With enterprises migrating to the cloud, the traditional network perimeter concept is fading. A new approach is needed to ensure more secure access to cloud resources.
by Ran Schwartz, Product Manager, Threat Prevention, published April 11th, 2019
The way we do business has undergone a seismic transformation thanks to the cloud. Few other technologies have had as big an impact on productivity, allowing people to easily access enterprise applications from anywhere and at any time, while facilitating better collaboration, scalability and decision-making. More and more organizations are reaping these benefits by migrating their core infrastructure and apps to a cloud platform.
But with the benefits inevitably come challenges, not least of which is managing access to enterprise resources that are located outside an organization’s internal network perimeter. Traditional network security solutions were designed to protect data and devices located within the corporate perimeter. However, as employees increasingly demand the flexibility to work from anywhere and on a variety of devices, including mobile devices, and as valuable corporate data is no longer located in just one place, the idea of a network security perimeter is losing meaning. One of the main drawbacks of this paradigm is that if attackers manage to breach the perimeter, they have free rein within an organization’s restricted network.
A Fading Perimeter Calls for a New Approach
To keep up with challenges arising from an increasingly mobile workforce and from dynamic, dispersed cloud environments, security professionals must rethink traditional enterprise security. Check Point is taking a significant step forward in this direction, partnering with Google Cloud Identity to provide a new zero trust (also known as BeyondCorp) approach to managing access to corporate resources and apps beyond the perimeter. Today, we’re joining Google Cloud’s BeyondCorp Alliance to help customers manage access to corporate data by leveraging user identity attributes and device security posture.
Device-Level Security Signals for Smarter Access Management
Here’s how it works. Check Point SandBlast Mobile reports on the security posture of all mobile endpoints that are accessing an organization’s resources and data. Security posture is determined based on the analysis of app-, network-, and device-based attack vectors. Malicious apps are identified using Check Point’s Behavioral Risk Engine, which combines static code flow analysis, threat emulation, and machine learning to detect both known and zero-day threats. This device security posture data is then fed to Google Cloud’s context-aware access engine, which can be used to control access to your LOB web apps, SaaS apps, and infrastructure resources such as VMs and APIs.
At the network layer, SandBlast Mobile protects against SSL attacks and also delivers powerful threat prevention capabilities through its On-device Network Protection (ONP) agent. Capabilities include anti-phishing, safe browsing, conditional access, anti-bot, and URL filtering. And because all inspection happens locally on the device, both privacy and performance are preserved.
At the device level, SandBlast Mobile detects advanced jailbreak/rooting that may have been performed on the device, and analyzes the device for insecure configurations and other vulnerabilities.
Indicators of compromise (IOCs) are summarized in a risk score, which is combined with information on user identity and the context of the request to determine whether a user should be granted access to corporate resources and services.
With the integration of Check Point’s cutting-edge mobile security technology, customers can now gain unprecedented visibility over a device’s risk posture, augmenting what they know about the device and the context in which access is being requested.
Customers can leverage Check Point’s risk scores to create more granular and customized access policies for Google’s Cloud Identity, including G Suite. Granular controls make it easier for admins to grant context-aware access to resources, or to take more drastic measures if needed. For example, access can be blocked if Check Point SandBlast Mobile reports that a device is exposed to risk, or app data can be completely wiped from the device if the device is compromised.
Check Point SandBlast Mobile also reports on the health of its agent on the device – an important signal that can also be used to define access policy. If the agent is not properly installed or activated, access to corporate resources can be blocked. This input also gives admins the vital ability to enforce the proper installation and activation of the Check Point SandBlast Mobile agent on endpoints across the organization, particularly on unmanaged devices.
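To make the decision flow described above concrete, here is an added example of a context-aware access policy evaluator written for this post; it is not Check Point’s or Google Cloud’s code or API. The resource names, group memberships, the 0–100 risk scale and its per-resource thresholds are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    WIPE_APP_DATA = "wipe_app_data"   # most drastic response: remove corporate app data


@dataclass
class DevicePosture:
    """Posture signals as a mobile security agent might report them (constructed fields)."""
    device_id: str
    agent_active: bool   # agent health: installed and activated?
    risk_score: int      # hypothetical 0 (clean) .. 100 (severe) summary of IOCs
    compromised: bool    # jailbreak/root or confirmed malicious app on the device


@dataclass
class AccessRequest:
    user: str
    group: str
    resource: str
    device: DevicePosture


# Hypothetical policy: sensitive resources tolerate less device risk and fewer groups.
RISK_THRESHOLD = {"mail": 60, "hr-app": 30, "prod-vm-console": 10}
ALLOWED_GROUPS = {"mail": {"staff", "admins"}, "hr-app": {"hr", "admins"},
                  "prod-vm-console": {"admins"}}


def decide(req: AccessRequest):
    """Combine device posture, identity and request context into one decision."""
    d = req.device
    # 1. A compromised device is never trusted; wipe app data rather than just block.
    if d.compromised:
        return Decision.WIPE_APP_DATA, "device reported as compromised"
    # 2. Agent health is itself a signal: no active agent means no posture data, so fail closed.
    if not d.agent_active:
        return Decision.BLOCK, "security agent not installed or not activated"
    # 3. Identity: unknown resources have no allowed groups, so they are denied by default.
    if req.group not in ALLOWED_GROUPS.get(req.resource, set()):
        return Decision.BLOCK, f"group '{req.group}' not authorized for '{req.resource}'"
    # 4. Risk score against the resource's tolerance (unknown resource -> threshold 0).
    threshold = RISK_THRESHOLD.get(req.resource, 0)
    if d.risk_score > threshold:
        return Decision.BLOCK, f"risk score {d.risk_score} exceeds threshold {threshold}"
    return Decision.ALLOW, "identity and device posture within policy"
```

Note that the same user on the same device can be allowed into mail yet blocked from the VM console purely on the risk threshold, which is the granular, per-resource control the post describes.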
Strengthening Zero Trust (aka BeyondCorp)
Google Cloud’s context-aware access, working with Check Point SandBlast Mobile, allows employees to securely access corporate resources from any device and any location without needing a traditional VPN. Context-aware access enables Google’s BeyondCorp security model, which Google launched in 2011 to strengthen zero trust networks at Google and improve access management. The idea behind this model is that users should not be granted or denied access to resources and services based on the network they are connected to. Instead, access to resources should be conditional on user identity, device risk, and other contextual attributes. In a Zero Trust security model, access should be authenticated and encrypted regardless of whether it originates inside or outside the network security perimeter.
As one of the first companies to join Google Cloud’s BeyondCorp Alliance – a new initiative through which Google Cloud and select partners are working together to deliver better security solutions – Check Point is committed to strengthening Zero Trust implementation and extending it to every device that touches the enterprise security ecosystem. “SandBlast Mobile delivers Check Point’s cutting-edge threat prevention capabilities to the mobile device, to help its customers prevent attacks that attempt to exploit mobile users and their devices to gain unauthorized access to business resources,” said Ran Schwartz, Product Manager for SandBlast Mobile, upon launch of the joint solution.
The integration is already gaining traction in the field, with many mutual customers recognizing the benefits of perimeter-less access management. Together, with our customers and partners, this is one more step Check Point is taking to address enterprise security needs as they migrate to the cloud.
Learn more about SandBlast Mobile here.