We just raised a $30M Series A: Read our story

Check Point CloudGuard Posture Management OverviewUNIXBusinessApplication

Check Point CloudGuard Posture Management is the #2 ranked solution in our list of Cloud Workload Security Solutions. It is most often compared to Prisma Cloud by Palo Alto Networks: Check Point CloudGuard Posture Management vs Prisma Cloud by Palo Alto Networks

What is Check Point CloudGuard Posture Management?

Check Point CloudGuard provides cloud native security for all your assets and workloads, across multi-clouds, allowing you to automate security everywhere, with unified threat prevention and posture management. The only solution that provides context to secure your cloud with confidence.

Check Point CloudGuard Posture Management is also known as Dome9.

Check Point CloudGuard Posture Management Buyer's Guide

Download the Check Point CloudGuard Posture Management Buyer's Guide including reviews and more. Updated: October 2021

Check Point CloudGuard Posture Management Customers

Symantec, Citrix, Car and Driver, Virgin, Cloud Technology Partners

Check Point CloudGuard Posture Management Video

Pricing Advice

What users are saying about Check Point CloudGuard Posture Management pricing:
  • "The pricing is tremendous and super cheap. It is shockingly cheap for what you get out of it. I am happy with that. I hope that doesn't get reported back and they increase the prices. I love the pricing and the licensing makes sense. It is just assets: The more stuff that you have, the more you pay."
  • "The licensing and costs are straightforward, as they have a baseline of 100 workloads (number of instances) within one license with no additional nor hidden charges. If you want to have 200 workloads under Dome9, then you need to take out two licenses for that. Also, it does not have any impact on cloud billing, as data is shared using the API call. This is well within the limit of free API calls provided by the cloud provider."
  • "Right now, we have licenses on 500 machines, and they are not cheap."
  • "In the beginning, the price of Dome9 was cheap, whereas now it is not."

Check Point CloudGuard Posture Management Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
KW
Advisory Information Security Analyst at a financial services firm with 501-1,000 employees
Real User
Top 5Leaderboard
Security visibility accuracy is tremendous, letting us see who is trying to access what

Pros and Cons

  • "I love the work involved in maintaining and scaling security services and configurations across multiple public clouds using this solution, versus using native native cloud security controls. It is so much better. The different cloud platforms all have their own way that they handle a lot of the stuff that Dome9 handles. Even within their platform, they are in a lot of disparate places, e.g., in AWS, there are five different tools. You have to jump between them to get the same information that you can just pull in automatically on Dome9, which is just one platform. We are using multiple platforms, so that makes it even more complicated and time consuming if you had to just rely on them to get all of your information. Whereas, it's all just summarized and put together on the Dome9 end."
  • "The biggest thing is the documentation aspect of Dome9 is a little lacking. They were purchased by Check Point about a year and a half to two years ago. When they integrated into Check Point's support system, a lot of the documentation that they had previously got mangled in the transition, e.g., linking to stuff on the Dome9 website that no longer exists. There are still a lot of spaces with incomplete links and stuff that is not as fully explained as it could be."

What is our primary use case?

We pull all of our cloud platforms into Dome9: AWS and Azure as well as our Kubernetes environment. We use it for a few things: 

  1. It provides policy compliance. If we wanted to use SOX compliance or HIPAA, then we can turn on rules for that. Then, if something is in violation of one of those rules, it will let us know and we can correct it.
  2. We are able to set users, authentication, and powers, e.g., give users the ability to create networks. 
  3. We use it for log monitoring. We are able to pull in logs from cloud environments, review them, and take action.

How has it helped my organization?

Dome's security rule sets and compliance frameworks do great at helping us stay in line with various industry standards that we try to keep our company inline with automatically. We have had several examples where we have had users create machines or networks that wouldn't be in compliance with those policies. Dome9 immediately took care of them, preventing them from even being stood up. There is a lot of peace of mind with this stuff.

We are pretty thoroughly regulated for financial compliance. When we are talking to new clients or existing clients, we can point out that our cloud environment is completely in sync with the various industry standards of regulations.

The solution helps us to minimize attack surface and manage dynamic access because it automatically takes action based on the rules that we provide for it. It closes holes before they even open.

Dome9 integrates security best practices and compliance regulations well into the CI/CD, across cloud providers. This helps automate security and improve compliance posture. Rules are automated on their own. You set the policy that you want to hold your cloud environment and company to, while Dome9 is scanning your cloud platforms for those issues which are occurring at all times. If we didn't have that in place, then we would have to manually check every single network or machine that anyone stands up with a cloud. Because Dome9 is so efficient at this, anytime a machine, environment, or network gets stood up, it's able to go in and check the parameters to see if it is inline with our compliance rules.

What is most valuable?

All the features are very valuable. The policy compliance piece is probably the most valuable. It provides monitoring of your environment and whether you are actively looking at it. So, if I have a user who will try to spin up a network in the cloud that isn't inline with our policies, it will automatically stop that from being able to be created, then delete it. Therefore, it will take action whether or not we are explicitly looking at the platform, keeping it in compliance with the rest of the company at all times.

Dome9 enables customizable governance using simple, readable language. It comes with a robust tool set that they have already created with their own rules that they have already built. However, you do have the capability of going in to write your own stuff. We haven't had to do too much of that because the prebuilt stuff that they have is really good, but it is there if you need it.

Dome9's accuracy when it comes to compliance checking is tremendous. It finds issues in the environment pretty quickly when you run a scan. It will do it on an automated basis as well, so you don't have to manually scan your environment all the time. It will be constantly doing it in the background for you.

Security visibility accuracy is tremendous. A lot of that comes in as flow logs and lets us see who is trying to access what almost on a real-time basis. That is not something you usually get easily from cloud providers.

It works great at identifying, prioritizing, and auto-remediating events. Whatever scenario or set of criteria you feed Dome9, it will quickly and efficiently look for those issues in your environment and correct them.

What needs improvement?

The biggest thing is the documentation aspect of Dome9 is a little lacking. They were purchased by Check Point about a year and a half to two years ago. When they integrated into Check Point's support system, a lot of the documentation that they had previously got mangled in the transition, e.g., linking to stuff on the Dome9 website that no longer exists. There are still a lot of spaces with incomplete links and stuff that is not as fully explained as it could be. However, the product itself is really easy to use, so there is not too much of an issue with that. Also, it's not too hard to get on with the actual Check Point support to go over this stuff.

For how long have I used the solution?

I have been using it for about two years.

What do I think about the stability of the solution?

