safe journey to the cloud - controlware...• market-leading threat prevention –anti-bots, ips,...

1©2018 Check Point Software Technologies Ltd. ©2018 Check Point Software Technologies Ltd.

Chris Strebl

Cloud Security Architect EMEA

SAFE JOURNEY TO THE CLOUD

2©2018 Check Point Software Technologies Ltd.

XaaS – “X” As a Service


Customer responsible for security in the cloud

Cloud vendor responsible for security of the cloud

Cloud = Shared Responsibility

Cloud Global Infrastructure

Regions

Availability Zones

Edge Locations

Compute Storage Database Networking

Customer Data

Platform, Applications, IAM

Operating System, Network and FW Configs

Client-side Data Encryption & Data

Integrity Authentication

Server-side Encryption (File System / Data)

Network Traffic Protection (Encryption,

Integrity, Identity)


STATE OF CLOUD CYBER SECURITY

esecurityplanet.com, September 19, 2017 pcmag.com, July 7, 2017

Lightreading.com – September 5, 2017Gizmodo.com – September 19, 2017 Scmagazine.com, September 5, 2017

ZDNet.com, August 16, 2017

5©2018 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees

CloudGuard IaaS + Dome9 = Comprehensive Multi-Cloud Security

• Market-leading threat prevention – anti-bots, IPS, anti-malware, AV and more

• Securely connect your hybrid cloud

• Adaptive policy for macro-segmentation

• Full security visibility and control

• Cloud services and applications are never exposed

• Continuous compliance for cloud native services

• Auto-remediation of security misconfigurations

• Active protection against identity theft and data loss


About Dome9

300+customers

100Global 2000

100+employees

Mountain View, CA

Tel Aviv, Israel

6

7©2018 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees

Network Security

Privileged Identity Protection

Cloud Threat Intelligence

Protecting your Cloud workloads and services is no longer complex. Get full security visibility & control with continuous compliance

Continuous Compliance

Check Point CloudGuard Dome9SaaS Platform for Security and Compliance Automation in the Public Cloud

Native Support for the Big 3 Clouds


Clarity: Complete Network & Security Visibility


Dome9 Compliance Bundles


Compliance Engine: Cloud Compliance and Best Practices


Continues Compliance

Alerts Console

Email (Scheduled Report)

Email (Immediate Notification)

SNS (Slack, Sumo Logic / Splunk;

ElasticSearch; S3; Remediation script/functions)

Ticketing System

Service Now

Jira

PagerDuty

AWS Security Hub


Dome9 Magellan: Context-Aware Security Intelligence

Enriched FlowLogs

Visual Traffic Map Detailed Properties

Canned & Custom Queries


Traditional Security Not Designed FOR CLOUD

Static workloads

Manually intensive

DevOps don't know Security

IT Security doesn't know Cloud


NO Threat Prevention in real time (L4-L7 protections)

NO unified management for all Clouds & Traditional Data Center

NO Identity based authentication access to applications

NO URL Filtering

NO Threat Extraction and Zero-day Sanboxing

WHERE CLOUD NATIVE SECURITY FALLS SHORT


Where are we ?

1990 2000 2010 2015 2017

THREATS

PROTECTIONS

Networks

Gen II

Applications

Gen III

Payload

Gen IV

GRADE I

GRADE II

GRADE III

GRADE V

GRADE IV

Virus

Gen I

Enterprises are between

Gen 2-3

2.8

Mega

Gen V


Lateral threat movements

Data breach due to misconfiguration

Abuse of cloud services

API hacking

Malicious insiders

THIS MIGHT EXPOSE YOU TO…


4 STEPS TO SECURE YOUR CLOUD


STEP #1: CONTROL THE CLOUD PERIMETER

•Use advanced threat prevention at the cloud perimeter

•Securely connect your cloud with your on-premise environment

CLOUD

ON-PREMISE


STEP #2: SECURE THE CLOUD FROM THE INSIDE

•Micro-segment your cloud to control inside communication

•Prevent lateral threats movement between applications

App

App

App

App


STEP #3: MANAGE CONSISTENT SECURITY FOR HYBRID ENVIRONMENTS

• Deploy unified security management for your hybrid cloud (On-Premise and Cloud)

• Ensure policy consistency

• Reduce operation cost

CLOUD

ON-PREMISE


STEP #4: AUTOMATE YOUR SECURITY

Security should be as elastic and dynamic as your cloud

• Auto-provisioning via templates and APIs

• Auto-scale security with Pay-as-you-Go

• Adaptive to changes


Consistent security policy and control across ALL Private and Public CloudsACI

THE CloudGuard FAMILY


Fast API connectLook for a security solution that talks to all major vendor Architectures

Security Workgroups

Public

Private

For AWS

For Azure

For NSX

For vCenter For ACIFor OpenStack

For Google


ADAPTIVE SECURITY

Reduce Firewall Tickets by 60%

Telefonica: “vSEC adaptive security is a game changer.”

Check Point Access Policy

Rule From To Application Action

3 Finance_App1(vCenter Object)

Database_Group

(NSX SecGroup)MSSQL Allow

4 HR_App2(Open StackObject)

Finance_Group(ACI EndPoint Group)

CRM Allow

5 User_ID SAP_App(Azure Object)

SAP Allow


CloudGuard IaaS FOR THE CLOUD

Infrastructure Security

Next Generation Firewall & VPN

Application and Data Security

Advanced Threat Prevention

Forensic Analysis

CloudVendor


‘Cloud Ready’ Unified Access Policy

Users Devices Applications Data Gateways Mobile Public Cloud Private Cloud


SUMMARY

Cloud is eating the world

Bad guys are everywhere

Cloud Native Controls are good, but…

Own your security!

You can get burned when it’s cloudy, protect yourself!

safe journey to the cloud - controlware...• market-leading threat prevention –anti-bots, ips,...

Documents