Case Study

Pokémon simplifies security and paves rocky road to compliance with Prisma Cloud


Prisma Cloud simplifies Pokémon’s path to PCI compliance with consistent monitoring and one-click reports. It also helps bridge the gap between InfoSec and DevOps teams with simplified security, real-time alert reporting, and automated configuration management.


In brief

Customer

The Pokémon Company International

Industry

Entertainment

Country

United States of America

Products and Services

Pokémon Trading Card Game, the animated TV series, home entertainment, Pokémon GO, and the official Pokémon website

Organization Size

1,000


Challenge

Protect the company’s AWS cloud deployments, meet compliance, and scale to support rapid expansion and a growing global user base.

Requirements
  • Absolute real-time reporting, alert prioritization, and configuration management
  • Ability to meet stringent PCI compliance requirements
  • Real-time monitoring and actionable reporting based on compliance best practices
  • Flexible development to meet diverse needs and business requirements

Solution

The Pokémon Company International selected Prisma® Cloud by Palo Alto Networks to improve overall security posture and enable flexible, cloud-speed innovation with improved visibility.

Security for a rapid shift to the cloud

The Pokémon Company International, a subsidiary of The Pokémon Company in Japan, manages the property outside of Asia and is responsible for brand management, licensing, marketing, the Pokémon Trading Card Game, the animated TV series, home entertainment, and the official Pokémon website. Pokémon was launched in Japan in 1996 and is one of the most popular children’s entertainment properties in the world.

In the beginning, The Pokémon Company International was focused solely on marketing its physical gaming cards, promoting regional and global tournaments via their website. Fast-forward to 2016, and the release of Pokémon GO drove an exponential explosion in digital traffic nearly overnight. Not built to handle the surge, the company looked to the cloud, taking immediate action to “lift and shift” into Amazon Web Services (AWS®) and bring their applications and services into the 21st century to ensure continuous future-forward agile development, constant uptime for their global users, and business scalability.

I needed a one-stop shop to be able to manage the configurations. ... Prisma Cloud has definitely enabled me to centralize and automate reporting and alert management, and take on this huge task by myself, thereby freeing up a lot of time for me to do other critical work.

– Jacob Bornemann, Senior Security Engineer, The Pokémon Company International, Inc.

CHALLENGE

The inception point for rapid cloud transformation: Hello Pokémon GO

2016 marked the start of a rapid cloud transformation journey for The Pokémon Company International. Before that, things looked very different for Jacob Bornemann, senior security engineer for the popular children’s entertainment property. The company was once focused solely on marketing for physical gaming cards and events, but “with the release of Pokémon GO in 2016—Pokémon Training Club being a big part of this—we saw a huge explosion of traffic basically overnight that we could not handle.”

This spurred an immediate initiative to “lift and shift” their applications and services into the AWS cloud to ensure future-forward agile development, constant uptime for their global users, and business scalability. Along with the move to the cloud came a focus on growing the then four-person technology organization within The Pokémon Company International into what is now a team of about 100 expert global employees spanning IT, security, DevOps, development, product management, testing, and more.

Today, the team is creating multiple AWS accounts (e.g., business intelligence, production, development, sandbox, and IT accounts) for multiple AWS services, with a dedicated, cloud-based Game Studio that’s pumping out new cloud native applications on a massive scale, including the launch of a revamped Pokémon TV and new Pokémon Center, among other new applications. While tremendously beneficial for the business, the rapid cloud transformation placed a significant burden on the lean security team.

“I work for a security team of now eight people in total, with only half of us focused on cloud security. It quickly became a critical requirement to be able to manage all of these accounts, plus the configurations within, centrally and easily. So, I started to evaluate a few different services, ultimately landing on Prisma Cloud by Palo Alto Networks.”

With Prisma Cloud fully operational, security pipes real-time alerts from the tool into Slack, and the developers take it upon themselves to go ahead and investigate and remediate any issues that come up, which in turn has taken an extreme burden off of myself and the lean security team who used to manage that work ourselves. All in all, the tool has been incredibly useful to unite the two teams.

– Jacob Bornemann, Senior Security Engineer, The Pokémon Company International, Inc.

REQUIREMENTS

Looking beyond the security basics

The company’s search for a cloud security solution was rooted in three critical requirements.

