Cloud security has a lot of angles, and the Cloud Security Alliance has done a good job mapping many of the different aspects back to related standards and controls. If you’re interested in learning more about how deep cloud security goes, I recommend diving into the CSA Cloud Controls Matrix. Getting back to the video, the question that Alex answers has to do with how to leverage an existing next-generation firewall to provide protection for access to cloud services.

Let’s take an example of internal-facing applications. In the traditional IT model, users need both network access and credentials to access an application hosted in the internal data center. In the cloud model, many internal-only applications are still Internet accessible, and that includes IaaS/PaaS, but it’s especially prevalent with SaaS. Such practices increase the attack surface, since all people on the Internet, including those with hostile intentions, have network access to the application.

Why let unauthorized users attempt to authenticate at all? What we’re seeing from many customers is that they are taking a different attitude towards cloud applications, and making a shift to treat cloud applications more like the internal data center. In other words, the safer practice is to restrict access to the cloud application to users on the local network, either from the LAN or coming through a VPN connection.

SaaS providers are now offering more options to restrict access to a connection coming from predefined address ranges or domains. I’ve also seen content providers with subscription-based websites take similar measures in order to cut down on unauthorized credential sharing. Yet another approach is to use an internally hosted authentication provider to grant access to the external application, using federation protocols such as SAML. In the PaaS model, the cloud provider offers a VPN tunnel to reach the cloud service, and disallows connections from any outside means. In IaaS, you’d be setting up your own tunnels to reach your virtual machine instances.

By treating the cloud as an extended part of your network, you can reduce the attack surface by first requiring network access to your local environment before getting access to the cloud application. With the next-generation firewall, you can further refine who can access the application using App-ID, User-ID and Content-ID. GlobalProtect fits into the picture by always keeping your users connected to the next-generation firewall, regardless of whether they are internal or external to the organization. There’s no thinking about what to do, the user simply accesses the application just as they always had before.

Just like we stated at the start, the topic of cloud security covers a lot of ground. In this video, Alex discussed one approach towards making access more secure. There are many other applications of the next-generation firewall in cloud environments, including the firewalls deployed within the IaaS cloud environment itself. My colleagues will be talking about these other areas in the months to come. In the meantime, I recommend taking a look at these two links for more details about making your cloud secure with the next-generation firewall:

• http://www.securityweek.com/your-head-cloud-compliance
• http://media.paloaltonetworks.com/documents/embracing-fed-cloud.pdf

Do you have a question about network security that you’d like to ask?  Tweet us at #AskPANW to join the discussion.

The post Expanding the Conversation on Cloud Security appeared first on Palo Alto Networks Blog.

In short, SDN is the physical separation of control plane from the data plane, so that instead of each networking device independently forwarding packets to the next hop, the controls are centralized on “SDN controllers”.  SDN networks therefore provide flexibility, programmability and simplicity to network operations, where traffic can be steered, optimized or customized without requiring physical wiring changes.

Where does security fit in an SDN network? We believe security correspondingly needs to be more dynamic, automated and programmable as well. The good news if you have a Palo Alto Networks next-generation firewall is we already interoperate with SDN networks today. In an SDN network, SDN controllers can program our firewalls using our REST-based API, with dynamic address objects supporting dynamic redirection of traffic. While we don’t terminate or inspect VXLAN or NVGRE today, we depend on gateways like Arista switches to translate these protocols to VLANs for context. We demonstrated Arista integration as early as last year at our Ignite conference, while BigSwitch SDN integration details are available here.

Have comments, or want to call out your own observations and experiences with SDN? Feel free to comment here or over at SecurityWeek.

The post Next-Generation Firewalls for Your SDN Network appeared first on Palo Alto Networks Blog.

This was a serious situation that shows strong passwords can’t be the only security measure. Following the AP hack, Twitter sent out instructions to other media organizations providing recommended guidelines for passwords. I have a few issues with those guidelines though.

Read my latest Security Week article to learn more about why passwords aren’t enough for securing social media accounts.

The post Passwords Aren’t Enough appeared first on Palo Alto Networks Blog.

In my latest SecurityWeek article, I outline the top five things to consider when determining how to invest in data center security. Ranging from prioritizing the right form factor for network security to ensuring your team is properly trained, these tips will ensure you take the best approach towards data center security without breaking the bank. Read more here.

The post For Your Consideration — Data Center Security Spend appeared first on Palo Alto Networks Blog.

Because this is a hot topic and there is much interest to learn more this was the topic of my SecurityWeek article this week. In the article I delve further into challenges, like the broad attack surface and exploit-facing signatures, and share a few suggestions, including taking a layered approach and how to take a prevention approach.

For more detail, please read my full article on Security Week, here.

The post The Unique Challenges of Controlling Java Exploits appeared first on Palo Alto Networks Blog.

Credocom, located in Denmark, is rapidly driving the adoption of Palo Alto Networks next-generation firewall protection, with a specialty in securing the data center. Watch the below video to see how Credocom, in partnership with Palo Alto Networks, closely evaluated and worked with a worldwide packaging company, Hartmann (they make the cartons that our eggs come in), to safely enable their business and standardize and simplify their IT security operations – all through a single, comprehensive global launch.

