Public Sector Cloud Journey Guidance
Security in the Cloud for Public Sector Organisations

Palo Alto Networks | Public Sector Cloud Journey Guidance | White Paper 1
Now that you understand the differences in responsibility between your organisation and your cloud service provider (CSP), as outlined in the overview paper, your journey to the cloud presents three fundamental security challenges:

• How to enable users to access the cloud securely
• How to monitor cloud configuration for compliance and threats
• How to secure applications and data in the cloud

Each of these challenges spans the entire cloud migration lifecycle throughout your organisation’s journey to becoming fully cloud native. This document identifies a three-phase approach for your cloud journey to help your organisation achieve a good security posture for your part of the shared responsibility in the cloud.

[Figure 1 (staircase diagram): Phase 1 — Lift and Shift (Cloud Progress: Actively Shifting); Phase 2 — Configuration Management (Cloud Progress: Finalizing Shift); Phase 3 — Cloud Native (Cloud Progress: Fully Shifted, Established Processes). Each phase lists its Objectives and Other Security Concerns.]
Figure 1: Palo Alto Networks cloud maturity model for public sector organisations

Phase 1: Lift and Shift—Establish Perimeter Defense

A cloud journey usually begins at the ‘lift and shift’ phase: migrating to the cloud. This involves transitioning on-premises infrastructure to cloud-based virtual machines (VMs) whilst maintaining most of the configuration from the migrated on-premises infrastructure and applications. Phase 1 migrations are typically deployed in a single standalone virtual private cloud (VPC) or virtual network (VNet) with no dependencies on outside resources. As part of this phase, your organisation should also deploy a well-designed transit VPC or VNet.

The challenge in this phase is ensuring that your organisation achieves a good security posture and protects itself against threats, such as data exfiltration. This must also take into consideration supporting scalability and resilience, including native support for inbound, outbound, and east-west traffic inspection.

With Palo Alto Networks PA-Series (hardware) and VM-Series (virtual) Next-Generation Firewalls (NGFWs), you can ensure secure interconnectivity between CSP instances and residual on-premises capabilities as required. In addition, you can centrally administer all Palo Alto Networks NGFWs through Panorama™ network security management as well as provide integration with Prisma® Access and our cloud native security platform to enable the next step of the migration journey.

Figure 2 illustrates how you can implement a strong perimeter defense based on VM-Series NGFWs, which can be deployed on public, hybrid, or private clouds and offer the same features, benefits, and management as the physical NGFWs deployed elsewhere in your organisation.

[Figure 2 (diagram): Phase 1: Pre-Migration. A VM-Series firewall (labels: UF, WF, TP) provides Boundary Protection and is managed through Panorama Central Policy Management from HQ/Central Management Support.]
Figure 2: Perimeter defense with the VM-Series

Harmonise Security and Visibility Across Your Infrastructure

Palo Alto Networks offers multiple complementary security functions that work together in a single, natively integrated firewall platform, safely enabling users while protecting data by providing secure network connectivity for your enterprise networks and multi-cloud environments. VM-Series NGFWs deliver inline network security and threat prevention to support your specific governmental cloud security best practice guidelines and policies. The firewall platform is designed to deny all and permit by exception, enabling positive control over a range of threats, including passive and active threats, insiders, and integrator risks.

To simplify secure connections from your on-premises networks to your cloud environments, you can effectively manage segmented connectivity through logical firewall instances that provide both security and privacy. By deploying Palo Alto Networks NGFWs to protect your cloud boundary and workload environments against unauthorised access, your organisation will benefit from a comprehensive view of all network traffic to ensure visibility, maintain situational awareness, and increase agility as you shift operations to the cloud, as shown in Figure 3.

[Figure 3 (diagram): Phase 1: Migrate. Two VM-Series firewalls (labels: UF, WF, TP) provide Boundary Protection at the TIC/CAP and Workload Protection for the Mission Owner’s Traditional App.]
Figure 3: Protecting your cloud boundary

The VM-Series integrates with our cloud native security platform to automate routine tasks and establish cloud native enforcement policies, which marks your organisation’s entry into Phase 2.



