By Jonathan Maresky, Cloud Product Marketing Manager, published January 18, 2022
Check Point CloudGuard provides the best Azure security, enhancing and complementing Azure services with industry-leading network security, Cloud Security Posture Management, intelligence and threat hunting, workload protection and AppSec (application security and API protection).
But Azure security should be broader than only protecting IaaS assets: it needs to include PaaS security as well, to protect popular Azure PaaS services like Azure Storage, Azure Cosmos DB and
Azure SQL Database.
This blog post outlines the differences between IaaS, PaaS and SaaS, and explains how CloudGuard provides customers with Azure PaaS security.
Please make sure you read all the way until the end of the blog post for recommended next steps as well as additional content for reading and learning.
Most importantly, please register for CPX360, where you can see Azure PaaS security in action and interact interact directly with the CloudGuard development team.
IaaS, PaaS and SaaS – what’s the difference anyway?
The diagram below helps to understand the differences, especially in terms of the offerings provided (left side of the triangle) and who uses these offerings (right side of the triangle).
IaaS: Cloud vendors purchase physical infrastructure (mostly compute servers, storage and networking devices) and provide them as virtual services to their customers. For example, an organization can develop and deploy software using Microsoft Azure Virtual Machines instead of purchasing their own physical servers.
PaaS: Vendors (normally cloud vendors) provide software development platforms as virtual services, so their customers can use these platforms to develop and deploy software. These PaaS offerings include the underlying infrastructure/IaaS, so the customer does not have to manage these. For example, an organization can use Azure SQL Server as part of their software stack and consume this as a service instead of purchasing a software license and running it on their own physical infrastructure.
Gartner predicts that PaaS usage will grow 54% from 2020-2022, in comparison with SaaS usage predicted growth of 41%.
SaaS: Many independent software vendors deliver applications over the internet as virtual services, which are normally consumed via a web browser. These SaaS solutions include the underlying PaaS and IaaS components, so the customer does not need to manage these. For example, an organization can use Office 365 which they access via a web browser, instead of purchasing a Microsoft Office license and running it on their own PCs.
The figure below provides another way to understand IaaS, PaaS and SaaS differences.
PaaS services offer many benefits, including:
- Reduces development time and effort, and adds development capabilities: PaaS customers use pre-coded software components built into the PaaS service instead of developing, testing and maintaining these in-house.
- Enables development teams to efficiently manage the application lifecycle: Teams can develop and test within the same integrated environment.
- Improves RoI: Organizations don’t purchase or maintain physical hardware and don’t need to spend time setting up and maintaining the core software development stack, and can scale up/down as needed to suit their real-time needs.
Most cloud network security solutions are only able to protect IaaS components. But more and more organizations are using PaaS and must ensure these deployments are secure.
How CloudGuard enables Azure PaaS security
One of the main ways that CloudGuard Network Security secures IaaS components like virtual machines and load balancers is by controlling and inspecting traffic that goes to and comes from these components. An example of this Azure IaaS security can be seen in the architecture diagram below.
This is done using the IP address of the IaaS instance: disconnecting the instance’s public IP address and ensuring that the only access to the IaaS instance’s private IP address is via the CloudGuard Network Security gateway.
However Azure PaaS instances don’t have IP addresses. When a PaaS instance is deployed, it is assigned a FQDN, which is considered the instance’s “name”, and is accessed via an Azure gateway. (For example, an Azure SQL Database is accessed via an Azure SQL Database gateway.) All the traffic to and from Azure PaaS instances pass through these Azure gateways.
Unless additional protections are put in place, this PaaS instance can be accessed by any user, anywhere (for example using “nslookup”), which exposes your organization to multiple potential threat vectors.
So how does CloudGuard secure a PaaS instance which does not have an IP address?
By using an Azure Private Endpoint in order to “provide” the PaaS instance with an IP address.
According to Microsoft, a private endpoint is “a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service powered by Azure Private Link.” Private link “provides private connectivity from a vNet to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services”.
