Case Study

Conquering tomorrow’s cybersecurity challenges with Palo Alto Networks platforms


For Trading Point, hybrid working doesn’t mean a trade-off. This global brokerage business has built on a comprehensive deployment of Palo Alto Networks cybersecurity platforms by adding Palo Alto Networks Prisma Access. Now, comprehensive security is blended with low-latency, high-performance connectivity, allowing Trading Point’s 1,000 staff to focus on revenue growth and client engagement – rather than on complex network connections.


In brief

Customer

Trading Point Group

Location

Limassol, Cyprus

Industry

Financial Services

Organisation Size

1,000 staff; presence in 120 countries


Challenges

As the shift to hybrid working accelerated, Trading Point’s existing tunnelling VPN strategy diminished security and performance while increasing connectivity complexity.

Requirements

  • Protect global hybrid workforce.
  • Provide an intuitive user experience.
  • Reduce the risk of a data breach.
  • Integrate cybersecurity to reduce complexity and overheads.

Solution

This solution uses the Palo Alto Networks® platform approach and includes:

Network Security Platform:

  • ML-Powered Next-Generation Firewalls
  • Cloud-Delivered Security Services: URL Filtering, Advanced Threat Protection, and WildFire®
  • Prisma® Access with Autonomous Digital Experience Management

Cloud Security Platform:

  • Prisma® Cloud


Secure, low-latency connectivity

Trading Point Group is growing fast. With innovative investment solutions offering universal access to thousands of financial instruments, the organisation is opening new offices at a rapid pace. However, with a 1,000-strong, global hybrid workforce, Trading Point can no longer rely on a legacy VPN connectivity strategy that backhauls traffic to a data centre: staff need low-latency, always-on-secure connectivity – wherever they choose to work.


CHALLENGES

Business growth brings connectivity challenges

Trading Point Group is a global investment powerhouse. Founded in 2009, the group now operates through several regulated entities in reputable jurisdictions and is considered a leader in the online foreign exchange and contract for difference (CFD) industry. Its brands (including XM, the trading instruments provider) operate under the various regulated firms of the group, which service over 10 million clients in 120 countries around the world.

Due to its doubling in size in the last four years, Trading Point has opened multiple satellite offices around the world, and more people than ever are working remotely to promote its growth. It goes without saying that this has put immense pressure on the group’s connectivity strategy.

Consequently, traditional remote access VPN technology proved to be unreliable for Trading Point and thus became unsatisfactory. Backhauling traffic over a VPN connection impacted latency and made the headquarters a single point of failure, despite the presence of a pair of Palo Alto Networks ML-Powered Next-Generation Firewalls for high availability and multiple ISP lines for redundancy. Ultimately, split tunnelling posed the possible risk of reduced security through uninspected user internet traffic, potentially turning any user into a target or entry point to the Trading Point network.

Additionally, even though the team initially had only a small number of people who occasionally needed to be mobile, that number increased, with COVID eventually accelerating this need for user mobility.

Andreas Andrellis, Team Leader in Information Security Operations, recalls the increased risks: “We created VPN accounts on our firewalls for mobile users, either backhauling all traffic or split tunnelling it, though for our colleagues at small remote offices, traffic was backhauled to our headquarters in Cyprus through IPsec tunnels, which introduced incremental latency. In the end, with both options, the users could disable their VPN client, which was an additional risk for us. This also led to additional workload for creating, and then disabling or deleting, user VPN accounts.”



REQUIREMENTS

Unifying cybersecurity to reduce complexity

The requirements included:

  • Protecting a global hybrid-working staff community.
  • Providing a great user experience using simple, unified security.
  • Securing access to data and reducing the possibility of data breaches.
  • Leveraging a comprehensive cybersecurity platform to reduce complexity and overhead.

SOLUTION

Securing the hybrid workforce

Trading Point was already a satisfied user of Palo Alto Networks ML-Powered Next-Generation Firewalls (NGFWs), and when the team turned to Palo Alto Networks for advice on securing the hybrid workforce, Palo Alto Networks recommended Prisma Access. Andreas explains, “We were amazed at the innovation in Prisma Access. It felt as familiar as our NGFWs, which made it easy for us to fully onboard; there was no steep learning curve.”

Currently, some 1,000 users rely on the global footprint of Prisma Access along with its robust service connections for interconnection with the data centres and cloud infrastructure. Within the framework of communication with the data centres, Trading Point uses redundant service connections in different regions and Border Gateway Protocol (BGP) dynamic routing. The flexibility and adaptability of the Palo Alto Networks security platform enables the Trading Point team to also deploy NGFWs and Prisma Access interchangeably, reducing the latency with the data centres and adding capacity where and when needed to accommodate future growth.

Fully integrated Autonomous Digital Experience Management (ADEM) reliably monitors the user experience and provides comprehensive visibility from Prisma Access into any issues affecting end-user experiences. In the words of Andreas: “It can sometimes be hard to quickly identify and diagnose end-user problems. ADEM monitors crucial applications that our employees rely on every day, the Wi-Fi signal, and for ISP issues affecting the users.”

Cloud-Delivered Security Services add a further layer of security protection, as they can also inspect traffic without impacting the users. “It’s transparent to our end users, but dramatically raises the bar in cybersecurity protection,” says Andreas.

This unified Palo Alto Networks portfolio also includes Prisma Cloud, providing code-to-cloud security – albeit in a different Trading Point division. The team is also currently testing Cortex XDR and XSIAM as part of a next-generation endpoint security and SOC modernisation strategy.



BENEFITS

Connected and protected everywhere

The benefits include:

  • True Zero Trust 2.0 security: The platform delivers automated app discovery and private app onboarding with superior security, providing fine-grained, least-privileged access and continuous trust verification with deep and ongoing security inspection to protect all users, devices, apps, and data everywhere. The organisation can now secure all user traffic, whether people are in the office or at an airport, hotel, or coffee shop. The solution has all the features of an ML-Powered NGFW – such as deep packet inspection, URL Filtering, antimalware, IPS, and WildFire – without impacting user productivity.
  • Increased reliability: Global connectivity with multiple Prisma Access points-of-presence provides reliability that would not be possible with the old infrastructure: the burden of deploying, configuring, and maintaining hardware is eliminated.
  • Streamlined management: The unified platform is easier to manage than separate point solutions. For example, Trading Point has onboarded the ML-Powered NGFWs deployed at the remote offices using Panorama. Instead of having users configured on the local database of the firewall, Trading Point uses single sign-on (SSO) with multifactor authentication (MFA) for Prisma Access. It’s both more secure and easier to manage. “When we need to disable an account, the user’s domain account is disabled. No changes are required on Prisma Access,” says Andreas.
  • Increased efficiency: Using ADEM, Trading Point has, according to Andreas, reduced the time to resolve connectivity issues “from hours to minutes”. Likewise, the skills needed to manage the ML-Powered NGFWs are transferable to Prisma Access. The team is comfortable with everyday tasks – like setting up rules, creating application groups, and configuring SSL inspection.
  • Compatibility with agile change: Andreas explains, “The Palo Alto Networks platforms integrate seamlessly – everything is on the same software version. Furthermore, it is easier to test new versions before upgrading, and support is also simpler because Trading Point engages with one vendor, not separate ones.”

He concludes, “People can be as mobile as they wish with Prisma Access. They have the flexibility to focus on growing our client base, promoting our brand, and maintaining Trading Point’s position as one of the world’s leaders in the forex industry.”

