©2017 Check Point Software Technologies Ltd.
Stephan Fritsche
Cloud Security – Cloud Guard IaaS Sales Manager Central Europe
OVERCAST: THE SECURITY DILEMMA IN THE CLOUD. CONSOLIDATED SECURITY ARCHITECTURE FOR PRIVATE AND PUBLIC CLOUD SERVICES.
2©2017 Check Point Software Technologies Ltd.
GmbH
Stephan FritscheCloud Guard IaaS Sales Manager
Central Europe
Check Point Software Technologies GmbH
Zeppelinstr. 1, D-85399 Hallbergmoos
Phone: +49 151 4221 4988
E-Mail: [email protected]
3©2017 Check Point Software Technologies Ltd.
Public Cloud Security:
Sicher hin - sicher drin
Herausforderung Virtualisierung:
ACI, NSX, OpenStack - aber sicher!
SDN & IaaS:
Sicherheitsherausforderungen neuer
Infrastrukturkonzepte
4©2017 Check Point Software Technologies Ltd.
5©2017 Check Point Software Technologies Ltd.
6©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
FROM DATA CENTER TO CLOUD
Data center to cloud: what used to take weeks takes minutes with cloud.
7©2017 Check Point Software Technologies Ltd.
DATA CENTER EVOLUTION
VIRTUAL DATA CENTER HYBRID CLOUD
• Manual operation
• Perpetual licensing
• Automation & Orchestration
• Pay as you go licensing
8©2017 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
THE NEW CLOUD ENVIROMENT
Cloud Management One place to orchestrate and automate all applications
HypervisorThe virtual compute
SDNCentral place to control
the entire networks
9©2017 Check Point Software Technologies Ltd.
WELCOME TO THE CLOUD
10©2017 Check Point Software Technologies Ltd.
11©2017 Check Point Software Technologies Ltd.
Cloud Market
12©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
ADOPTION GROWTH80% OF ENTERPRISES ARE
COMMITTED TO CLOUD STRATEGY BY 2017
IDC
CLOUD COMPUTING MARKET TO
REACH $170B BY 2020
Gartner
NEW TECH
CONTAINERS MARKET TO
REACH $3.5B AND
SERVERLESS $8B BY 2021
Gartner and 451 Research
THE CLOUD IS HERE
13©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
CLOUD DIVERSITY67% OF ENTERPRISES ARE IN HYBRID
CLOUD MODEL. MULTI CLOUD BECOMING THE NORM
RightScale
SECURITY40% OF ENTERPRISES RATE CLOUD
SECURITY AS SIGNIFICANTCHALLENGERightScale 2017
THE CLOUD IS HERE
14©2017 Check Point Software Technologies Ltd.
New objects of Anxiety
Networks are more Inter-Connected
Threats are more Sophisticated and Automated
&
15©2017 Check Point Software Technologies Ltd.
Infrastructure Diversity
[Internal Use] for Check Point employees
IOT
16©2017 Check Point Software Technologies Ltd.
The Global Risks Report 2018
17©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
STATE OF CLOUD CYBER SECURITY
esecurityplanet.com, September 19, 2017 pcmag.com, July 7, 2017
Lightreading.com – September 5, 2017Gizmodo.com – September 19, 2017 Scmagazine.com, September 5, 2017
ZDNet.com, August 16, 2017
18©2017 Check Point Software Technologies Ltd.
WHO’S RESPONSIBLE FOR CLOUD SECURITY?
TRADITIONAL SECURITY NOT DESIGNED FOR CLOUD
Static workloads
Manually intensive
DevOps don't know Security
IT Security doesn't know Cloud
20©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
Customer responsible for security in the cloud
Cloud vendor responsible for security of the cloud
CLOUD = SHARED RESPONSIBILITY
Cloud Global Infrastructure
Regions
Availability Zones
Edge Locations
Compute Storage Database Networking
Customer Data
Platform, Applications, IAM
Operating System, Network and FW Configs
Client-side Data Encryption & Data
Integrity Authentication
Server-side Encryption (File System / Data)
Network Traffic Protection (Encryption,
Integrity, Identity)
21©2017 Check Point Software Technologies Ltd.
NO Threat Prevention in real time (L4-L7 protections)
NO unified management for all Clouds & Traditional Data Center
NO Identity based authentication access to applications
NO URL Filtering
NO Threat Extraction and Zero-day Sanboxing
WHERE CLOUD NATIVE SECURITY FALLS SHORT
22©2017 Check Point Software Technologies Ltd.
Lateral threat movements
Data breach due to misconfiguration
Abuse of cloud services
API hacking
Malicious insiders
THIS MIGHT EXPOSE YOU TO…
23©2017 Check Point Software Technologies Ltd. 23©2018 Check Point Software Technologies Ltd.
Generations of Attacks and Protections
Gen ILate 1980s –PC attacks - standalone
Virus
Gen IIMid 1990s –Attacks from the internet
Networks
Gen IIIEarly 2000s -Exploiting vulnerabilities in applications
Applications
The Anti Virus
The Firewall
Intrusion Prevention (IPS)
Gen IV2010 -Polymorphic Content
Payload
SandBoxingand Anti-Bot
24©2017 Check Point Software Technologies Ltd.
Where are we ?
1990 2000 2010 2015 2017
THREATS
PROTECTIONS
Networks
Gen II
Applications
Gen III
Payload
Gen IV
GRADE I
GRADE II
GRADE III
GRADE V
GRADE IV
Virus
Gen I
Enterprises are between
Gen 2-3
2.8
Mega
Gen V
25©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
4 STEPS TO SECURE YOUR CLOUD
BUCKLE UP
26©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
STEP #1: CONTROL THE CLOUD PERIMETER
•Use advanced threat prevention at the cloud perimeter
•Securely connect your cloud with your on-premise environment
CLOUD
ON-PREMISE
27©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
STEP #2: SECURE THE CLOUD FROM THE INSIDE
•Micro-segment your cloud to control inside communication
•Prevent lateral threats movement between applications
App App
App App
28©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
STEP #3: MANAGE CONSISTENT SECURITY FOR HYBRID ENVIRONMENTS
• Deploy unified security management for your hybrid cloud (On-Premise and Cloud)
• Ensure policy consistency
• Reduce operation cost
CLOUD
ON-PREMISE
29©2017 Check Point Software Technologies Ltd. [Protected] Non-confidential content
STEP #4: AUTOMATE YOUR SECURITY
Security should be as elastic and dynamic as your cloud
• Auto-provisioned
• Auto-scaled
• Adaptive to changes
30©2017 Check Point Software Technologies Ltd.
TRAVEL TO THE CLOUD IN FIRST CLASS
CHECK POINT CLOUD SECURITY PRINCIPLES
Utmost protection
Adaptive Security
Hybrid Infrastructure
32©2017 Check Point Software Technologies Ltd.
Consistent security policy and control across ALL Private and Public CloudsACI
THE CloudGuard FAMILY
33©2017 Check Point Software Technologies Ltd.
CloudGuard IaaS FOR THE CLOUD
Infrastructure Security
Next Generation Firewall & VPN
Application and Data Security
Advanced Threat Prevention
Forensic Analysis
CloudVendor
34©2017 Check Point Software Technologies Ltd.
Firewall
Anti-Virus
Anti-Bot
Application
Control
IPS
Threat
Emulation
URL
Filtering
Utmost Protection from Modern Threats
35©2017 Check Point Software Technologies Ltd.
Check Point Access Policy
Rule From To Application Action
3 Finance_App1(vCenter Object)
Database_Group
(NSX SecGroup)MSSQL Allow
4 HR_App2(Open StackObject)
Finance_Group(ACI EndPoint Group)
CRM Allow
5 User_ID SAP_App(AWS Object)
SAP Allow
ADAPTIVE SECURITY
Reduce Firewall Tickets by 60%
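The access policy table above references cloud objects (a vCenter VM, an NSX security group, an ACI endpoint group, an AWS object, a user identity) instead of IP addresses, which is what lets one rulebase micro-segment traffic between applications (Step #2) and keep up with workloads that are created and deleted without a firewall ticket. The following Python is an added example that models that idea; it is not Check Point code and does not reproduce how CloudGuard resolves objects internally. The inventory, the identity map, every IP address and the application-to-port mapping are constructed assumptions for the demonstration.

```python
"""Object-backed access policy, resolved at enforcement time (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: what the cloud controllers (vCenter, NSX, OpenStack,
# ACI, AWS) would report right now. Names mirror the access-policy table.
INVENTORY = {
    "Finance_App1":   {"source": "vCenter Object",     "members": ["10.1.1.10"]},
    "Database_Group": {"source": "NSX SecGroup",       "members": ["10.1.2.0/24"]},
    "HR_App2":        {"source": "OpenStack Object",   "members": ["10.2.1.20"]},
    "Finance_Group":  {"source": "ACI EndPoint Group", "members": ["10.1.1.0/24"]},
    "SAP_App":        {"source": "AWS Object",         "members": ["172.16.5.0/24"]},
}

# Constructed identity map: user -> addresses the user is currently logged in from.
IDENTITIES = {"alice": ["192.168.50.7"]}

# Constructed application signatures. A real Application Control blade
# identifies the protocol from the stream; a port is used here to keep the
# example self-contained.
APPLICATIONS = {"MSSQL": 1433, "CRM": 8443, "SAP": 3200}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str      # object name, "User_ID:<user>" or "Any"
    dst: str
    app: str
    action: str


# The three rules from the slide's table.
RULEBASE = [
    Rule(3, "Finance_App1", "Database_Group", "MSSQL", "Allow"),
    Rule(4, "HR_App2", "Finance_Group", "CRM", "Allow"),
    Rule(5, "User_ID:alice", "SAP_App", "SAP", "Allow"),
]


def resolve(obj, inventory=INVENTORY, identities=IDENTITIES):
    """Return the networks an object covers at this moment.

    An object that no longer exists (deleted VM, emptied group, logged-out user)
    resolves to nothing, so any rule built on it silently stops matching:
    the policy adapts without anyone editing it.
    """
    if obj == "Any":
        return [ip_network("0.0.0.0/0")]
    if obj.startswith("User_ID:"):
        addrs = identities.get(obj.split(":", 1)[1], [])
    else:
        addrs = inventory.get(obj, {}).get("members", [])
    return [ip_network(a, strict=False) for a in addrs]


def _hit(nets, addr):
    return any(ip_address(addr) in net for net in nets)


def evaluate(src_ip, dst_ip, dst_port, rulebase=RULEBASE,
             inventory=INVENTORY, identities=IDENTITIES):
    """First-match walk of the rulebase.

    Anything that matches no rule falls to the implicit cleanup rule (Drop).
    That default is what blocks app-to-app lateral movement inside the cloud.
    """
    for rule in rulebase:
        if (_hit(resolve(rule.src, inventory, identities), src_ip)
                and _hit(resolve(rule.dst, inventory, identities), dst_ip)
                and APPLICATIONS.get(rule.app) == dst_port):
            return rule.number, rule.action
    return None, "Drop"


def inventory_without(name, inventory=INVENTORY):
    """Simulate the cloud controller reporting that an object was deleted."""
    return {k: v for k, v in inventory.items() if k != name}


if __name__ == "__main__":
    print(evaluate("10.1.1.10", "10.1.2.5", 1433))   # rule 3, Allow
    print(evaluate("10.2.1.20", "10.1.2.5", 1433))   # HR app to DB: Drop
    print(evaluate("10.1.1.10", "10.1.2.5", 1433,
                   inventory=inventory_without("Finance_App1")))  # VM gone: Drop
```

The interesting cases are the ones the table does not spell out: HR_App2 reaching the database group is dropped although both objects are legitimate, because no rule joins them; a connection using the right hosts but a different application is dropped; and once the vCenter object behind Finance_App1 disappears, rule 3 stops matching on the next evaluation with no rule change.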
36©2017 Check Point Software Technologies Ltd.
‘Cloud Ready’ Unified Access Policy
[Restricted] ONLY for designated groups and individuals
Users Devices Applications Data Gateways Mobile Public Cloud Private Cloud
37©2017 Check Point Software Technologies Ltd.
CloudGuard Security Automation & Orchestration
Security at the speed of DevOps
Adapt policy to application changes
Auto-scale security with Pay-as-you-Go
Auto-provisioning via templates and APIs
38©2017 Check Point Software Technologies Ltd.
Azure
vNET-1
vNET-2
Check Point Unified Management & Security Policy
AWSOn Premise Datacenter
Transit VPC
VPC-1 VPC-2 VPC-3
SDN
Hybrid Cloud Security Architecture with CloudGuard
39©2017 Check Point Software Technologies Ltd.
ADAPTIVE SECURITY THAT ENABLES INNOVATION
Easy to secure and connect
Multi-clouds application
Applications are protected
with the best security
DevOps and IT Security
speaks the same language
Policy is updated when
application is deleted Application owner
never waits
Reduce security tickets
by 60%
40©2017 Check Point Software Technologies Ltd.
SUCCESSMore than 3,500 customers world-wide
use CloudGuard to secure their cloud
40
41©2017 Check Point Software Technologies Ltd.
XERO is a global online accounting firm servicing over 1M accounts in AWS
CloudGuard secures all their accounts in AWS
Allegiant makes leisure travel affordable
CloudGuard secures their new NSX-based Private Cloud
HAPPY CUSTOMERS
[Protected] Non-confidential content 41©2017 Check Point Software Technologies Ltd.
42©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
SUMMARYCloud is eating the world
Bad guys are everywhere
Cloud Native Controls are good, but…
Own your security!
You can get burned when it’s cloudy, protect yourself!
43©2017 Check Point Software Technologies Ltd.
XaaS – “X” As a Service
44©2017 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
“99% of security breaches could have been
prevented by the correct configuration of security
appliances.”
Gartner Research Note
45©2017 Check Point Software Technologies Ltd.
TRAVEL TO THE CLOUD IN FIRST CLASS
[Protected] Non-confidential content 45©2017 Check Point Software Technologies Ltd.
Utmost Protection, Adaptive Security , Hybrid Infrastructure