I haven't had any issues with it going down or any connectivity issues.

This solution doesn't require any post-deployment maintenance. It takes care of itself. The only stuff that you would want to do is look for new rule sets as they get added by Dome9, i.e., if you want to add anything or change it. Otherwise, you can set and forget it pretty well.

What do I think about the scalability of the solution?

It scales well. The only thing to watch out for is the licensing. We just ran into that. Dome9 will take how much you have from a cloud deployment standpoint, and you need to be appropriately licensed for it. You can't have too many cloud assets or you will exceed your license, then it stops reviewing the data that was added later.

Everyone who uses Dome9 is security at the moment. We are probably going to change that, as we are probably going to expand it in the future. We will have a lot of developers in there pretty soon.

How are customer service and technical support?

I haven't had to use Check Point's technical support in a while. I used them more back during the initial deployment, and earlier on, when the solution was just purchased by Check Point. I think the documentation could definitely use some improvement: their secure knowledge stuff. 

Which solution did I use previously and why did I switch?

Before Dome9, we just used native.

What we were doing natively wasn't sufficient. Once we saw what we were capable of doing with Dome9, that showed us all the stuff that we weren't doing with the native stuff that we could and should have been doing. Because it was so buried in there, we didn't know about it or how to do it. So, Dome9 helped us learn from a native tool perspective that there are other things that you can be doing with those tools that may not be that apparent.

How was the initial setup?

The initial setup was straightforward. A lot of the work for Dome9 is done upfront. There is an onboarding tool that Dome9 has when you want to add a cloud environment. That holds your hand and walks you through it pretty easily. It will show you everything you need to do both on the Dome9 side and on the cloud side to get the cloud environment integrated and set up. From there, the compliance rule sets that you want to apply to your company are all neatly laid out. With a single click, you can tell it that you want to run the X, Y, Z rule set against your current environment, then it will do that in a matter of minutes.

Initially, our deployment took probably a week just to get ourselves up and running. At that time, we were also trying to get the cloud deployment figured out. Knowing what we know now, we have stood up subsequent environments in minutes.

What about the implementation team?

We did the deployment ourselves. Two people were involved in the deployment process; I worked with a cloud security architect for Dome9's deployment. 

What was our ROI?

I have 100 percent seen ROI from money and time savings. We don't have to spend all day maintaining cloud environments. They take care of that for us. 

Dome9 helps our developers save time by as much as 50 percent. It prevents us from having to make them go back and redo their work. They do not even have the option to be out of compliance. It stops them from building machines and non-compliant stuff only to have to go back and redo them later, especially if Dome9 will shut that down before it even starts. A lot of people, when they get in the cloud, don't know what they're doing. So, if we're limiting the options they have available, then we see that cutting their time in half.

For security, there is a 90 percent time savings. Just having to manually check this stuff would be a nightmare, so I don't mind doing it on an automated basis.

A unified security solution across all major public clouds affects our cloud security operations by saving us a ton of time and effort. We don't have to redo things manually or check every individual environment all the time for compliance. This frees us up to build out and make a more sophisticated environment, really working on fine tuning things. We have a smaller team, so this has definitely helped us.

What's my experience with pricing, setup cost, and licensing?

The pricing is tremendous and super cheap. It is shockingly cheap for what you get out of it. I am happy with that. I hope that doesn't get reported back and they increase the prices. I love the pricing and the licensing makes sense. It is just assets: The more stuff that you have, the more you pay.

Which other solutions did I evaluate?

We didn't evaluate other solutions or vendors. We were impressed with the demo and PoC that we received.

While other vendors do have tools that are pretty good, the thing which we run into is that we have multiple cloud environments. Also, even within the cloud environments themselves, there are a lot of the tools but they are not as streamlined as the one that Dome9 offers. Dome9 pulls everything together into a single pane of glass for you.

I love the work involved in maintaining and scaling security services and configurations across multiple public clouds using this solution, versus using native native cloud security controls. It is so much better. The different cloud platforms all have their own way that they handle a lot of the stuff that Dome9 handles. Even within their platform, they are in a lot of disparate places, e.g., in AWS, there are five different tools. You have to jump between them to get the same information that you can just pull in automatically on Dome9, which is just one platform. We are using multiple platforms, so that makes it even more complicated and time consuming if you had to just rely on them to get all of your information. Whereas, it's all just summarized and put together on the Dome9 end.

What other advice do I have?

I would recommend people buy it. Design your environment with Dome9 in mind. From the ground up, let Dome9 analyze your environment and get you compliant with the rules that you need to be compliant with.

Its remediation works really well. Some of the more advanced remediation stuff can get more complicated because it involves spinning up, like Lambda functions in the cloud. That can be a more complicated procedure than some of the normal compliance remediation, but it's there and it's powerful.

We just use AWS and Azure, but they have Google Cloud Platform as well that you could use.

We are using it pretty extensively for what we are currently doing now, and we will expand that. My team manages all our cloud deployments, so we have everything that we are currently using integrated into Dome9, but we are also in the process of redoing our cloud deployment. So, instead of just building the cloud stuff, then putting Dome9 on top of it, we will be building it knowing that we will have Dome9 from the ground up.

I would rate this solution as a 10 out of 10. I love it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
BasilDange
Sr Manager IT Security at a financial services firm with 10,001+ employees
Real User
Top 10
The IAM role gives us complete control over the cloud environment

Pros and Cons

  • "It helps us to analyze vulnerabilities way before they get installed in production and the web. It gives us more security in the production environment."
  • "Automatic remediation requires read/write access. When providing read/write access to third-party applications, this can add risk. It should have some options of triggering API calls to the cloud platform, which in turn, can make the required changes."

What is our primary use case?

  1. Visibility for cloud workloads, including server, serverless and Kubernetes.
  2. Security configuration review along with automatic remediation.
  3. Posture management and compliance for a complete cloud environment.
  4. Centralize visibility for a complete cloud environment of the workload hosted on multiple cloud platforms (AWS and Azure).
  5. Baseline for security policy as per the workload based on services, such as S3, EC2, etc.
  6. Visibility of an API call within the environment.
  7. IAM management providing access to the cloud network in a controlled manner.
  8. Alerts and notifications for any security breach/changes in the cloud environment.
  9. Flow visibility of traffic to and from the cloud environment.
  10. Real-time alerting for any security incidents.

They provide support for Azure, Amazon, GCP, and Alibaba. However, we just have AWS and Azure.

How has it helped my organization?

