Security architecture proposal template

©2020 Check Point Software Technologies Ltd.All rights reserved
[Internal Use]for Check Pointemployees
PARTNER
LOGO SECURE YOUR EVERYTHING
1
Submitted to <CUSTOMER POC NAME>
Check Point Contacts <Name>,Territory Manager, <email>@checkpoint.com
<Name>,Security Engineer, <email>@checkpoint.com
Partner Contacts <Name>,Account Manager, <email>@<email>.com
<Name>,Security Engineer, <email>@<email>.com
<Date: 0000-00-00>
SECURITY PROPOSAL
FOR YOUR SECURITY ARCHITECTURE
A SECURITY ARCHITECTURE RECOMMENDATION
FOR <CUSTOMER NAME>

SECURITY PROPOSAL
©2020 Check Point Softw are Technologies Ltd. Allrights reserved Q2|20
[Internal Use] for Check Point employees
2
Dear customer,
Today’s world offers almost endless new technologies, with innovations and exciting new products being developed each and
every day. What makes some of these vendors stand out above all the rest is what lies beyond technology itself. It is the
ability to create and to give real value for you.
This mission is what stands in front of every single member of the Check Point family. We and our partners are here for you, to
make sure that your business is secure with the most effective technologies. We are here to make sure that you can use any
architecture and IT tool that support your business,knowing that it is secure.
We will be there with you every step of the way, from planning to deployment and operation of our technologies, so that you
can provide the best products and the most amazing services to your customers.
Above and beyond technology, Check Point’s security experts are devoted to the success of your business.
Enclosed you will find our security proposal. We await your feedback and look forward to our upcoming discussions.
The future is now. Let’s gear up for it together!
Bestregards,
Dan Yerushalmi
Chief Customer Officer
Check Point Software Technologies
SECURE YOUR EVERYTHING

SECURITY PROPOSAL
3
TABLE OF CONTENTS
1. Executive Summary………………………………………………………………….……........................................……...4
2. Security Recommendation for <Customer Name>
2.1 Recommendation Principles ………………………………………………………………………………. 5
2.2 Solution Architecture ……………………………………………………………………………………….. 7
2.3 Business Offer ………………………………………………………………………………………………. 8
3. Appendix A
3.1 10 Facts About Check Point …………………………………………………………………………..... 10
3.2 Why Check Point– top 4 differentiators….……………………………………………………………. 11
3.3 The Need for Cloud Security ……….……………………………………………………………………. 12
3.4 The Need for Mobile Security …….…………………………………………………………..………….. 13
3.5 The Need for SD-WAN Security….……………………………………………………………..………….. 14
3.6 The Need for SaaS Security.. …………………………………………………………………..………….. 15
3.7 The Need for Zero Trust Security………………………………………………………………..………….. 16
3.8 Design Patterns for enterprise networks……………………………………………………..………….. 17

SECURITY PROPOSAL
4
1. EXECUTIVE SUMMARY
Security changes every day: new emerging parts ofour systems like cloud,mobile and IoTneed to be protected as hackers
continue to develop new methods and techniques.
Security is the fastestevolving area in IT; there are so manyvendors out there, so many pointproducts, making it very difficultto
keep up with the manynew needs and new solutions.
It is hard not to question the basics and ask,“Am I doing the right things?”
Our advice is not to startwith the solutions,butfirstwith defining the principles and guidelines we would l ike our securityto
follow:
1. Effective Security - The only reason to buy and implementsecuritytechnologyis to be secure.Security systems must
detect both known and unknown threats and PREVENT them in real time.Simply blocking threats before they cause
harm to your digital assets eliminates the need to deal with recovery and remediation.
2. Security Everywhere – As we are only as strong as our weakestlink,we need Security Architecture that protects us
everywhere – on our network,cloud, mobile,endpoints,IoTand more.
3. Efficient Security - Security is a very importantpartof enabling your business operations,butit is not the business
itself.Security needs mustbe managed bya smaller team,create a smaller footprinton your networks and systems and
deliver a greater return on your investment,all with unmatched operational efficiency.
At Check Point, we are driving the next generation of security. Both attacks and securityhave advanced greatly in the last 25
years and looking back,we can see specific generations ofadvancements. Today we are in the 5th and 6th generation of
attacks. These are large scale,multi-vector attacks that inflictcolossal damage on business and reputation. Unfortunatelymost
businesses securitylevel is generationallybehind. They are trying to protect their 2020 IT environments against2020 attack
technologywith circa 2000-securitytechnologythat is mostlydetect-only! It does notwork. Specifically, mostbusiness’ only
have 2nd and 3rd generation securitydeployed which only protect againstviruses,application attacks and payload delivery –
and cannot protect todays 5th
& 6th generations major attacks.Obviously threat techniques and IT environments are
advancing rapidly and the hard fact is that business’ securitylevel cannotbe behind. Businesses’ securitylevel mustkeep up
with the level of attacks - which today are more violent, impactful and target all IT vectors. Our solution is 5th generation security
that prevents all generations ofthreats. An advanced threat prevention solution thatprotects all networks,virtual, multi-cloud,
remote office and mobile operations of a business againstall the attacks known today, including 5th generation attacks. This is
what we’ve built. It is called Check Point Infinity NEXT.
WHAT IS CHECK POINT INFINITY NEXT
Check Point Infinity NEXT is the first cyber security architecture consolidated securityacross networks,cloud and mobile,providing
the highestlevel of threat prevention againstboth known and unknown targeted attacks to keep you protected now and in the future.
Check Point Infinity NEXT leverages unified threat intelligence and open interfaces,enabling all environments to stayprotected
againsttargeted attacks.Unlike other solutions,Check Pointbelieves in a preemptive threat prevention strategy, focused on
prevention rather than detection only, to block the mostsophisticated attacks before they occur.