In other words, using a private endpoint allows private connectivity with Azure PaaS services, using a private IP, and it can be configured in any subnet that you choose. Cloud network engineers can define that the PaaS instance is only accessed via the private endpoint, and can similarly define that the private endpoint is only accessed via the CloudGuard security gateway.
Note that one private endpoint can be connected to only one Azure PaaS service, whereas a PaaS service can be attached to multiple private endpoints.
Azure PaaS security in more detail, step-by-step
In this example, I will use an Azure SQL Server.
Ordinarily, after the instance is deployed, it can be accessed by anyone, as can be seen in the example below.
We add a private endpoint inside a secure vNet, connect it to the Azure SQL Server and detach the public access from this instance. This allows cloud network engineers to define precisely who will be allowed access to the private endpoint and thus to the PaaS service. This also helps to enforce Zero Trust principles, where all devices, users, workloads and systems are denied access to this instance by default, unless trust is verified and access is provided based on this trust.
We then add static routes to the CloudGuard security gateway to ensure that all traffic to the private endpoint is routed via the gateway, add relevant NAT rules and add a User Defined Route (UDR) to the client subnet.
The diagram below shows East-West segmentation, where traffic from the client and addressed to the Azure SQL Servier is routed via the CloudGuard security gateway for policy enforcement, advanced threat prevention and traffic inspection.
Similarly for ingress traffic from the internet in the figure below: all incoming traffic to the Azure SQL Server is routed via the CloudGuard security gateway.
Note that the private endpoint may be deployed anywhere, but Check Point recommends creating a new subnet for all the private endpoints and only for them.
The above implemention is suitable for all Azure PaaS services, not just Azure SQL Servers.
This method provides segmentation, threat prevention and network security for Azure PaaS services with the same industry-leading security technologies as CloudGuard Network Security provides to Azure IaaS and hybrid-cloud deployments.
Previously, organizations using Azure did not have a well-defined way to enable Azure PaaS security. The problem is challenging and it is possibly unlikely that any single organization will be successful to solve this alone due to the complexity and nuances of implementation. The Check Point CloudGuard R&D team invested many person-weeks to find the best solution and told me that other approaches that they investigated were not successful.
- The best place to see Azure PaaS security in action and interact directly with the CloudGuard development team is at CPX360, Check Point’s annual global customer and partner event. Register now for the APAC, Americas or EMEA event and make sure you visit the public cloud technology innovation virtual roundtable!
- For a demo of CloudGuard providing Azure PaaS security, click here.
- You can read the detailed guide for using Azure PaaS security with CloudGuard Network Security here.
- CloudGuard Network Security is available for 30-day free trial or deployment on Azure Marketplace and can be consumed via PAYG or BYOL.
- If you’d like to learn more about CloudGuard Network Security, please speak with your Check Point channel partner, your account Security Engineer or contact us.
Additional content for learning and reading
If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:
- The top 10 considerations when evaluating and choosing a cloud network security solution in more detail
- An overview of Check Point CloudGuard and how it answers these top 10 considerations
- The relative benefits of the solutions provided by leading cloud providers and third-party security vendors
Another fascinating document is the Forrester Total Economic Impact of CloudGuard Network Security:
Forrester Research interviewed a $10B+ US-based healthcare company who uses CloudGuard to secure their hybrid-cloud deployment and generated a 169% ROI. To read this document, click here.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- Introduction to Cloud Security Blueprint introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- Cloud Security Blueprint: Architecture and Solutions explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you implement the blueprint, and how these address the cloud security challenges and architectural principles that were outlined in the first document.
- This document provides reference architectures for implementing the cloud security blueprint.
If you are ready to trial CloudGuard Network Security in your public or private cloud, contact us to ask if there is a 3 hour deep-dive technical workshop in your region/country and even in local languages. If you have any other questions, please contact your local Check Point account representative or partner using the same contact us link.