Writing software these days entails a lot of web surfing and downloading. Your developers may be using professional tools from Microsoft or Oracle, but modern software incorporates components from numerous third parties, and developers rely on disparate communities of expertise in their fields of specialty. So it's hard to limit developers' access to the Internet without harming their productivity.
And yet, developer systems are among the most critical to protect. An attacker who gains access to them could steal corporate assets, and with them the means to steal other corporate assets. With your source code, criminals can make malicious software that looks just like yours.
The best approach is to maximize scrutiny of Internet communications, and of your developers, by establishing a best-practice Gateway Security policy within your public cloud deployment. This policy has two goals: to minimize the chance of a successful intrusion and to provide your application developers with secure access to the resources they need. Both of these are possible with modern network security products. These products also provide built-in mechanisms to detect potential and active threats on your network, as well as security gaps in your configuration.
Legacy port-based firewalls have no concept of the actual application communicating on the port. Next-Generation Firewalls and related security products, however, perform deep packet inspection to examine the contents as well as the source, destination, and application context. The Palo Alto Networks next-generation firewall features that perform these tasks are App-ID, User-ID, and Content-ID.
App-ID provides visibility into the applications running on your network, so you can set reasonable policies for their use. True to its name, App-ID identifies applications and their behaviors. Armed with this information, you can transition to a positive enforcement model, meaning that all access is blocked other than the permitted applications. Security authorities have long recognized the advantages of this model, sometimes called whitelisting, over blacklisting, which attempts to keep a list of banned items. Blacklisting is a doomed approach, as you can never keep up with all the malicious actors around the world, and the chance of false positives increases with the size of the blacklist.
User-ID tracks users and their behavior across the network. You can set policies for allowed and prohibited behavior, and the policy follows the user in any location and on any device.
Content-ID employs multiple threat prevention technologies (IPS, anti-malware, URL filtering, etc.), applied based on policy to allowed application flows.
Once you know what applications are running, who is using them, and for what, you can reduce your attack surface by creating rules that limit access to applications or specific functionality to privileged users.
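The contrast drawn above between port-based filtering, a blacklist, and the positive enforcement model is easy to see in miniature. The following is an added example written for this page, not Palo Alto Networks code and not PAN-OS policy syntax: it models a rulebase that matches on identified application and user group (in the spirit of App-ID and User-ID) with an implicit deny, and runs the same constructed flows through a port-based filter and a deny list so the difference on an unknown application is visible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str         # application identified from content, not from the port
    user_group: str  # group of the authenticated user behind the flow
    port: int        # destination port (all a legacy firewall sees)

@dataclass(frozen=True)
class Rule:
    app: str
    user_group: str  # "any" matches every group
    action: str      # "allow" or "deny"

# Positive-enforcement rulebase (hypothetical): first match wins,
# and anything not listed falls through to the implicit deny.
ALLOW_LIST = [
    Rule("git", "developers", "allow"),
    Rule("ssl", "any", "allow"),
    Rule("ssh", "developers", "allow"),
]

# Deny-list equivalent: known-bad applications are blocked, all else passes.
DENY_LIST = frozenset({"bittorrent", "tor"})

def evaluate_positive(flow: Flow, rules=ALLOW_LIST) -> str:
    for r in rules:
        if r.app == flow.app and r.user_group in ("any", flow.user_group):
            return r.action
    return "deny"  # implicit default deny: unknown apps fail closed

def evaluate_negative(flow: Flow, blocked=DENY_LIST) -> str:
    return "deny" if flow.app in blocked else "allow"  # unknown apps fail open

def evaluate_port(flow: Flow, open_ports=frozenset({22, 443})) -> str:
    return "allow" if flow.port in open_ports else "deny"  # no app context

# Constructed sample flows: a developer's git push over HTTPS, an SSH session
# from a contractor, and an unidentified application tunnelled over 443.
SAMPLE_FLOWS = [
    Flow("git", "developers", 443),
    Flow("ssh", "contractors", 22),
    Flow("unknown-tcp", "developers", 443),
]

def compare(flows=SAMPLE_FLOWS):
    """Map each flow's app to (allow-list, deny-list, port-based) verdicts."""
    return {f.app: (evaluate_positive(f), evaluate_negative(f), evaluate_port(f))
            for f in flows}

if __name__ == "__main__":
    for app, (pos, neg, port) in compare().items():
        print(f"{app:12} allow-list={pos:5} deny-list={neg:5} port-based={port}")
```

The unidentified application on port 443 is the telling case: both the port-based filter and the deny list let it through, while the positive model blocks it without anyone having to predict it in advance.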
Deployed in the public cloud, Palo Alto Networks firewalls can block both known and unknown threats, the nastiest APTs (Advanced Persistent Threats) among them, through deep-packet inspection and behavioral analysis. You can choose to forward unknown files to the Palo Alto Networks WildFire service for more advanced scrutiny.
With next-generation firewalls, you can operate with confidence that malicious actors will have a hard time getting into and staying inside your systems. Used intelligently and in the right combination, these security measures can place sufficient impediments in the way of attackers that they will not get their work done. But your developers will.