SECURITY PROPOSAL
5
2. Security Recommendation for <Customer NAME>
2.1. RECOMMENDATION PRINCIPLES
Check Point Infinity is the only fully-unified cyber security architecture that future-proofs your business and IT infrastructure
across all networks,cloud and mobile.The architecture is designed to resolve the complexities ofgrowing connectivity and i n-
efficient security. It provides complete threatprevention which seals securitygaps,enables automatic,im mediate threat
intelligence sharing across all securityenvironments,and a consolidated securitymanagementfor an utmostefficientsecurity
operation.Check Point Infinity delivers unprecedented protection againstcurrentand potential attacks —today and in the future.
Below are the core building blocks ofthe Infinity architecture
Uncompromised security- It Is All about Prevention
With Check Point, you can achieve uncompromised security by preventing breaches before they happen:
 Prevention of unknown malware in real time—notafter an
hour, a minute or a second
 Industry-leading catch-rate of threats with patented CPU-
level threat prevention that surpasses
the competition
 Swift resolution ofvulnerabilities ata rate that is
unmatched.Unlike competitors thattake weeks,and
months to resolve recent flaws,Check Point resolves
issues in mere days
Response time in days to patch new vulnerabilities source:tiny.cc/rightarchitecture
Robust Architecture
Wherever network and data reside,Check Point’s award-winning
solutions offer complete security:
 East-west,north-south protection
 Public cloud or private cloud
 Data center, headquarters,branch,or mobile workforce
 Data stored locallyor in the cloud
 Endpoint,IoT, Workloads
Check Point’s Infinity architecture
Unmatched Operational Efficiency
Operational Efficiency – Gartner calls Check Point the “gold standard” for its unified managementand event correlation.
 Check Point offers control and insightof multiple layers ofsecurity and enforcementpoints,regardless oftheir location
(international,data center, public cloud,private cloud, mobile).
 Check Point managementrequires halfthe headcountper year than the competition,which frees up resources to focus
on other priorities.
 Role-based & Concurrent Administration – Infinity powered by R80 enables several administrators to work in parallel
on the same securitypolicy, while offering a very granular and flexible privilege delegation to each administrator
 Multiple administrators can log-in and work in read-write mode on the same securitypolicy withoutinterrupting each
other’s work.
 Secured Automation and Orchestration (CLI & API)- A complete CLI& API interface for securitymanagement
enables full integration with 3rd party systems and automation ofdaily operations.Automation and SmartConsole
managementoperations are allowed based on the same privilege profile.
EFFECTIVE
EVERYWHERE
EFFICIENT