  1. Provides complete visibility of the workload hosted on different cloud platforms (AWS and Azure) along with multiple tenants. 
  2. Helps in enhancing security for cloud environments by providing reports, both in terms of security and compliance. 
  3. Provides complete visibility of traffic flowing to/from the cloud platform.
  4. Provides best practice policy that helps to strengthen the security of the workload.
  5. Assets inventory and API calls can happen from the cloud.
  6. Provides control in terms of accessing the cloud workload. As a policy is created, this will block direct access to the cloud environment in case the same is not define or approved in Dome9.

Security visibility with Dome9 is excellent. Normally, without this type of solution, especially if you have some workloads hosted on Azure, they give you minimal tools to be able to analyze the loss. There are different consoles that need to be checked for analyzing any incident. In the case of Dome9, it gives you the loss provided in a report on a centralized console. It gives you complete visibility, including the IP to IP Flow, which is happening from the workloads to the Internet or the Internet to the workloads. Even in case of getting a threat intelligence from Check Point, which we have the integration, if some workflows are communicating any suspicious IPs, then the reports are available on the flow logs. On top of that, it also provides a report where you will be able to find out from which location or country you are getting the traffic to your workloads. Therefore, if you want to block certain geo-locations from communicating with your network, then you can also do that using Dome9.

The workload, which was taking a day's time, now can be turned out within hours. We are able to analyze the logs in real-time. Previously, if we enabled some services, then the email needed to be sent to the security team who would do the scanning, might submit the reports, and post some action to be taken by the developers. Using this solution, we are getting the reports in real-time. The remediation can also be applied automatically. The developer can take the necessary action immediately. It provides us what action needs to be taken.

Unless we did some scanning, we used to not know that there were security flaws within particular services. However, by using Dome9, as it has complete visibility, we are getting those details much faster.

The firewall normally has been managed by security team. Admins can bypass through firewall to create any policy. They can go outside and downloading/uploading anything from their workloads. This solution provides that control as well.

What is most valuable?

  1. The IAM role gives us complete control over the cloud environment. In case someone tries to bypass and create a user or policy locally, which is not allowed or defined in Dome9, changes will be rolled back and a notification will be sent to the concerned team.
  2. It's always ON and available on a mobile device using the app.
  3. There is complete visibility of the traffic flow with threat intelligence provided from Check Point. It even provides communication detail on any suspicious IPs.
  4. Provides detailed information if some workload tries to directly access and bypass any firewall policy.
  5. Provides a granular level of reports along with issues based on compliance standards, which are defined depending upon organizational requirements.
  6. Task delegation as a particular incident can be assigned to a particular individual. The same can also be done manually or automatically.
  7. Customizes queries for detecting any incident.

The solution is pretty straightforward to use, as it is only a SaaS model. You just need to enable the accounts for which Dome9 needs to do validation, and that's it.

Compliance checking capabilities: When you enroll your account, we have multiple accounts. Once you enter that on Dome9, it does a complete scan of your account based on these flow logs. It checks: "What are the security flaws?" So, the compliance depends on the company and what they are using as a benchmark. Normally, for India, we use the CIS as a benchmark, then whatever flow logs are available, those are provided in the reports. Then, we check those compliance reports against the CIS benchmark, and accordingly, take actions. We can then know what are the deviation on the cloud platform and on the account, with respect to the CIS.

There are some use cases where you will not have reports readily available or not get the dashboard for particular outputs. You can create a query on the console for those, e.g., if a particular EXE file started on a workload, we can find out if that is running anywhere in the cloud. While it does not provide details on the process level, it will provide us with which sensor is communicating to which IP addresses as well as if there are any deviations from that pattern.

It has remediation capabilities, and there are two options available:

  1. You can do automatic remediation, where you need to define the policy for which unit that you are doing remediation. 
  2. It can be assigned to a particular team or group of people for its particular vulnerabilities of security flaws. That ticket can then be raised to service quotas be remediated manually.

What needs improvement?

  1. Policy validation should be available before it is deployed in a production environment using a cloud template.
  2. Automatic remediation requires read/write access. When providing read/write access to third-party applications, this can add risk. It should have some options of triggering API calls to the cloud platform, which in turn, can make the required changes.
  3. A number of security rules need to be added in order to identify more issues. 
  4. The reporting should have more options. The reports should be more granular.
  5. It should support all container platforms for visibility of a complete infrastructure single console, such as, PCF.

For how long have I used the solution?

Three months.

What do I think about the stability of the solution?

Until now, we have not faced any issues in term of downtime or outages. It seems to be quite stable.

What do I think about the scalability of the solution?

Scalability is not an issue. There are a number of workload licenses that need to be procured, then it is straightforward.

There are between eight to 10 security admins and auditors who have access to Dome9.

Our complete cloud workload is managed through Dome9.

How are customer service and technical support?

The support is excellent. They regularly review our cloud infrastructure and provide suggestions to help us have a better security posture.

Which solution did I use previously and why did I switch?

Initially, we were using tools provided by the service provider, such as, ScoutSuite, AWS Config Rules, AWS Trusted Advisor, or Amazon GuardDuty for monitoring, and similar tools for Azure as well. Then, we needed to go through a different console to identify any incidents.

Initially, we used submit a report, but there was no remediation nor information provided how to remediate workload issues. In our current scenarios, we are able to get the complete visibility. The complete visibility of the solution has been a key to the increase in our productivity.

How was the initial setup?

The initial setup was straightforward. The only thing that was required from our side was a cloud template, which was provided by Dome9. We need to executed that template in our cloud environment for AWS and Azure. It automatically creates a read-only ID on the AWS platform for Dome9 to connect with. There is some configuration which needs to be done on Dome9 as well as AWS, but the deployment takes around 15 to 30 minutes.

What about the implementation team?

Check Point's team was available, but we implemented it in-house with our support team.

We don't require staff for deployment and maintenance of this solution.

What was our ROI?

As it is a security product, the ROI will not have that much importance because it is enhancing your security and/or providing more security to your infrastructure. If there are any security incidents, then Dome9 is able to protect us.

Initially, once the solution was deployed into production, then the scanning used to happen and we used to see the environment's visibility. In the current situation, as everyone is moving to the DevOps environment and using the CI/CD pipelines, it helps us to analyze vulnerabilities way before they get installed in production and the web. It gives us more security in the production environment.

What's my experience with pricing, setup cost, and licensing?

