1©2017 Check Point Software Technologies Ltd. ©2017 Check Point Software Technologies Ltd.

Kevin Malesky

Cloud Security Specialist

CHECK POINT CLOUDGUARD

2©2018 Check Point Software Technologies Ltd.

HOW EXPOSED ARE WE

REALLY IN THE

CLOUD?

3©2018 Check Point Software Technologies Ltd.

OUR CLOUD ENVIRONMENT

Internet

4©2018 Check Point Software Technologies Ltd.

WITHIN THE FIRST 15 MINUTESHouston we have a problem . . .

5©2018 Check Point Software Technologies Ltd.

AFTER 7 DAYS . . .Oh won’t you please be my neighbor . . .

~4 million attacks recorded!

6©2017 Check Point Software Technologies Ltd.

A TRUE STORY…

[Internal Use] for Check Point employees

https://research.checkpoint.com/hey-you-get-off-of-my-cloud/

48153050100150200250 Servers(!!!)

$500,000 Loss

Digital Advertising campaign on AWS

7©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees

Customer responsible for security in the cloud

Cloud vendor responsible for security of the cloud

CLOUD = SHARED RESPONSIBILITY

Cloud Global Infrastructure

Regions

Availability Zones

Edge Locations

Compute Storage Database Networking

Customer Data

Platform, Applications, IAM

Operating System, Network and FW Configs

Client-side Data Encryption & Data

Integrity Authentication

Server-side Encryption (File System / Data)

Network Traffic Protection (Encryption,

Integrity, Identity)

8©2017 Check Point Software Technologies Ltd.

NO Threat Prevention in real time (L4-L7 protections)

NO unified management for all Clouds & Traditional Data Center

NO Identity based authentication access to applications

NO URL Filtering

NO Threat Extraction and Zero-day Sandboxing

WHERE CLOUD NATIVE SECURITY FALLS SHORT

9©2017 Check Point Software Technologies Ltd.

Lateral threat movements

Data breach due to misconfiguration

Abuse of cloud services

API hacking

Malicious insiders

THIS MIGHT EXPOSE YOU TO…

10©2017 Check Point Software Technologies Ltd. [Restricted] for designated teams

ACI

Consistent security policy and control across ALL Public and Private Clouds

11©2017 Check Point Software Technologies Ltd.

CloudGuard IaaS BUILDING BLOCKS

Centralized Management

Advanced Threat Prevention

Cloud Diversity

DevOps Ready

Adaptive and Automatic

12©2017 Check Point Software Technologies Ltd.

Cloud

Northbound-HUB

SPOKE-1 SPOKE-2

CloudGuard IaaS Auto-Scale

CloudGuardIaaS-N

CloudGuardIaaS-1

…..

SPOKE-N…

Southbound-HUB

CloudGuard IaaS Cluster

WWWLoad Balancer

Load Balancer

[Internal Use] for Check Point employees

THE HUB & SPOKE ARCHITECTURE (TRANSIT)

Load Balancer

SPOKE-3

VPN

Co

rpo

rate

• Northbound security auto-scales

• Southbound security deployed

in high-availability

• Supported Clouds

• Azure Transit- vNET

• AWS Transit - VPC

CloudGuardIaaS - 2

CloudGuardIaaS - 1

13©2017 Check Point Software Technologies Ltd.

COMPREHENSIVE SECURITY ARCHITECTURE

Headquarters

Remote Employees Branch

Private Cloud & SDN SAASPublic IAAS

14©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees

SUMMARYCloud “Best Practices” are foggy

Bad guys are everywhere (still)

Cloud Native Controls are good, but…

Own your security!

You can get burned when it’s cloudy, protect yourself!

15©2017 Check Point Software Technologies Ltd. ©2017 Check Point Software Technologies Ltd.

THANK YOU