
Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399

58 Data Center & Hybrid Cloud Security For Dummies, Palo Alto Networks Special Edition
These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Safe Enablement of Applications in the Hybrid Cloud

More and more applications, such as instant messaging (IM) applications, peer-to-peer (P2P) file sharing, or Voice over IP (VoIP), are capable of operating on nonstandard ports or hopping ports. Additionally, users are accessing diverse types of apps, including software-as-a-service (SaaS) apps, from varying devices and locations. Some of these apps are sanctioned, some tolerated, and others unsanctioned, and users are increasingly savvy enough to force applications to run over nonstandard ports through protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH).

Furthermore, new applications provide users with rich sets of functions that help ensure user loyalty but may represent different risk profiles. For example, Webex is a valuable business tool, but using Webex desktop sharing to take over an employee's desktop from an external source may be an internal or regulatory compliance violation. Gmail and Google Drive are other good examples. Once users sign in to Gmail, which may be allowed by policy, they can easily switch to YouTube or Google Photos, which may not be allowed.

Another common practice in hybrid environments is to mix application workload trust levels on the same compute resources. Although efficient in practice, mixed levels of trust introduce additional security risks in the event of a compromise. Your network security platform must be able to implement security policies based on the concept of Zero Trust as a means of controlling traffic between workloads (segmentation of east–west traffic) while preventing lateral movement of threats.

Security administrators need to have complete control over usage of these apps and must be able to set policy to allow or control certain types of applications and application functions while denying others. Your network security platform for the data center and hybrid cloud environment must classify traffic by application on all ports, all the time, by default — and it should not burden you with researching common ports used by each application. It must provide complete visibility into application usage along with capabilities to understand and control their use (see Figure 5-1).
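The two points above, that port-hopping applications defeat a port-based view of traffic and that an east-west segmentation policy should be decided by application with a default of deny, are illustrated by the following added example. It is not code from the book or from Palo Alto Networks; the zone names, the segmentation rules, the payload signatures and the sample flows are all constructed for illustration, and the signatures are deliberately simplified stand-ins for a real application-identification engine.

```python
# Added example (not from the book or from Palo Alto Networks): contrast a
# port-based classifier with an application-aware one, then evaluate a
# Zero Trust (default-deny) east-west policy by application instead of port.
# Zones, rules, signatures and flows are constructed for illustration.
from dataclasses import dataclass

# What a port-only view assumes each destination port carries.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 3389: "rdp"}


def classify_by_port(dst_port: int) -> str:
    """Legacy view: the destination port decides the application."""
    return PORT_TABLE.get(dst_port, "unknown")


def identify_application(payload: bytes) -> str:
    """Content view: inspect the first bytes of the flow regardless of port.
    The signatures are simplified assumptions, not a vendor's signature set."""
    if payload.startswith(b"SSH-2.0"):                      # SSH version banner
        return "ssh"
    if payload[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):   # TLS handshake record
        return "ssl"
    if payload[:2] == b"\x03\x00":                          # TPKT header, used by RDP
        return "rdp"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: bytes          # first bytes sent by the client


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str           # "*" matches any destination zone
    apps: frozenset         # applications this rule permits
    action: str


# Constructed segmentation policy: each tier gets only what it needs.
# Anything not listed here is denied (Zero Trust default).
POLICY = [
    Rule("web-tier", "app-tier", frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("mgmt", "*", frozenset({"ssh", "rdp"}), "allow"),
]


def _decide(app: str, flow: Flow, policy: list) -> tuple:
    """First matching rule wins; no matching rule means deny."""
    for rule in policy:
        if (rule.src_zone == flow.src_zone
                and rule.dst_zone in ("*", flow.dst_zone)
                and app in rule.apps):
            return app, rule.action
    return app, "deny"


def evaluate(flow: Flow, policy: list = POLICY) -> tuple:
    """Application-aware decision: (identified application, action)."""
    return _decide(identify_application(flow.payload), flow, policy)


def evaluate_by_port(flow: Flow, policy: list = POLICY) -> tuple:
    """Same policy, but trusting the port instead of the content."""
    return _decide(classify_by_port(flow.dst_port), flow, policy)


# Constructed sample flows (the TLS bytes are a truncated ClientHello record).
SAMPLE_FLOWS = {
    "tls_on_443": Flow("web-tier", "app-tier", 443,
                       b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    "ssh_hopped_to_443": Flow("web-tier", "app-tier", 443,
                              b"SSH-2.0-OpenSSH_8.9\r\n"),
    "ssh_from_mgmt_2222": Flow("mgmt", "db-tier", 2222,
                               b"SSH-2.0-OpenSSH_8.9\r\n"),
    "http_lateral": Flow("app-tier", "web-tier", 80,
                         b"GET /admin HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:20} port-view={evaluate_by_port(flow)}  "
              f"app-view={evaluate(flow)}")
```

Running the block shows the two failure modes the text describes: the SSH session forced onto port 443 is waved through by the port-based view as "ssl" but denied once the content is identified, while the management SSH session on an unusual port is denied by the port-based view (nobody researched port 2222) yet correctly allowed by the application-aware rule. The HTTP request from the app tier back to the web tier is denied either way, because no rule permits that direction; that is the default-deny behaviour that limits lateral movement between workloads of different trust levels.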