The licensing and costs are straightforward, as they have a baseline of 100 workloads (number of instances) within one license with no additional nor hidden charges. If you want to have 200 workloads under Dome9, then you need to take out two licenses for that. Also, it does not have any impact on cloud billing, as data is shared using the API call. This is well within the limit of free API calls provided by the cloud provider.

Which other solutions did I evaluate?

We evaluated Prisma Cloud by Palo Alto Networks and Trend Micro Cloud One Conformity.

Normally, the policies are accessible only on the browsers, e.g., if you compile them from Prisma Cloud, they're available as a part of a browser. However, for management users, especially for CIOs and CTOs, it becomes difficult for them to type URLs, then login. In the case of Dome9, they provide an app. With that app, you can directly login with single sign-on. It is much easier to access using the app compared to the browser option.

Most things are the same for all three providers. The major difference between Dome9 and Prisma is the IAM roles. The maturity of IAM roles available in Dome9 are much better than the other two solutions. Currently, our focus is mostly on what is happening and who is making the changes in the environment. Another thing is the visibility that Dome9 provides through its intel is better than the other two solutions.

The other two solutions have system capabilities better than Check Point.

I would recommend Prisma as well as Dome9 because they both have the visibility. In our case, the IAM was a critical piece of our requirements.

What other advice do I have?

The cloud and on-prem environments are completely two different networks.

They should offer the cloud in India. Soon, there will be GDPR and India will have its own data protection laws. This might create some issues in the case of the data residing outside India. Because we are collecting metadata from the internal networks for the cloud environment, this is the reason that I suggest that they should have some plans to have the cloud in India. However, neither Prisma nor Trend Micro have cloud in India.

I would rate this solution as an eight out of 10.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Learn what your peers think about Check Point CloudGuard Posture Management. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
541,462 professionals have used our research since 2012.
ITCS user
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Solution helps to ensure that we comply with our security measures

Pros and Cons

  • "On Dome9, you can have reports on compliance, users created, and EAM access to the cloud infrastructure. For example, if some machine is exposed to the Internet, importing and exporting to the Internet when it shouldn't, we get immediate alerts if someone does this type of configuration by mistake. Dome9 is very important because AWS doesn't protect us for this. It is the client's responsibility to make sure that we don't export things to the Internet. This solution helps us ensure that we comply with our security measures."
  • "The main issue that we found with Dome9 is that we have a default rule set with better recommendations that we want to use. So, you do a clone of that rule set, then you do some tweaks and customizations, but there is a problem. When they activate the default rule set with the recommendations and new security measures, it doesn't apply the new security measures to your clones profile. Therefore, you need to clone the profile again. We are already writing a report to Check Point."

What is our primary use case?

The primary use case has been for auditing the cloud infrastructure in terms of security, because our company has been audited a lot of times. For the cloud, this is a tool that we use to audit the cloud environment. For example, all of the S3 buckets are encrypted to know if we don't have servers exposed to the Internet where they shouldn't be. This solution runs some compliance reports. That is why we use it.

We use it the most to check if things are complaint, because the compliancy checking is accurate.

How has it helped my organization?

On Dome9, you can have reports on compliance, users created, and EAM access to the cloud infrastructure. For example, if some machine is exposed to the Internet, importing and exporting to the Internet when it shouldn't, we get immediate alerts if someone does this type of configuration by mistake. Dome9 is very important because AWS doesn't protect us for this. It is the client's responsibility to make sure that we don't export things to the Internet. This solution helps us ensure that we comply with our security measures. 

We use the compliance rule set to run some reports on our infrastructure. According to the report, we know if we are secure or compliant with our security recommendations. We wanted a default security compliance toolset. So, we cloned it, then we did some customization of some security measures that we wanted. 

We run the compliance rule set report, then the InfoSec team receives that report. They go through it and see if we are compliant and need to do some security measures on some of it resources. It helps us towards visibility and security.

We use the solution to enable customizable governance using simple, readable language. We are not just stuck with the default rules set. If we think the security measures they recommend are not needed, then we can add some others instead, change them, or customize them.

What is most valuable?

We have full visibility of our cloud infrastructure in terms of compliance and security. For example, if someone has a machine that doesn't comply with the company policy, then we get an alert.

Security visibility is very good. Usually, when it's the security report, they match the reality and are correct, then they raise some alerts. Almost 100 percent of the time, we will need to do some tweaking to fix issues.

It is a very good tool for both cloud compliance and governance. We use it for both. We can monitor our entire cloud infrastructure. It provides reports on our security, then if we have to fix something in regards to the security, we can do it in a centralized tool. If you go to AWS and check each tool and server if it is compliant, then it's a mess, but this tool works. It is very simple for governance and reducing the risk.

The solution helps us to minimize attack surface and manage dynamic access. With Dome9, we are sure our machines are not exposed to the Internet. We have reports about users who access of our AWS accounts with the EAM function, which reduces our attack surface.

This solution provide a unified security solution across all major public clouds. We have all our infrastructure integrated on Dome9, so it provides us security on our entire cloud infrastructure, both AWS and Azure, which we are currently integrating. 

What needs improvement?

The main issue that we found with Dome9 is that we have a default rule set with better recommendations that we want to use. So, you do a clone of that rule set, then you do some tweaks and customizations, but there is a problem. When they activate the default rule set with the recommendations and new security measures, it doesn't apply the new security measures to your clones profile. Therefore, you need to clone the profile again. We are already writing a report to Check Point. I think they have solution to this issue.

For how long have I used the solution?

We have been using it for approximately a year and a half.

What do I think about the scalability of the solution?

It is very scalable since we only need to buy licenses for more protective items. However, the overall license is very protective.

Dome9 integrates security best practices and compliance regulations into the CI/CD, across cloud providers. We are also currently integrating our ancillary environment on the domain. At the moment, we have more than 500 servers and domes protected by Dome9. Therefore, it's a tool that can accomplish security for almost all call environments.

Dome9 is used by the technical team. It is utilized in production and nonproduction. It is also integrated with Azure along with Office 365.

Dome9 has 100 percent adoption rate, as all our environment will be integrated with it. 

There are two types of users:

  • My team who implements the domain.
  • The infrastructure team who looks at the report. There are three guys on the infrastructure team.

How are customer service and technical support?

I would rate the technical support an eight out of 10. We received a lot of support when implementing the solution directly with the product owners of Check Point, which is not their regular support. They were very useful and helpful, which was very good. We haven't had many complaints.

Which solution did I use previously and why did I switch?

The solution helps save our security team time. Before we had Dome9, our security team had to go through each problem and check it. Nowadays, we just need to analyze one report and use one tool. We don't have to go through all the accounts with all their data. Dome9 is saving them approximately 10 hours a week.

