Providing development and engineering teams with access to cloud resources introduces challenges around deploying the proper security policies. Organizations need automated security solutions that enable their engineers to spin up their own secure environments for application development with a push of a button. Join our upcoming webinar with Palo Alto Networks, REAN Cloud, and AWS, to learn how organizations are leveraging Palo Alto Networks VM-Series and REAN Cloud to build a simple, fast, and automated solution on AWS that helps provision secure environments for developers.

1. Nick Matthews, Solutions Architect, AWS
Matt Keil, Director of Product Marketing - Public Cloud, Palo Alto Networks
John Plishker, Solution Architect, REAN Cloud
Automate the Provisioning
of Secure Developer Environments
on Amazon Web Services
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

2. What is Driving AWS Adoption?
Urgent Need to Respond to Business Needs for:
Increased
Agility
Flexibility
Lower Costs and
Transparency
More
Capabilities
Go Global in
Minutes
Remove Infrastructure
Dependencies
Remove IT as a “Blocker” to Innovation

3. Compelling Events on the Journey
Value
Time
Discovery
and Testing
Application-
Based Projects
Cloud-First /
Standardization
Business
Transformation
Build applications
to run on the AWS
Cloud
Dev & Test /
Startups
Production App
Migration
“Cloud-First”
Standardization /
Mass Migration
Automation /
Business Innovation
Projects
Current State
1
2
3
4
5

4. Automating logging
and monitoring
Simplifying resource
access
Making it easy
to encrypt properly
Enforcing
strong authentication
AWS Can Be More Secure than Your
Existing Environment
In a recent report which found that most customers can be more secure in
AWS than their on-premises environment. How?

5. AWS and You Share Responsibility
for Security

6. Constantly Monitored
 Network access is monitored by AWS
security managers daily
 AWS CloudTrail lets you monitor
and record all API calls
 Amazon Inspector automatically assesses
applications for vulnerabilities
The AWS infrastructure is protected by extensive network
and security monitoring systems:

7. Highly Available
 44 Availability Zones in 16 regions for
multi-synchronous geographic redundancy
 Retain control of where your data resides
for compliance with regulatory requirements
 Mitigate the risk of DDoS attacks using
services like Route 53
 Dynamically grow to meet unforeseen demand
using Auto Scaling
The AWS infrastructure footprint helps protect your data
from costly downtime:

8. Integrated with Your Existing Resources
 Integrate your existing Active Directory
 Use dedicated connections as a secure,
low-latency extension of your data center
 Provide and manage your own encryption
keys if you choose
AWS enables you to improve your security using many
of your existing tools and practices:

9. Key AWS Certifications and
Assurance Programs

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Palo Alto Networks
Matt Keil, Director of Product Marketing - Public Cloud, Palo Alto Networks

11. Applications and Data Are the Target
The attack life cycle applies to both physical or virtualized
networks in the cloud
Infect
User
Gain
Foothold
Move
Laterally Steal
Data
Build
Botnets
Harvest
Bitcoin
Execute Goal:
On the network
or in the Cloud

12. What We Do
Next-generation firewall on AWS
Deployed as an EC2 instance in a VPC
 Identify and control apps – not ports
 Prevent known and unknown threats
 Centrally managed for policy consistency
 Automation to keep pace with the cloud
Hourly and annual Marketplace subscriptions
and bring your own license (BYOL)
AWS Security Competency
Approved through integration with
ELB/ALB and Auto Scaling

13. Shared Responsibility Model: Where We Can
Help
Where Palo
Alto
Networks Can
Help

14. Complete
Application Visibility
Scalability &
Resiliency
Threat
Prevention
Touchless
Deployment
Application
Segmentation
Centralized
Management
 Reducing the threat exposure with
application-based security policies
 Preventing known and unknown
threats within allowed applications;
blocking lateral movement
 Controlling file movement within
allowed applications
Palo Alto Networks VM-Series Features
We Complement Security Groups and Web Application Firewalls (WAF)
by…

