Authored By: Samuel Lee @SamuelLee
We’ve just launched Cloud NGFW for Azure to strengthen security for applications running on Azure while streamlining network security operations. This fully managed, Azure-native, next-generation firewall service is built to better protect cloud-native and migrated applications with the industry’s only AI and ML-powered next-generation firewall technology.
The Rise in Cloud Adoption and Its Drivers
Here’s the context: Over the past few years, cloud adoption has been steadily on the rise, revolutionizing and reinventing the way organizations drive their businesses. To stay ahead of the competition, organizations are looking for agility and scalability in product development and processes. What’s more, cloud adoption frees up valuable resources to focus on rapid application innovation that delivers business value.
To realize the potential of cloud-driven productivity, cost savings, and competitiveness, organizations leverage hybrid and multi-cloud strategies to automate infrastructure management and deployments. Getting to these benefits is one thing. Safeguarding them is another.
Three Key Challenges of Securing Cloud Deployments
Minimizing risk is critical as data centers become virtualized and applications are developed in the cloud — or migrated to the cloud. According to the 2021 Thales Data Threat Report, almost half (45%) of US companies suffered a data breach in the past year, and those worrisome numbers continue to grow.
Those findings confirm what our customers tell us — that they struggle to adequately secure their Azure deployments against advanced cyber threats in a way that seamlessly fits into how their cloud security and network security teams work. They need their security solutions in Azure to provide these three essential capabilities:
- Prevents advanced cyber threats: Threats are constantly morphing. Basic Layer 4 security and IPS signatures are not enough to secure workloads anywhere, including in Azure. Organizations need best-in-class security to stop new threats and reduce the risk of breaches.
- Fits into how customers work in Azure: Organizations don’t want to deal with complexity or incur operational overhead to secure their deployments. They want network security to be as easy to deploy and automate as any other native Azure service.
- Works with how customers manage network security: Organizations have existing tools and processes for managing network security across multiple environments. Why change them? They want to leverage these same tools to centrally manage network security policy and logs in Azure.
Why Palo Alto Networks Created a Managed Firewall Service for Azure
Inspired by honest conversations with our customers, Palo Alto Networks has set out to create a new category of firewall that simplifies the deployment and management of the firewall — all while providing best-in-class security. Cloud NGFW for Azure meets those needs by:
Providing the ability to prevent advanced cyber threats
For the 11th straight year, Palo Alto Networks was named a Leader in the Gartner® Magic Quadrant™ for Network Firewalls. This network security leadership is built on cutting-edge technology, including the industry’s only machine learning (ML) powered NGFW, capable of stopping known, unknown, and zero-day cyber threats. It enables customers to reduce the risk of an attack by controlling network traffic based on applications identified with our patented App-ID technology.
It doesn’t stop there. Through integration with Advanced Threat Prevention, customers are able to block more unknown command-and-control (C2) traffic and more zero-day exploits in real-time than traditional IPS solutions. Add Advanced URL Filtering detection capabilities powered by Inline Deep Learning, and Cloud NGFW for Azure can prevent known and unknown malicious URLs long before other vendors.
With DNS Security, we offer the most comprehensive threat coverage against DNS-layer threats. Finally, WildFire tackles the rise in sophisticated malware and stops more evasive malware than ever before. And to provide even more flexibility, Cloud NGFW for Azure detects and stops threats in all traffic, including encrypted traffic, via integration with Azure Key Vault.
Figure 1: Best-In-Class Security features
Fitting into how customers currently work on Azure
Thanks to extensive collaboration with Microsoft Azure, we’ve integrated our industry-leading NGFW capabilities onto the Azure portal as a native service. Think about that. Because Cloud NGFW is an Azure service, you can easily use your Azure identity to create and manage firewalls directly from the Azure portal, without logging into another UI. On top of being offered as a service, Cloud NGFW is integrated with Virtual WAN Hub to provide robust, secure, and scalable connectivity between your hub and branches. This greatly simplifies security deployments for Virtual WAN, thanks in large part to our built-in auto-scaling feature.
To further leverage Azure native services, you can configure Cloud NGFW for Azure to securely access keys in Azure Key Vault to decrypt traffic and inspect it for hidden threats. Finally, to empower the automation of security management of Azure workloads, Cloud NGFW for Azure will soon be integrated with native Azure APIs, CLI, SDK, and Terraform Provider.
Dovetailing into how customers manage network security
With Panorama integration, securing your cloud migration journey will be greatly simplified. You can create and edit security rules in accordance with your organization’s security policy, across firewall deployments, from one central location: Panorama. You can also leverage the existing institutional knowledge of your security team codified as a configuration in Panorama. This allows you to maintain your current NGFW workflows and integrations, and simplify your operations by streamlining configuration and automating tasks. Finally, with Panorama integration, you will gain actionable insights into your network traffic and security threats, as well as centralized logging and visibility.
Cloud NGFW Use Cases
Broadly speaking, you can use Cloud NGFW to protect your Azure deployments from three network-based threat vectors:
The first network-based threat vector in the cloud comes from outbound connections to the Internet. As applications need to download software updates from the Internet and connect to API services such as Google, most organizations' firewalls are configured to allow these outbound connections. However, these connections can also be used to download malware, establish connections to command-and-control servers, and exfiltrate your critical data. If these outbound connections are secured using Cloud NGFW, these malicious connections can be automatically blocked to prevent exploitation by ransomware, stop command-and-control applications, and prevent data exfiltration.
The second threat vector comes from allowing traffic from the Internet to connect to applications such as a web server. Cybercriminals can use these network connections to exploit unknown or unpatched vulnerabilities in application software.
While organizations aim to patch all the vulnerabilities before the applications go into production, there are several reasons why vulnerabilities continue to exist in your environment. Unknown vulnerabilities can persist for years: the Log4J vulnerability existed for seven years before it was discovered and announced as a common vulnerability and exposure (CVE). There might be hundreds of such vulnerabilities out there that are being exploited by attackers, which organizations are unaware of and hence unable to patch.
Even in the best-case scenario, where a patch exists, delays in patching still occur. It takes enterprises weeks or even months to patch these vulnerabilities. During these gap periods, organizations are exposed while trying to patch these vulnerabilities. If your organization's inbound connections are secured using Cloud NGFW, it can block attackers from exploiting these vulnerabilities while you work on patching. It buys you time and acts as a compensating control. Additionally, Cloud NGFW traffic logs provide deep visibility and context of network traffic (such as country, URL category, App-ID, application functions, filename, and file type) to your SIEM, CSPM, and CWP tools. This added visibility further helps identify, isolate, and remediate compromised or unpatched workloads.
Lastly, the third threat vector is lateral connections between workloads in your environment. For example, multiple applications may need to connect to a database server. To follow the true philosophy of Zero Trust, organizations need to protect all connections within their environment, including those between internal workloads and applications. Otherwise, organizations run the risk of hackers using a breach of one application to spread laterally to other applications.
Cloud NGFW in Action
Setup and deployment is a simple process, as shown below and demonstrated in this video walkthrough.
Explore the Benefits of Cloud NGFW for Azure with Your Free Trial
To get started with a 30-day free trial, visit the Azure Marketplace. To get more technical details, please take a look at the documentation and FAQ pages. Cloud NGFW for Azure is currently available in five regions across the world: East US, East US 2, Central US, Australia East, and West Europe. Rapid expansion to additional regions is planned.