In order to optimize security operations and meet stringent advanced threat prevention requirements, cloud network security solutions must evolve and add new functionality to address the growing number of use cases across complex cloud deployments.
With this in mind, Check Point is unifying its cloud network security and WAAP security solutions as CloudGuard Network Security as a Service (NSaaS), planned for general availability in early 2023. Aimed at traditional network security teams as well as the newer CloudOps and DevOps teams, this unified solution brings together previously independent functions, such as next-generation firewalls and web application firewalls, for a stronger security posture and greater operational efficiency.
This blog explains the three main benefits of CloudGuard NSaaS and its advantages over more traditional cloud network security solutions. It also includes a short video that presents a real-life customer use case to show how CloudGuard enables operational efficiency. At the end, you will be able to sign up for the early availability of this solution to see the magic of unification for yourself.
Cloud-native on AWS
Most cloud network security solutions were born from a “lift and shift” approach to cloud migration: the vendor took existing software from its on-premises network security solution and ported it to work in a similar way in the cloud. This was done through cloud vendor integrations and by adding various cloud “bells and whistles” to support functionality like high availability and scalability, but the approach created limitations. Because the existing software was built on older development technology that was not cloud-native by design, it required long development and deployment cycles and, like the on-premises solution, was often complex to plan, deploy and configure. As a result, cloud security teams spent a lot of time and effort on operational overhead instead of focusing on the real security issues.
CloudGuard NSaaS is developed with modern technology to overcome these limitations and provide an improved user experience. It is tightly integrated with AWS infrastructure services and AWS Firewall Manager, and uses its cloud-native structure to deliver a managed SaaS solution. It also combines services such as a managed AWS Gateway Load Balancer Endpoint and AWS PrivateLink to make the service highly available, resilient and performant. As an industry leader in cybersecurity and a trusted cloud security advisor to thousands of AWS customers, we have spent a lot of time working with AWS cloud experts to reinvent a cloud network security solution that offers an intuitive cloud-native experience, empowering security teams to focus on what matters.
The new solution also includes a brand-new design for easy onboarding, set-up of services, and automated or manual configuration of global policy when adding new assets into your cloud deployment. You can see more on this last topic in the video below.
Everything is now “as a service”
Customer experience is always key to success, so it’s critical that we deliver simplified operations to security teams. The SaaS solution simplifies onboarding and modernizes the control plane. More importantly, the maintenance, updates, upgrades and patching are seamless, fully transparent, and managed by Check Point. This creates greater simplicity for security teams who already have extensive tasks and little time. CloudGuard NSaaS requires minimal investment in security operations, letting security managers change their focus from ongoing daily operational tasks to what really matters, like evolving security.
Additionally, CloudGuard NSaaS provides consumption-based billing, so you pay only for the traffic that is inspected by the security gateways. There is no ongoing license management and no minimum term commitment, just a simple cost analysis based on traffic throughput. It is easy to transact and consume through AWS Marketplace with a single monthly invoice, as opposed to traditional cloud network security solutions where you pay the ISV for the software license and the cloud provider for the virtual infrastructure. Purchasing from AWS Marketplace also means there is no long, tedious procurement and renewal process. The service is auto-renewed on a monthly basis and is fully scalable on demand, to address traffic growth, infrastructure expansion and business peaks and troughs.
Does it work for DevOps?
Cloud customers often ask us about the dynamic between the CI/CD pipeline, DevOps processes and the cloud security team: “How can we bring security into our DevOps processes without limiting agility?”
Traditional solutions retrofitted APIs on top of their core software design, which often results in a clunky user experience. CloudGuard NSaaS has an API-first design, which in many cases allows you to secure a new cloud asset with a single line of code. We provide multiple IaC templates, including AWS CloudFormation and Terraform, for simple configuration and operation. The use case below shows how this dynamic is improved through good design and an understanding of customer requirements and use cases.
A real-world customer use case
One cause of friction between “agile” DevOps teams and “careful” security teams is when new cloud assets are created by a developer, and a security engineer needs to define the new asset’s security guardrails. This process is often time-consuming and manual and can delay the development process unnecessarily.
Watch this video to see how new AWS assets are discovered automatically by CloudGuard NSaaS, which then applies a predefined security policy to them, reducing operational overhead.
- Initially we see the newly discovered virtual machines in the Assets tab. Similar to the Controller capability of CloudGuard Network Security, CloudGuard NSaaS has an automated discovery engine and is immediately aware of new cloud assets.
- We then see how CloudGuard NSaaS allows users to set up logical Zones that are defined by a simple query, or by a more complex query using AND and OR, for example “all VMs in some IP range AND located in US-East”.
This is where a well-defined tagging process is helpful: it groups similar cloud assets into the same Zone, so that new cloud assets that are properly tagged automatically receive the predefined policy or security rules. The Zone approach differs from the traditional cloud network security use of layers to configure rules, and we believe this new approach is more intuitive to cloud users, especially when combined with tagging.
- The video shows how a virtual machine that is properly tagged is associated with a predefined Zone, receives a well-defined policy and is able to communicate with other assets, while another VM without the proper tags is blocked.
- The video shows some of the logging capabilities of CloudGuard NSaaS, but does not show how clicking on any event in the log provides a wealth of valuable information and advanced analytics. This matters because many cloud network security solutions have poor logging and analytics capabilities, an important consideration when evaluating competing solutions. Early adopter customers give CloudGuard NSaaS high marks for its detailed logs.
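To make the Zone idea concrete, here is an added example of the matching logic described above; it is illustrative code, not CloudGuard's own API or policy model. A Zone is a predicate over asset attributes (tags, IP range, region) built from AND/OR combinators, an asset that matches a Zone inherits that Zone's policy, and an asset matching no Zone falls through to a default-deny policy, which is the behaviour the untagged VM shows in the video. The zone names, tag keys, CIDRs, policies and the three sample assets are all constructed for this example; a real deployment would read assets from the discovery engine.

```python
"""Tag-driven zone classification with default deny (illustrative example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asset:
    """A discovered cloud asset. Fields mirror what a discovery engine would report."""
    name: str
    ip: str
    region: str
    tags: dict = field(default_factory=dict)


# --- Zone query building blocks: each returns a predicate Asset -> bool ---
def tag_is(key, value):
    return lambda a: a.tags.get(key) == value


def in_cidr(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda a: ipaddress.ip_address(a.ip) in net


def in_region(region):
    return lambda a: a.region == region


def all_of(*preds):  # AND
    return lambda a: all(p(a) for p in preds)


def any_of(*preds):  # OR
    return lambda a: any(p(a) for p in preds)


# --- Zones (assumed names and policies). Order matters: first match wins. ---
ZONES = [
    ("web-tier",
     all_of(tag_is("tier", "web"),
            any_of(in_region("us-east-1"), in_region("us-east-2"))),
     {"allow_to": ["app-tier"], "allow_from": ["internet"]}),
    ("app-tier",
     all_of(tag_is("tier", "app"), in_cidr("10.0.0.0/16")),
     {"allow_to": ["db-tier"], "allow_from": ["web-tier"]}),
]

# An asset that matches no Zone gets no allowances at all.
DEFAULT_DENY = {"allow_to": [], "allow_from": []}


def classify(asset):
    """Return (zone_name, policy); zone_name is None when nothing matched."""
    for name, pred, policy in ZONES:
        if pred(asset):
            return name, policy
    return None, DEFAULT_DENY


def is_allowed(src, dst):
    """Traffic passes only if both ends are zoned and both policies agree."""
    src_zone, src_pol = classify(src)
    dst_zone, dst_pol = classify(dst)
    if src_zone is None or dst_zone is None:
        return False  # untagged or mis-tagged asset: blocked by default
    return dst_zone in src_pol["allow_to"] and src_zone in dst_pol["allow_from"]


def unclassified(assets):
    """Operational check: which newly discovered assets fell through every Zone?"""
    return [a.name for a in assets if classify(a)[0] is None]


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("vm-web-1", "10.0.1.10", "us-east-1", {"tier": "web"}),
    Asset("vm-app-1", "10.0.2.20", "us-east-1", {"tier": "app"}),
    Asset("vm-untagged", "10.0.3.30", "us-east-1"),  # no tier tag
]


if __name__ == "__main__":
    web, app, stray = SAMPLE_ASSETS
    print(classify(web)[0], classify(app)[0], classify(stray)[0])
    print("web -> app:", is_allowed(web, app))
    print("app -> web:", is_allowed(app, web))
    print("web -> untagged:", is_allowed(web, stray))
    print("needs tagging:", unclassified(SAMPLE_ASSETS))
```

The `unclassified` check is the part worth automating in a CI/CD pipeline: run it against the asset inventory after each deployment and fail the pipeline (or page the owner) when a new asset matches no Zone, since under default deny that asset is silently cut off rather than silently exposed. First-match ordering is a simplification; a real product may let an asset belong to several Zones, in which case the evaluator has to define how overlapping policies combine.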
What are the next steps?
CloudGuard NSaaS is currently in “soft launch”, so if you’d like to be an early adopter and join the Early Availability (EA) program, please register here.
Better yet, if you’re planning to be at AWS re:Invent (Nov 28-Dec 2 in Las Vegas), you’re invited to booth #217 in the Expo Hall. Chat with our cloud security architects, play trivia to win prizes or just hang out and say hi. While CloudGuard NSaaS is super exciting, I also recommend that you ask about our new CNAPP capabilities.
By Jon Harlow, Product Marketing Manager for Cloud Security