What is our primary use case?
The primary use case has been for auditing the cloud infrastructure in terms of security, because our company has been audited a lot of times. For the cloud, this is a tool that we use to audit the cloud environment. For example, all of the S3 buckets are encrypted to know if we don't have servers exposed to the Internet where they shouldn't be. This solution runs some compliance reports. That is why we use it.
We use it the most to check if things are complaint, because the compliancy checking is accurate.
How has it helped my organization?
On Dome9, you can have reports on compliance, users created, and EAM access to the cloud infrastructure. For example, if some machine is exposed to the Internet, importing and exporting to the Internet when it shouldn't, we get immediate alerts if someone does this type of configuration by mistake. Dome9 is very important because AWS doesn't protect us for this. It is the client's responsibility to make sure that we don't export things to the Internet. This solution helps us ensure that we comply with our security measures.
We use the compliance rule set to run some reports on our infrastructure. According to the report, we know if we are secure or compliant with our security recommendations. We wanted a default security compliance toolset. So, we cloned it, then we did some customization of some security measures that we wanted.
We run the compliance rule set report, then the InfoSec team receives that report. They go through it and see if we are compliant and need to do some security measures on some of it resources. It helps us towards visibility and security.
We use the solution to enable customizable governance using simple, readable language. We are not just stuck with the default rules set. If we think the security measures they recommend are not needed, then we can add some others instead, change them, or customize them.
What is most valuable?
We have full visibility of our cloud infrastructure in terms of compliance and security. For example, if someone has a machine that doesn't comply with the company policy, then we get an alert.
Security visibility is very good. Usually, when it's the security report, they match the reality and are correct, then they raise some alerts. Almost 100 percent of the time, we will need to do some tweaking to fix issues.
It is a very good tool for both cloud compliance and governance. We use it for both. We can monitor our entire cloud infrastructure. It provides reports on our security, then if we have to fix something in regards to the security, we can do it in a centralized tool. If you go to AWS and check each tool and server if it is compliant, then it's a mess, but this tool works. It is very simple for governance and reducing the risk.
The solution helps us to minimize attack surface and manage dynamic access. With Dome9, we are sure our machines are not exposed to the Internet. We have reports about users who access of our AWS accounts with the EAM function, which reduces our attack surface.
This solution provide a unified security solution across all major public clouds. We have all our infrastructure integrated on Dome9, so it provides us security on our entire cloud infrastructure, both AWS and Azure, which we are currently integrating.
What needs improvement?
The main issue that we found with Dome9 is that we have a default rule set with better recommendations that we want to use. So, you do a clone of that rule set, then you do some tweaks and customizations, but there is a problem. When they activate the default rule set with the recommendations and new security measures, it doesn't apply the new security measures to your clones profile. Therefore, you need to clone the profile again. We are already writing a report to Check Point. I think they have solution to this issue.
For how long have I used the solution?
We have been using it for approximately a year and a half.
What do I think about the scalability of the solution?
It is very scalable since we only need to buy licenses for more protective items. However, the overall license is very protective.
Dome9 integrates security best practices and compliance regulations into the CI/CD, across cloud providers. We are also currently integrating our ancillary environment on the domain. At the moment, we have more than 500 servers and domes protected by Dome9. Therefore, it's a tool that can accomplish security for almost all call environments.
Dome9 is used by the technical team. It is utilized in production and nonproduction. It is also integrated with Azure along with Office 365.
Dome9 has 100 percent adoption rate, as all our environment will be integrated with it.
There are two types of users:
- My team who implements the domain.
- The infrastructure team who looks at the report. There are three guys on the infrastructure team.
How are customer service and technical support?
I would rate the technical support an eight out of 10. We received a lot of support when implementing the solution directly with the product owners of Check Point, which is not their regular support. They were very useful and helpful, which was very good. We haven't had many complaints.
Which solution did I use previously and why did I switch?
The solution helps save our security team time. Before we had Dome9, our security team had to go through each problem and check it. Nowadays, we just need to analyze one report and use one tool. We don't have to go through all the accounts with all their data. Dome9 is saving them approximately 10 hours a week.
We implemented Dome9 as soon as we started having some production services on our current environment and started our cloud journey three years ago.
How was the initial setup?
The initial setup process was very quick: Create the user on AWS, then you can log in and have all your information. On the domain side, it was very quick to log in with the account created on the AWS.
The deployment was one or two days. We had three remote session, where two of those sessions were about how it works.
Our approach was to have our accounts on Dome9. After adding accounts, we ran some reports and compliance rule sets based on the security measure recommendations from Dome9 for our AWS product. We also went through the recommendations and made some changes on some of them. That is how we deployed the solution.
Our implementation strategy was to first only add the key accounts in the first stage, seeing how it worked. Then, after some weeks of working with it, we added the rest of the accounts to production.
What about the implementation team?
We did the initial setup directly with Check Point. They were very good and helpful because we were one of the first customers after they bought the domain company. They were very interested in helping us. We didn't have any complaints.
What was our ROI?
Dome9 helps developers save time. If you enable the remediate mode, then it will help you save time as it eliminates manual work. The reports also save time because you don't have to go into the tool and search for information. The reports save about five hours a week.
This solution has enabled us to reduce the number of employees involved in managing our cloud environment, especially the personnel who have had to analyze reports and implement security measures to mitigate risks. Before we had the tool, we had more people working on this task. Now, we only need one or two people to look through the report to review the risks.
What's my experience with pricing, setup cost, and licensing?
Right now, we have licenses on 500 machines, and they are not cheap.
Which other solutions did I evaluate?
They didn't find many other competitors for this type of domain and security tool.
The cloud providers give you the tools for their solutions to be secure, but they aren't easy to implement nor are they clear how to use because each tool that we have has its own security measures. This solution provides clarity for what you need to do to be secure in one centralized tool.
What other advice do I have?
Try it in read-only mode.
We do not use remediation at the moment. We do the remediation manually, since we are still using Dome9 in read-only mode. I don't know if we will use the remediation in the future because we prefer to do it ourselves. We don't know what will be the impact of doing it automatically from the tool.
If you use the remediate mode, which we currently don't use, it will leave you with automation to help out with your call environment for compliance. However, if we wanted to use it, we do have the tool.
Biggest lesson learnt: Securing the cloud is more difficult than we originally thought.
I would rate this solution as an eight out of 10.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)