The post Credocom and Palo Alto Networks: Working Together to Consolidate and Simplify IT Security Operations Worldwide appeared first on Palo Alto Networks Blog.

The challenge is how to give users the full advantage of their mobility platform of choice without introducing risks to the business. A key part of that challenge is enabling flexible mobile security options depending on the device and use case. For example, an employee on an unmanaged device may just require access to the Internet, while another employee on a managed device may require full access to specific data center applications. Your mobile security solution should support both use cases.

While there are multiple considerations to secure mobile traffic, it’s the network where you must start. This means maintaining a secure connection, keeping the traffic across it safe, and extending it to all users. By retaining control of the network, organizations can embrace mobility by making it safe for all users in all locations, regardless of the device. Starting from this premise, it becomes much easier to think in terms of how to make mobility work for your organization by providing the security to enable safe usage rather than trying to prevent it.

If you’d like to learn more about mobility and BYOD security challenges, check out my latest SecurityWeek article.

The post Dealing with Mobility and BYOD Security Challenges? Start with The Network appeared first on Palo Alto Networks Blog.

For many industries, business pressure is such that technology innovations might get deployed before any thorough security assessment gets conducted. It’s never on purpose, but the omission is mostly due to limited resources or budget constraints and pressure from the business to meet the demand of a competitive market. The best example is BYOD: many of us access business assets on devices that are either not protected or are outside the control of our IT organization.

Healthcare is a great example of an industry that finds itself at the crossroads of much needed technology innovations and improved security:

• New applications, EMRs and others are being deployed and interoperability between these systems within the same facilities and with business partners is becoming a requirement
• Mobile devices – smartphones, tablets and laptops – are getting more commonly used to improve access to systems anytime and anywhere
• A new generation of digital medical devices is emerging to monitor and collect patient data in a digital form
• Last fall, the Washington Post provided examples of security breaches (Health Care Sector Vulnerable to Hackers) that were mostly the result of new technology and applications.

What can be done? To healthcare network and security professionals, it can be a daunting task especially if you start from a place where your network architecture is mostly flat, with all assets and systems almost treated equally from a security standpoint.

You can opt to maintain the status quo while you build a master security plan that will never get executed. Or, starting today, you can take action and progressively put your organization in a much better position. Here is the first recommendation: get a better understanding of your network traffic.

Nobody will argue that for heavy-loaded areas of your network that carry access to critical applications, you cannot introduce any risk of disruption. A completely transparent, non-disruptive step is to deploy a next-generation firewall in tap mode and start analyzing traffic. Many customers have told us that it gave them immediate visibility into all traffic and allowed them to craft an informed and pragmatic plan to improve security. They gained visibility into:

• The full range of applications and systems running on their network, business critical, authorized, known and unknown
• Bandwidth required to support business critical applications by time of day or any other criteria
• Bandwidth consumed by applications used by employees for personal purposes. In many cases, working with employees allowed for this “tolerated” traffic to be minimized and enabled security teams to refocus all resources and efforts on business critical systems

For a more thorough view of what “full traffic and application visibility” means at Palo Alto Networks, you can download the latest version of our Application Usage and Threat Report. You can easily get the same level of data for your enterprise network and start taking action today.

The post Healthcare and Cybersecurity: Take Action Now; Don’t Wait for a Master Plan appeared first on Palo Alto Networks Blog.

We’ve gathered some interesting quotes from media coverage of the review below. Also, Wade speaks with Threatpost’s Dennis Fisher about the MMR and some of the particularly compelling (dare I say alarming) findings in this podcast – give it a listen here.

“If you talk to most enterprise IT guys, they’re not spending much time worrying about FTP because it’s seen as a dusty old protocol. Some of these older protocols that are flexible and still work are being used by attackers because nobody is going to blink if they see it.” – Wade Williamson (CRN, March 25, 2013)

“Most network managers don’t give a second thought to FTP, but it’s pretty obvious that attackers are thinking about it…a lot,” – Wade Williamson (Security Bistro, March 27, 2013)

Can you sense the theme? FTP was observed to be exceptionally high-risk. FTP had the ignominious distinction of being both a common source of unknown malware as well as one of the sources that rarely received coverage. FTP was the most evasive application in terms of port evasion, and had one of the lowest detection rates in terms of malware.

For more details on getting a handle on the scale of modern malware check out Wade’s guest post on Security Week here. Let us know what you think of the Modern Malware Review in the comments below.

The post Modern Malware Review: FTP Surprises appeared first on Palo Alto Networks Blog.

• PAN-OS 5.0.2 and subsequent releases posted to support site on or after January 15, 2013.
• PAN-OS 4.1.11 and subsequent releases posted to support site on or after February 6, 2013.

We still recommend that you use the following security policy best-practices:

• For applications that you are enabling, you should assign a specific port (default or custom).
• For applications that you explicitly want to block, expand the policy to any port, to maximize the identification footprint.

For any further updates, please work with your local Palo Alto Networks sales team and channel partner.

Nir

The post Update on the App-ID cache pollution issue appeared first on Palo Alto Networks Blog.