SECURITY PROPOSAL
6
2.2 SOLUTIONBUILDING BLOCKS
Input Network/Solution diagram here, with descriptive items . Below see a sample Diagram that you can add descriptions to:
Below you can find 11 samples ofcommon customer challenges & desired outcomes with recommendation
You can pick/modify the ones most relevant. For more customer challenges “Software Defined Protection (SDP)” page @
https://www.checkpoint.com/products-solutions/software-defined-protection-sdp/
 Lack of Application and Malware Visibility: The existing environmentat <Customer NAME> lacks the ability to identify
and block “Outbound Unfiltered” traffic. Lack of visibility into this traffic allows data exfiltration events and malware
compromised hosts to egress the environmentin an unobstructed fashion.
 Recommendation: Consolidation ofApplication Control and Anti-Bot technologies within <CUSTOMER Name> on
all outbound egress environments will drasticallyimprove visibilityon outbound unfiltered traffic, with little
operational impact.Implementation ofthe attached proposal will increase infrastructure stability,reduce operational
costthrough security consolidation and reduce time to diagnose securityevents.
 Consolidation of Internet Access Solutions: <Customer NAME> currently leverages several pointsolutions which allow
users to use the Internet safely. Individual departments utilize BlueCoatproxies to filter access to specific websites based on
their own policies while ITtakes a threat-focused approach,utilizing Cisco and FireEye to perform these tasks.These tools
can perform overlapping functions,increasing operational costand reducing securityefficiency and visibility. Considering the
growth in sophistication and volume ofattacks within the threat landscape,itis critical for <Customer NAME> to address this
challenge.
 Recommendation: Consolidate these functions to increase the qualityof securityeffectiveness that can be
achieved through integrated protection sets across the environment.
 Improve Perimeter Controls: <Customer NAME> has limited visibilityand operational capabilities around incoming or
propagating threats.Check PointIPS and Anti-Virus are in use.IPS signatures are updated approximatelymonthlyand set
to detect mode.,there is a need to improve perimeter controls againstmodern threats
 Recommendation: Deploying next generation threatprevention controls protecting key segmentation points in the
network and that can automaticallyleverage the latestthreat information will significantly mitigate this risk.Adding
additional threatprevention controls such as zero-day malware prevention tools and Anti-Bot will improve overall
security posture.Application Control and URL Filtering will provide additional visibilityand provide ability to whitelist
access to specific applications.Updating IPS signatures automaticallywill ensure visibilityof latestthreats.
 Email is a common entry pointfor malware. <Customer NAME>’s recentmove to Office 365 does not eliminate this threat
as Microsoft is only able to block known malware,even with its Advanced Threat Prevention offering.
 Recommendation: A solution thatintegrates with Office 365 that can block both known and unknown zero-day
malware withoutimpacting user experience is highlyrecommended to mitigate this threat.
 Extranet Firewall “sprawl” has created operational burden within <Customer NAME> More specifically,the organic growth
of this environmentcentered around individual device deployments to supportadditional Partners comes atthe costof:
1. Limited elastic utilization ofresources
2. Increased physical footprint
3. Slowed time to delivery for growth as partner implementations evolve
 Recommendation: Leverage a single (or 2) cluster(s) oflarger,highly scalable SecurityGateways to
accommodate elastic growth and utilization of various virtualized Partner firewalls. The resulting implementation
will allow for drasticallyreduced time-to-deliveryfor new virtual FW’s as well as reduced physical footprintand
increased performance optimization.
 Encrypted Traffic: <Customer NAME> has Limited visibilityinto SSL/TLS encrypted connections,limiting effectiveness of
other securitycontrols.
 Recommendation: Enabling deep inspection ofthis traffic, either with external hardware or on existing perimeter
gateways,is recommended.
 Business Data Classification: <Customer NAME> has no defined data classification strategy.Data is in many locations,
some onsite,some in cloud services,with minimal controls in place to control access and protectdata a t restand in motion.
 Recommendation: Create a data classification strategyand Iadd controls to protect data at restand in motion,
such as full disk encryption, media protection,port protection,documentsecurity,and data loss prevention
controls.
 Cloud Infrastructure on Demand is a clear priority. Security around cloud based deliverables has been limited within
<Customer NAME> up to this point.
 Recommendation: Due to the speed with which <Customer NAME> is looking to adoptCloud-centric deliverables
(Network and Computer Virtualization,Orchestration and Self-Service functionality), the attached proposal outlines
the technologies and process to achieve increased service and application deliveryfor the relevant <Customer

SECURITY PROPOSAL
7
NAME> teams while providing optimized operations around <Customer NAME> existing NSX infrastructure,
Orchestration tools,Public cloud integrations (Salesforce,etc.)
 Mobile Security: <Customer NAME> uses AirWatch MDM for 25 iPhones (fullycounty controlled) and will expand to
additional users.2,000 BYOD using ActiveSync. ActiveSync does not protect data nor monitor devices for threats.
 Recommendation:A containerized email solution will protectthe email data on the device and a mobile threat
prevention solution can ensure BYOD devices do not contain threats.
 Endpoint: <Customer NAME> owns several differentendpointcontrols from differentvendors that are used for anti-
malware and to protect data at rest.These controls provide limited protection againstzero-day malware.
 Recommendation: Add controls that address this threat.Consider consolidating vendors used for endpoint
controls to lower costand simplifymanagement. Also,remove administrative permissions from mostend users,
which can be used to uninstall endpointsecuritycontrols and install malicious software.
 Identity Awareness:<Customer NAME>Security policies are defined by IP address and/or subnet.There are potential
regulatory compliance issues with nothaving strong correlation between users and their activities.
 Recommendation: Implementing IdentityAwareness and using User Roles in the securitypolicy will lower
operational costand improve operational efficiency,particularlyin the disaster recovery scenario.If needed (e.g.
for elected officials),some IP ranges and names can be excluded.
1. For more reference architectures and design patterns see Appendix A (click to view)– Enterprise security Design
patterns for:
2. INTERNET ACCESS (PERIMETER) (click to view)
3. DATA CENTERS (click to view)
4. CLOUD (click to view)
5. MOBILE (click to view)

