Check Point and Accenture Webinar

1©2018 Check Point Software Technologies Ltd.©2018 Check Point Software Technologies Ltd.
Amit Schnitzer| Cloud Security Solution Expert, Checkpoint
Dr. Alexander Zimmermann | Cloud Architect, Accenture
MIGRATING YOUR DATACENTERS TO
AWS WITH AUTOMATED SECURITY

2©2018 Check Point Software Technologies Ltd.
CLOUD IS THE NEW NORM

Companies want their cloud environments to be
Efficient Scalable Agile
And Secure!

Legacy security architecture doesn’t work anymore
• Cloud applications are everywhere
perimeter security is not enough – we need
security inside the cloud
• Cloud applications are elastic
legacy security is static
• DevOps wants agile environment
security is a showstopper

European power utility company
“In 5 years from now all our services and
application will be running on the cloud”
Client Facts
• Worldwide ~100.000 employees in 100+ locations
• Revenue: ~25 Bn EUR
• Migration drivers:
̶ Improve performance and availability of IT services
̶ Enhance cost control by standardization
̶ Reduce Time-To-Market

CLIENT USE CASE

Design principle: centralized multi-account approach
Application
Accounts
Application
Accounts
• Reducing the Blast Radius: Leveraging multiple AWS accounts to
reduce the blast radius by deploying only applications into one
account per region that belong together
• At least three account types: Next to the Billing Account at least one
account is to be used for the application and one for security isolation
 Main account is owned for example by the application team
 Another account is owned by the security team and is used for
audit and control access  control network connectivity to
Internet and premise data center
• AWS account size: The account segregation is chosen based on things
that are clearly separate. It can be either
 Single application per account, or
 Group of applications based on shared resources, similarity of
policies, or routing tables required to protect the account
Billing Account
Central Security
Account(s)
Datacenter
Application
Account(s)
Multiple AWS
accounts to
manage security
and reduce the
blast radius

• Centralized DMZ Account: Controlling access
towards AWS platform by limiting access points
to one account
̶ Accounts that require access from the Public
Internet use a centralized DMZ Account for
ingress internet traffic
̶ The DMZ contains centrally administered
Check Point CloudGuard firewalls for
firewalling, URL filtering, and NAT
̶ DMZ VPC for productive workloads will be set
up high available
• Private accounts (Prod | QA | Dev): Private
application accounts have no Internet Gateway
and no VPC Peering to the DMZ  no access
from the Public Internet
Centralized DMZ account
DMZ Account
DMZ VPC for
Production (HA)
DMZ VPC for Dev
and QA (non HA)
Public
Production
Account
Public Internet
Public
QA
Account
Public
Developing
Account
Private
[Prod | QA | Dev]
Account
VPC PeeringInternet GatewayLegend:

Application
Accounts
Application
Accounts
Transit
Account
On-Premise
Datacenter
Application
Accounts
MPLS
(AWS Direct
Connect)
Checkpoint
CloudGuard
VMs
Centralized Transit account
Public Internet
• The centralized Transit account is the only
possibility for applications to communicate to on
premise resources
• There is no way to bypass this account as it is the
only account where the MPLS terminate
• In the Transit account two Check Point
CloudGuard firewalls are in use
• Application accounts connect to the Transit
account via VPN connection utilizing AWS’ native
service “Virtual Private Gateway”
VPN Internet Gateway Virtual Private GatewayLegend:

Application
Accounts
Application
Accounts
Transit
Account
On-Premise
Datacenter
Application
Accounts
Public Internet
MPLS
(AWS Direct
Connect)
VMs
Shared Services
Account
VPC Peering
Centralized Shared Services account
VPN Internet Gateway Virtual Private Gateway
• Although the Transit VPC can be classified as a
shared service, AWS recommends to use a
separate account – the Shared Services account
• This segregation i. a. improves network
connectivity and reduces network-transfer costs
• The objective of this account is to provide lower-
latency access to replicated services and proxy-
controlled access to on-premises resources
• Shared Services are offered to Application
accounts via VPC Peering, that enables you to
route traffic between each other as if they are
within the same network.
Legend:
Checkpoint
CloudGuard
Checkpoint
Management

Application accounts
Availability Zone BAvailability Zone A
Application Tier
(Private Subnet)
Database Tier
(Private Subnet)
Presentation Tier
(“Public” or Private Subnet)
Application Tier
(Private Subnet)
Database Tier
(Private Subnet)
Presentation Tier
(“Public” or Private Subnet)
• To isolate various tiers of infrastructure, a three-
tier-architecture is used - public-facing web
applications in a Public Subnet and application
and database server hosted in Private Subnets.
• In standard configured Application accounts a
three-tier-architecture is always deployed in two
Availability Zones to offer High Availability by
design
Legend: VPC Router Virtual Private Gateway Internet Gateway [Public Accounts only]

SECURITY BLUEPRINT FOR CLOUD ERA

Spoke 1 Spoke 2 Spoke 3 Spoke N…
Check Point’s cloud security blueprint

Northbound
Hub
Southbound Hub

Northbound
Hub
Southbound Hub
VPN

Putting all together…
DMZ
ServiceTransit
PROD
Workload
QA
Private QA Private Prod
Public QA
Public Prod
Internet gateway
VPC Peering
VPN gateway
VPN connection
Customer Gateway
Load Balancer
Direct Connect
Checkpoint
CloudGuard
Internet Egress
Internet Ingress
VPN Connection
Transit
VPC Peering SSC
Legend
On-Premise
Datacenter
Public Dev
Private Dev

Live Demo

Security Architecture that enables innovation
• Agile – new spokes created by DevOps will
automatically get protected
• Automatic – security architecture deployment
• Via AWS CloudFormation
• Via Azure solution templates
• In Control – Security admin gains full visibility for
east-west and north-south traffic

Security architecture for Multi-Cloud environment
ACI
Unified management
• Securely connecting the clouds
with VPN
• Single access rule within a
unified policy which allows
seamless secure connectivity
across cloud environments

This also works across cloud platforms

Security Blueprint
Check Point CloudGuard Security architecture
• Empowers Innovation
• Enables fast & robust scalability
• Bringing clouds together securely

28©2018 Check Point Software Technologies Ltd.©2018 Check Point Software Technologies Ltd.
Amit Schnitzer| Cloud Security Solution Expert, Checkpoint
amitsc@checkpoint.com
Dr. Alexander Zimmermann | Cloud Architect, Accenture
Alexander.zimmermann@accenture.com
THANK YOU !

CloudGuard at the glance
Cloud Security
Operation
Cloud Security
Blueprint
Cloud Cyber
Attacks

Everybody is moving to the cloud
Companies cloud strategy
• Public cloud first
• Hybrid Cloud
• Multi-Clouds

Security in the cloud
• Best effective protection from
modern attacks – regular access
control is not enough
• Adaptive security operation that
enables cloud innovation which
scales on demand
• Cloud security architecture that is
unified, efficient, agile, elastic and
robust

Check Point and Accenture Webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Check Point and Accenture Webinar

Similar to Check Point and Accenture Webinar (20)

Recently uploaded

Recently uploaded (20)

Check Point and Accenture Webinar