When ESG began discussing the elastic cloud gateway (ECG) architecture in July, one of the key questions we were asked centered on SD-WAN and the importance of the convergence of networking and security. The short answer is that while strong integrations between networking and SD-WAN functionality and security capabilities are clearly necessary, partnerships will be the predominant route for the next few years. Sure, there are vendors that will provide both, be they someone like Cisco that has both networking and security capabilities, or smaller upstarts like Cato Networks. But our feeling was that those would be the exceptions, not the rule.
That expectation hasn’t fundamentally changed, but Palo Alto Networks has shown why it’s one of leading security providers in the market by moving quickly and ahead of the market. The vendor used it’s Ignite ’19 Europe cybersecurity conference in Barcelona to announce some major additions to its Prisma portfolio, including SD-WAN and DLP capabilities that further build out its ECG architecture. Specifically, four announcements were made:
- Prisma Access SD-WAN – According to Palo Alto, the limited security and unreliable performance of existing SD-WAN solutions, coupled with increasing network complexity were the drivers for developing this solution. SD-WAN functionality will be delivered via PAN OS 9.1, with Prisma Access acting as the cloud-based hub. Customers will have the option of utilizing Palo Alto next-generation firewall (NGFW) appliances as the on-premise equipment, or third-party equipment from vendors such as Cloudgenix.
- Data Loss Prevention – DLP capabilities are now generally available in Prisma SaaS, with Prisma Access DLP available for evaluation. Palo Alto indicated that future integrations of DLP capabilities across the portfolio are planned. The initial roll-out will protect data in motion and data at rest via predefined data patterns and automated data profiles, supported by machine learning classifiers.
- Cloud Management for Prisma Access – Adding to the existing plug-in enabling Prisma Access to be managed from the Panorama console, a new cloud-based management interface for Prisma Access will provide administrators with a workflow-based user interface.
- SLA Enhancements – In addition to uptime guarantees increasing from four to five 9s, Prisma Access will now come with commitments on the accessibility of SaaS applications. Customers will be able to track latency in the Panorama console, from Prisma to their SaaS applications. Palo Alto is able to provide low-latency access by having over 100 Prisma locations across 76 countries. This is an underappreciated part of the ECG puzzle; providing local access to distributed users helps prevent degrading the user experience. Without a global platform with local points of presence, traffic flows can quickly turn into a legacy back-hauled model to the cloud.
Palo Alto Networks was in a strong position to deliver SD-WAN functionality due to its network security chops. With existing abilities to create overlay tunnels via VPN, identify traffic destination and applications, and enforce security and routing policy, adding SD-WAN capabilities such as path metrics and selection was a shorter hop than it will be for other providers. The additional capabilities provide a differentiator from pureplay security providers while at the same time maintaining a partner ecosystem to support customer choice.
That said, I think the addition of DLP capabilities are really the major move here. ESG has highlighted content inspection to provide data visibility and control as one of the core tenants of an ECG architecture. As the perimeter dissolves and user, application, device, and location information are used to determine entitlements, data context must also be included to better align security policies to business intent. Considering the recent track record of acquisitions, it’s worth noting that Palo Alto developed this technology in-house by bringing in a veteran data protection team. The fact that Palo Alto Networks is now in the DLP business should provide a shot in the arm to some of the existing players to drive innovation around the ECG architecture and press their current advantage.
ECGs represent a re-platforming of the network security stack to better align with updates to enterprise networking architectures, which better enable cloud usage and the increasingly distributed enterprise environment. It will be an extremely competitive space as vendors with networking, web and cloud, network security, and/or data protection expertise vie for the same mind and wallet-share. With the addition of DLP and SD-WAN capabilities, as well as expanded management options and strong SLAs to go with an already broad portfolio of cloud solutions, Palo Alto Network’s narrative is as strong as anyone’s in the ECG race.