SECURITY PROPOSAL
8
2.3 BUSINESS OFFER AND TIMELINES
Preventing the next cyber-attack is a possible mission.Check Pointhas the mostadvanced technologies and threatprevention
solutions for the entire IT infrastructure.Check PointInfinity architecture unifies the entire IT security, providing real -time shared
threat intelligence and a preemptive protection—all managed bya single,consolidated console.Future-proofyour business and
ensure business continuitywith the architecture that keeps you protected againstany threat, anytime and anywhere.
Check Point continually creates new cyber security protections with a multi-layered set of capabilities, to preemptively protect
against the most sophisticated known and unknown threats. The preemptive approach prevents cyber-attacks from penetrating
the network, saving time and the costs associated with remediating the damages.
Check Point’s advanced setofprotections,led bythe SandBlastproductfamily,blocks both knownand zero -day,unknown threats.
With over 30 different innovative technologies,the SandBlastfamilyof solutions adds additiona l prevention capabilities across all
environments.
• Network based threat prevention for security gateways, with best-in-class IPS, AV, post-infection BOT prevention, network
Sandboxing (threat emulation) and malware sanitation with Threat Extraction.
• SandBlastAgent endpointdetection and response solution with forensics,anti-ransomware,AV, post-infection BOT prevention
and Sandboxing on the endpoint.
• SandBlast Mobile advanced threat prevention for mobile devices provides a complete mobile security solution that protects
devices from threats on the device (OS), in apps,and in the network,and delivers the industry’s highestthreatcatch rate for
iOS and Android.
• SandBlastfor Office365 cloud,part of Check Point’s cloud securityofferings
ATTACH HERE PARTNER PRICING QUOTATION.
Sample Timelines & milestones:
See below a proposed theoretical projectplan around deliveryof the outcome.Specifically,in alignmentwith the customer
projectrequirements,we should detail whatsteps we will deliver over each month/quarter associated with completion ofthe
project.
For example,in the case of a refresh,upgrade or technologyconsolidation,something like this:
Q2 2020
• Architecture/policy review
o Resources:Account team,Partner, ABC Co. Architecture and Operations teams.
• R80.10 certification
o Resources:SE, Partner, ABC Co. Operations teams.
• Policy conversion
o Resources:PS, LCMS
• Training
o Resources:Account team,PS, Partner
Q2 2020
• Consolidate ThreatManagementplatforms
o Resources:Account team,PS, Partner, ABC Co. Architecture and Operations teams.
• Pilot deployments in monitor mode
o Resources:PS, Partner, ABC Co. Architecture and Operations teams.
• Production Rollout
o Resources:PS, Operations teams.

SECURITY PROPOSAL
9
3. APPENDIX A
3.1. 10 FACTSABOUT CHECK POINT
1
COMMITMENT TO CUSTOMER SUCCESS: To ensure our customers are always provided with tools
and services for planning and securitysuccess,Check Pointoffers:
 24x7 international support
 Dedicated local resources
 Complimentarysecuritycheck-ups
 Lifecycle managementprograms
 Incident response team
2 LEADER in Gartner Magic Quadrantfor Network Firewalls since 1997
3 LEADER in Gartner Magic Quadrantfor UTM Firewalls 6 years in a row
4 LEADER in Gartner Magic Quadrantfor Mobile Data Protection 9 years in a row
5
ONLY VENDOR to receive over 20 consecutive NSS Labs “Recommended” ratings since 2011 in
Firewalls,Next-Generation Firewalls,Intrusion Prevention Systems, Breach Detection and Prevention
Systems and Advanced EndpointProtection
6 BEST ManagementLabor TCO for Next-Generation Firewalls according to NSS Labs
7 LEADER in the Forrester Wave™ EndpointSecurity Suites
8 LEADER in the Forrester Wave™ Automated Malware Analysis
9 BEST Miercom-rated Overall Detection of Advanced Evasion Techniques and Advanced Threat Malware
(99.9%)
10 BEST Small and Medium Enterprises (SME) Security Solution,Network World “Clear-Choice”

SECURITY PROPOSAL
10
3.2. WHY CHECK POINT – TOP 4 DIFFERENTIATORS
Check Point is committed to providing solutions that provide the best security for customers’ digital
information. Our solutions have a robust architecture that provides uncompromised security and
unparalleled operational efficiency. Below, find four proof points that demonstrate our leadership, based
on publicly verifiable information. (For more information visit http://tiny.cc/rightarchitecture)
1
OPERATIONAL
SECURITY
MOST EFFICIENT
SECURITY
MANAGEMENT
2
INNOVATION
MOST VISIONARY
AND UNIQUE
TECHNOLOGIES TO
PREVENT THREATS
3
PROVEN TRACK
RECORD OF
SECURITY
EXCELLENCE
THE ONLYVENDOR
WITH CONSISTENT
THIRD-PARTY
“RECOMMENDED”
RATINGS
4
AN EXTREME SENSE
OF URGENCY
THE MOST SECURE
ARCHITECTURE &
FASTEST RESPONSE
TIME TO
VULNERABILITIES

