Background
Global IT Services PSF (GITS) is an independent IT service provider in Luxembourg, licensed as "Professionals of the Financial Sector" (PFS) to provide managed hosting, networking, cloud services, applications and infrastructure for small- to medium-sized firms in the financial, law, IT, digital and SaaS fields.
Story Summary
Luxembourg-based GITS built a 100 percent software-defined cloud to host small- to medium-sized financial, fiduciary and law services firms from across Europe requiring a cost-effective and compliant IT home. To secure its VMware NSX-powered software-defined data center, segregated for individual hosted tenants, GITS deployed the Palo Alto Networks® Next-Generation Security Platform, virtualized and integrated with VMware® NSX®.
This innovative approach to network security provides GITS and its clients with deep visibility and control of traffic within and between virtual machines to prevent malware, ransomware and other cyberthreats from compromising client information assets. The Palo Alto Networks platform also enables GITS to automate security policy creation and management to quickly onboard new clients with security capabilities tailored to their individual business requirements. By offering a choice of security options to its clients, GITS also created value-added service bundles to generate new revenue streams. Moreover, the versatility of the Palo Alto Networks platform, combined with the advanced capabilities of a software-defined cloud, provides GITS with a competitive advantage over much larger players.
Securing a Highly Regulated, Multi-Tenant Cloud
GITS started as a relatively small IT service provider, but it is now able to compete effectively against some of the biggest players in the industry by leveraging next-generation technology to be more nimble and efficient. For example, instead of hosting each of its clients on dedicated infrastructure, GITS has built a 100 percent regulated software-defined cloud platform that takes full advantage of VMware virtualization and automation technologies. This allows the company to spin up tenant environments in less than an hour while adhering to the strict regulatory requirements of the Luxembourg Commission de Surveillance du Secteur Financier (CSSF).
Meeting CSSF requirements for multiple clients is no easy feat. GITS must not only segregate all clients at the host level, where client applications and data run in VMware virtual machines (VMs), but also on its VMware NSX virtualized network. This is where the Palo Alto Networks Next-Generation Security Platform comes in.
David Antzorn, manager of global networks for GITS, explains, "We needed an advanced network security offering that integrated seamlessly with VMware NSX and supported automated security policy deployment. Palo Alto Networks was the only company that could offer this capability. CSSF standards are quite high, and the Palo Alto Networks Next-Generation Security Platform helps us ensure compliance across our regulated and multi-tenant cloud."
Next-Generation Network Security Integrated With VMware NSX
The Palo Alto Networks Next-Generation Security Platform comprises the Next-Generation Firewall, Threat Intelligence Cloud services and Advanced Endpoint Protection. For its specific business application, GITS deployed VM-1000-HV virtualized next-generation firewalls with subscriptions for Threat Prevention and URL Filtering. This provides GITS and its clients with application, user and content visibility and control at the VM level, as well as protection against known and unknown cyberthreats.
GITS engaged Palo Alto Networks consulting engineering services to assist with deploying the Next-Generation Security Platform and integrating it with the VMware environment. This included several proofs of concept to ensure each aspect of the overall solution was optimally planned and executed.
"This was a very complex project integrating the Palo Alto Networks platform across multiple sites and multiple instances of VMware," van der Zouw points out. "The help we received from the Palo Alto Networks consultants was excellent and enabled us to go from essentially nothing to full production in just four months."
To manage the virtualized Next-Generation Security Platform, GITS relies on Panorama™ network security management. According to David Antzorn, who manages GITS’ global network, Panorama was essential to the project’s overall success.
"Without Panorama, managing security in the VMware NSX environment would be impossible," he asserts. "In the virtual network, virtual machines can frequently move from one host to another, so using Panorama to aggregate logs is the only way to get a clear report on the security environment. Having one interface to gain visibility of virtual machine traffic across our entire multi-tenant cloud makes administration very easy and efficient."
Provides Deep Visibility at the Virtualization Level
Gaining traffic visibility at the VM level is crucial for detecting and blocking any cyberthreats that could compromise GITS’ virtualized network. The biggest threats are typically malware and ransomware inadvertently passed between users within a tenant environment. That’s precisely where the Palo Alto Networks platform proves its value.
"We need that east-west traffic visibility between different VMs," says van der Zouw. "That is most important for isolating an infected VM and avoiding a damaging network breach that could affect our clients' business." He is quick to add, "Since implementing the Palo Alto Networks platform, we have not had any such breach."
Automated Creation and Management of Security Policies
Because the Palo Alto Networks platform is tightly integrated with VMware NSX, GITS can automatically deploy network security services when onboarding a new client or deploying additional VMs and applications for an existing tenant.
"One of the biggest factors in choosing the Palo Alto Networks platform was the ability to deploy security policies automatically," notes Antzorn. "Templates make it easy to just modify a few parameters and apply the new policy for a client in minutes. Then we use VMware NSX tags to dynamically add the policy to VMs."
Since no two clients are the same, GITS also takes advantage of the Palo Alto Networks platform’s flexibility to tailor security policies that meet the individual requirements of each client. For example, some clients may allow their employees more freedom to access websites during working hours, while others impose stricter limitations to block web activity. Moreover, capabilities such as App-ID™ and User-ID™ enable GITS to refine security policies even more precisely.
"We can set policies to allow or disallow certain network activity," says Antzorn. "Some clients may only want applications to run in a Citrix session, for example, or restrict applications from reaching out to cloud services like Dropbox or OneDrive. Similarly, we can accommodate clients with highly sensitive areas of their business that only selected users can access. The Palo Alto Networks platform allows us to segregate traffic on an application-by-application basis or according to individual user privileges, which allows us to really tune security policies to the precise requirements of each customer."
Parlays Versatile Security Capabilities Into Competitive Advantage
The versatility of the Palo Alto Networks platform not only makes GITS’ customers happy, it also creates valuable business opportunities and advantages for the service provider.
Van der Zouw remarks, "We’re able to create different levels of security and bundle them with our service offerings. This is a way for us to sell added value and create additional revenue streams."
He concludes that all these next-generation security capabilities play to GITS’ competitive advantage. "We are now the only service provider in Luxembourg that can deliver this type of security offering. It allows us to compete effectively against much larger companies because we are ahead of them in terms of this technology and capabilities."