Phase 2: Configuration Management—Establish Configuration Monitoring

Phase 2 involves making sure you understand what is going on in your public cloud environment: What resources do you have? Are they compliant? Who is connecting to your environment? From where are they connecting? What are they accessing?

The right monitoring and response tools are make-or-break factors for any organisation. You don’t know what you don’t know—without visibility into your environment, you are at a security disadvantage. Ensuring that your cloud environments meet compliance and conformance requirements provides confidence and releases resources (both staff and time) to address other critical concerns for the organisation.

Threat monitoring of inbound and outbound network traffic relative to your resources is extremely important. The VM-Series secures your perimeter, but you also need to verify the network configurations of your resources to understand which ones are connected to the internet as well as who is connecting to them. Then, you need a way to do proper forensics on the data and remediate open systems.

The next step is to establish a means of alerting the necessary parties to any discovered issues or threats as well as create a remediation plan.

[Figure 4 (screenshot): Single location for complete visibility, with interactive dashboards to keep tabs on your security posture.]
Figure 4: Multi-cloud visibility in a single pane of glass

How Palo Alto Networks Can Help

With Palo Alto Networks Prisma Cloud, you have complete visibility into all your resources. Leveraging more than 30 vulnerability intelligence sources, machine learning (ML)-powered user and entity behaviour analytics (UEBA), and a vast built-in policy library, you can identify and fix misconfigurations, ensure compliance, and protect privileged users.

This level of visibility offers you a complete picture of who is logging into your environment and from where. Prisma Cloud uses its ML-powered capabilities to profile your environment, learn who your users are, where they log in from, and which resources they access on a regular basis. If a user logs in from an unknown location or accesses resources they don’t usually use, that triggers an alert for an indicator of compromise (IOC). Prisma Cloud gives you full visibility into your environment’s infrastructure, network activity, users, and user behaviour. It then provides multiple ways to plan and remediate any issues it finds. When you are ready, you will also get the tools you need to address any security concerns during the full lifecycle of your continuous integration/continuous development (CI/CD) pipeline, from build to deploy to run.

Prisma Cloud provides security for every resource, during every stage of the development lifecycle, in any cloud.

[Figure 5 (diagram): Enforce and report on all compliance standards across platforms, workloads, and cloud services. Standards shown: SOC 2, HIPAA, ISO 27001, NIST, PCI DSS, GDPR.]
Figure 5: Powerful compliance and conformance assurance

[Figure 6 (diagram): Quickly respond to incidents, auto-remediate issues, and investigate with full context. 1. Incident Identification: alerts within tooling or integrated with any outside system (SIEM). 2. Automatic Data Capture: forensic data is captured and secured for analysis. 3. Risk Prioritization: correlate risk to specific databases, workloads, and apps to understand compromise. 4. Response and Reporting: remediate issues to prevent future compromise (SecOps).]
Figure 6: Rapid response, remediation, and investigation capabilities



Phase 3: Cloud Native—Establish Cloud Native Workload Defense

As your organisation builds on the planning, migration, and governance of the previous stages, your cloud adoption will extend beyond simply replicating traditional applications and application development and move towards new technologies and working practices. You will start to become ‘cloud native’.

As you embrace cloud native architectures, using technologies like infrastructure as code (IaC), containers, and serverless functions, combined with a set of principles and working practices designed to optimise throughput and developer feedback—commonly known as DevOps—in addition to agile software development methods, it’s likely that your update frequency will greatly increase and time to value for your new initiatives will similarly decrease. Your challenge and opportunity will be to incorporate security practices and controls into these new platforms and pipelines in a way that enhances productivity and accelerates delivery, rather than hampering them.

Palo Alto Networks Helps You Shift Security Left

To secure this new software development lifecycle, security teams need to be influential in all stages: build, deploy, and run. While attitudes, shared understanding, and working practices are critical, the right set of tools can be a powerful catalyst for success. Figure 7 offers a reference architecture for the DevOps process and the key insertion points for security tools.