SECURITY PROPOSAL
11
3.3 THENEED FOR CLOUDSECURITY
Market estimates cloud data centers will process more than 86 percent
of IT workloads by 2019. According to RightScale, 95 percent of
businesses already employ hybrid cloud platforms, using 3 public clouds
and 3 private clouds on average.
In virtualized or software-defined networks deployed in private cloud
environments, up to 80 percent of the traffic travels east-west.
Furthermore, virtualized applications can migrate among host servers as
resource usage changes. Under these conditions, the majority of
traffic entirely bypasses the perimeter security gateway.
Therefore, to maintain IT security in public and private clouds, it is helpful to
think about segmenting your network and applications by using the same
security capabilities as physical gateways, but with the addition of flexible
support for software-defined micro-segmentation which can be centrally
managed. High visibility of applications is also critical for securing cloud
based services traveling in new directions because of cloud platforms and
domains.
Check Point CloudGuard protects assets in the hybrid cloud, both private
and public, as well as SaaS applications from the mostsophisticated threats
with dynamic scalability, Compliance, IAM security, Anti tampering,
intelligent provisioning, and consistent control across physical and virtual
networks. This ensures you can embrace the cloud with confidence.
Today, Check Point leads the market in cloud security threat prevention by
offering modern day data center infrastructure with the mostadvanced
security protections against malware and zero-day attacks. Check Point
hybrid cloud security supports all the leading public clouds such as Amazon AWS, Microsoft Azure and Google Cloud, as well
as leading private cloud hypervisors like VMware NSX, Cisco ACI and OpenStack. Check Point holds the industry’s best
catch-rate and the fastest response time to new vulnerabilities.
As the IT environment continues to evolve, Check Point helps you to simplify, consolidate, and reduce the securi ty footprint in
your network. This enables streamlined and efficient operations with a single, unified management that is lauded for its
unparalleled vision and ability to execute.
CloudGuard Cloud security infrastructure support
THE WORLD IS MOVING TO
HYBRID CLOUD.
IT IS ESSENTIAL TO MAINTAIN THE
SAME LEVEL OF CONTROL AND
VISABILTY WHILE DOING SO.
KEEP THE SAME POLICY AND
LOGGING ACROSS ALL
ENVIRONMENTS

SECURITY PROPOSAL
12
3.4. THE NEED FOR MOBILE SECURITY
Mobile devices use is on the rise and allow for increased business
productivity. Mobile devices also present a new and growing vector for
threats that can compromise networks and business data. Balancing security,
usability, and user privacy is key.
For many enterprises, mobile security is a double-edged sword. On the one
hand, enterprises and users want both the increased productivity of mobile
devices and protection while accessing company information. But on the
other hand, no one likes the idea of unilateral restrictions, nor the thought
that they are being watched.
Accurate threat detection and efficient response are critical to prevent
advanced attacks on smartphones and tablets
Only solutions that analyze behavior across all three vectors for indicators of
attack can protect mobile devices effectively. Check Point Sandblast Mobile
identifies threats using on-device, network- and cloud-based algorithms. In the
process, it triggers automatic defense responses that keep mobile devices
and the data on them protected.
To protect user privacy, Check Point SandBlast Mobile never views content or
files. Instead, it examines critical risk indicators found in the anonymized data
it collects. Some analysis is performed on the device while other, more
resource-intensive analysis is performed in the cloud. This approach
minimizes any impact to device performance and battery life without changing
the end-user experience.
SandBlast Mobile 3.0 management dashboard and app UI
WE ARE ALL USING MOBILE
DEVICES, THOSE DEVICES
BEACOME BACKDOORS TO OUR
NETWORKS.
THERE ARE MORE AND MORE
MOBILE MALWARE OUT THERE.
WE NEED TO PROTECT OUR
MOBILE DEVICES

SECURITY PROPOSAL
13
3.5 THENEED FOR BRANCH OFFICE & SD-WAN SECURITY
As enterprises rapidly move their data centers to the cloud, backhauling the traffic to the hub site and using the centralized
Internet breakout there, may not be the best option in terms of cost and/or latency for users in branch offices wanting to
access the cloud. Replacing the VPN or MPLS routers in branch offices with an SD-WAN device, typically means that all traffic
is no longer routed to the hub site and the branches will almost always get local Internet access (although this depends on t he
policy). Connecting branch offices directly to the Internet significantly increases their security risk, and security management
costs. Branches are also no longer protected by centralized data center security, which exposes them and the enterprise WAN
to sophisticated multi-vector Gen V cyber-attacks. To combat this issue, enterprises can deploy traditional security gateway
appliances in all branch offices to protect Internet traffic. Although this approach will provide the maximum security for all
branches, it can be very costly. Moreover, some locations may not have the local IT resources to provide them with ongoing
support. Enterprises therefore need additional security solutions that can be quickly deployed across all branch offices, are
always up to date with the latest security, and can be seamlesslyintegrated with existing routers or SD-WAN solutions.
Check Point CloudGuard Connect and CloudGuard Edge transform branch SD-WAN Security with the industry’s leading threat
prevention, flexibility to deploy in the Cloud or On-Premise, and a unified threat managementplatform that can reduce
operational expenses up to 40%, With:
•Always up-to-date threat prevention security
•Real-time Threat Intelligence protects from latest Zero-Day and Gen V cyber attacks
• Automated deployment for consistent security across thousands of branches
•Elastic, Scalable with Low latency connection with global presence
• APIs automate on-boarding new sites
•GRE or IPsec tunnels ensure privacy
•Redundant links ensure 99.999% uptime
Check Point SD-WAN Security Offering