15. Devops and Security Working Together?
DevOps
 Dynamic environment
 Frequent workload changes
 Code security is Job 1
Security
 Structured, follow change
control best practices
 Protection of digital assets
is Job 1

16. The Solution: Automation
Fully documented XML APIXML API
Dynamic Policy Updates
Bootstrapping

17. Automate Firewall Deployments
Attach to Panorama
Device Group
vm-series-bootstrap-aws-s3-
bucket=<bucketname>
Amazon
S3
VM-Series configuration
Security policies
Firewall licenses
Software updates
Dynamic content

18. Bi-Directional Integration Via an XML API
Inbound
 XML changes to Bootstrap file
 Block lists
 3rd party policy management tools
Outbound
 Amazon CloudWatch
 ServiceNow
 Orchestration tools

19. Dynamically Update Firewall Policies

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
REAN Cloud
John Plishker, Solution Architect, REAN Cloud

21. Who We Are
Established: 2013
Presence:
USA, India
Number of Employees: 300+
AWS Certifications: 150+ (Including 15+ Professional
Certifications)
Industry Focus:
Education, Government, Healthcare / Life Sciences,
Financial Services, and ISV
Corporate Highlights:
Migration Competency
DevOps Competency
Storage Competency
Microsoft Workloads Competency
Life Sciences Competency
Government Competency
Education Competency
Financial Services Competency
Managed Services Partner
Market Place Partner

22. REAN Cloud Service Offering
REAN Managed
Cloud Services
REAN
Implementation
Services
REAN Business
Consulting
Migration
Native AWS
Application
Development
DevOps (CI|CD)
Implementation Billing as a Service
Secure Infrastructure
Setup
Security & Risk Assessment
ROI & Business Case
Justification Cloud Adoption Strategy Cloud Architecture
CloudSecOpsDataDevOpsBizDevOps
Managed Cloud Services
DR & Business Continuity Planning
(BCP) Governance & Compliance

23. REAN Cloud DevOps Adoption Steps
Test-Driven
Deployment
Automated
Deployments
Automated
Operations
Metrics
Focused
Platform
Continuous
Security &
Compliance

24. REAN Cloud - Accelerators Framework
Deploy Verify Manage
Executive
Dashboards
Operational
Accelerators
CI/CD/CC
Automations

25. REAN Deploy - Packaged Cloud Resources
Features
 Drag and Drop
Environment
 Infrastructure as Code
 Multi-Platform Support
 Provisioner Agnostic

26. REAN Deploy - Infrastructure as Code
Cloud
Provider
Resources
Application
Packages
DEV / QA / PROD
Environment Blueprint
+
CD Pipeline
Provision/Validate
Infrastructure
Provision/Validate
Applications
Functional
Regression
Testing
Security Testing
Infrastructure
As
Code (IaC)

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Success Story: Gigamon

28. Background: Who is Gigamon
Gigamon is an ISV that offers a Visibility Platform
that helps manage, secure, and understand data
in motion
 Solution levered in federal, financial services,
healthcare, and technology service providers
 Used Palo Alto Network Firewall in their on-prem
development environments
 Global offices across 20 different countries

29. Challenge: Efficiently & Securely Providing
Developer Environments
 Needed to take their solution to support the
cloud
 Did a migration to the cloud for development
and had some challenging results
 Virtually unlimited developer access to cloud
resources introduced vulnerabilities
 Unstructured environments hampered
developer productivity
 New environments being spun up by
developers put operating budgets at risk

30. Challenge: Security Bottlenecks
 Deploying third party security into VPCs was
introducing bottlenecks
 Developers wanted to operate freely, and
iterate quickly
 Security team concerned about new,
unsecured environments

31. Define and develop
a simple, fast, and
automated solution
Provision new Amazon
VPCs automatically
protected by VM-
Series Firewall
Develop control VPC
to accept new VPN
connections from
developer VPCs
Automate all workflows
to simplify the creation
of developer
environments
The Palo Alto Networks and
REAN Cloud Solution