[Figure 7 (diagram): Protect every aspect of your application lifecycle without compromising on agility. Flow: Developer → Source code repository → CI/CD → SecOps. Scan: Host OS, Container image files, IaC templates, IAM profiles, Serverless functions. Protect: VMs, Bare metal containers, Serverless functions.]
Figure 7: Secure DevOps process with Prisma Cloud

Prisma Cloud integrates with developer tools, source control, and CI/CD software to help you to incorporate security best practices and tests into modern software development practices, enabling you to maintain secure container and serverless builds and deployment templates that have been scanned for misconfiguration and hardened for compliance.

When software is deployed, Prisma Cloud provides runtime protection for hosts, containers, and serverless functions, plus some powerful tools to protect container orchestration platforms, in addition to monitoring of container, host, and serverless activity. Combined with the inventory, network, and account monitoring you deployed earlier in your cloud journey, you now have end-to-end protection for your cloud native applications, along with rich telemetry on the configuration and activity of your cloud assets.

The amount of data this generates can be overwhelming, but Prisma Cloud does the heavy lifting by continuously correlating disparate data sources, including asset configuration, network logs, user activities, host and container vulnerabilities, and runtime information. This gives you complete cloud visibility, compliance, conformance, and security assurance, along with the ability to automate the mapping of important cloud security standards, such as the NIST Special Publication 800-190 for container security. These capabilities lead to such outcomes as continuous Authority to Operate (ATO) for your cloud-based applications, using security tools built for cloud native environments.

Benefits include:

• Cost savings over time
• Effective management of your environment
• SOC/Data centre consolidation
• Enhanced situational awareness

As your organisation moves to the cloud, your migration planning should include a framework that addresses these key challenges during all phases of your migration:

• Asset inventory enables you to dynamically discover new resources as soon as they are deployed in the cloud, as well as track historical changes for auditing purposes. You’ll gain a unified view of your security, compliance, and conformance posture across the full cloud native stack, application lifecycle, and your cloud environments.

• Full visibility—not just of the initial assessments, but continuous monitoring of compliance and vulnerabilities—lets you quickly identify changes within your operational boundaries and cloud assets, helping you easily meet compliance and conformance standards by preventing misconfigurations and enforcing policy guardrails. Prisma Cloud enables your organisation to achieve a ‘continuous authority to operate’.

• Governance and compliance monitoring will continually assess all your cloud resources for misconfigurations, vulnerabilities, and other security threats. Prisma Cloud simplifies government and company-mandated compliance requirements using the industry’s most complete library of compliance standards, and you can quickly generate reports for audit.

• Forensics and investigation let you connect the dots between configuration, user activity, and network traffic, along with granular auditing of host, container, and serverless function activities. This gives you the insight and forensic data you need to quickly investigate security incidents.



• Integration with SOAR tools enables you to automate alert ingestion, enrichment, and response. Automation tools should be able to easily integrate with all of the services that you are using currently, even if those are cloud native services. Cortex® XSOAR simplifies these integrations with out-of-the-box support for hundreds of third-party offerings, including services such as Amazon CloudWatch and Microsoft 365™ events, while enabling customers to easily enable custom integrations based on Python.

For a public sector organisation, having the proper tools to meet the requirements of a cloud migration framework implemented in phases can be difficult due to a number of challenges, such as certifications. Tools provided by a CSP that public sector organisations choose usually must be certified. At Palo Alto Networks, we are committed to maintaining and pursuing the relevant certifications (e.g., ISO 27001, FedRAMP, Common Criteria, SOC 2) for our products that can help your organisation with cloud migration. With these certifications in place for our cloud-delivered services, working seamlessly with the power of a perimeter-based cloud security posture, your organisation will be in a great position to start its cloud journey.

[Figure 8 (diagram): Stage 1: Migrate — Boundary Protection (VM-Series, TIC/CAP); Stage 1: Operate — Workload Protection (VM-Series, Traditional App); Stage 2: Manage — Security Monitoring (Cloud-Native App); Stage 3: Mature — Multi-Cloud Platform Security.]
Figure 8: Support throughout your cloud journey

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. parent_wp_public-sector-cloud-journey-guidance_012021