SECURITY PROPOSAL
14
3.6 THENEED FOR SAAS SECURITY
Software-as-a-Service (SaaS) has evolved from simple email platforms designed for the everyday user, to targeting
organizations of all sizes, who have realized the benefits that these applications offer, and have adopted them for corporate
use. According to Forbes, 70% of enterprises have adopted cloud applications, making SaaS a norm for modern businesses.
SaaS adoption allows organizations to incorporate everything from cloud-based finance apps to full office suites, into their
daily operations. It is now even possible to run an entire business via SaaS apps.
This is a paradigm shift from the days of hosting services in data-centers, dealing with support, licensing and uptime, to
organizations now having a better experience though subscription based SaaS apps. The change should also be reflected in
the way security is approached, i.e. moving away from a network-centric approach to API-driven security, as will be discussed
below. As is often the case with the adoption of new solutions, some very serious secu rity questions will become apparent
when the time comes to consider how the organization will use SaaS applications. For example: where does data reside when
stored in SaaS apps and how secure is the SaaS app platform from abuse? What drives an organizatio n to adopt SaaS apps?
As with all architectural practices, it should be made clear why an organization would be motivated to use SaaS apps.
Understanding the context in which decisions are being made will help to secure the design, make it aligned with the
business’s requirements and means,and justify each solution that is deployed. Adopting new technology and incorporating it
into an established system, through the use of SaaS products, may prove to have the following benefits:
 Cost – SaaS applications are often more cost-effective than in-house deployments. The applications offer the chance to
move more operational costs from CAPEX to OPEX, and cut back on the license, support and infrastructure costs.
 Mobility – SaaS applications are by nature accessible from any location, which is an imperative point for organizations that
have a contingent of employees working remotely. Allowing users to, for example, access platforms such as Salesforce
while on the road, is crucial for modern enterprises.
 Availability – SaaS applications are conveniently cloud native, meaning that users can take advantage of the cloud’s
inherent high-availability, no matter where in the world they may be.
 Agility – SaaS platforms allow organizations to work in a more agile manner as they are easily adaptable to suit any
business type i.e. the integration of Salesforce into O365.
 Security – Organizations often perceive SaaS applications as inherently secure i.e. that the SaaS provider is responsible.
This can be seen as reducing the workload on already over-burdened security teams and shift responsibility to the SaaS
application providers.
 Support– Modern SaaS apps are often only available online, where they receive constant technical updates from their
development teams. Organizations adopting SaaS apps can divest themselves from the need to support and maintain
similar in-house platforms.
 Zero-Trust – Moving security into the application i.e. away from in-line traffic inspection, and using identity as part of the
security enforcement, aligns with a Zero-Trust architectural methodology.
Check Point CloudGuard SaaS

SECURITY PROPOSAL
15
3.7 THENEED FOR ZERO TRUST SECURITY
In today’s digital, cloud,distributed,and mobile work environment,there is no “inside the security perimeter,” because the
perimeter is everywhere. This new reality has dire implications for cybersecurity,with an attack surface that has never been
greater, and with cybercriminals who have become acutelyadeptat exploiting this new reality. The key to overcoming the
challenge of“perimeter everywhere” is Zero TrustSecurity, a security model thatis driven by the precepts of never trusting
anything outside nor inside the organization’s securityperimeters.In this guide,we will cover the seven principles ofthe Zero
Trust securitymodel and share the bestpractices,methodologies,and technologies thatenable its effective implementation.
There is no doubt – the modern workplace is undergoing a revolution thatbrings profound implications to cybersecurity. Namely,
the workspace is dynamic and roaming,the move to the cloud is accelerating,there is a broad proliferation ofIoT-connected
devices,and the workforce has never been more diverse – with partners,customers,and freelancers connecting more and more
to the corporate network. What this means for securityis that long gone are the days of contained network infrastructure and a
well-defined securityperimeter,where all enterprise data rests,moves,and is consumed within the perimeter.To complicate
matters,even more,cybercriminals have never been more successful atpenetrating and moving laterallywithin the security
perimeter.Once inside,they collect valuable and sensitive data and can do so for months before being detected.
The new security paradigm is “Zero Trust,” a securitymodel that constitutes a more data-centric and identity aware approach
that is designed to handle the new challenges ofour “perimeter-everywhere” world.Zero Trustis driven by the precepts ofnever
trusting anything inside nor outside the organization’s securityperimeters.Rather,before access is granted,anything and
everything that is attempting to connectto an organization’s systems mustalways be verified.With Zero Trust, the security team
puts policies in place to validate every connection attemptand every device, and to intelligentlylimitaccess.
The Check Point Infinity security architecture enables organizations to fully implementall ofthe Zero Trustprinciples.Focused
on threat prevention and centrally managed through a centralized securityconsole,itempowers Zero Trustimplementations with
unparalleled securityand efficiency.

