What is our primary use case?
Dome9 is a SaaS security solution that handles compliance and security for cloud.
There are two major functions, and the first is to operate as a central firewall monitoring and management system in the cloud. We have more than 100 firewalls in the cloud, and Dome9 allows us to manage them.
The second function is its role as a compliance suite that helps you in keeping your cloud platforms compliant with PCI or ISO 27001.
For the most part, this is what I used it for. In the beginning, Dome9 did not have many features. There were only these two.
How has it helped my organization?
Using Dome9, I was able to manage a multi-cloud platform based on AWS, Azure, and Google for a multinational company in Europe with only three engineers.
Dome9 enables customizable governance using simple, readable language. The biggest advantage is that when there are things to be changed because of compliance problems, the engineers receive a plain-language text that instructs them on what to do. This also means that you don't have to have as many cloud specialists available.
What is most valuable?
The two most valuable features for us are the central firewall administrator and the real-time cloud compliance monitoring. The vendor has been building on these features, but they are the two that are most important for us.
With respect to how the compliance frameworks affect our security and compliance operations, it is important to consider that first of all, in the cloud, anybody can change a firewall. We wanted to have a central firewall administrator, with our more than 100 firewalls, so that we could make sure that our platform would stay secure. Dome9 alerts if somebody replaces something and puts it back, which is the biggest feature that we wanted.
Then, as an added feature, they have a real-time audit platform where you constantly have audits of your clouds to see that engineers don't forget to put all of the compliance in place.
Dome9's accuracy when it comes to compliance checking is very good, and it is done in real-time. I would rate it a nine out of ten. It is not perfect because sometimes you have false positives, although I don't think that you can get rid of them entirely. Overall, for compliance and diverse compliance methodologies, I would rate it a nine.
On the topic of accuracy, I would rate remediation a nine out of ten as well. It is easy to do because it is written in plain language, and also because there is a manual on how to remediate.
What needs improvement?
The false positives can be annoying at times.
For how long have I used the solution?
We have been using Dome9 for five years.
My experience with Dome9 began about five and a half years ago when I was working with a company that was building a multi-cloud platform. I was one of the first customers for Dome9, before the Check Point acquisition, and I was using it to manage my multi-cloud platform.
What do I think about the stability of the solution?
I would rate the stability a nine out of ten. It has always worked and I've never had a bad thing happen with it. In the beginning, when they introduced new features during beta testing, there were issues. However, it was always stable.
What do I think about the scalability of the solution?
Dome9 is a SaaS solution, so it scales with your cloud. When you get hundreds of firewalls, perhaps 200 or 300 of one, then the complexity becomes the same in Dome9 as the thing that you want to solve in the cloud, so I don't think that they can extend to that.
I have a deployment that is European-wide, multi-cloud, with approximately 480 virtual machines. There were a lot of other components as well, so it was a really huge use case.
How are customer service and technical support?
The technical support from Dome9 is really good. In fact, for me at the time, it was really good because I had direct access to the American team, so I just had to call if there was an issue. I also had monthly meetings with them to discuss things to improve and see if their service was okay for us.
Which solution did I use previously and why did I switch?
Initially, we used another solution but that was not for firewall security. Rather, it was for compliance.
How was the initial setup?
The initial setup is really easy. Just submit the cloud key. It takes between an hour and two hours to deploy. When I installed it, the process did not take longer than an hour.
My implementation strategy fits into the way I design secure private clouds or multi-clouds, based on public cloud providers. It's almost a necessity. You can do it in other ways by using the local ACLs, etc, but then it becomes cumbersome. Dome9 takes a lot of the work out of it and gives you a single point to manage all of your security firewalls.
What about the implementation team?
I deployed Dome9 myself. In my previous role, I was the head of cloud development and I directed two out of the three engineers in the team.
What's my experience with pricing, setup cost, and licensing?
In the beginning, the price of Dome9 was cheap, whereas now it is not.
I haven't gotten the latest pricing, but my advice is that you need to balance it out with your cloud business cases. It all depends on how many machines, servers, and the size of the cloud that you have. It's probably not useful if you have only a few machines and some network security groups to manage them. In this case, it's not something that you need.
Which other solutions did I evaluate?
I did evaluate another tool initially. I cannot recall the name but it had ".io" after it. Ultimately, we decided not to use it because it only had the compliance component and it was more expensive.
The native cloud security controls provided by the cloud vendors, when it comes to features like transparency and customization, are very weak. That's why you need Dome9. On their own, I would rate the native cloud security controls a four out of ten. They are complex, and the biggest issue is that it's difficult to secure if you want to centralize your security operation.
When maintaining and scaling security services and configurations across multiple public clouds using Dome9, versus using native cloud security controls, I find that it is much better. It's the same interface in Dome9, regardless of the cloud. Of course, your firewall administrator still needs to have knowledge of what he's doing. That doesn't change. The important point is that the interface is much better and it doesn't change between cloud environments.
What other advice do I have?
I would rate the accuracy of the security visibility slightly lower than nine out of ten because it's still complex to do, even with Dome9. The biggest feature of Dome9 is that it rolls back the changes when somebody has changed it in the cloud without authorization, yet the complexity of managing a lot of firewalls is still there. I would rate the accuracy of security visibility a seven and a half or eight out of ten.
I would rate the solution's comprehensiveness for cloud compliance and governance an eight out of ten. The false positives are a little bit annoying at times.
Dome9 helps to minimize the attack surface and manage dynamic access, although I didn't use the dynamic access in my setup. For my use case, it was primarily minimizing the internal attack surface because I didn't use it for external connections. I had a different role there. When you only have three engineers, you need to trust them. The reason that we used Dome9 was to be able to do it with a few engineers.
Dome9 provides a unified security solution across AWS, Azure, and Google, but not for anything else. To that end, I don't think that any other cloud provider would be a market contender at this point, and Google will probably even disappear after a while.
My advice for anybody who is considering Dome9 is to try it. If you're looking to manage a large security defense platform, in-depth, with a lot of firewalls, try it and you'll be surprised.
One of the things that I learned from using Dome9 was that it offered support for compliance. I was originally just looking for a way to manage all of these firewalls, and that came as a pleasant surprise. It helped us a lot with our ISO 27000 and PCI certification.
Overall, in terms of functionality, Dome9 is fairly well made.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?