By Jonathan Maresky, CloudGuard Product Marketing Manager, published December 14, 2020
Check Point is a launch partner for Amazon Web Services (AWS) Outposts. This recognizes that Check Point CloudGuard has demonstrated successful integration with AWS Outposts deployments.
Five years ago, the idea of AWS Outposts would have been difficult for me to believe.
Back then, AWS did not publicly refer to hybrid clouds or the future of on-premises physical deployments. This is not surprising in retrospect, because AWS was very focused on a vision of cloud where all on-premises computing workloads would migrate to cloud within a few years.
However, in December 2019 AWS announced AWS Outposts, a “new fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any customer datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience”.
Why did the AWS strategy change?
In my opinion, the change is due to customer obsession.
I have written about AWS’s corporate value of customer obsession in a previous blog post and I believe it has a strong impact on AWS decision-making regarding hybrid-cloud. AWS listens to its customers and develops services to improve the ways its customers do business. Once AWS understood that its customers continue to need on-premises deployments for a wide variety of use cases, it moved its strategy to support its customers’ needs.
Check Point CloudGuard integrates with AWS Outposts for similar reasons:
Check Point is a trusted cloud security advisor for thousands of customers globally.
The CloudGuard integration with AWS Outposts allows these customers to deploy the same industry-leading cloud network security and advanced threat prevention as they already have in their AWS cloud and for their on-premises deployments, all managed with a single pane-of-glass by CloudGuard’s Unified Security Management.
“We know the importance of helping customers and organizations more easily identify potential security risks in order to take action,” said Joshua Burgin, General Manager, AWS Outposts, Amazon Web Services, Inc. “With Check Point CloudGuard available to customers on AWS Outposts, we are able to provide a comprehensive view of a customer’s security posture on their infrastructure, on AWS Outposts, and in AWS Regions both on premises and in the cloud for a truly consistent hybrid experience.”
In this blog post, I will provide more detail about CloudGuard Network Security, AWS Outposts, the integration, and the resulting benefits to customers.
Check Point CloudGuard Network Security
Check Point CloudGuard delivers industry-leading advanced threat prevention together with automated and elastic cloud network security at the speed of DevOps, over AWS, on-premises and hybrid deployments.
Check Point has demonstrated success building products integrated with AWS services, including AWS Transit Gateway, AWS Gateway Load Balancer, VPC Ingress Routing, AWS Traffic Mirroring, AWS Security Hub and other services, helping AWS customers evaluate and use their technology productively, at scale and varying levels of complexity.
It is stating the obvious that different organizations have different needs, constraints and business objectives.
Specifically for the purposes of this blog post, there are organizations that currently need some of their workloads to be deployed on-premises. AWS explains that there are four main use cases for on-premises deployments:
- Low-latency compute, for example real-time multi-player games or high frequency financial trading applications, which often require single-digit millisecond latencies to operate effectively.
- Local data processing, for example a huge dataset that cannot be easily migrated to the cloud for processing due to cost constraints.
- Data residency, for example highly regulated industries like financial services and healthcare where data is required to remain in a particular country, state, or municipality.
- Migration & Modernization, for example organizations that are gradually moving critical legacy workloads to the cloud and choose to first modernize these legacy workloads on-premises and gradually migrate these workloads to the cloud only when they are ready.
AWS Outposts supports these organizations by extending the use of AWS services to on-premises deployments to support a consistent hybrid experience.
What does this mean in reality?
Until December 2019, users consumed AWS in a purely virtual way.
AWS has physical data centers around the world with physical infrastructure (including servers, data storage and networking equipment). After creating an AWS account, users deploy various AWS services in AWS regions, which run virtually on the physical infrastructure owned and operated by AWS.
The launch of AWS Outposts in late 2019 provides an additional way to consume AWS services (see the diagram below): An organization orders physical infrastructure from AWS, which AWS installs and configures on-premises as self-contained server racks. The organization can then deploy AWS services to run virtually on this physical on-premises infrastructure, using AWS Outposts.