SECURITY PROPOSAL
16
3.8DESIGN PATTERNS FORENTERPRISE NETWORKS
A design pattern is a general reusable solution to a commonly occurring problem within a given context. The design
patterns described in the subsequentsections are common to most organizations and can serve as the basis for defining
enterprise security architecture. Each organization creates segmentation templates for distinct types of data processing
entities or sites. These templates are then instantiated with site-specific systems and applications and can be tailored for
different business units. The Figure below depicts an example of an enterprise that has defined site templates for several
types of sites and services. In the sections that follow, segmentation principles are explained for different design patterns
including: Internet access (Perimeter), Data Center, Cloud and Mobile .Suggested protections are provided for each
segmentation design pattern. For more design patterns refer to https://www.checkpoint.com/downloads/product-
related/Ebook/Software-defined%20Protection(2).pdf
Enterprise design pattern site templates

SECURITY PROPOSAL
17
3.8.1 DESIGN PATTERN: INTERNET ACCESS (PERIMETER)
An Internet Access segment consists of network elements that support outbound interactions from an enterprise site to
external entities via the Internet. Note that all inbound interactions should be handled via a Controlled Sharing (DMZ)
segment.
Internet Access design pattern
GENERAL GUIDELINES
 The security profile for an Internet Access segmentis equivalent to that of the Internet. In other words, strict
controls should be placed on all interactions with this segment
 Outbound interactions are initiated by clients within the enterprise.Once initiated,these interactions will allow bi-
directional data flow. Controls should be selected to prevent users from interacting with known or suspected malicious
entities and to protect internal assets from attacks over this vector
 Special consideration should be given to domain name resolution (DNS) as maliciouslycrafted DNS responses can
deceive internal assets into interacting with malicious entities on the Internet or allowing C&C interactions with
compromised internal hosts.DNS tunneling is often used to bypass Access Controls
 GuestWi-Fi networks will often be connected to the Internet Access segmentto allow guests to connectto the Internet,
but with no access to internal assets.Depending on the enterprise securitypolicy, the introduction of an enforcement
pointbetween guests and the Internet may be appropriate for guestassetprotection and securitypolicy enforcement
 If a proxy server is used for caching or for other functions,it should be placed in a DMZ to protect the internal network
againstpotential attacks from the Internet on the proxy server itselfand to provide an enforcementpointthat sees
network interactions as transmitted by the user before aggregation by the proxy
PROTECTIONS
The following securitycontrols are typical for the Internet Access design pattern:
Inbound Access Control
 Firewall prevents attacks from the Internet
 IPS enforces protocol and data compliance Outbound
Outbound Access Control
 Firewall allows authorized outbound interactions.Application control prevents access to known malicious sites and use
of applications associated with malware and data loss
 Network Address Translation (NAT) provides information hiding
Pre-infection Threat Prevention
 IPS blocks exploitation ofknown application vulnerabilities
 Anti-malware blocks exploitation ofdata-driven application vulnerabilities.Threatemulation is used to emulate
application behavior in order to identify and block malicious active content
 DoS protection blocks attempts to overload system resources
Post-infection Threat Prevention
 Interactions with bot C&C servers are blocked
Data Protection
 Data loss prevention controls block leakage ofclassified data to destinations outside ofthe organization

SECURITY PROPOSAL
18
3.8.2 DESIGN PATTERN: SERVERS (DATA CENTER)
The servers design pattern is typically used in data centers and medium -to-large offices. This design pattern describes the
collection of servers and supporting network equipment that provide services both internally and externally.
Data Center design pattern
GENERAL GUIDELINES
 Step 1: Each atomic segment contains server hosts and network elements that share a simple security profile that
is defined in relation to business objectives (system ownership, business owners, managementresponsibilities),
assets (information ownership, volume of information, service level), access (users, applications, operational
profile) and assurances (physical, host, network). For example, a messaging application and an ERP application
would be separated as they most likely have different security profiles
 Step 2: Hierarchical grouping is used to segmentareas ofthe data center that have distinctly differentsecurity profiles.
For example,some applications maybe authorized for access by a restricted setof users,others maybe used by any
user in the organization,still others may be intended for customer use only.Place applications thatare purposed for
specific business units in dedicated segments separated from those used enterprise-wide
 Step 3: Each segmentis protected using an enforcementpointatthe segmentboundary.By using VLANs, a single
security gateway appliance connected to a switch trunk interface can be used to provide protection for large numbe rs of
server segments.Where segmentseparation is impractical,on-hostsecuritycontrols can be configured to prevent
unauthorized interactions between servers with securitypolicyprofile differentials
PROTECTIONS
The following securitycontrols are typical for the Servers design pattern:
 Performs clientidentification and authentication in supportofthe Access Control rules at the security gateway or
application-level securitylayers, based on organizational identitymanagement infrastructure
 Enforces firewall securitypolicy authorizations based on whether the external client(e.g., user,host, program) is
authorized to access the server (e.g., host,service, application) according to clientand server identities
 Enforces application control policyauthorizations based on whether clientis authorized for specific application -level
requests (e.g.,insert,delete,upload)
 Enforces IPS protocol compliance checks for authorized interactions
 Enforces Firewall protection of shared infrastructure (e.g.,managementservers,network elements) from unauthorized
access originating from outside ofthe servers segments
 Firewall allows onlyauthorized outbound interactions based on clientand server identities and service request
 IPS blocks exploitation ofknown application vulnerabilities within the servers segmentboundary
 Interactions with bot C&C servers are blocked
Data Protection
 Prevents leakage ofsensitive information to unauthorized users,both external and internal
 Supports segmentation byestablishing trusted channels with interacting segments for distributed departmental server
segments or the public cloud

