Monday, August 12, 2019

Rapid Adoption of Public Cloud Opens a Cybersecurity Gap, Warn Cybersecurity Professionals

Most European and Middle East cybersecurity professionals at organisations using DevOps practices within the public cloud think that their organisations are trading speed for security. In a recently published cloud security study commissioned by global security leader Palo Alto Networks® (NYSE: PANW), 72 percent of cybersecurity professionals said that the rate of public cloud adoption is presenting avoidable security risks to software updates.

The DevOps model increases collaboration between development and operations teams, allowing for a fast-paced method of application creation and enhancement. Organisations now use this model to attain faster application delivery, enhanced innovation, more stable operating environments, and performance-focused employee teams. Yet as the DevOps model is enthusiastically adopted, the survey findings indicate that cybersecurity has been overlooked and organisations might be vulnerable as a result. Most notably:

  • There is concern among cybersecurity professionals about whether cybersecurity can match the speed and frequency with which DevOps updates apps and services within the public cloud. Only 47 percent of survey respondents indicated that they are confident that cybersecurity is working well for DevOps teams operating within the public cloud.
  • Only 22 percent of cybersecurity professionals stated they had a strong grasp of the risks and needs that come with securing DevOps-operated environments within the cloud.
  • Nearly 75 percent (73 percent) believe that their organisations have either fully or partially adopted DevOps in the public cloud. They are regularly deploying and changing software, with one in five doing many updates every week.


As Greg Day, vice president and CSO for EMEA at Palo Alto Networks, explains: “DevOps is proven to deliver strong results. Rapid delivery of code, infrastructure and data enables organisations to meet the needs of their customers faster than ever and stay ahead of their competitors. However, too often, the speed and complexity of delivery has led to traditional cybersecurity processes failing to complete even rudimentary checks and controls at the same rapid pace, leading to unnecessary risks. Indeed, we have seen over half failing to meet basic password management policies. Organisations won’t wait for security teams to catch up, so they must leverage native integration points and automate their cybersecurity capabilities to deal with the continuous and real-time visibility and governance required to keep pace with DevOps practices.”

The Palo Alto Networks Security Operating Platform enables organisations to confidently deploy applications within the cloud by preventing data loss and business disruption. Palo Alto Networks customers operating in hybrid and multi-cloud environments benefit from an extensive and consistent security offering that integrates directly with cloud platforms.

Saturday, August 10, 2019

Leading Indonesian Bank Turns to Palo Alto Networks Next-Generation Firewalls to Future-Proof Its IT Security

Palo Alto Networks® (NYSE: PANW), the global cybersecurity leader, announced today that Bank Central Asia has switched to its next-generation firewalls and latest network security management. The move is intended to future-proof the bank’s approach to cybersecurity.

BCA is among Indonesia’s leading retail banks, with roughly 16 million customers, 1,213 branches and 17,207 ATMs. With an annual 20 percent rise in its mobile banking, the bank is digitizing many of its operations. As malware attacks become common and a growing number of customers conduct all their banking online, digital security has become a prime concern.

For digital banking to work, BCA recognized its customers must enjoy an always-on experience with the reassurance of rock-solid security. The bank responded by selecting a suite of Palo Alto Networks next-generation firewalls, including the PA-3000 Series and PA-5000 Series, as well as the WildFire® cloud-based threat analysis service and Panorama™ network security management.



Palo Alto Networks next-generation firewalls classify all traffic, including encrypted traffic, based on criteria such as application function, user and content. BCA’s network security team can now create comprehensive security policies, resulting in the fast and safe enablement of new applications. By allowing only approved users to run sanctioned applications, the surface area exposed to cyberattacks has been considerably reduced across the entire bank. Furthermore, Panorama enables the bank to considerably reduce administrator workload through a single rule base for firewall, Threat Prevention, URL Filtering, App-ID™ and User-ID™ technologies, as well as file blocking and data filtering.

BCA now enjoys complete visibility from a single console, giving it greatly improved and simplified control. As a result, the bank can now make any necessary changes in one place, with automation handling a larger share of the work.

About Bank Central Asia


Bank Central Asia is a leading private bank in Indonesia focusing on business banking transactions, credit loan facilities, and financial solutions for corporate, commercial, and SME, as well as individual customers. The bank currently facilitates banking transactions for more than 16 million customers through 1,213 branches and 17,207 ATMs. It also supports 24-hour internet and mobile banking.

Thursday, August 8, 2019

Palo Alto Networks Announces Intent to Acquire RedLock

Palo Alto Networks® (NYSE: PANW), the global cybersecurity leader, today announced it has entered into a definitive agreement to acquire RedLock Inc., a cloud threat defense company. Under the terms of the agreement, Palo Alto Networks will pay approximately $173 million in cash to acquire RedLock. The acquisition is expected to close during Palo Alto Networks fiscal first quarter, subject to the satisfaction of customary closing conditions. RedLock co-founders Varun Badhwar and Gaurav Kumar will join Palo Alto Networks.

Palo Alto Networks already provides a broad security offering for multi-cloud environments with inline, host-based, and API-based security, which was bolstered by the acquisition of Evident.io in March 2018. The company currently serves more than 6,000 cloud customers globally with its cloud security portfolio, which includes VM-Series next-generation firewall, Aperture, Evident, and GlobalProtect cloud service.

Palo Alto Networks will combine the Evident and RedLock technologies to provide customers with cloud security analytics, advanced threat detection, continuous security, and compliance monitoring in a single offering expected early next year. The company expects the new offering to help security teams respond faster to the most critical threats by replacing manual investigations with automated, real-time remediation and reports that highlight an organization’s cloud risks.

About RedLock


RedLock provides effective threat defense across public cloud environments to help organizations ensure compliance, govern security, and enable security operations. The RedLock Cloud 360™ platform takes an AI-driven approach that correlates disparate security data sets to provide comprehensive visibility, detect threats, and enable rapid response across an organization’s entire public cloud environment.

About Palo Alto Networks


We are the global cybersecurity leader, known for always challenging the security status quo. Our mission is to protect our way of life in the digital age by preventing successful cyberattacks. This has given us the privilege of safely enabling thousands of organizations and their customers. Our pioneering Security Operating Platform emboldens their digital transformation with continuous innovation that seizes the latest breakthroughs in security, automation, and analytics. By delivering a true platform and empowering a growing ecosystem of change-makers like us, we provide highly effective and innovative cybersecurity across clouds, networks, and mobile devices.

Tuesday, August 6, 2019

Palo Alto Networks Recognized as a Leader in Gartner Magic Quadrant for Enterprise Network Firewalls Seven Times in a Row

Palo Alto Networks® (NYSE: PANW), the global cybersecurity leader, today announced that, for the seventh consecutive time, the company has been recognized in the Leaders quadrant of the "Magic Quadrant for Enterprise Network Firewalls" by Gartner, Inc.

According to the report, "The Leaders quadrant contains vendors that build products that fulfill enterprise requirements. These requirements include a wide range of models, support for virtualization and virtual LANs, and a management and reporting capability that is designed for complex and high-volume environments, such as multitier administration and rule/policy minimization. A solid NGFW capability is an important element, as enterprises continue to move away from having dedicated IPS appliances at their perimeter and remote locations. Vendors in this quadrant lead the market in offering new features that protect customers from emerging threats, provide expert capability rather than treat the firewall as a commodity and have a good track record of avoiding vulnerabilities in their security products. Common characteristics include handling the highest throughput with minimal performance loss, offering options for hardware acceleration and offering form factors that protect enterprises as they move to new infrastructure form factors."

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Sunday, August 4, 2019

Roadmap to Success: Palo Alto ACE

Palo Alto firewalls have emerged as a real force in the IT industry. As a striking number of organizations are turning to Palo Alto products to improve security, the Palo Alto Accredited Configuration Engineer (ACE) has become a highly sought-after certification for employers. Roles for which the ACE is valuable include network security administrator, firewall administrator, network security engineer, and more.

Palo Alto Accredited Configuration Engineer (ACE)


The Palo Alto Accredited Configuration Engineer (ACE) certification is designed to test learners’ understanding of the core features of Palo Alto next-generation firewalls. The main objective of the ACE exam is to serve as an objective indication of a learner’s ability to configure Palo Alto Networks firewalls using PAN-OS. For the ACE certification, learners should be prepared to address topics including interfaces, zones, security policies, guidelines, and more.

The ACE certification consists of one exam, which is covered in CBT Nuggets training:

Palo Alto Networks Firewall


The ACE is an intermediate-level certification. Learners pursuing the ACE should have knowledge of networking concepts and a basic understanding of security concepts. Most typically, learners on this path have 2-5 years of experience working directly with networking and/or security.

Learn more about Palo Alto Networks firewalls from these previous blogs, webinars, and more:

  • Six Reasons to Learn Palo Alto Firewalls
  • Recording: Power Palo Alto Firewalls (webinar recording)
  • Cisco ASA vs. Palo Alto Networks Firewalls


Exam Registration and Authorization


Palo Alto administers certification exams through its Learning Center. To register for an exam, learners must first on line.

Exam Details


The ACE exam is a unique certification exam experience in many ways. Carefully review the information below to fully understand what to expect from the ACE exam.

Time allotted for exam: Unlimited - there is no time limit for the ACE exam.

Number of questions: 50

Passing score: Palo Alto does not publish the passing score; however, learners can retake the test as many times as necessary to achieve a passing score.

Question types: Multiple choice

Exam registration: Palo Alto Networks

Exam cost: Free

Recertification


The ACE certification has no recertification requirements. However, the ACE certification changes with major revisions to the software that runs the Palo Alto Networks platform. Although the ACE is, effectively, a lifetime certification, it may be outdated by more current versions of the credential.

The Next Step


The ACE certification is the first of just two certifications offered by Palo Alto Networks. Those who complete the ACE are eligible to continue on to the Palo Alto Networks Certified Network Security Engineer (PCNSE).

Friday, August 2, 2019

Cloudy with a Chance of Entropy

The word “cloud” has been popular in the industry lexicon since 2006, when Amazon Web Services (AWS) launched its Elastic Compute Cloud (EC2). The latest Cloud Threat Report from Unit 42, which was released today, shows that organizations still struggle with securing public cloud platforms some 13 years after the launch of EC2. The report highlights key insights on cloud threats based on intelligence collected from multiple data sources between January 2018 and late June 2019.

Among other findings, the report shows:

  • Shortcomings in on-premises patching habits are carrying over to the cloud. Unit 42 found more than 34 million vulnerabilities across various cloud service providers (CSPs). These vulnerabilities stem from the applications customers deploy to CSP infrastructure, such as outdated Apache servers and vulnerable jQuery packages. Researchers identified:


  1. 29,128,902 vulnerabilities in Amazon EC2
  2. 1,715,855 in Azure Virtual Machine
  3. 3,971,632 in GCP Compute Engine


Patching is a struggle, as many standalone vulnerability management tools lack cloud context and end up scattered across multiple consoles. Organizations need to consolidate tools to create a cloud-centric view.

  • Default and insecure container configurations are rampant. Unit 42 research reveals more than 40,000 container systems operate under default configurations. This represents nearly 51% of publicly exposed Docker containers. Many of the systems identified allowed unauthenticated access to the data they contained. We recommend at a minimum placing every container with sensitive data behind a properly configured security policy or an external-facing firewall that prevents access from the internet.
  • Cloud complexity is yielding low-hanging fruit for attackers. Of publicly disclosed cloud security incidents, 65% were caused by misconfigurations. Organizations that had at least one Remote Desktop Protocol (RDP) service exposed to the entire internet amounted to 56%, even though all major cloud providers natively give consumers the ability to restrict inbound traffic. This represents an opportunity to consolidate cloud-based network controls with well-established on-premises management systems.
  • Malware has extended its reach to the cloud. Unit 42 found 28% of organizations communicating with malicious cryptomining C2 domains operated by the threat group Rocke. We have been closely tracking the group and noted the group’s unique tactics, techniques and procedures (TTPs), which give them the ability to disable and uninstall agent-based cloud security tools. Timely and consistent patching schedules for cloud-based systems are an expedient way to slow similar malware threats.
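The RDP exposure finding above is something a team can check in its own account. The following is an added example, not code from the report or from this blog: it scans data in the shape of an EC2 DescribeSecurityGroups response for inbound rules that admit port 3389 from the whole internet, including "all protocols" rules and wide port ranges that cover RDP implicitly. The group IDs and names are constructed sample values.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa0000000000001", "GroupName": "jump-hosts",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0aaa0000000000002", "GroupName": "legacy-any-any",
         "IpPermissions": [
             # "-1" means every protocol and port; no FromPort/ToPort is present.
             {"IpProtocol": "-1",
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0aaa0000000000003", "GroupName": "admin-vpn-only",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0aaa0000000000004", "GroupName": "wide-port-range",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]
}


def rule_covers_port(permission, port):
    """True if the inbound rule admits the given TCP/UDP port."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # all traffic
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    # A missing bound is treated as unbounded so the audit errs on reporting.
    low = permission.get("FromPort", 0)
    high = permission.get("ToPort", 65535)
    return low <= port <= high


def world_sources(permission):
    """Return the rule's source CIDRs that match every address (prefix /0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed_rdp(response, port=RDP_PORT):
    """List every (group, rule, source) that exposes the port to the internet."""
    findings = []
    for group in response.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in world_sources(perm):
                findings.append({
                    "group_id": group["GroupId"],
                    "group_name": group.get("GroupName", ""),
                    "protocol": perm["IpProtocol"],
                    "ports": (perm.get("FromPort"), perm.get("ToPort")),
                    "source": cidr,
                })
    return findings


if __name__ == "__main__":
    for f in find_exposed_rdp(SAMPLE_RESPONSE):
        print("{group_id} ({group_name}): proto={protocol} ports={ports} "
              "open to {source}".format(**f))
```

In the sample, the any-protocol group and the 1024-65535 range are reported alongside the explicit 3389 rule, which is why a search for the literal port number alone undercounts exposure.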

Wednesday, July 31, 2019

NextWave Enhancements Drive Record-Breaking Quarter for Partners

It's a great time to be a NextWave partner. Together, we continue to seize new growth opportunities. Our disruptive technologies differentiate us from the competition, and our recently enhanced partner program is fueling mutual success.

When we launched our NextWave enhancements in February, we highlighted our objectives to increase program flexibility, fuel long-term partner growth, and accelerate the transition to partner-delivered services. We delivered eight (8) new profitability initiatives and three (3) new opportunities to help you build or expand your services-led business, and we automated three (3) significant business systems to optimize partner productivity.

This month, we demonstrated the program’s flexibility and our commitment to helping you maximize profitability with an additional three incentives that reward you for incorporating our latest innovations into your customer offerings.



Your adoption of the NextWave enhancements has been phenomenal. In just three months, we’re seeing partners achieve growth levels that are ahead of what we expected this early into the new program. In Q3 FY19, our most recently completed quarter, partners drove some jaw-dropping results:

  • Nearly 400 partners saw their businesses grow by 100% year over year
  • Partners initiated a record-breaking increase in pipeline with 59% YoY growth
  • Partners secured a record-breaking 2,000 new customers
  • Partner-initiated bookings increased 63% year over year


In addition to the enhanced NextWave program, we recently completed our global partner satisfaction survey. The response was unparalleled, and the results are even more impressive. Every year, we invite you to rank every aspect of our channel strategy. The feedback you provide is critical to shaping our channel strategy so we stay ahead of changing market dynamics. This year over 4,200 partners completed the survey - a business record. The best part: you rated Palo Alto Networks as the No. 1 cybersecurity vendor in the following critical partnership areas:

  • Profitability
  • Margins
  • Revenue
  • Growth
  • Product satisfaction
  • Expertise opportunities


As we evolve with you into the services-driven economy, we're pleased that around the world, you've embraced the enhancements we introduced to fuel mutual business growth and enable more partner-led services. The expertise opportunity around Palo Alto Networks product offerings ranks 50% higher than the next highest industry vendor. According to you, we're the clear leader for new growth opportunities, outranking the competition by 300%.

“Some of the new enhancements to the NextWave program are key items we have been requesting to help Sirius deliver many of the solutions and services our clients need to drive better engagement and loyalty,” said Deborah Bannworth, senior vice president for Strategic Alliances, Inside Sales & Maintenance Services at Sirius Computer Solutions, Inc.

We continue to listen, learn, and act to support our NextWave partners in building successful Palo Alto Networks security-based practices. The success you’re seeing from the changes we’ve made to help grow your business is encouraging. We look forward to remaining your partner of choice and winning together!

Sunday, July 28, 2019

See the Unseen in AWS Mirrored Traffic With the VM-Series

Gain Complete Visibility and Eliminate Network Blind Spots in AWS Cloud


AWS’ inaugural security event re:Inforce is finally here. Furthermore, the event marks the launch of another exciting new feature from AWS: VPC Traffic Mirroring. This feature provides a non-intrusive way to enable network visibility into your AWS deployments without requiring significant design changes to virtual network architecture.

Equally exciting, Palo Alto Networks has built an integration of its VM-Series Virtualized Next-Generation Firewall with the AWS traffic mirroring capability. The VM-Series is the industry-leading virtualized firewall protecting your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level.

The VM-Series has supported AWS cloud since 2014 with inline security protections for application workloads running in the cloud. According to Mukesh Gupta, vice president of Product Management at Palo Alto Networks, “Enterprises require consistent security in the cloud without sacrificing deployment flexibility and choice. Along with inline threat prevention capabilities, the integration of the VM-Series with the newly announced AWS traffic mirroring capability gives organizations an option to deploy the firewall out-of-band for application visibility and advanced threat detection in AWS cloud.”



The VM-Series on AWS deployed out of band now supports two critical security outcomes in AWS cloud:

  • Granular visibility into application traffic and detection of network-borne threats through inspection of mirrored traffic.
  • Rapid detection and response against advanced attacks using an AI-driven approach, such as Cortex by Palo Alto Networks.


Application visibility and threat detection


The VM-Series on AWS can analyze, filter, and process the raw data available through the AWS traffic mirroring capability within AWS cloud and provide contextually rich application, content, and threat information. The need to move data out of AWS cloud for further processing is eliminated, saving cost and providing deep insight into network traffic. Based on this deeper inspection, customers can choose to enable alerts for a range of security issues, for example:

  • High priority security alerts: Attacks using known exploits, for example, an attempt to exploit CVE-2017-5638 for Apache Struts-based web servers running in AWS. Essentially, the VM-Series becomes an intrusion detection system (IDS).
  • Traffic to inappropriate, malicious destinations and command-and-control networks: identify whether the source/destination is inappropriate or malicious, whether there are geoblocking restrictions to be met, or whether there is bitcoin traffic or an SSH session to a known command-and-control (C2) domain.


Based on the visibility and detection (in logs), you can filter for events, and enable alerts and actions that can trigger remediation using Action-Oriented log forwarding over HTTP(S). This provides a webhook to create a ticket in a service desk system or a security orchestration and response tool, such as Demisto, or launch an AWS Lambda function, which can quarantine by shutting down the instance or locking down the Security Group.

Rapid detection and response against advanced attacks


The VM-Series firewall supports enhanced application logging, which converts raw packet data from AWS mirrored network traffic into context-aware network activity information for storage in Palo Alto Networks cloud services, including Cortex Data Lake. Security applications, such as Cortex XDR, can begin analyzing the rich data collected, using analytics and machine learning to detect stealthy attacks and expedite security investigations precisely. Identified threats can be mitigated through automated response from Demisto and other security orchestration and response tools.




Tuesday, May 21, 2019

All Layers Are Not Created Equal

How the Principles of Journalism Help Define Zero Trust Policy


Everyone knows that in order for a news article, blog post or white paper to have any credibility, a writer needs to cover the “who, what, where, when, why and how” of the topic. Without covering these things, the reader is left with a partial story. We can credit Rudyard Kipling for clearly defining these journalistic essentials for us:

I keep six honest serving-men

(They taught me all I knew);

Their names are What and Why and When

And How and Where and Who.

-Rudyard Kipling, Just So Stories, 1902

However, the usefulness of this “Kipling Method” extends far beyond journalistic best practices. For years, I have used the Kipling Method to help companies define policy and build Zero Trust networks. It ensures that security teams are thorough in their definitions and that anyone, including non-technical business executives, can understand cybersecurity policies due to the simplicity of the approach. Given that the first design principle of Zero Trust is to focus on business objectives, this method is particularly useful.

Policy at Layer 3 vs. Policy at Layer 7


In order to actually apply the Kipling Method and build a real Zero Trust architecture, you need to understand why it cannot be done with Layer 3 technologies.

First, what is the difference between Layer 3 and Layer 7? Layer 3 is the layer where information is evaluated based only on IP address, port or protocol. It is severely limited by the lack of information that can be seen. IP addresses can be spoofed. Simple port scans will uncover all the open ports so that the attacker can encapsulate stolen data and exfiltrate it across the open port, and the protocol is really just a metadata tag to help the administrator understand the type of traffic that is supposed to be traversing a specific port. Most importantly, ALL adversaries know how to bypass Layer 3 controls. You need to be able to define things with higher fidelity to keep your company secure.

Layer 7 is much more specific. It is where information is evaluated based on the actual application that’s being used (for example, defining Facebook as a unique application rather than traffic running across ports 80 and 443). While at Forrester, I created a five-step methodology to a Zero Trust network. The fourth step states that you need to write policy rules for your segmentation gateway based on the expected behavior of the data and the user or applications that interact with that data. This is what the Palo Alto Networks Next-Generation Firewall, serving as a segmentation gateway in a Zero Trust environment, allows you to do, and due to the granularity of the policy, it can only be done at Layer 7.



Applying the Kipling Method Using the Palo Alto Networks Next-Generation Firewall


Here’s how you can apply the Kipling Method when deploying the Palo Alto Networks Next-Generation Firewall, using our revolutionary User-ID, App-ID and Content-ID technologies:

  • User-ID becomes a WHO statement: “Who is accessing a resource?”

User-ID is a Layer 7 instantiation of the approximation given by the source IP address. For example, we can grab OUs from Active Directory to pull domain users into a custom User-ID. We can then add things like multifactor authentication (MFA) or the Host Information Profile (HIP) from our GlobalProtect client to enrich the fidelity of the “Who” statement. We can also add MFA to a User-ID and an additional attribute for more granular control.

  • App-ID becomes a WHAT statement: “What application is being used to access the resource?”

Palo Alto Networks currently has more than 2800 published App-IDs (visit Applipedia to see the growing list) to be used in building these rules. This means that attackers can no longer use a generic application, such as web services (HTTP/HTTPS), to bypass the security control.

  • Content-ID becomes a HOW statement: “How should the User-ID and App-ID traffic be allowed to access a resource?”

Content-ID includes Threat Prevention rules, our advanced intrusion prevention capability; SSL Decryption so that malicious traffic and stolen data can’t hide inside of encrypted tunnels; URL Filtering so that users don’t go to malicious or phishing domains; WildFire, our state-of-the-art sandbox technology that redefines the way malware is stopped; and our new DNS Security service, which applies predictive analytics for automated protections to thwart attacks that use DNS.

With these three technologies defining WHO, WHAT and HOW statements, a basic Kipling Method Layer 7 rule can be easily defined and then implemented using our Panorama management system. Additionally, PAN-OS has the ability to add a WHEN statement (a time delineated rule); a WHERE statement, which is the location of the resource (this can often be automatically pulled into Panorama via an API); or a WHY statement by reading metadata from a data classification tool and using that in the rule.
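To make the contrast between an address-and-port rule and a Kipling Method rule concrete, here is an added example that is not PAN-OS configuration and not code from the original post. It models one Layer 3 rule and one WHO/WHAT/WHEN/WHERE/HOW rule and runs the same constructed sessions through both; the group names, application labels and resource label are hypothetical, and the WHY clause is left out for brevity.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    user_group: str     # WHO: identity resolved for the session
    application: str    # WHAT: application identified from the traffic itself
    threat_found: bool  # HOW: verdict of content inspection
    at: time            # WHEN: local time of the session
    resource: str       # WHERE: label of the protected resource


@dataclass(frozen=True)
class Layer3Rule:
    """Allows on source network, destination address and port only."""
    src_net: str
    dst_ip: str
    dst_port: int

    def evaluate(self, s):
        ok = (ip_address(s.src_ip) in ip_network(self.src_net)
              and s.dst_ip == self.dst_ip and s.dst_port == self.dst_port)
        return "allow" if ok else "deny"


@dataclass(frozen=True)
class KiplingRule:
    """Allows only when every clause matches; everything else is denied."""
    who: frozenset
    what: frozenset
    where: str
    when_start: time
    when_end: time

    def evaluate(self, s):
        """Return (action, first clause that failed or None)."""
        if s.user_group not in self.who:
            return ("deny", "WHO")
        if s.application not in self.what:
            return ("deny", "WHAT")
        if not (self.when_start <= s.at <= self.when_end):
            return ("deny", "WHEN")
        if s.resource != self.where:
            return ("deny", "WHERE")
        if s.threat_found:
            return ("deny", "HOW")
        return ("allow", None)


# Hypothetical policy: finance users may reach the ERP web application.
L3 = Layer3Rule(src_net="10.1.0.0/16", dst_ip="10.20.0.15", dst_port=443)
L7 = KiplingRule(who=frozenset({"finance"}), what=frozenset({"erp-web"}),
                 where="erp-prod", when_start=time(7, 0), when_end=time(19, 0))


def make_session(**overrides):
    """Build a constructed session; defaults describe the intended use."""
    fields = dict(src_ip="10.1.4.20", dst_ip="10.20.0.15", dst_port=443,
                  user_group="finance", application="erp-web",
                  threat_found=False, at=time(10, 30), resource="erp-prod")
    fields.update(overrides)
    return Session(**fields)


# Constructed sessions: all share the same addresses and port.
SESSIONS = {
    "intended use": make_session(),
    "tunnel over 443": make_session(application="unknown-tcp"),
    "other user, same subnet": make_session(user_group="contractors"),
    "out of hours": make_session(at=time(2, 15)),
    "malicious content": make_session(threat_found=True),
}


def compare(sessions=SESSIONS):
    """Map each session name to (layer3_action, layer7_action, failed_clause)."""
    return {name: (L3.evaluate(s), *L7.evaluate(s))
            for name, s in sessions.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:26} L3={verdict[0]:5} L7={verdict[1]:5} clause={verdict[2]}")
```

Every session is allowed by the Layer 3 rule because the addresses and port never change; only the rule with the additional clauses separates the intended use from the other four.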



The Kipling method has been designed to help both business leaders and security administrators define granular, Layer 7 policies using the simple who, what, when, where, why and how methodology given to us by Rudyard Kipling. Individuals who have never considered writing firewall policy can easily understand this methodology and help define the criteria necessary to create a rule set for your segmentation gateway.

Friday, April 12, 2019

Times Are Changing for Remote Access


What’s the Difference Between Remote Access and VPN?


Remote access VPN has been a staple for large enterprises for years, and it’s easy to understand why many people think that “remote access” and VPN are synonymous with one another. I often find it’s useful to have a discussion about the terminology before diving into what the requirements are for securing today’s application mix.

“Remote access” is a use case, and it’s very specifically referring to the scenario when an off-prem user, sitting on an external, untrusted network, needs to reach internal applications in the data center. Users are remotely accessing internal resources.

VPN is the tunneling method used to make remote access possible across a broad range of applications, over all ports and protocols. VPN provides the encrypted connection for privacy, but it does not provide the traffic inspection for visibility and security. However, the majority of remote access VPN deployments are based on a hub-and-spoke topology because the user is trying to reach an internal data center. Therefore, the traffic can be inspected by the corporate firewall. Both the networking team and the security team are on common ground, given that the networking path is optimal and the security is in place.

Shifting Applications to the Cloud


What happens when applications shift to the cloud? Now, both the mobile user and the application are off-prem, and “remote access” is only one use case. Access to the cloud is also necessary and increasingly important. That’s when architectural differences of opinion start to crop up on how to build out the right security to support different networking requirements. Cloud and networking teams would both argue (quite correctly) that it doesn’t make sense to send traffic over a hub-and-spoke network just to reach the internet egress point at headquarters. Therefore, instead of remote access VPN for these use cases, many organizations are using other types of access approaches to cloud and internet applications, such as CASB for SaaS or a cloud access proxy for public cloud/internet web access.

New types of issues crop up because controlling access isn’t the only security issue. Inspection of traffic, using three different inspection methods with variations based on which application is being used and where the user is located, is not a good idea. It’s an even worse idea when you consider that both CASB and proxy do not secure all traffic, and anything less than full inspection of the traffic leaves open-ended questions about what happens to the uninspected traffic. Is it benign; are there C2 communications over non-standard ports; or is data being exfiltrated out of a compromised endpoint?

Therefore, full tunnel traffic, properly inspected across all ports and protocols, is the right thing to do from the perspective of security; it’s just that remote access VPN is the wrong way to do it. You can’t build a cloud-focused application strategy around a hub-and-spoke topology. A modern approach requires a new architecture.

Using GlobalProtect Cloud Service as Your Security Architecture


With GlobalProtect cloud service, mobile workforces gain access to all of their applications, whether to the public cloud, SaaS or the internet. All users, no matter where they are, are consistently protected in the same manner. Whenever a user has access to the internet, the GlobalProtect app (on the user’s laptop, mobile phone or tablet), automatically establishes an IPsec/SSL VPN tunnel to GlobalProtect cloud service. The traffic receives full inspection across all ports and protocols, including encrypted SSL/TLS traffic, no matter whether the application lives in the public cloud, private cloud or on the internet. With security policy defined on traffic classification based on App-ID, organizations can further specify access policies based on User-ID, and Host Information Profile as well as consistently enforce protections against exploits, malware, credential theft and other cybersecurity threats.

As you look at your mobile workforce strategy, think about how to use the GlobalProtect cloud service as your security architecture. Instead of being tied down to the architectural limitations of remote access VPN, use GlobalProtect cloud service to move your networking and security forward with support for all of the applications your users need.