Check Point and Accenture Webinar
©2018 Check Point Software Technologies Ltd.
Amit Schnitzer | Cloud Security Solution Expert, Check Point
Dr. Alexander Zimmermann | Cloud Architect, Accenture
MIGRATING YOUR DATACENTERS TO
AWS WITH AUTOMATED SECURITY
Slide 3
Companies want their cloud environments to be efficient, scalable, agile, and secure!
Slide 4
Legacy security architecture doesn't work anymore
• Cloud applications are everywhere: perimeter security is not enough; we need security inside the cloud
• Cloud applications are elastic; legacy security is static
• DevOps wants an agile environment; security is the showstopper
Slide 5
European power utility company
"In 5 years from now all our services and applications will be running on the cloud"
Client Facts
• Worldwide ~100,000 employees in 100+ locations
• Revenue: ~25 Bn EUR
• Migration drivers:
  - Improve performance and availability of IT services
  - Enhance cost control by standardization
  - Reduce Time-To-Market
Slide 7
Design principle: centralized multi-account approach
• Reducing the blast radius: multiple AWS accounts are used to reduce the blast radius by deploying only applications that belong together into one account per region
• At least three account types: next to the Billing Account, at least one account is used for the applications and one for security isolation
  - The main account is owned, for example, by the application team
  - Another account is owned by the security team and is used for audit and control, access control, and network connectivity to the Internet and the on-premises data center
• AWS account size: account segregation is chosen along boundaries that are clearly separate. It can be either
  - a single application per account, or
  - a group of applications based on shared resources, similarity of policies, or the routing tables required to protect the account
[Figure: Billing Account, Central Security Account(s), Datacenter, Application Account(s); multiple AWS accounts to manage security and reduce the blast radius]
Slide 8
Centralized DMZ account
• Centralized DMZ Account: access towards the AWS platform is controlled by limiting the access points to one account
  - Accounts that require access from the Public Internet use the centralized DMZ Account for ingress Internet traffic
  - The DMZ contains centrally administered Check Point CloudGuard firewalls for firewalling, URL filtering, and NAT
  - The DMZ VPC for production workloads is set up highly available; the DMZ VPC for Dev and QA is not
• Private accounts (Prod | QA | Dev): private application accounts have no Internet Gateway and no VPC Peering to the DMZ, hence no access from the Public Internet
[Figure: DMZ Account with a DMZ VPC for Production (HA) and a DMZ VPC for Dev and QA (non-HA); Public Production, Public QA and Public Developing Accounts reached from the Public Internet through the DMZ; Private [Prod | QA | Dev] Account with no Internet path. Legend: VPC Peering, Internet Gateway]
Slide 9
Centralized Transit account
• The centralized Transit account is the only path for applications to communicate with on-premises resources
• There is no way to bypass this account, as it is the only account where the MPLS link (AWS Direct Connect) terminates
• In the Transit account two Check Point CloudGuard firewalls are in use
• Application accounts connect to the Transit account via VPN connections using AWS' native "Virtual Private Gateway" service
[Figure: Application Accounts connected by VPN to the Transit Account, which hosts the Check Point CloudGuard VMs and terminates the MPLS (AWS Direct Connect) link to the On-Premise Datacenter; Public Internet. Legend: VPN, Internet Gateway, Virtual Private Gateway]
Slide 10
Centralized Shared Services account
• Although the Transit VPC can be classified as a shared service, AWS recommends using a separate account: the Shared Services account
• This segregation, among other things, improves network connectivity and reduces network-transfer costs
• The objective of this account is to provide lower-latency access to replicated services and proxy-controlled access to on-premises resources
• Shared Services are offered to Application accounts via VPC Peering, which lets them route traffic to each other as if they were within the same network
[Figure: Application Accounts peered (VPC Peering) to the Shared Services Account, which hosts the VMs, Check Point CloudGuard and Check Point Management; Transit Account with MPLS (AWS Direct Connect) to the On-Premise Datacenter; Public Internet. Legend: VPN, Internet Gateway, Virtual Private Gateway]
Slide 11
Application accounts
• To isolate the various tiers of infrastructure, a three-tier architecture is used: public-facing web applications in a Public Subnet, application and database servers hosted in Private Subnets
• In standard configured Application accounts the three-tier architecture is always deployed in two Availability Zones to offer High Availability by design
[Figure: Availability Zone A and Availability Zone B, each with a Presentation Tier ("Public" or Private Subnet), an Application Tier (Private Subnet) and a Database Tier (Private Subnet). Legend: VPC Router, Virtual Private Gateway, Internet Gateway [Public Accounts only]]
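The rules on slides 8 and 11 (no Internet Gateway and no peering to the DMZ in private accounts; application and database tiers only in private subnets; every tier in two Availability Zones) are simple enough to check mechanically against what an account actually contains. The following is an added example of such a posture audit, not code from the deck, Check Point or Accenture. It runs over constructed snapshots shaped like boto3 `ec2.describe_*` responses; the DMZ VPC id, the account ids and the "role" field (assumed to come from account tagging) are hypothetical, and the collection of the snapshots is left to a separate job.

```python
"""Posture audit for the account design on slides 8 and 11 of this deck.

Added example, not Check Point's, Accenture's or AWS's code. It evaluates
constructed snapshots shaped like boto3 `ec2.describe_*` responses (assumed
to be collected by a separate job), so it runs offline with no credentials.
Each account's role ("private" or "public") is assumed to come from tagging."""

DMZ_VPC_ID = "vpc-0dmz0000000000001"         # hypothetical id of the centralized DMZ VPC
PRIVATE_TIERS = {"Application", "Database"}  # tiers that must never be Internet-routable


def _tag(resource, key):
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def _default_route_to_igw(route_table):
    """True if the table sends 0.0.0.0/0 to an Internet Gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table["Routes"])


def audit_account(account_id, snap):
    """Return (account_id, rule, resource) findings for one account snapshot."""
    findings = []
    if snap["role"] == "private":
        # Slide 8: a private account has no Internet Gateway and no peering to the DMZ.
        for igw in snap["InternetGateways"]:
            findings.append((account_id, "PRIVATE_ACCOUNT_HAS_IGW", igw["InternetGatewayId"]))
        for pcx in snap["VpcPeeringConnections"]:
            ends = {pcx["RequesterVpcInfo"]["VpcId"], pcx["AccepterVpcInfo"]["VpcId"]}
            if DMZ_VPC_ID in ends:
                findings.append((account_id, "PRIVATE_ACCOUNT_PEERED_TO_DMZ",
                                 pcx["VpcPeeringConnectionId"]))
    # A subnet uses its explicitly associated route table, otherwise the VPC's main table.
    main_rt = next((rt for rt in snap["RouteTables"]
                    if any(a.get("Main") for a in rt.get("Associations", []))), None)
    rt_by_subnet = {a["SubnetId"]: rt for rt in snap["RouteTables"]
                    for a in rt.get("Associations", []) if "SubnetId" in a}
    azs_by_tier = {}
    for sn in snap["Subnets"]:
        tier = _tag(sn, "Tier")
        azs_by_tier.setdefault(tier, set()).add(sn["AvailabilityZone"])
        rt = rt_by_subnet.get(sn["SubnetId"], main_rt)
        # Slide 11: application and database tiers sit in private subnets, in every account.
        if tier in PRIVATE_TIERS and rt is not None and _default_route_to_igw(rt):
            findings.append((account_id, "PRIVATE_TIER_INTERNET_ROUTABLE", sn["SubnetId"]))
    # Slide 11: every tier is deployed in two Availability Zones.
    for tier, azs in azs_by_tier.items():
        if len(azs) < 2:
            findings.append((account_id, "TIER_NOT_MULTI_AZ", tier))
    return findings


def audit(snapshots):
    return [f for acct, snap in snapshots.items() for f in audit_account(acct, snap)]


def _subnet(subnet_id, az, tier):
    return {"SubnetId": subnet_id, "AvailabilityZone": az, "Tags": [{"Key": "Tier", "Value": tier}]}


# Constructed sample input (hypothetical ids, not real account data).
SNAPSHOTS = {
    "111111111111": {  # private Prod account built to the blueprint
        "role": "private",
        "InternetGateways": [],
        "VpcPeeringConnections": [{"VpcPeeringConnectionId": "pcx-0ssc",  # Shared Services: allowed
                                   "RequesterVpcInfo": {"VpcId": "vpc-0prod"},
                                   "AccepterVpcInfo": {"VpcId": "vpc-0sharedsvc"}}],
        "RouteTables": [{"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
                         "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
                                    {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-0transit"}]}],
        "Subnets": [_subnet("subnet-0prodapp1a", "eu-central-1a", "Application"),
                    _subnet("subnet-0prodapp1b", "eu-central-1b", "Application"),
                    _subnet("subnet-0proddb1a", "eu-central-1a", "Database"),
                    _subnet("subnet-0proddb1b", "eu-central-1b", "Database")],
    },
    "222222222222": {  # private Dev account that has drifted from the blueprint
        "role": "private",
        "InternetGateways": [{"InternetGatewayId": "igw-0drift", "Attachments": [{"VpcId": "vpc-0dev"}]}],
        "VpcPeeringConnections": [{"VpcPeeringConnectionId": "pcx-0drift",
                                   "RequesterVpcInfo": {"VpcId": "vpc-0dev"},
                                   "AccepterVpcInfo": {"VpcId": DMZ_VPC_ID}}],
        "RouteTables": [{"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
                         "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"}]},
                        {"RouteTableId": "rtb-0public", "Associations": [{"SubnetId": "subnet-0devapp1a"}],
                         "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
                                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0drift"}]}],
        "Subnets": [_subnet("subnet-0devapp1a", "eu-central-1a", "Application"),  # single AZ
                    _subnet("subnet-0devdb1a", "eu-central-1a", "Database"),
                    _subnet("subnet-0devdb1b", "eu-central-1b", "Database")],
    },
}

if __name__ == "__main__":
    for finding in audit(SNAPSHOTS):
        print(*finding)
```

The Prod account produces no findings; the drifted Dev account produces four (an attached IGW, a peering to the DMZ VPC, an application subnet whose route table defaults to the IGW, and an application tier present in only one AZ). Note that the main-route-table fallback matters: a subnet with no explicit association is not "private" just because no table names it.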
Slides 16 to 21
Check Point's cloud security blueprint
[Figure, built up over six slides: a Northbound Hub and a Southbound Hub in front of Spoke 1, Spoke 2, Spoke 3 ... Spoke N, connected by VPN]
Slide 22
Putting it all together
[Figure: DMZ, Transit and Shared Services (SSC) accounts; Public Prod, Private Prod, Public QA, Private QA, Public Dev and Private Dev workload accounts; On-Premise Datacenter over Direct Connect. Legend: Internet gateway, VPC Peering, VPN gateway, VPN connection, Customer Gateway, Load Balancer, Direct Connect, Check Point CloudGuard, Internet Egress, Internet Ingress, VPN Connection, Transit, VPC Peering SSC]
Slide 24
Security Architecture that enables innovation
• Agile – new spokes created by DevOps will automatically get protected
• Automatic – security architecture deployment
  - Via AWS CloudFormation
  - Via Azure solution templates
• In Control – the security admin gains full visibility of east-west and north-south traffic
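Slide 9 says application accounts reach the Transit account only over VPN from a Virtual Private Gateway, and slide 24 says new spokes are deployed via AWS CloudFormation and are protected automatically. The following is an added example of what that looks like as code, not a template from the deck, Check Point or Accenture: a generator that emits a CloudFormation template for a private spoke whose only exit is a VPN to the hub, plus a lint step that a pipeline can run before deployment to reject a spoke that carries its own Internet path or peers to the DMZ. The hub gateway address, ASN, CIDRs and the DMZ VPC id are hypothetical; terminating the VPN on the CloudGuard gateway's public address by modelling it as a Customer Gateway is this example's choice, and the second hub firewall from slide 9 would be added as a second Customer Gateway and VPN connection in the same way.

```python
"""Spoke onboarding for the Transit-hub design (slides 9 and 24 of this deck).

Added example, not Check Point's, Accenture's or AWS's code. spoke_template()
emits a CloudFormation template (as a dict) for a new private application VPC
whose only path out is a VPN to the Transit account, and lint_spoke() is the
pre-deployment gate that rejects a spoke carrying its own Internet path.
The hub address, ASN, CIDRs and ids are hypothetical inputs."""
import ipaddress
import json

HUB_IP = "203.0.113.10"               # hypothetical public address of the Transit-account CloudGuard gateway
DMZ_VPC_ID = "vpc-0dmz0000000000001"  # hypothetical id of the centralized DMZ VPC
TIERS = ("Application", "Database")   # private tiers carved out per Availability Zone


def spoke_template(vpc_cidr, hub_ip=HUB_IP, hub_asn=65000, azs=("eu-central-1a", "eu-central-1b")):
    """CloudFormation template for one private spoke VPC attached to the hub by VPN."""
    r = {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": vpc_cidr}},
        "Vgw": {"Type": "AWS::EC2::VPNGateway", "Properties": {"Type": "ipsec.1"}},
        "VgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": {"Ref": "Vpc"}, "VpnGatewayId": {"Ref": "Vgw"}}},
        # The customer gateway is the hub firewall, so every spoke tunnel lands on CloudGuard.
        "HubCgw": {"Type": "AWS::EC2::CustomerGateway",
                   "Properties": {"Type": "ipsec.1", "BgpAsn": hub_asn, "IpAddress": hub_ip}},
        "HubVpn": {"Type": "AWS::EC2::VPNConnection",
                   "Properties": {"Type": "ipsec.1", "CustomerGatewayId": {"Ref": "HubCgw"},
                                  "VpnGatewayId": {"Ref": "Vgw"}, "StaticRoutesOnly": False}},
        "PrivateRt": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
        # On-prem and hub prefixes are learned over BGP; no 0.0.0.0/0 route is ever written.
        "RtPropagation": {"Type": "AWS::EC2::VPNGatewayRoutePropagation", "DependsOn": "VgwAttachment",
                          "Properties": {"RouteTableIds": [{"Ref": "PrivateRt"}], "VpnGatewayId": {"Ref": "Vgw"}}},
    }
    # One /24 per tier per AZ, all private and all behind the same route table.
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
    for az in azs:
        for tier in TIERS:
            name = f"{tier}{az[-1].upper()}"
            r[name] = {"Type": "AWS::EC2::Subnet", "Properties": {
                "VpcId": {"Ref": "Vpc"}, "CidrBlock": str(next(blocks)), "AvailabilityZone": az,
                "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Tier", "Value": tier}]}}
            r[name + "Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": {"Ref": name}, "RouteTableId": {"Ref": "PrivateRt"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": r}


def lint_spoke(template, hub_ip=HUB_IP):
    """Blueprint violations in a spoke template; an empty list means it may be deployed."""
    res = template["Resources"]
    by_type = lambda t: [n for n, x in res.items() if x["Type"] == t]
    issues = []
    for n in by_type("AWS::EC2::InternetGateway") + by_type("AWS::EC2::EgressOnlyInternetGateway"):
        issues.append(f"{n}: Internet gateways belong only in the DMZ account")
    for n in by_type("AWS::EC2::Route"):
        p = res[n]["Properties"]
        gw = p.get("GatewayId")
        via_igw = (isinstance(gw, str) and gw.startswith("igw-")) or (
            isinstance(gw, dict) and res.get(gw.get("Ref"), {}).get("Type") == "AWS::EC2::InternetGateway")
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and via_igw:
            issues.append(f"{n}: default route to an Internet Gateway")
    for n in by_type("AWS::EC2::VPCPeeringConnection"):
        if res[n]["Properties"].get("PeerVpcId") == DMZ_VPC_ID:
            issues.append(f"{n}: peering to the DMZ VPC bypasses the hub firewalls")
    cgw_ip = {n: res[n]["Properties"]["IpAddress"] for n in by_type("AWS::EC2::CustomerGateway")}
    vpns = by_type("AWS::EC2::VPNConnection")
    if not vpns:
        issues.append("no VPNConnection: the spoke would have no path to the Transit account")
    for n in vpns:
        cgw = res[n]["Properties"].get("CustomerGatewayId")
        ref = cgw.get("Ref") if isinstance(cgw, dict) else None
        if cgw_ip.get(ref) != hub_ip:
            issues.append(f"{n}: VPN does not terminate on the Transit-account CloudGuard gateway")
    return issues


if __name__ == "__main__":
    tpl = spoke_template("10.42.0.0/16")
    print(json.dumps(tpl, indent=2))
    print("lint:", lint_spoke(tpl) or "OK")
```

The generated template lints clean; adding an `AWS::EC2::InternetGateway` and a `0.0.0.0/0` route that references it produces two findings, and pointing the Customer Gateway at any address other than the hub's produces one. Running the lint in the pipeline that creates spokes is what turns "new spokes automatically get protected" from a promise into a gate.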
Slide 25
Security architecture for Multi-Cloud environment
• Securely connecting the clouds with VPN
• A single access rule within a unified policy allows seamless secure connectivity across cloud environments
[Figure: ACI; Unified management]
Slide 27
Security Blueprint
Check Point CloudGuard Security architecture
• Empowers Innovation
• Enables fast & robust scalability
• Bringing clouds together securely
Slide 28
Amit Schnitzer | Cloud Security Solution Expert, Check Point
amitsc@checkpoint.com
Dr. Alexander Zimmermann | Cloud Architect, Accenture
Alexander.zimmermann@accenture.com
THANK YOU!
Slide 29
CloudGuard at a glance
[Figure: Cloud Security Operation; Cloud Security Blueprint; Cloud Cyber Attacks]
Slide 30
Everybody is moving to the cloud
Companies' cloud strategy
• Public cloud first
• Hybrid Cloud
• Multi-Clouds
Slide 31
Security in the cloud
• Effective protection from modern attacks: regular access control is not enough
• Adaptive security operation that enables cloud innovation and scales on demand
• Cloud security architecture that is unified, efficient, agile, elastic and robust