Cloud Security Puzzle – Solved!

If you are deploying workloads (like web servers) or migrating back office apps into Google Cloud Platform (GCP), you will be happy to know that you can now do it securely in a turn-key way without sacrificing the agility & business elasticity provided by GCP. Check Point’s vSEC cloud security solution delivers advanced security that is virtually built into the Google environment using Google’s APIs. Together, Google and Check Point enable a multilayer security solution that comprehensively protects customers’ assets and data in the cloud with advanced threat prevention security.

Why do we really need another security layer?

While the benefits of adopting cloud architectures are well known, striking a balance between agility, scalability, control & security has been challenging. Some organizations have been hesitant about migration to the public cloud due to misconceptions about the security posture of workloads deployed in the cloud. Businesses typically want control over their data and would like to keep it private while maintaining compliance with industry regulations.

As a trusted security vendor, we have partnered with Google to ensure that businesses achieve both agility and security as they embrace GCP and deploy hybrid cloud architectures. While cloud providers have secured the underlying infrastructure using a multi-layer approach of physical, hardware, software and operational security processes, this is just one piece of the ‘cloud security puzzle’.

To start, let us look at the security that is deployed in most traditional data centers that have internet facing services. As a baseline, you would expect that they would have:

  • A firewall providing access control
  • An IPS & Anti-Virus which protect against protocol and application vulnerabilities
  • Web Security with HTTPS inspection to protect corporate web applications
  • Anti-bot to detect infected machines on the local network and drop communications to C&C centers
  • A Sandboxing technology that detects zero-day threats and evolving malware or advanced persistent threats (APTs)
  • A mechanism for reporting and troubleshooting traffic that may have been blocked

Now let us look at what cloud vendors provide. At the Network Layer, a cloud provider firewall provides environment segmentation. This includes capabilities like stateful packet inspection specified by access control list (ACL) rules that allow or deny traffic to your VM instances. We need to keep in mind that this is simple stateful packet filtering, and not deep packet inspection.

There is no protocol validation or network level IPS capability in the network firewall. Data isolation via native cloud security controls provided by the cloud vendors does not protect against malware or other sophisticated threats. It is the customers who are responsible for network traffic protection, OS, network and firewall configurations, end-point protections and access management. All cloud providers advise their customers to get additional functionality such as deep packet inspection, IPS/IDS, or network threat protection using a 3rd party advanced security solution. This is known as the “shared responsibility model” of the public cloud.

Complementary Controls

A good analogy for the situation is to imagine your cloud based data center as an airport. In order for the airport to function, you need to allow passengers (Packets) to get to a secure zone (Database) and from there to their destinations. So you build fences around the secure zone (Basic firewall rules or security groups), and build a gate through which all passengers, with tickets, will be allowed to pass.

Sounds great! But, there’s a catch . . . or two. The most obvious issue is: how can you distinguish between legitimate passengers and suspicious ones (malware, bots)? For that you need to have additional security screening of all passengers, such as baggage screening, X-ray machines, etc. (deep packet inspection, Anti-Virus, IPS). Just looking at their ticket is simply not enough.

Moreover, in today’s hyper-connected world, you will probably find yourself in a situation that requires you to create more and more security screenings. However, no matter how many screenings you use, it should be assumed that at times suspicious passengers may still get through. For those cases, you should employ additional security screens (Anti-Bot) to isolate and quarantine a suspicious passenger once identified, but before they actually arrive at your secure zone (DBs).

Similarly, our vSEC solution complements GCP’s security controls (like the built-in firewall) by identifying and blocking advanced threats that mask themselves as legitimate traffic, using advanced multi-layer threat prevention and deep packet inspection – from L1-L7 in the network stack. To fulfill your responsibility and protect “your belongings” hosted in the public cloud with the same level of security that you have deployed on premise, you will need to deploy a 3rd party advanced security solution like Check Point vSEC. This covers the higher layers in our ‘cloud security puzzle’.

Highlights of the joint vSEC and GCP solution

The main highlights of our joint solution are:

  • Rapid Single-Click Deployment: a wizard based deployment model allows you to easily and rapidly deploy vSEC gateways through Google Cloud Launcher, and then enable all relevant Check Point protections in your Google cloud environment to secure your public cloud assets.
  • Cloud Aware and Dynamic Security: vSEC monitors your environment and adapts the security policy to any changes. For example, vSEC allows you to define the following rule:
    Allow only SQL-based protocols from Google’s “Web-instance-group-google” to my on-premise VMware group “DB-vApp-group-vmware” while verifying that transactions are threat-free (i.e. use IPS, A/V, Threat Prevention).
    Whenever a new Web Server or DB server is added to or removed from the relevant group, vSEC will automatically identify that event, learn the IP of the new instance and apply the relevant security rules you defined to the new instance.
  • Horizontal Auto-Scaling: by defining a vSEC instance-group, vSEC will scale out linearly and automatically based on the gateway load in order to satisfy critical business needs.
  • Unified Policy and Centralized management: with vSEC you can enable a unified and consistent policy applied across all your physical appliances and your cloud gateways. Cloud agnostic integrations include the following environments: VMware vCenter, VMware NSX, Cisco ACI, OpenStack, Nuage Networks, AWS, Azure and now Google Cloud.
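The group-based rule described under "Cloud Aware and Dynamic Security", sketched as an added example (this is not Check Point's code or the vSEC API). The class and function names, the sample addresses and the port set standing in for "SQL-based protocols" are assumptions made for illustration; only the two group names come from the text above.

```python
from dataclasses import dataclass, field

# Assumed port set for "SQL-based protocols" (MySQL, MS SQL, PostgreSQL); illustrative only.
SQL_PORTS = frozenset({3306, 1433, 5432})

@dataclass
class GroupRule:              # hypothetical rule object: names groups, never IPs
    src_group: str
    dst_group: str
    ports: frozenset
    inspect: bool = True      # hand matching flows to IPS / A/V inspection

@dataclass
class PolicyEngine:           # hypothetical engine, not a real product component
    rules: list
    members: dict = field(default_factory=dict)   # group name -> set of IPs

    def on_instance_event(self, group, ip, added):
        """Apply an inventory event (instance created or deleted) to group membership."""
        ips = self.members.setdefault(group, set())
        if added:
            ips.add(ip)
        else:
            ips.discard(ip)

    def decide(self, src_ip, dst_ip, dst_port):
        """Return 'inspect', 'allow' or 'drop' for a new connection (default deny)."""
        for r in self.rules:
            if (src_ip in self.members.get(r.src_group, ())
                    and dst_ip in self.members.get(r.dst_group, ())
                    and dst_port in r.ports):
                return "inspect" if r.inspect else "allow"
        return "drop"

def demo():
    engine = PolicyEngine([GroupRule("Web-instance-group-google",
                                     "DB-vApp-group-vmware", SQL_PORTS)])
    # Constructed inventory events; all addresses are sample values.
    engine.on_instance_event("Web-instance-group-google", "10.128.0.11", True)
    engine.on_instance_event("DB-vApp-group-vmware", "192.168.50.20", True)
    results = {"existing_web": engine.decide("10.128.0.11", "192.168.50.20", 3306)}
    # Before the scale-out event is seen, the new web server matches no rule.
    results["new_web_before"] = engine.decide("10.128.0.12", "192.168.50.20", 3306)
    engine.on_instance_event("Web-instance-group-google", "10.128.0.12", True)
    results["new_web_after"] = engine.decide("10.128.0.12", "192.168.50.20", 3306)
    # A removed instance loses access; a non-SQL port is never allowed.
    engine.on_instance_event("Web-instance-group-google", "10.128.0.11", False)
    results["removed_web"] = engine.decide("10.128.0.11", "192.168.50.20", 3306)
    results["ssh_to_db"] = engine.decide("10.128.0.12", "192.168.50.20", 22)
    return results

if __name__ == "__main__":
    print(demo())
```

Removal matters as much as addition: once an instance leaves the group its address stops matching, so a later workload that reuses that IP does not inherit database access.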

Common Deployment Scenarios

The joint solution powers many common use cases that will help organizations large and small achieve key business objectives while meeting technical and regulatory requirements. Some of the common use cases supported:

  • perimeter security for public cloud infrastructure
  • remote access to public cloud infrastructure for mobile users
  • hybrid cloud environment created with secure connectivity between on-premise and cloud infrastructure via site to site VPN

Some of the key features and benefits of vSEC include:

  • Comprehensive threat prevention and traffic visibility
  • Security automation and orchestration
  • Agile, scalable and dynamic security that adapts and scales automatically

In subsequent blog posts, I will dig deeper into two main deployment scenarios (Web applications and back office apps migration to Google Cloud Platform). These use cases validate fundamental deployment scenarios needed in today’s dynamic public computing environments. They are also designed to help DevOps and security teams rapidly deploy workloads into the cloud while supporting scale, elasticity, automation and orchestration capabilities without sacrificing advanced security.

Enjoy your journey to the cloud.

More information: Come meet me @ Google NEXT’17 session “Third-party networking solutions for layer 7 networking on Google Cloud Platform” on March 10 at 2:40PM and hear how you can deploy and maintain GCP workloads in a secured manner with Check Point vSEC.

Check out the vSEC for Google Cloud Platform public announcement here. You can also learn more about vSEC for Google Cloud Platform here.

vSEC for Google Cloud Platform is available immediately in PAYG (Pay-as-you-Grow) or BYOL (Bring-your-own-License) options through the Google marketplace.

A fully functional test drive of vSEC for Google Cloud Platform is also available. Test drives are a popular way to try software before you buy without requiring software licenses, credit cards or even a Google account. Click here to run a pre-configured test drive of vSEC running on Google Cloud.

Check Point is a sponsor at Google Next 2017 Conference, running March 8 – 10 in San Francisco, which brings together executives, customers, partners, developers, IT decision makers and Google engineers to build the future of the cloud. Visit booth #B9 to learn how to harness Check Point vSEC’s unique threat prevention capabilities within the Google Cloud Platform by meeting our experts and viewing a demonstration.