Introduction to CloudGuard

Check Point CloudGuard is a SaaS platform that provides unified, cloud-native security across your applications, workloads, and network. You can use it to automate security, prevent threats, get compliance and manage posture for all of your cloud environments: from Amazon AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services., and Microsoft AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®., to GCPClosed Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube., KubernetesClosed Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts., and more.

Protect your Private and Public Clouds

CloudGuard ensures network security and enforces security policy, prevents changes not approved, and enforces the previously defined configuration. Regardless if you use public or private clouds, CloudGuard facilitates server configuration management. Its flexible security management tools ensure compliance and decreases configuration errors and possible breaches.

CloudGuard's powerful layer of Threat Intelligence transforms cloud big data into high-definition, actionable security logic. Customize alerts and built-in queries, quarantine threats, and stop attacks in progress.

Secure Kubernetes Containers

CloudGuard offers a depth of coverage for all container types, rich visualization of cloud assets, and an assessment of security posture to quickly identify misconfiguration issues and threats. Understand at a glance what is running in your container environment and how it is configured. Visualize Kubernetes data flows and get visibility of container misconfigurations and anomalies.

Create and Manage Custom Compliance Rules

Create custom compliance rules with intuitive GSL language, and align with NIS and CIS security benchmarks, with the largest number of rulesets and compliance frameworks across cloud environments.

This video shows what you can do with CloudGuard:

The main menu along the left side of the main screen provides navigation to the CloudGuard pages and features. You can search through the menu items with the search bar located above the menu (Search Navigation). Start to enter the name of the page, and CloudGuard offers you a list of menu items with this name.

The menu options appear as sections in this Administration Guide.

Note - The search of the Shift Left menu items is not supported.

Menu Icon

Section in this Guide

Description

Get to know CloudGuard:

  • Learn the user interface

  • Read the Privacy Policy

  • See Dashboards

Risk Management

  • Maximize the productivity of security teams

  • Increase visibility of each asset's risk score

Events

  • See the Posture Findings, Threat and Security Events that occur in your cloud environments, based on configured policies

  • See the finding details in the CloudGuard portal or receive messages to different notification targets, such as email and SNS

Assets

  • Manage protected assets in onboarded environments in CloudGuard

  • Configure and manage Organizational Units

Posture Management

  • Assess the compliance of your cloud environments

  • Select built-in rulesets or build your compliance test rulesets

Network Security

  • Visualize the security policies in your environments

  • Protect and manage your cloud assets, such as Security Groups

  • Control access to cloud assets

CIEM

(Cloud Infrastructure Entitlement Management)

  • Reduce your attack surface by ensuring that cloud entitlements or permissions respect the principle of least privilege

  • See Cloud Users and Cloud Roles

Workload Protection

Intelligence

Use Intelligence to hunt for and visualize threats and anomalous behavior in your environments through cloud log files

Shift Left

Build the Shift Left functionality into your CI/CD pipeline to detect and prevent risk in cloud deployments

Settings

The diagram below shows the architecture for the CloudGuard portal.

CloudGuard is connected to cloud platforms with the correct platform APIs and platform notification services, such as SNS for AWS. In addition, CloudGuard can connect to logging, ticketing, and email systems, such as ServiceNow and PagerDuty, to forward CloudGuard alerts.

Upstream, corporate systems can connect to CloudGuard with its REST APIClosed Also known as RESTful API - an application programming interface (API or web API) that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services., to implement automation processes to manage activities on CloudGuard. Moreover, users can use Infrastructure as Code systems, such as TerraformClosed An infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. or AWSCloudFormation, to connect to CloudGuard.

CloudGuard Privacy Policy

As a cloud, security Posture Management portal, CloudGuard allows you to manage the cloud security posture of your environments and to assess compliance with leading security standards. For this reason, CloudGuard requires access to information about your environments and different services in them.

This section describes the Privacy Policy used by CloudGuard to ensure the privacy of your information.

When you onboard cloud accounts to CloudGuard, you grant CloudGuard permission to access metadata for entities and resources in these accounts, which includes log files. This information is accessed with public cloud provider APIs (with the applicable IAM permissions).