More importantly, the organization can build and run workloads that run virtually using AWS Outposts on the on-premises infrastructure as well as virtually using AWS Regions on AWS owned-and-operated data centers transparently. This allows users to design and deploy hybrid-cloud workloads in a consistent way. Users can also benefit from the same experience across on-premises and the cloud in terms of reliability, the same APIs and services, the same automation tools, the same pace of innovation and of course, the same security.
Integration of CloudGuard Network Security with AWS Outposts
Customers use CloudGuard Network Security on AWS Outposts to secure their workloads, assets and traffic just as they would on AWS Regions, and gain the benefit of a fully-managed infrastructure with native AWS APIs as well as fully tested and supported CloudFormation templates for automated deployment.
(AWS customers using a non-Outposts-integrated product to inspect traffic and secure workloads need to deploy, manage, and integrate the product themselves including procurement, support, and integration.)
Additionally, Check Point’s Unified Security Management console provides consistent visibility, policy management, logging, reporting and control across AWS Regions, AWS Outposts, as well as other hybrid and on-premises deployments.
Supported use cases include North/South (ingress/egress) advanced threat prevention and traffic inspection between subnets in an AWS Outposts VPC and:
- Public access to the Internet
- Private access to the local network connected to the AWS Outpost
To understand how to use CloudGuard with AWS Outposts, please refer to the reference architecture below. (Note that users can deploy Unified Security Management in the Outpost or alternatively outside the Outpost, in an AWS Region, on-premises or in any other network depending on their considerations.)
Deploying CloudGuard Network Security on AWS Outposts is similar to the regular deployment in an AWS Region. For more details, please refer to this document in the Check Point Support Center.
Check Point leadership are very pleased to be a launch partner for AWS Outposts:
“CloudGuard provides the best levels of cloud network security, automated to support cloud scalability and agile CI/CD processes, and everywhere that our customers need, now including AWS Outposts,” said Itai Greenberg, VP Product Management at Check Point Software. “We are dedicated to helping companies achieve their technology and business goals with security and cloud confidence, leveraging the agility, breadth of services, and pace of innovation that AWS provides.”
Check Point customers are eager to deploy CloudGuard to secure their existing AWS Outposts. Customers who have not yet deployed AWS Outposts are even more enthusiastic. During a meeting between the CloudGuard product and development teams and a large US-based healthcare provider, the customer CISO explained that they would only deploy sensitive workloads to an Outpost after they were certain that they could apply the CloudGuard security policies consistently and efficiently from their existing AWS Regions deployments and manage these policies from a single pane-of-glass.
Check Point is attending the biggest cloud event of the year, AWS re:Invent, as a Gold Partner from November 30 – December 18, 2020.
- A customized demo
- A cloud security assessment
- Play trivia for cool prizes
- Enter our raffle for even better prizes!
If you’d like to learn more about CloudGuard Network Security on AWS Outposts, please speak with your Check Point channel partner, your account Security Engineer or contact us.
If you are in the process of planning your migration to AWS or you are already using AWS, please contact us to schedule a demo, and a cloud security expert will help to understand your needs.
If you are ready for a 30-day free trial of CloudGuard Network Security, or if you are ready to purchase CloudGuard, you can deploy this via the AWS Marketplace. For more information about the different CloudGuard offerings on AWS Marketplace, read this blog post.
How secure is your AWS VPC?
The Check Point Cloud Security CheckMe performs a quick and easy high-level analysis of one of your AWS VPCs and sends you a report of your vulnerabilities against advanced threats.
Note: CheckMe is free from Check Point; however, standard AWS rates apply for your compute and data usage. For a limited time, Check Point will send you a $100 AWS credit after the CheckMe is completed.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- This document explains the architecture of the blueprint, describes how Check Point’s cloud security solutions enable you to implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
If you have any questions, please contact your local Check Point account representative or partner, or contact us here.