This week, Palo Alto Networks (PAN) announced a new Cloud NGFW offering with Amazon Web Services (AWS) to provide PAN next-generation firewalls managed by AWS Firewall Manager. I found several things interesting about this announcement – first, a confirmation of something we have seen over the last year – that organizations are demanding better network security in the cloud. Second, that PAN is acknowledging that appliances can’t cut it, and third, that PAN’s view of network security in the cloud is hampered by their legacy.
On the first point – since Log4Shell specifically, we’ve seen a sharp increase in organizations first acknowledging, then demanding better network security in the cloud. Log4Shell highlighted the need for controls outside the app – and the network is a logical place to do that. There is no invulnerable app. Clearly, PAN and AWS see the same thing.
Regarding my second point, the fact that the appliance model doesn’t work in the cloud, we’ve known this since we founded Valtix. PAN customers who tried to make VM-Series work at scale in the cloud have known it too – appliances and their management model impede all of the benefits of the cloud. It’s nice to see PAN finally admitting it. As a side note, AWS is also acknowledging that the AWS Firewall, while cloud-native and good for a specific customer base, is pretty basic. We agree.
The third, and most important point for enterprises, is that the combination of PAN and AWS technology here isn’t going to work for most organizations. Trying to make 15-year-old technology work in a completely different environment is tough – just ask Jay Chaudhry about Netflix vs. Datacenter-racked DVD players. But that’s basically what PAN is doing. Consider:
- The focus on PAN’s App-ID™: The tech that put PAN on the map was designed for data centers. Don’t get me wrong, application identification is more relevant than ever, but traditional App-ID™ for enterprise apps is becoming less relevant. PAN does not have App-IDs for hundreds of AWS services. Given that most customer applications in AWS leverage ten or more AWS services, this gap leads to a major security blind spot in their offering. This solution offers no way to find the apps you need to secure either – so one cannot build dynamic security policies. Organizations are left with IP-based static policies. We believe, as do our customers, that application identity and context are critical in the cloud.
- Who owns production traffic? One of the key differences between traditional virtual NGFW appliances and this new PAN approach is that with virtual appliances, customers’ production traffic (and private keys) stayed with the customer. Valtix followed similar principles from day one. Obviously, this is critical for compliance and security. The new PAN approach violates this important principle: customer traffic and private encryption keys are shared with another vendor.
- The appliance and the manager are mismatched. Panorama is the native NGFW manager with rich management features replicated from the firewall. AWS Firewall Manager was built to manage a basic firewall, lacks the features of Panorama, and is obviously limited to AWS only. So your understanding of what’s happening on the firewall is limited. More on this in a separate blog. At Valtix, we built a simple way to secure cloud apps through the network – across all clouds. Best on each cloud and best for multi-cloud.
The bottom line on this announcement is that PAN understands the problem, but lacks the needed solution. In other words, PAN – you might consider going home to change into something more appropriate before the cloud party really gets going.
By the way, in the time it took you to read this blog, you could have enabled Valtix to secure your AWS accounts. Check it out through our Free Tier.
Next, read the second part of this blog series that goes into much more detail on the “Seven Critical Flaws of the Palo Alto Networks Cloud NGFW Service” and their potential business impacts.