
Check Point CloudGuard further enhances Azure security with Azure PaaS protections

By Jonathan Maresky, Cloud Product Marketing Manager, published January 18, 2022

Check Point CloudGuard provides the best Azure security, enhancing and complementing Azure services with industry-leading network security, Cloud Security Posture Management, intelligence and threat hunting, workload protection and AppSec (application security and API protection).

But Azure security should be broader than only protecting IaaS assets: it needs to include PaaS security as well, to protect popular Azure PaaS services like Azure Storage, Azure Cosmos DB and Azure SQL Database.

This blog post outlines the differences between IaaS, PaaS and SaaS, and explains how CloudGuard provides customers with Azure PaaS security.

Please make sure you read all the way until the end of the blog post for recommended next steps as well as additional content for reading and learning.

Most importantly, please register for CPX360, where you can see Azure PaaS security in action and interact directly with the CloudGuard development team.

Background

IaaS, PaaS and SaaS – what’s the difference anyway?

The diagram below helps to understand the differences, especially in terms of the offerings provided (left side of the triangle) and who uses these offerings (right side of the triangle).

IaaS, PaaS and SaaS cloud service models (source: Devteam.space)

Very simplistically:

IaaS: Cloud vendors purchase physical infrastructure (mostly compute servers, storage and networking devices) and provide them as virtual services to their customers. For example, an organization can develop and deploy software using Microsoft Azure Virtual Machines instead of purchasing their own physical servers.

PaaS: Vendors (normally cloud vendors) provide software development platforms as virtual services, so their customers can use these platforms to develop and deploy software. These PaaS offerings include the underlying infrastructure/IaaS, so the customer does not have to manage these. For example, an organization can use Azure SQL Server as part of their software stack and consume this as a service instead of purchasing a software license and running it on their own physical infrastructure.

Gartner predicts that PaaS usage will grow 54% from 2020-2022, in comparison with SaaS usage predicted growth of 41%.

SaaS: Many independent software vendors deliver applications over the internet as virtual services, which are normally consumed via a web browser. These SaaS solutions include the underlying PaaS and IaaS components, so the customer does not need to manage these. For example, an organization can use Office 365 which they access via a web browser, instead of purchasing a Microsoft Office license and running it on their own PCs.

The figure below provides another way to understand IaaS, PaaS and SaaS differences.

IaaS, PaaS and SaaS components (source: Microsoft)

PaaS services offer many benefits, including:

Most cloud network security solutions are only able to protect IaaS components. But more and more organizations are using PaaS and must ensure these deployments are secure.

How CloudGuard enables Azure PaaS security

One of the main ways that CloudGuard Network Security secures IaaS components like virtual machines and load balancers is by controlling and inspecting traffic that goes to and comes from these components. An example of this Azure IaaS security can be seen in the architecture diagram below.

Architecture diagram for Azure IaaS security (source: Check Point)

This is done using the IP address of the IaaS instance: disconnecting the instance’s public IP address and ensuring that the only access to the IaaS instance’s private IP address is via the CloudGuard Network Security gateway.

However, Azure PaaS instances don't have IP addresses of their own. When a PaaS instance is deployed, it is assigned a FQDN, which is considered the instance's "name", and it is accessed via an Azure gateway. (For example, an Azure SQL Database is accessed via an Azure SQL Database gateway.) All the traffic to and from Azure PaaS instances passes through these Azure gateways.

Unless additional protections are put in place, this PaaS instance can be reached by any user, anywhere, who resolves its FQDN (for example with "nslookup"), which exposes your organization to multiple potential threat vectors.

So how does CloudGuard secure a PaaS instance which does not have an IP address?

By using an Azure Private Endpoint in order to “provide” the PaaS instance with an IP address.

According to Microsoft, a private endpoint is “a network interface that uses a private IP address from your virtual network. This network interface connects you privately and securely to a service powered by Azure Private Link.” Private link “provides private connectivity from a vNet to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services”.

In other words, using a private endpoint allows private connectivity with Azure PaaS services, using a private IP, and it can be configured in any subnet that you choose. Cloud network engineers can define that the PaaS instance is only accessed via the private endpoint, and can similarly define that the private endpoint is only accessed via the CloudGuard security gateway.

Note that one private endpoint can be connected to only one Azure PaaS service, whereas a PaaS service can be attached to multiple private endpoints.

Azure PaaS security in more detail, step-by-step

In this example, I will use an Azure SQL Server.

Ordinarily, after the instance is deployed, it can be accessed by anyone, as can be seen in the example below.

Step 1: The newly deployed Azure SQL Server instance is immediately accessible

We add a private endpoint inside a secure vNet, connect it to the Azure SQL Server and detach the public access from this instance. This allows cloud network engineers to define precisely who will be allowed access to the private endpoint and thus to the PaaS service. This also helps to enforce Zero Trust principles, where all devices, users, workloads and systems are denied access to this instance by default, unless trust is verified and access is provided based on this trust.

Step 2: The Azure SQL Server instance is accessible only via the Azure Private Endpoint

We then add static routes to the CloudGuard security gateway to ensure that all traffic to the private endpoint is routed via the gateway, add relevant NAT rules and add a User Defined Route (UDR) to the client subnet.

The diagram below shows East-West segmentation, where traffic from the client addressed to the Azure SQL Server is routed via the CloudGuard security gateway for policy enforcement, advanced threat prevention and traffic inspection.

East-West segregation: The CloudGuard security gateway controls traffic from the client to the Azure SQL Server

Similarly for ingress traffic from the internet in the figure below: all incoming traffic to the Azure SQL Server is routed via the CloudGuard security gateway.

Ingress perimeter security: The CloudGuard security gateway controls traffic from the internet to the Azure SQL Server

Note that the private endpoint may be deployed anywhere, but Check Point recommends creating a new subnet for all the private endpoints and only for them.

The above implementation is suitable for all Azure PaaS services, not just Azure SQL Servers.
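The step-by-step procedure above (disable public access, attach a private endpoint in a dedicated subnet, route the client subnet through the gateway), expressed as an added Terraform example for the azurerm provider. This is not Check Point's own code; the resource names, the 10.10.20.0/24 private-endpoint subnet, the gateway's internal IP 10.10.1.4 and the subnet IDs passed in as variables are assumptions, and the static routes and NAT rules configured on the CloudGuard gateway itself are not shown.

```hcl
variable "resource_group" {}
variable "location" {}
variable "pe_subnet_id" {}      # dedicated private-endpoint subnet (assumed to exist)
variable "client_subnet_id" {}
variable "sql_admin_password" { sensitive = true }
# Step 2: public network access off (Step 1's freshly deployed server has it on).
resource "azurerm_mssql_server" "sql" {
  name                          = "sql-paas-example"   # assumed name
  resource_group_name           = var.resource_group
  location                      = var.location
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  public_network_access_enabled = false
}

# The private endpoint "provides" the PaaS instance with a private IP in our vNet.
resource "azurerm_private_endpoint" "sql" {
  name                = "pe-sql-paas-example"
  resource_group_name = var.resource_group
  location            = var.location
  subnet_id           = var.pe_subnet_id
  private_service_connection {
    name                           = "psc-sql"
    private_connection_resource_id = azurerm_mssql_server.sql.id
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}

# UDR on the client subnet: traffic for the private-endpoint subnet (assumed
# 10.10.20.0/24) goes to the CloudGuard gateway's internal interface (assumed
# 10.10.1.4) for inspection. Clients must also resolve the server FQDN to the
# endpoint's private IP (privatelink.database.windows.net zone, not shown).
resource "azurerm_route_table" "client" {
  name                = "rt-client-subnet"
  resource_group_name = var.resource_group
  location            = var.location
  route {
    name                   = "to-private-endpoints-via-cloudguard"
    address_prefix         = "10.10.20.0/24"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = "10.10.1.4"
  }
}

resource "azurerm_subnet_route_table_association" "client" {
  subnet_id      = var.client_subnet_id
  route_table_id = azurerm_route_table.client.id
}
```

After applying, a quick check is that the server's FQDN resolves to the private endpoint's IP from the client subnet and that the public FQDN path is refused.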

Benefits

This method provides segmentation, threat prevention and network security for Azure PaaS services with the same industry-leading security technologies as CloudGuard Network Security provides to Azure IaaS and hybrid-cloud deployments.

Previously, organizations using Azure did not have a well-defined way to enable Azure PaaS security. The problem is challenging, and it is unlikely that any single organization would manage to solve it alone, given the complexity and nuances of the implementation. The Check Point CloudGuard R&D team invested many person-weeks to find the best solution and told me that other approaches they investigated were not successful.

Next Steps

Additional content for learning and reading

If you are migrating to the cloud and evaluating cloud network security solutions, download the Buyer’s Guide to Cloud Network Security to understand:

Another fascinating document is the Forrester Total Economic Impact of CloudGuard Network Security:

Forrester Research interviewed a $10B+ US-based healthcare company that uses CloudGuard to secure its hybrid-cloud deployment and generated a 169% ROI. To read this document, click here.

Do you want to read more about cloud security?

Download the Check Point cloud security blueprint documents:


If you are ready to trial CloudGuard Network Security in your public or private cloud, contact us to ask if there is a 3-hour deep-dive technical workshop in your region/country, possibly even in your local language. If you have any other questions, please contact your local Check Point account representative or partner using the same contact us link.

Follow and join the conversations about Check Point and CloudGuard on Twitter, Facebook, LinkedIn and Instagram.