We implemented Dome9 as soon as we started having some production services on our current environment and started our cloud journey three years ago. 

How was the initial setup?

The initial setup process was very quick: Create the user on AWS, then you can log in and have all your information. On the domain side, it was very quick to log in with the account created on the AWS.

The deployment was one or two days. We had three remote session, where two of those sessions were about how it works. 

Our approach was to have our accounts on Dome9. After adding accounts, we ran some reports and compliance rule sets based on the security measure recommendations from Dome9 for our AWS product. We also went through the recommendations and made some changes on some of them. That is how we deployed the solution.

Our implementation strategy was to first only add the key accounts in the first stage, seeing how it worked. Then, after some weeks of working with it, we added the rest of the accounts to production.

What about the implementation team?

We did the initial setup directly with Check Point. They were very good and helpful because we were one of the first customers after they bought the domain company. They were very interested in helping us. We didn't have any complaints.

What was our ROI?

Dome9 helps developers save time. If you enable the remediate mode, then it will help you save time as it eliminates manual work. The reports also save time because you don't have to go into the tool and search for information. The reports save about five hours a week.

This solution has enabled us to reduce the number of employees involved in managing our cloud environment, especially the personnel who have had to analyze reports and implement security measures to mitigate risks. Before we had the tool, we had more people working on this task. Now, we only need one or two people to look through the report to review the risks.

What's my experience with pricing, setup cost, and licensing?

Right now, we have licenses on 500 machines, and they are not cheap.

Which other solutions did I evaluate?

They didn't find many other competitors for this type of domain and security tool.

The cloud providers give you the tools for their solutions to be secure, but they aren't easy to implement nor are they clear how to use because each tool that we have has its own security measures. This solution provides clarity for what you need to do to be secure in one centralized tool.

What other advice do I have?

Try it in read-only mode. 

We do not use remediation at the moment. We do the remediation manually, since we are still using Dome9 in read-only mode. I don't know if we will use the remediation in the future because we prefer to do it ourselves. We don't know what will be the impact of doing it automatically from the tool. 

If you use the remediate mode, which we currently don't use, it will leave you with automation to help out with your call environment for compliance. However, if we wanted to use it, we do have the tool.

Biggest lesson learnt: Securing the cloud is more difficult than we originally thought.

I would rate this solution as an eight out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Schillebeeks Bart
Owner at AD Internet Consulting
Real User
Top 10
Provides central firewall administration capability, real-time compliance checking, and good technical support

Pros and Cons

  • "The two most valuable features for us are the central firewall administrator and the real-time cloud compliance monitoring."
  • "The false positives can be annoying at times."

What is our primary use case?

Dome9 is a SaaS security solution that handles compliance and security for cloud.

There are two major functions, and the first is to operate as a central firewall monitoring and management system in the cloud. We have more than 100 firewalls in the cloud, and Dome9 allows us to manage them.

The second function is its role as a compliance suite that helps you in keeping your cloud platforms compliant with PCI or ISO 27001.

For the most part, this is what I used it for. In the beginning, Dome9 did not have many features. There were only these two.

How has it helped my organization?

Using Dome9, I was able to manage a multi-cloud platform based on AWS, Azure, and Google for a multinational company in Europe with only three engineers.

Dome9 enables customizable governance using simple, readable language. The biggest advantage is that when there are things to be changed because of compliance problems, the engineers receive a plain-language text that instructs them on what to do. This also means that you don't have to have as many cloud specialists available.

What is most valuable?

The two most valuable features for us are the central firewall administrator and the real-time cloud compliance monitoring. The vendor has been building on these features, but they are the two that are most important for us.

With respect to how the compliance frameworks affect our security and compliance operations, it is important to consider that first of all, in the cloud, anybody can change a firewall. We wanted to have a central firewall administrator, with our more than 100 firewalls, so that we could make sure that our platform would stay secure. Dome9 alerts if somebody replaces something and puts it back, which is the biggest feature that we wanted.

Then, as an added feature, they have a real-time audit platform where you constantly have audits of your clouds to see that engineers don't forget to put all of the compliance in place.

Dome9's accuracy when it comes to compliance checking is very good, and it is done in real-time. I would rate it a nine out of ten. It is not perfect because sometimes you have false positives, although I don't think that you can get rid of them entirely. Overall, for compliance and diverse compliance methodologies, I would rate it a nine.

On the topic of accuracy, I would rate remediation a nine out of ten as well. It is easy to do because it is written in plain language, and also because there is a manual on how to remediate.

What needs improvement?

The false positives can be annoying at times.

For how long have I used the solution?

We have been using Dome9 for five years.

My experience with Dome9 began about five and a half years ago when I was working with a company that was building a multi-cloud platform. I was one of the first customers for Dome9, before the Check Point acquisition, and I was using it to manage my multi-cloud platform.

What do I think about the stability of the solution?

I would rate the stability a nine out of ten. It has always worked and I've never had a bad thing happen with it. In the beginning, when they introduced new features during beta testing, there were issues. However, it was always stable.

What do I think about the scalability of the solution?

Dome9 is a SaaS solution, so it scales with your cloud. When you get hundreds of firewalls, perhaps 200 or 300 of one, then the complexity becomes the same in Dome9 as the thing that you want to solve in the cloud, so I don't think that they can extend to that.

I have a deployment that is European-wide, multi-cloud, with approximately 480 virtual machines. There were a lot of other components as well, so it was a really huge use case.

How are customer service and technical support?

The technical support from Dome9 is really good. In fact, for me at the time, it was really good because I had direct access to the American team, so I just had to call if there was an issue. I also had monthly meetings with them to discuss things to improve and see if their service was okay for us.

Which solution did I use previously and why did I switch?

Initially, we used another solution but that was not for firewall security. Rather, it was for compliance.

How was the initial setup?

The initial setup is really easy. Just submit the cloud key. It takes between an hour and two hours to deploy. When I installed it, the process did not take longer than an hour.

My implementation strategy fits into the way I design secure private clouds or multi-clouds, based on public cloud providers. It's almost a necessity. You can do it in other ways by using the local ACLs, etc, but then it becomes cumbersome. Dome9 takes a lot of the work out of it and gives you a single point to manage all of your security firewalls.

What about the implementation team?

I deployed Dome9 myself. In my previous role, I was the head of cloud development and I directed two out of the three engineers in the team.

What's my experience with pricing, setup cost, and licensing?