  • Absolute Real-Time Reporting and Configuration Management: “At one time, we had around 40 different people spinning up their own services and running in their own, preferred cloud templates. As they continued to randomly spin up services within AWS, I had no way of managing that or even knowing what was going on or who was doing what when, save for simple logic,” Bornemann says. Using queries that attempt to group together similar usage patterns on AWS did not prove an effective or scalable way to monitor the security posture of the cloud. The company needed a one-stop shop to manage all of their cloud accounts with real-time reporting, alert prioritization, and configuration management to reform AWS from its current “wild, Wild West” state to a more automated, standardized, policy-driven, and securely configured environment.
  • Ability to Meet Stringent PCI Compliance Requirements: The Pokémon Company International made the strategic business decision to redesign its Pokémon Center as an entirely serverless application. The end result was amazing, but it complicated the PCI compliance requirements that the business must adhere to for the online shopping center. At the time, The Pokémon Company International didn’t have a security team, a compliance team, or a single employee who knew anything about PCI compliance. Understandably, this was a daunting concern that called for a compliance tool to help the team understand the current state of compliance within their environment, plus real-time monitoring and actionable reporting based on compliance best practices.
  • Flexible Development to Meet Diverse Needs and Business Requirements: Since The Pokémon Company International’s initial “lift and shift” to AWS, the company has pushed toward cloud native application development, with two thought processes and development approaches, depending on which team is engaged. “Our development and DevOps teams are leaning into serverless technology. Conversely, our Game Studio is focused on containerized services and application development,” Bornemann confirms. “If we want to keep pushing forward and keep innovating, then we need to be on that same edge and provide our teams with flexible, secure development options to meet their specific needs.”

It’s tremendously beneficial to work for a company that doesn’t handcuff its developers to certain technologies or certain configurations, but this is only possible with a flexible, end-to-end cloud security solution.

Prisma Cloud, with its compliance monitoring and handy one-click compliance reporting, simplified Pokémon’s path to becoming PCI compliant. The reports we’re able to generate help us understand what we need to be looking for and where we stand in terms of our compliance. To be able to simply check a box, generate a report, and let teams and executives know we are good to go is hugely beneficial.

– Jacob Bornemann, Senior Security Engineer, The Pokémon Company International, Inc.

SOLUTION

Complete visibility and a simplified path to compliance

With Prisma Cloud by Palo Alto Networks, the security team was able to gain complete visibility into their cloud environment, centrally manage security configurations across the diverse set of cloud applications and resources, and effectively meet new, stringent PCI compliance requirements. Further, the simple-to-use, comprehensive Cloud Native Security Platform has helped bridge the gap between InfoSec and DevOps teams and propel collaboration with real-time security alerts and reporting to significantly improve the company’s overall security posture.

Prisma Cloud achieved this by easing the onboarding of new cloud accounts, bringing them on in 30 seconds or less, helping unite InfoSec and DevOps teams with real-time alert reporting and configuration management, reducing the volume of alerts from 15,000 to 2,500 in six months, and simplifying the path to PCI compliance with one-click, detailed reporting.

BENEFITS

Comprehensive cloud native security and compliance

Bornemann says, “Implementation of Prisma Cloud was an absolute breeze.” The Pokémon team is able to automatically onboard new cloud accounts in 30 seconds or less. Equally important, the simple-to-use, comprehensive Cloud Native Security Platform has helped bridge the gap between InfoSec and DevOps teams and propel collaboration with real-time security alerts and reporting to significantly improve the company’s overall security posture.

One step closer to DevSecOps

“Prisma Cloud has helped strengthen the relationship between DevOps and InfoSec teams. As a security person, I can now go to DevOps with concrete issues and actionable next steps. For example, one of our developers was playing around in our sandbox account—that everyone has full access to. She was spinning up some new services to help PoC some of our new data ingestion, and she opened up some resources to the public. I pinged her almost immediately, and she took instant action to apply the fix.”

At The Pokémon Company International, the DevOps team knows the cloud infrastructure better than anybody. They built it; they are the experts. “With Prisma Cloud fully operational, DevOps has really taken ownership of the security of their development. It’s to the point that the team pipes real-time alerts from the tool into Slack, and the developers take it upon themselves to go ahead and investigate and remediate any issues that come up, which in turn has taken an extreme burden off of myself and the lean security team who used to manage that work ourselves. All in all, the tool has been incredibly useful to unite the two teams, drive collaboration, and ensure that The Pokémon cloud resources are properly configured and secure.”

Learn more about Prisma Cloud and how it can simplify your organization’s cloud security and compliance. Visit paloaltonetworks.com/prisma/cloud.