PAN-OS 8.1: New Features for the Financial Sector

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Hopefully, you saw our recent announcement of PAN-OS 8.1. This blog will highlight the top three features in 8.1 that help bolster confidence and control in the growing use of the public cloud by financial institutions, and optimize the decryption infrastructure for operational efficiencies and and improved performance.

Consistent Multi-Cloud Security

Resiliency and geographic diversity are key aspects of any business continuity plan for financial institutions. By not placing all its eggs in one basket, an IT organization limits the exposure of any technology or even supplier failures on the supported business. As workloads continue to move to the public cloud, financial institutions will prefer to spread their risk both geographically and across multiple service providers. In the end, resilient designs will be implemented for cloud-based workloads, but reduced fault domains and supplier diversity will also be key considerations for all IT teams. Consequently, financial institutions can be expected to have a multi-cloud strategy.

To maintain a consistent and effective security posture across multi-cloud environments, Palo Alto Networks VM-Series virtualized next-generation firewall is supported on three major cloud service providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. Common use cases include hybrid cloud, segmentation, internet gateway, and remote access. Integration with the native cloud infrastructure offers automation for frictionless workflows even in multi-cloud environments. Our VM-Series has the same feature set regardless of the cloud service provider and will enable financial institutions to create a consistent security policy across all three.

SaaS Application Control: Consumer vs. Enterprise

SaaS application usage continues to grow in the financial sector. For many institutions, SaaS was a first step into the cloud as subscriptions for non-mission-critical applications drove cost savings and efficiencies. Not surprisingly then, the use of SaaS apps for HR, CRM, and also Office 365 is fairly common. Some financial institutions may use Google G Suite, Dropbox, and YouTube for business purposes as well. In such cases, this creates a situation where the enterprise version of SaaS applications is indistinguishable from the consumer one. Employees may be accessing their personal email, calendar, or online storage SaaS applications from the same workstation used for the enterprise versions. At its worst, this becomes another avenue for exfiltration of corporate data by malicious insiders. Even in benign cases, the personal use of Office 365, G Suite, Dropbox, and YouTube from the office can be a questionable use of corporate resources.

With PAN-OS 8.1, Palo Alto Networks next-generation firewalls can be used to distinguish between enterprise and consumer use of common SaaS applications, and ultimately prevent access for the latter purpose. Our next-generation firewall will insert HTTP headers for Google, Office 365, Dropbox, and YouTube to signal what is desirable for enterprise use. The SaaS application recognizes this and then allows access based on the settings in the header. This prevents any data exfiltration attempts to consumer accounts on common SaaS applications and, furthermore, limits the use of corporate resources for personal purposes.


Simplified Decryption Architecture

Gartner has predicted that, by 2019, more than 80 percent of all network traffic will be encrypted. Attackers have also taken notice and may hide their communications within encrypted data streams as well. To combat this, financial institutions have already gone about decrypting internet traffic to detect and stop malicious traffic. However, this is typically done by:


  1. Decrypting each time on every single-function security appliance in the chain (e.g., firewall, IPS, DLP, WAF, proxy) for policy enforcement, or
  1. Introducing a dedicated appliance for SSL offload, which then sends the unencrypted data to each of the single-function security appliances.


Both approaches do allow for inspection of encrypted traffic for malicious activity, but both also have drawbacks. Decrypting multiple times adds latency and impacts end-user experience. A dedicated SSL offload appliance adds design complexity and operational costs.

In PAN-OS 8.1, Palo Alto Networks has introduced the Decryption Broker, which enables the next-generation firewall to decrypt the data and scan it using its single-pass architecture for IPS, network antivirus, and security policies before a hand-off to third-party security appliances for further enforcement. This approach reduces the total number of devices required, minimizes added latency, and increases the operational efficiency of a security chain of multi-vendor appliances. Using this simplified architecture for decryption allows for streamlined inspection for security, while minimizing the performance impact on end users.

Get more details on these and other additional enhancements introduced in PAN-OS 8.1.

The post PAN-OS 8.1: New Features for the Financial Sector appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?