In the beginning, the price of Dome9 was cheap, whereas now it is not.

I haven't gotten the latest pricing, but my advice is that you need to balance it out with your cloud business cases. It all depends on how many machines, servers, and the size of the cloud that you have. It's probably not useful if you have only a few machines and some network security groups to manage them. In this case, it's not something that you need.

Which other solutions did I evaluate?

I did evaluate another tool initially. I cannot recall the name but it had ".io" after it. Ultimately, we decided not to use it because it only had the compliance component and it was more expensive.

The native cloud security controls provided by the cloud vendors, when it comes to features like transparency and customization, are very weak. That's why you need Dome9. On their own, I would rate the native cloud security controls a four out of ten. They are complex, and the biggest issue is that it's difficult to secure if you want to centralize your security operation.

When maintaining and scaling security services and configurations across multiple public clouds using Dome9, versus using native cloud security controls, I find that it is much better. It's the same interface in Dome9, regardless of the cloud. Of course, your firewall administrator still needs to have knowledge of what he's doing. That doesn't change. The important point is that the interface is much better and it doesn't change between cloud environments.

What other advice do I have?

I would rate the accuracy of the security visibility slightly lower than nine out of ten because it's still complex to do, even with Dome9. The biggest feature of Dome9 is that it rolls back the changes when somebody has changed it in the cloud without authorization, yet the complexity of managing a lot of firewalls is still there. I would rate the accuracy of security visibility a seven and a half or eight out of ten.

I would rate the solution's comprehensiveness for cloud compliance and governance an eight out of ten. The false positives are a little bit annoying at times.

Dome9 helps to minimize the attack surface and manage dynamic access, although I didn't use the dynamic access in my setup. For my use case, it was primarily minimizing the internal attack surface because I didn't use it for external connections. I had a different role there. When you only have three engineers, you need to trust them. The reason that we used Dome9 was to be able to do it with a few engineers.

Dome9 provides a unified security solution across AWS, Azure, and Google, but not for anything else. To that end, I don't think that any other cloud provider would be a market contender at this point, and Google will probably even disappear after a while.

My advice for anybody who is considering Dome9 is to try it. If you're looking to manage a large security defense platform, in-depth, with a lot of firewalls, try it and you'll be surprised.

One of the things that I learned from using Dome9 was that it offered support for compliance. I was originally just looking for a way to manage all of these firewalls, and that came as a pleasant surprise. It helped us a lot with our ISO 27000 and PCI certification.

Overall, in terms of functionality, Dome9 is fairly well made.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
RR
Senior Security Engineer at a insurance company with 10,001+ employees
Real User
Top 5Leaderboard
Enables us to manage all instances and accounts, whether Azure or AWS, through a single portal

Pros and Cons

  • "The audit feature is the most valuable for compliance reasons. It gives you a full view of the whole environment, no matter how many accounts you have in AWS or Azure. You have it all under one umbrella."
  • "The accuracy of its remediation is a 7.5 out of 10. Before, I would have given it a ten but now, to handle remediation for fully qualified domain names, it's not working as it did in the past. We're finding some difficulties there."

What is our primary use case?

We use Dome9 for security groups on the AWS/Azure side. We use it for inventory purposes, to gather all of the accounts into one single view. We do some governance and compliance in it as well.

How has it helped my organization?

The solution enables customizable governance using simple readable language. It all depends on how you customize it. If you customize it properly, you'll definitely have full visibility of the environment.

Similarly, if it's customized well it helps minimize attack surface. For example, you can lock the security groups to be managed only through Dome9, so any change made directly on AWS would be reverted by Dome9. That helps minimize the risk.

In addition, it integrates security best practices and compliance regulations into the CI/CD, across cloud providers. You can set up the automation so that if any group is created outside of Dome9, it is reverted. You can also run scheduling functionality to identify anything that is not compliant.

It also helps developers save time and increase their productivity. If they save time they have more time to do other things, whether within Dome9 or elsewhere. The features that are offered by Dome9 definitely make developers more productive. I would estimate it saves 10 to 15 percent of their time. And it absolutely saves time and increases productivity for security teams, by about 20 percent.

Another benefit is that Dome9 provides a unified security solution across all major public clouds. You manage all the instances and all the different accounts, whether Azure or AWS, through a single portal. Otherwise, with AWS, for example, you would have to log in to each account individually, and if you wanted to run reports, you would have to do it at the account level. If you have ten accounts, you'd have to go through ten accounts. Whereas, with Dome9, you can see all of the accounts in one place, run one query, and obtain everything. And you can play around with the report in Excel and filter it for what account you want to look at.

What is most valuable?

The audit feature is the most valuable for compliance reasons. It gives you a full view of the whole environment, no matter how many accounts you have in AWS or Azure. You have it all under one umbrella.

We use solution’s security rule sets and compliance frameworks and, again, for compliance purposes, we do have the full view. We see all of our vulnerable, open ports and open IPs. Its comprehensiveness for cloud compliance and governance is good. If it was not a good product that defines all aspects of cloud security, we would not be using it.

Also, Dome9’s accuracy when it comes to compliance checking is a nine out of 10. I would not give it a ten because sometimes the report is returning something and when we look at it on the AWS side, it's not exactly the way it showed on the report, because of the layout of the report. The accuracy of the security visibility is a nine out of 10. I give it a high score because we have full security visibility over the incidents and the groups, everything that is related to AWS. It's not a ten because sometimes you have to look in different places to get the full visibility, as it's not all gathered in the same place.

What needs improvement?

The accuracy of its remediation is a 7.5 out of 10. Before, I would have given it a ten but now, to handle remediation for fully qualified domain names, it's not working as it did in the past. We're finding some difficulties there.

Also, as soon as Check Point took over the solution, the feature that identifies and creates security groups based on fully qualified domain names, instead of IP addresses, was degraded.

For how long have I used the solution?

I have been using Dome9 for two-plus years. 

What do I think about the stability of the solution?

It's quite stable.

What do I think about the scalability of the solution?

It scales well.

In terms of increasing usage, it all depends on the size of the company. If we grow, the number of the users will grow as well.

How are customer service and technical support?

The support for Dome9 is not thrilling. It was degraded when Check Point took over. Support needs a push. When Check Point bought the solution, they did not fully understand it. So when we called support, we would get sent in different directions before someone knew what we were talking about. I would rate the support at five out of 10.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The initial setup of the solution was straightforward for me as a professional working in the cloud environment. For someone else who is a beginner or not familiar with cloud products, he or she might find it a bit difficult. It all depends on the level of knowledge that each person has.

