be strictly controlled and ensure there are no wildcard rules that allow unauthorized access to services.
- AWS Access Keys: SSH keys are used to access services within AWS and need to be rotated periodically.
- Encrypted EBS Volumes: All data volumes should be encrypted, and the administrators should be notified if any unencrypted EBS volumes exist.
- Standard AMIs: Your AWS users should utilize standard AMIs for spawning their services, as these AMIs have been tested and certified to be secure. Administrators should be notified if users leverage a non-standard image that could lead to compromising the security posture.
Aperture monitors all the above configurations and many more by connecting directly through AWS APIs to monitor for any modifications, VM/volume activity and misconfigurations to ensure the security posture of your AWS environment stays intact.
Improper Sharing and Usage of AWS
While in-line security will control segmentation and access to applications in AWS, it will not provide data governance of the contents of data stores in Amazon S3. No matter how good your in-line security is, the moment you start sharing data with an external service with an unknown security posture over which you have no control, you become exposed to new risks. This is where an API approach is needed to control the sharing of S3 buckets, and ensure the content is appropriate and free of malware. For example, if malicious files make their way into AWS S3 from a third party, it could lead to disastrous consequences within your organization as the malware spreads across users and networks.
In addition to malware propagation, the risk of sharing files improperly is becoming all too common because of the complex nature of what and how we share.
These aren’t simply theoretical risks, either. Even highly trained individuals for whom security is a fundamental requirement are not immune to this risk because of the complex challenge of maintaining security while also selectively sharing data.
Aperture now provides deep in-cloud security controls to prevent improper use while enabling malware protection and data governance policies via integration with AWS EC2 and S3.
Complete Public Cloud Security
The security for public cloud deployments needs advanced protections, and it is important to realize the need to go beyond native security to achieve comprehensive security. Aperture, in conjunction with the rest of the Palo Alto Networks Next-Generation Security Platform, now provides the most complete application and data security yet for public cloud environments. Secure connectivity, internet gateway, segmentation, monitoring of native security controls, S3 security, malware threat prevention – all of these critical use cases are delivered while leveraging the same global threat intelligence that powers nearly 42,500 customers worldwide.
Many More Enhancements
The new capabilities for AWS are just the beginning of many enhancements to Aperture. Additional advancements we are also announcing follow.
Support Extended to Office 365 Exchange
Aperture can now scan email content and attachments for compliance violations, malware, user impersonation and data exposure within Office 365.
Policy Control for G Suite Marketplace Applications
Aperture can now apply policy control across marketplace applications, protecting organizations from targeted phishing and malware attacks or unwanted data sharing through the Google G Suite Marketplace.
SIEM Integrations With the New API and Log Export Service
Customers can now configure Aperture to interface with syslog servers and API clients, allowing them to push event information to external syslog servers or access event information from the Aperture service via a REST API.
Suspicious User Behavior Monitoring
Aperture now supports the ability to alert administrators if suspicious activity is detected within SaaS applications.
A full list of the exciting new features of Aperture can be found in the New Features Guide.