SECURITY PROPOSAL
19
3.8.3 DESIGN PATTERN: CLOUD
Cloud computing is used to achieve economies of scale and to leverage corporate computing, storage and networking
resources. A cloud environment is composed of large numbers of network-connected hosts that run virtual machine
hypervisors. Hypervisors provide an execution and virtual networking environment for multiple virtual machines. Cloud
computing may be provisioned for exclusive use by a single organization (private cloud), or it may be operated by a third
party servicing the general public or a specific user community (public cloud). A private cloud may also be implemented as
part of a servers segmentor on the Internet.
Cloud Access design pattern
GENERAL GUIDELINES
Segmentation and security controls for both private and public cloud computing resemble those used for physical networks
(see Servers design pattern above):
 Security gateways can be introduced on the physical network to segmentthe cloud into multiple distinctclouds thathost
applications ofa given security characteristic or ownership
 Virtual machines (VMs) can move freely within a cloud,but not between segmented clouds
 Within each cloud,virtual securitygateways can be integrated into the hypervisor or executed within their own VM to
control interactions between VMs. Both hypervisor-level and VM-level virtual securitygateways can be kept updated
using orchestration APIs to track VMs as they move within the cloud, enforcing a consistentsetof protections
 Security software running on the VMs’ hosting applications can provide fine-grained control for each hostas an atomic
element
 A trusted channel should be used to protect the communication path between the enterprise and the cloud.The channel
can also be used to assess user identity(e.g., using SAML credentials) based on user authentication credentials
PROTECTIONS
Cloud environments pose unique challenges for data protection because sensitive data may be processed and stored on multi-
tenant systems,as well as retained in VM images and virtual storage locations thatare dormantafter a VM moves to another
location.In addition,organizations often need to maintain control over the geographical location oftheir data. Data Protection
controls can be used to encrypt data to counter data access threats.

SECURITY PROPOSAL
20
3.8.4 DESIGN PATTERN: MOBILE
Users may need to access enterprise information systems while they are physically away from the organization’s
premises.Such access may be performed via laptops, mobile devices (e.g., smartphones and tablets) or from personal
computers that are beyond the organization’s control (e.g. home PCs or Internet kiosks). These devices pose unique
enterprise security challenges. All mobile devices are vulnerable to physical theft and physical access. While some
enterprises may distribute managed smartphones or tablets to their employees, the more popular trend nowadays is for
employees to use their personal mobile devices to access enterprise resources (i.e., Bring Your Own Device or BYOD
programs). Under this scenario, the enterprise has limited control. In addition, because mobile devices connect to public
networks, they are more susceptible to malware compared to workstations located within the enterprise network. Another
challenge with mobile devices is the diversity of existing platforms and operating systems. This diversity makes it hard to
develop generic enforcement points that can run all protection types on mobile devices, especially given that some of
these platforms provide limited processing and storage capabilities.
Mobile design pattern
GENERAL GUIDELINES
 Mobile devices are considered atomic segments and must be protected using on-device software. The device
connects over a trusted channel to a mobile access server hosted on a DMZ segment within an enterprise-
managed site
PROTECTIONS
The following securitycontrols are typical for the Mobile design pattern:
 Firewall restricts authorized network traffic on mobile devices to outbound interactions tunneled to mobile access server
 Multi-factor user authentication is used prior to granting access to enterprise assets
 Firewall allows authorized outbound interactions.Application control prevents access to known malicious sites and use
of applications associated with malware and data loss
 Network Address Translation (NAT) provides information hiding
 IPS blocks exploitation ofknown mobile application vulnerabilities
 Anti-malware blocks exploitation ofdata-driven application vulnerabilities.
 Cloud-based sandboxing is used to emulate application behavior in order to identify and block malicious active content
 Mobile device is scanned for malware
 Mobile access server detects attempted connections to bot C&C servers
 Containmentpolicies are enforced ifindicators ofcompromise are found
Data Protection
 VPN establishes trusted channels between mobile device and Mobile Access server
 Enterprise data stored or cached on the device is encrypted
 Remnantinformation is deleted on the mobile device upon termination ofthe user’s session with the Mobile Access
server

Security architecture proposal template

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Security architecture proposal template

Similar a Security architecture proposal template (20)

Más de Moti Sagey מוטי שגיא

Más de Moti Sagey מוטי שגיא (18)

Último

Último (20)

Security architecture proposal template