The deployment took a week or two, and that was not full-time.

We have about ten users of the solution, including security engineers, analysts, cloud engineers, enterprise engineers, and architects.

What about the implementation team?

We had a sales engineer from Dome9 and he gave us a push. The support they provided back then was good.

Which other solutions did I evaluate?

When looking at the native cloud security controls provided by our cloud vendors, when it comes to features like transparency and customization, I would give full credit to Dome9. If the  cloud vendors did offer what Dome9 is offering, we would not be using Dome9. We use Dome9 because of the features it offers.

As for maintaining and scaling security services and configurations across multiple public clouds, it depends. If I have one account, it will take me the same amount of time to do it, whether in Dome9 or directly on the cloud vendor's portal. But if I have, say, five AWS accounts and I want to implement a change, I would have to do it five times to those five different accounts. In Dome9, I can do it one time for all five accounts.

We did look at other vendors' solutions, in addition to Dome9. Back then, the FQDN was compatible and that was one of the main features that pushed us to select Dome9.

What other advice do I have?

Scale it right the very first time and you will be happy. You need to have cloud knowledge to do so. If you don't, outsource that task to a vendor, to a contractor, or to Dome9. By getting it right the very first time, you are starting on a good basis. If you don't do it right, you're not going to take full advantage of the features being offered by Dome9.


Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1398609
Senior Manager at a financial services firm with 10,001+ employees
Real User
Top 20
Threat intel integration provides us visibility in case any workload is communicating with suspicious or blacklisted IPs

Pros and Cons

  • "Assets Management as it provide complete visibility of our workload inkling EC2 instance or Serverless"
  • "It should capture more information in metadata including communication detail. Also, Internal IP addresses should not be tracked as this might be having some compliance issues."

What is our primary use case?

1) Visibility for Cloud Work Load for Server, Server Less & Container environment 

2) Security configuration review along with auto-remediation

3) Posture management and Compliance for complete Cloud Environment

4) Centralize Visibility for Complete Cloud Environment of Workload hosted on Multiple Cloud Platform (AWS, Azure, and GCP)

5) The baseline for Security Policy as per Workload based on Services such as S3, EC2, etc

6) Visibility of API call within the environment

7) IAM management providing access to cloud network in a control manner

8) Alert and Notification for any Security breach/Changes in Cloud environment

9) Flow Visibility of traffic from and to Cloud Environment

10) Real-time alerting for any incident 

How has it helped my organization?

1) Provides visibility of organization complete cloud infra hosted on different cloud platforms such as AWS & Azure. It also provides visibility of different accounts hosted on multiple tenants on a single dashboard.

2) Provide visibility of workload with an average instance running on a daily basis. As we have few instances that are taken offline during nonworking hours

3) It provides access to complete Cloud environment in control manner, Admin is not allowed to create or add any user or change security Policy directly with an admin account, unless the same has been approved via IAM role

4) Provides compliance and vulnerability detail of our environment. It also provides auto-remediation for few policies.

5) It has helped us to create a baseline while enabling any services.

6) Provides complete detail of any workload trying or getting connected to the Internet or if some workload is getting bypass from Firewall Policy.

7) Provides end to end visibility of source and detail IP address along with communication detail.

8) Reports generated based on metadata and API calls hence it does not impact our billing cycle 

What is most valuable?

1) IAM role is the feature which is widely used as it provides a granular level of control and visibility of any changes happening within our Cloud network

2) Benchmark of our network

3) Complaisance and reporting to understand and mitigate any security issue 

4) Threat intel integration which provides us visibility in case any workload is communicating with Suspicious or blacklisted IP

5) Centralize dashboard for different tenant and account 

6) Assets Management as it provide complete visibility of our workload inkling EC2 instance or Serverless 

What needs improvement?

1) More number of Security Policy to have more number of detection 

2) It should capture more information in metadata including communication detail. Also, Internal IP addresses should not be tracked as this might be having some compliance issues. 

3) Should have support for VMware Pivotal Cloud Foundry

4) Should maintain  configuration information which will help in case forensic need to be performed in term of changes

5) Should allow Policy to be deployed using a template and the same should be getting reviewed before deployment. This will help us to provide secure deployment CI/CD

For how long have I used the solution?

We have been using Dome9 for three months.

What do I think about the stability of the solution?

we have workout for SaaS offering from Dome9 hence entire setup is managed and maintained by Dome9. We have enrolled our account and using it as a service and till not we have not observed any outages 

What do I think about the scalability of the solution?

As it's available as SaaS and subscription offering it can be scalable deepening upon the number of workloads for which support is required.

How are customer service and technical support?

Overall its excellent both support and presales team.

Which solution did I use previously and why did I switch?

We used a Cloud-native solution to identify security issues but it did not provide any detailed visibility. Also, multiple console access where required in order to identify and security flaw.

How was the initial setup?

It was straightforward there was template provided by Dome9 (Checkpoint) and that need to be imported in our account which create ID and provide access to Dome9 on our cloud infra to monitor and collect metadata logs

What about the implementation team?

Our cloud team has helped us in terms of implementation. Also, it's not complicated the complete step by step guide is provided by Dome9 (CheckPoint) for enrolling Cloud to Dome9.

What's my experience with pricing, setup cost, and licensing?

Cost is based on number or Workload in case of Prisma & Dome9 

For Aquasec it's based on a number of application workloads

For Conformity it's based on the number of accounts 

Which other solutions did I evaluate?

Redlock from Prisma 

Conformity from Trend Micro

Auquasec 

What other advice do I have?

Licensing should be based on workload and should have some option for smaller brackets its should not in starting from 100,200 etc.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mantu Shaw
Sr. Technology Architect at Incedo Inc.
Real User
Top 5
Helpful technical support, with a seamless setup and good integration with the public cloud

Pros and Cons

  • "Auto remediation is a very effective feature that helps ensure less manual intervention."
  • "Almost all features are good, however, they still require improvements to the code security portion on which integration with the major source code repository is required."

What is our primary use case?

The product provides complete visibility of our cloud security posture. It supports servers and Cloud-Native Services. It provides a centralized solution for Cloud Security with risk and compliance management. 

We required it to manage various compliance requirements including live ISO, SOC, PCI and it supports everything. Our Organization is in a hybrid structure and in it, we are using various AWS and Azure accounts. Earlier, we managed everything individually, however, after the implementation of it, we now manage everything from a single solution. The single solution helps with the system, network, and security administration.