32. Securing Developer VPCs
 Install the VM-Series into the control VPC
 Setup VPNs to VPCs and to other locations
 Implement an orchestration tool to extract
instance IP addresses
 Build bootstrap code out of the network
interfaces and IP addresses
 Leverage the bootstrap code to spin up new
environments with VM-Series and security
policies already in place

33. Creating the right foundation….
 Setting up a common
security infrastructure to
support a range of
developer needs
 Control VPC supports
connections for:
 Development VPCs
 Separate Regions
 On-Premise
 High Availability

34. Automating the deployment
 Provision the Control VPC
 Multiple automaton
approaches; REAN Deploy,
Cloud Formation,
Teraform, etc.
 Deploy in layers

35. REAN Deploy

36. Automating the VM-Series Firewall
 Fully managed
deployment in any VPC
configuration
 Bootstrap the VM-Series
Firewall
Challenge: How do you know
about the network interfaces
before you deployed the
instances

37. Automating the VM-Series Firewall
Challenge: How do you know
about the network interfaces
before you deployed the
instances
 Deploy networking
infrastructure
 Use an Orchestrator (i.e.
Jenkins)
 Pull IP addresses of
deployed configuration

38. Automating the VM-Series Firewall
 Need to create bootstrap
code
 Built config manually
 Exported configuration
 XML output

39. Automating the VM-Series Firewall
Snippet of xml configuration: Ruby ERB configuration:

40. Automating the VM-Series Firewall
 Stored the Bootstrap in S3
buckets

41. Automating the VM-Series Firewall

42.  bootstrap.xml is
generated by
the orchestrator
Automating the VM-Series Firewall

43. Automating the VM-Series Firewall
1. Provision Instances

44. Automating the VM-Series Firewall
1. Provision Instances
2. Instances read from
Bootstraps

45. Automating the VM-Series Firewall
1. Provision Instances
2. Instances read from
Bootstraps
a. HA
b. Create VPN
3. Connected to Gigamon
Office

46. Automating the VM-Series Firewall
 Use XML API to establish
HA
 Floating ENI
 Elastic IP

47. Automating the VM-Series Firewall
 Ready for Developer to
deploy
 Automated the
deployment of a series of
configurations

48. Automating the VM-Series Firewall
 5-10 minute deployment
time
 Developer up and running
with access to VPC from
on-prem network
 Automated teardown as-
well

49. Automating the VM-Series Firewall
 Ready for Developer to
deploy
 Automated the
deployment of a series of
configurations

50. Automating the VM-Series Firewall
 Ready for Developer to
deploy
 Automated the
deployment of a series of
configurations

51. Automating the VM-Series Firewall
 Included support for VPCs
in multiple Regions

52. Automating the VM-Series Firewall
 Included support for VPCs
in multiple Regions

53. Results and Benefits
Deploy one or more
already secured
developer VPCs with
the push of a button
New VPCs are
connected to central
VPC via IPsec to
maintain compliance
Unsecured developer
environments are no
longer a concern
Successfully extended
their portfolio to cloud
technologies while
maintaining efficiency
and security

54. Next Steps
Available in AWS Marketplace
 Two bundles available as annual
or hourly subscriptions
Bring your own license (BYOL)
 Pick and choose licenses,
subscriptions and support to best
suite our needs
 Supported in AWS Regions and AWS
GovCloud (US)
Palo Alto Networks REAN Cloud
Consulting Services
 Cloud Architecture Designs
 Security Assessments
Implementation Services
 Build secure Foundation (Landing Zone)
 Blueprints for various
VM Series deployments

55. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q & A
Nick Matthews, Solutions Architect, AWS
Matt Keil, Director of Product Marketing - Public Cloud, Palo Alto Networks
John Plishker, Solution Architect, REAN Cloud