With so much focus on how the cloud is changing the way we build and deploy applications, cloud security can become an afterthought. Some organizations worry about slowing the momentum of cloud migration. Others find new cloud security processes daunting.
Brad Orluk is the Microsoft Alliance Manager at Check Point, which offers CloudGuard on Azure Marketplace and was recognized as the Most Prolific Integration Partner during Microsoft Security 20/20. He explains common cloud security scenarios, challenges, and best practices below:
Although the concepts may seem similar, cloud security is different than traditional enterprise security. Additionally, there may be industry-specific compliance and security standards.
Public cloud vendors have defined the Shared Responsibility Model where the vendor is responsible for the security “of” their cloud, while their customers are responsible for the security “in” the cloud.
Cloud deployments include multi-layered components, and the security requirements are often different per layer and per component. Often, the ownership of security is blurred when it comes to the application, infrastructure, and sometimes even the cloud platform – especially in multi-cloud deployments.
Cloud vendors, including Microsoft, offer fundamental network-layer, data-layer, and other security tools for use by their customers. Security analysts, managed security service providers, and advanced cloud customers recommend layering on advanced threat prevention and network-layer security solutions to protect against modern-day attacks. These specialized tools evolve at the pace of industry threats to secure the organization’s cloud perimeters and connection points.
Check Point is a leader in cloud security and a trusted security advisor to customers migrating workloads to the cloud. Check Point’s CloudGuard helps protect assets in the cloud with dynamic scalability, intelligent provisioning, and consistent control across public, private, and hybrid cloud deployments. CloudGuard supports Azure and Azure Stack. Customers using CloudGuard can securely migrate sensitive workloads, applications, and data into Azure and thereby improve their security.
But how well does CloudGuard conform to Microsoft’s best practices?
Principal Program Manager of Azure Networking, Dr. Reshmi Yandapalli (DAOM), published a blog post entitled “Best practices to consider before deploying a network virtual appliance,” which outlined considerations when building or choosing Azure security and networking services. Yandapalli defined four best practices for networking and security ISVs – like Check Point – to enhance the cloud experience for Azure customers:
1. Azure accelerated networking support
Make sure an ISV’s Azure security solution is available on one or more Azure virtual machine (VM) type with Azure’s accelerated networking capability to improve networking performance. Yandapalli recommends that users “consider a virtual appliance that is available on one of the supported VM types with Azure’s accelerated networking capability.”
The diagram below (from this Microsoft tutorial) shows communication between VMs, with and without Azure’s accelerated networking:
Amir Kaushansky, Check Point’s Head of Cloud Network Security Product Management, said, “Check Point was the first certified compliant vendor with Azure accelerated networking. Accelerated networking can improve performance and reduce jitter, latency, and CPU utilization.”
According to Kaushansky – and depending on workload and VM size – Check Point and customers have observed at least a 2-3 times increase in throughput thanks to Azure accelerated networking.
2. Multi-Network Interface Controller (NIC) support
Using VMs with multiple NICs improves network traffic management via traffic isolation. For example, one NIC can be used for data plane traffic and one NIC for management plane traffic. Yandapalli wrote, “With multiple NICs you can better manage your network traffic by isolating various types of traffic across the different NICs.”
This Microsoft article describes the Azure Dv2-series and defines the maximum NICs.
CloudGuard supports multi-NIC VMs, without any maximum of the number of NICs. Check Point recommends the use of VMs with at least two NICs – VMs with one NIC are supported but not recommended.
Depending on the customer’s deployment architecture, the customer may use one NIC for internal East-West traffic and the second for outbound/inbound North-South traffic.
3. High Availability (HA) port with Azure load balancer
Azure security and networking services should be reliable and highly available. Yandapalli suggests the use of a High Availability (HA) port load balancing rule.
“You would want your NVA to be reliable and highly available, to achieve these goals simply by adding network virtual appliance instances to the backend pool of your internal load balancer and configuring a HA ports load-balancer rule,” Yandapalli wrote.
The diagram below (from this article) shows an example usage of a HA port:
“CloudGuard supports this functionality with a standard load balancer via Azure Resource Manager deployment templates, which customers can use to deploy CloudGuard easily in HA mode,” said Kaushansky, whose responsibilities include the CloudGuard roadmap and coordination with the R&D/development team.
4. Support for Virtual Machine Scale Sets (VMSS)
Use Azure VMSS to provide HA. These also provide the management and automation layers for Azure security, networking, and other applications. This cloud-native functionality provides the right amount of infrastructure as a service (IaaS) resources at any given time, depending on application needs. Yandapalli points out that “scale sets provide high availability to your applications, and allow you to centrally manage, configure, and update a large number of VMs.”
In a similar way to the previous best practice, customers can use an Azure Resource Manager deployment template to deploy CloudGuard in VMSS mode. Check Point recommends the use of VMSS for traffic inspection of North-South (inbound/outbound) and East-West (lateral movement) traffic.
Learn more and get a free trial
As can be seen above, CloudGuard is compliant with all four of Microsoft’s common best practices for how to build and deploy Azure network security solutions. Visit Check Point’s website to understand how CloudGuard can help protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security. If your customers are evaluating Azure security solutions, they can get a free 30-day trial license of CloudGuard on Azure Marketplace as well as Azure sponsorship credits* to evaluate the technology first hand.
- Download the Check Point Cloud Security Blueprint to learn additional best practices for designing secure Azure deployments.
- Read this solution brief for scalable and secure remote access on Azure.
- Visit http://www.checkpoint.com to learn more about how CloudGuard can help you protect your data and infrastructure in Microsoft Azure and hybrid clouds and improve Azure network security.
- Contact Check Point to schedule your personalized demo of CloudGuard.
*Some restrictions may apply to Azure sponsorship credits. Contact the Check Point team to explore further.