How has it helped my organization?

The solution provides the complete visibility of Cloud Security, as well as a number of baseline policies and rules. This helps us to manage cloud posture with less effort. After implementation, it reduced administrative effort in terms of managed security over the cloud. Now, we are not dependent on individual tools for each account as well as cloud service providers. 

After implementation, the team can generate reports from a single console for all compliance needs.

Auto Remediation is a very effective feature and it improves the need for manual intervention from the security and cloud administrator.

What is most valuable?

The baseline policy and the integration with the public cloud are very easy.

The number of compliance rulesets along with the baseline policy, support of cloud-native services, and license management are easy. Support of the CI/CD pipeline security (Code Security), Kubernetes, et cetera, is useful. 

There are very helpful and various types of reports. Reporting features are very good and anyone from the compliance team can view/generate a report according to compliance support.

Auto remediation is a very effective feature that helps ensure less manual intervention.

Support of AWS Lamda and Azure Functions helps for any potential breaches.

What needs improvement?

Almost all features are good, however, they still require improvements to the code security portion on which integration with the major source code repository is required.

Integration with CI/CD is an important aspect as it is needed to secure the environment. Having it will help a lot.

Integration with Docker is also a key feature that needs some improvements.

Integration with other third parties and with SIEM is an important aspect that should be addressed.

Currently, it provides integration with Tenable, but it would be good if it had support other VAPT software as well.

For how long have I used the solution?

We have been using Check Point CloudGuard Posture management for the last 8+ months.

What do I think about the stability of the solution?

The solution is very stable and we have not found any gaps. It provides seamless integration with the public cloud.

What do I think about the scalability of the solution?

It's a highly scalable solution and integration with the public cloud is very good. The way you can centralize the dashboard of entire cloud infra is a very impressive.

How are customer service and support?

Support has been good. We implement it with the help of OEM support and whenever we've required help we've received a good response.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Earlier, we tested other tools as well, however, the features which were available via Check Point are very good and the future roadmap is also very good in regards to cloud security.

How was the initial setup?

The setup is straightforward and seamless.

What about the implementation team?

We implemented it with help of Check Point support. The rest was managed by our internal team as it's easy to handle.

What was our ROI?

Security is very important and gives us ROI from security itself. We also get an ROI as we have less administrative effort. We can see an ROI with the compliance and risk management on offer too.

What's my experience with pricing, setup cost, and licensing?

The setup cost is very affordable and very easy. Integration with the public cloud is very easy. The licensing calculation is also very good and no manual effort is required.

Which other solutions did I evaluate?

We evaluated other tools like Rapid7, Qualys, and AWS native security tools, as well as Azure native security tools.

What other advice do I have?

It's a very strong solution for cloud security posture management and very effective for large and mid-size environments. Any organization moving towards the cloud would benefit from this.  

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Chris Dagal
Senior Consultant at a tech services company with 11-50 employees
Consultant
Top 10
Streamlines visibility of cloud environments to make management easy

Pros and Cons

  • "Checkpoint posture management gives you visibility across your entire cloud infrastructure, so it helps you with management, maintenance, and compliance. With visibility across all these cloud platforms, you can protect against compromised credentials or identity theft."
  • "I would like to see improvements in the vulnerability assessments in terms of how the solution discovers vulnerabilities or compromised workloads. Also, customizable reports would be nice."

What is our primary use case?

It is a good tool for a large enterprise operating across multiple cloud environments, like AWS, Azure, or a hybrid infrastructure. Check Point posture management gives you visibility across your entire cloud infrastructure, so it helps you with management, maintenance, and compliance. With visibility across all these cloud platforms, you can protect against compromised credentials or identity theft. 

What is most valuable?

The assessment history lets you test each environment for each rule you set. You can see if the security tests have passed or failed, then plan a roadmap ahead on how to strengthen your security to defend against attacks on your cloud environment.

What needs improvement?

I would be great to have additional features when it comes to vulnerability assessments in terms of how the solution discovers vulnerabilities or compromised workloads and not just on security configurations with customizable reports would be nice. 

For how long have I used the solution?

I'm a system integrator and a managed service provider. I've been using CloudGuard for a couple of years.

What do I think about the stability of the solution?

So far it works and we've had no major issues with stability. When it comes to managing clouds or gaining visibility, generating, or scanning different cloud environments, it meets all the requirements, especially if you're going through a specific compliance audit.

What do I think about the scalability of the solution?

When it comes to scaling up, it's very easy to just add licenses. But to prior implementing this solution, you need to have a good accounting of all your assets to onboard on this platform. CloudGuard is good for bigger, more complex cloud infrastructures. But if you have only one cloud infrastructure, I don't think you will see much advantage over other cloud posture management. That's why this is useful mainly for bigger enterprises with multiple cloud instances and different cloud environment providers. 

How are customer service and technical support?

So far, they've met all the service-level agreements (SLAs) with no delay. When it comes to Check Point, they have local distributors to provide level one or level two support. For level two or level three, it will go directly to the Check Point support. And I think that's how their SLAs work. The first line of their support should be local. If it cannot be handled locally, it goes global Check Point support. 

How would you rate customer service and technical support?

Positive

How was the initial setup?

Setup is usually simple. It's not hard to implement it and gain visibility across two or more cloud infrastructures. It's quite fast. As long as you have the right number of assets, workloads, and applications for each cloud environment, you can easily deploy CloudGuard.

What was our ROI?

In terms of pricing, it's in the middle but more on the high side. It's not steep. However, I think the price is right for its functionality and the value you get from it when you're managing multiple clouds. It solves a lot of your compliance problems.

What's my experience with pricing, setup cost, and licensing?

The licensing model is based on the size of your cloud infrastructure. So to estimate what you will pay, you need to count each and every asset. And when I say assets, that means every application, database, server, or virtual network on your cloud infrastructure. 

I'd like to see more flexibility in their licensing model. It's based on assets, but we all know that assets keep on growing. I would recommend a flexible, upgradeable license, so when you add assets, they can easily bill you or upgrade you.

What other advice do I have?

I rate CloudGuard a nine out of 10.

I recommend CloudGuard posture management for anyone who needs to take control of multiple cloud environments. It streamlines visibility, so this is the right tool if you are trying to meet a specific compliance standard or you're managing hundreds or thousands of servers within your cloud environment. It unifies your cloud environment. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Product Categories
Cloud Workload Security
Buyer's Guide
Download our free Check Point CloudGuard Posture Management Report and get advice and tips from experienced pros sharing their opinions.