Please share with the community what you think needs improvement with Check Point CloudGuard Posture Management.
What are its weaknesses? What would you like to see changed in a future version?
Today, globally, there are many companies of all sizes that do not understand the value of their data, but even with all the existing clouds, they also do not understand what the shared responsibility model is. They only assume that by having a cloud, the provider must ensure security, when the truth is that providers only protect their sites. Everything we do in the cloud and how we configure it is actually our responsibility. In this sense, we can evaluate many solutions that help us protect our clouds; however, after trying 5 different solutions, the Check Point solution is by far the most complete.
I'd like to see improvements with the configuration.
The tool has a lot of potential, but today, it lacks a lot of Scripts/Bots for Azure. This is one of the main cloud providers, so it's imperative to make this a priority in order to bring a lot of value to this tool. The idea is to leverage Dome9 as the main central place for auto-remediation of all cloud environments so that customers don't have to spend a lot of time manually remediating. Manual remediation is very challenging once you have so many cloud accounts to support on a regular basis, and Dome9 can help do part of the job.
In Dome9, there should be a policy validation option where we can validate the policy before we push it into production. This option is very important, as we are working in a critical and complex environment. This option would give us more confidence in our activities or policy pushing. We could see the option is available for on-premises devices. Automatic remediation requires read/write access. Otherwise, overall this product is very good for our cloud environment, and we are satisfied with this.
The false positives can be annoying at times.
The biggest thing is the documentation aspect of Dome9 is a little lacking. They were purchased by Check Point about a year and a half to two years ago. When they integrated into Check Point's support system, a lot of the documentation that they had previously got mangled in the transition, e.g., linking to stuff on the Dome9 website that no longer exists. There are still a lot of spaces with incomplete links and stuff that is not as fully explained as it could be. However, the product itself is really easy to use, so there is not too much of an issue with that. Also, it's not too hard to get on with the actual Check Point support to go over this stuff.
The accuracy of its remediation is a 7.5 out of 10. Before, I would have given it a ten but now, to handle remediation for fully qualified domain names, it's not working as it did in the past. We're finding some difficulties there. Also, as soon as Check Point took over the solution, the feature that identifies and creates security groups based on fully qualified domain names, instead of IP addresses, was degraded.
The main issue that we found with Dome9 is that we have a default rule set with better recommendations that we want to use. So, you do a clone of that rule set, then you do some tweaks and customizations, but there is a problem. When they activate the default rule set with the recommendations and new security measures, it doesn't apply the new security measures to your cloned profile. Therefore, you need to clone the profile again. We are already writing a report to Check Point. I think they have a solution to this issue.
We were demotivated by the lack of native automation modules for the Terraform and Ansible tools. We think that in the era of the DevOps approach and practices, all the new products need to be released with such support, mandatorily. In addition, we also hope that Dome9 will eventually support the other public cloud platforms, like Alibaba, since we are planning to expand to the Asian market. Alibaba is the big player in this region due to the fact that Google Cloud and AWS are almost banned.
* Policy validation should be available before it is deployed in a production environment using a cloud template.
* Automatic remediation requires read/write access. When providing read/write access to third-party applications, this can add risk. It should have some options of triggering API calls to the cloud platform, which in turn, can make the required changes.
* A number of security rules need to be added in order to identify more issues.
* The reporting should have more options. The reports should be more granular.
* It should support all container platforms, such as PCF, for visibility of the complete infrastructure in a single console.
1) A greater number of security policies, to have a greater number of detections.
2) It should capture more information in metadata, including communication detail. Also, internal IP addresses should not be tracked, as this might have some compliance issues.
3) Should have support for VMware Pivotal Cloud Foundry.
4) Should maintain configuration information, which will help in case forensics need to be performed in terms of changes.
5) Should allow policy to be deployed using a template, and the same should be reviewed before deployment. This will help us to provide secure deployment CI/CD.
Dome9 should also support deployments that are on-premises and in a hybrid cloud. This solution needs DLP support.
Integration with other security tools would be of benefit. I would like to see some AI on the back-end, just to assist with doing analysis and making recommendations.
I would like to see Test B functions at the application access level.