CloudGuard customers supply some personal information (name, address, and more).

CloudGuard customers are in full control regarding what permissions are granted to CloudGuard as part of the onboarding procedure (through the IAM/AD policies and roles that are assigned to CloudGuard account) and, therefore, what is shared with CloudGuard.

CloudGuard does not access or collect customer data of any sort stored in cloud instances, S3 bucketsClosed A bucket is a container for objects stored in Amazon S3 (Amazon Simple Storage Service)., EBSClosed Elastic Block Storage (EBS) Volume hosts virtual data in segments. It's like a storage disk with the ability to contain various sizes of data. These virtual storage devices usually replicate within one AWS region to increase their availability. volumes, RDSClosed Relational Database Service (RDS) - A web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks., compute instances, storage, or other services. CloudGuard only collects the necessary metadata from these resources to evaluate security posture. CloudGuard does not store sensitive information such as passwords or SSL certificates.

CloudGuard uses customer metadata for these reasons:

  • To show your assets on the CloudGuard Web app. You can only see data for your own environments (that have been onboarded to CloudGuard), or accounts for which you have a cross-account trust relationship.

  • For compliance assessments of your cloud accounts (your information is only accessed by your rulesets and policies, which assess only your environments, not by those of other users).

  • For threat analysis (Intelligence).

Customer environment metadata is collected with cloud provider APIs, based on cloud provider permission models (read-only for entity info).

This information is refreshed in intervals (from two to three minutes to each hour, changes, for each entity) by CloudGuard.

CloudGuard does not write or update any customer environment metadata (this does not include Security Groups and similar entities, if the account is in Full-Protection mode that is only used if you explicitly enable and add required permissions for CloudGuard in your environment).

CloudGuard keeps metadata for customer cloud entities in an AWS S3 bucket in a CloudGuard environment.

CloudGuard contains information on some levels:

  • Restricted Data - Leakage of this type of data is considered dangerous.

    • Customer API keys [API keys are not necessary for AWS as CloudGuard moved to cross-account-role AWS integration]

    • ExternalId (used as a second protection mechanism, in cross-account-role AWS integrations)

    • User passwords (we only keep hashes of passwords)

    • User CloudGuard API keys

  • Private customer metadata - Leakage of data from this category can show internal information, but not very important secrets.

    This data is usually derived from the cloud provider and contains metadata of the environments: servera(s) information, IP addresses, and firewall rules.

CloudGuard is for multi-tenantClosed Tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant. use. Full data segregation is implemented in all system layers, this includes the DB.

A ORM/DALm changed based on requirements, is implemented to enforce strong separation between tenants. No data element is ever fetched by its ID alone. As an alternative, <accountId, ItemId> tuple is used, where the authentication system provides the account ID and cannot be injected by the user.

  • Live production data is available only to applicable application servers on a need-to-know basis.

    This security in depth is enforced by:

    • Strict Firewall configurations

    • Network policies

    • DB authentication with specific access permissions for the different servers.

  • Production data is not replicated to non-production environments.

  • Back-office system: some metadata (policies, servers info, and more) is available to be viewed by Support / Back-office systems to assist support and troubleshooting:

    • No restricted information can be accessed by the sytem.

    • Access is on a need to know basis with specific credentials for each CloudGuard employee.

    • System and data access are logged and monitored.

    • Access is protected by 2 factors (user credentials + MFA / user credentials + CloudGuard access lease)

  • Offline DB backup Data:

    • Backups are in the form of EBS snapshots

    • Snapshots read permissions are only available to some named employees.

    • Constant monitoring of volumes created from snapshots.


Customer metadata stored by CloudGuard is accessed programmatically with the CloudGuard REST API. This requires authentication uses a unique API key, generated for the user on the CloudGuard Web App. Users can retrieve information about their accounts and their entities, and information about compliance bundles, assessments, results, and trends.

Information about other accounts (with summary or trend information) cannot be retrieved.

Metadata information about a customer's cloud account and assessment results based on this information are retained indefinitely in CloudGuard.

Customers can request full deletion of all metadata information in CloudGuard. Customers can change or revoke the IAM policy used by CloudGuard to access cloud metadata.