Check Point CloudGuard CNAPP Reviews

The primary use case has been for auditing the cloud infrastructure in terms of security, because our company has been audited a lot of times. For the cloud, this is a tool that we use to audit the cloud environment. For example, all of the S3 buckets are encrypted to know if we don't have servers exposed to the Internet where they shouldn't be. This solution runs some compliance reports. That is why we use it.

We use it the most to check if things are complaint, because the compliancy checking is accurate.

On Dome9, you can have reports on compliance, users created, and EAM access to the cloud infrastructure. For example, if some machine is exposed to the Internet, importing and exporting to the Internet when it shouldn't, we get immediate alerts if someone does this type of configuration by mistake. Dome9 is very important because AWS doesn't protect us for this. It is the client's responsibility to make sure that we don't export things to the Internet. This solution helps us ensure that we comply with our security measures. 

We use the compliance rule set to run some reports on our infrastructure. According to the report, we know if we are secure or compliant with our security recommendations. We wanted a default security compliance toolset. So, we cloned it, then we did some customization of some security measures that we wanted. 

We run the compliance rule set report, then the InfoSec team receives that report. They go through it and see if we are compliant and need to do some security measures on some of it resources. It helps us towards visibility and security.

We use the solution to enable customizable governance using simple, readable language. We are not just stuck with the default rules set. If we think the security measures they recommend are not needed, then we can add some others instead, change them, or customize them.

We have full visibility of our cloud infrastructure in terms of compliance and security. For example, if someone has a machine that doesn't comply with the company policy, then we get an alert.

Security visibility is very good. Usually, when it's the security report, they match the reality and are correct, then they raise some alerts. Almost 100 percent of the time, we will need to do some tweaking to fix issues.

It is a very good tool for both cloud compliance and governance. We use it for both. We can monitor our entire cloud infrastructure. It provides reports on our security, then if we have to fix something in regards to the security, we can do it in a centralized tool. If you go to AWS and check each tool and server if it is compliant, then it's a mess, but this tool works. It is very simple for governance and reducing the risk.

The solution helps us to minimize attack surface and manage dynamic access. With Dome9, we are sure our machines are not exposed to the Internet. We have reports about users who access of our AWS accounts with the EAM function, which reduces our attack surface.

This solution provide a unified security solution across all major public clouds. We have all our infrastructure integrated on Dome9, so it provides us security on our entire cloud infrastructure, both AWS and Azure, which we are currently integrating. 

The main issue that we found with Dome9 is that we have a default rule set with better recommendations that we want to use. So, you do a clone of that rule set, then you do some tweaks and customizations, but there is a problem. When they activate the default rule set with the recommendations and new security measures, it doesn't apply the new security measures to your clones profile. Therefore, you need to clone the profile again. We are already writing a report to Check Point. I think they have solution to this issue.

We have been using it for approximately a year and a half.

It is very scalable since we only need to buy licenses for more protective items. However, the overall license is very protective.

Dome9 integrates security best practices and compliance regulations into the CI/CD, across cloud providers. We are also currently integrating our ancillary environment on the domain. At the moment, we have more than 500 servers and domes protected by Dome9. Therefore, it's a tool that can accomplish security for almost all call environments.

Dome9 is used by the technical team. It is utilized in production and nonproduction. It is also integrated with Azure along with Office 365.

Dome9 has 100 percent adoption rate, as all our environment will be integrated with it. 

There are two types of users:

• My team who implements the domain.
• The infrastructure team who looks at the report. There are three guys on the infrastructure team.

I would rate the technical support an eight out of 10. We received a lot of support when implementing the solution directly with the product owners of Check Point, which is not their regular support. They were very useful and helpful, which was very good. We haven't had many complaints.

The solution helps save our security team time. Before we had Dome9, our security team had to go through each problem and check it. Nowadays, we just need to analyze one report and use one tool. We don't have to go through all the accounts with all their data. Dome9 is saving them approximately 10 hours a week.

We implemented Dome9 as soon as we started having some production services on our current environment and started our cloud journey three years ago. 

The initial setup process was very quick: Create the user on AWS, then you can log in and have all your information. On the domain side, it was very quick to log in with the account created on the AWS.

The deployment was one or two days. We had three remote session, where two of those sessions were about how it works. 

Our approach was to have our accounts on Dome9. After adding accounts, we ran some reports and compliance rule sets based on the security measure recommendations from Dome9 for our AWS product. We also went through the recommendations and made some changes on some of them. That is how we deployed the solution.

Our implementation strategy was to first only add the key accounts in the first stage, seeing how it worked. Then, after some weeks of working with it, we added the rest of the accounts to production.

We did the initial setup directly with Check Point. They were very good and helpful because we were one of the first customers after they bought the domain company. They were very interested in helping us. We didn't have any complaints.

Dome9 helps developers save time. If you enable the remediate mode, then it will help you save time as it eliminates manual work. The reports also save time because you don't have to go into the tool and search for information. The reports save about five hours a week.

This solution has enabled us to reduce the number of employees involved in managing our cloud environment, especially the personnel who have had to analyze reports and implement security measures to mitigate risks. Before we had the tool, we had more people working on this task. Now, we only need one or two people to look through the report to review the risks.

Right now, we have licenses on 500 machines, and they are not cheap.

They didn't find many other competitors for this type of domain and security tool.

The cloud providers give you the tools for their solutions to be secure, but they aren't easy to implement nor are they clear how to use because each tool that we have has its own security measures. This solution provides clarity for what you need to do to be secure in one centralized tool.

Try it in read-only mode. 

We do not use remediation at the moment. We do the remediation manually, since we are still using Dome9 in read-only mode. I don't know if we will use the remediation in the future because we prefer to do it ourselves. We don't know what will be the impact of doing it automatically from the tool. 

If you use the remediate mode, which we currently don't use, it will leave you with automation to help out with your call environment for compliance. However, if we wanted to use it, we do have the tool.

Biggest lesson learnt: Securing the cloud is more difficult than we originally thought.

I would rate this solution as an eight out of 10.

1. Visibility for cloud workloads, including server, serverless and Kubernetes.
2. Security configuration review along with automatic remediation.
3. Posture management and compliance for a complete cloud environment.
4. Centralize visibility for a complete cloud environment of the workload hosted on multiple cloud platforms (AWS and Azure).
5. Baseline for security policy as per the workload based on services, such as S3, EC2, etc.
6. Visibility of an API call within the environment.
7. IAM management providing access to the cloud network in a controlled manner.
8. Alerts and notifications for any security breach/changes in the cloud environment.
9. Flow visibility of traffic to and from the cloud environment.
10. Real-time alerting for any security incidents.

They provide support for Azure, Amazon, GCP, and Alibaba. However, we just have AWS and Azure.

1. Provides complete visibility of the workload hosted on different cloud platforms (AWS and Azure) along with multiple tenants. 
2. Helps in enhancing security for cloud environments by providing reports, both in terms of security and compliance. 
3. Provides complete visibility of traffic flowing to/from the cloud platform.
4. Provides best practice policy that helps to strengthen the security of the workload.
5. Assets inventory and API calls can happen from the cloud.
6. Provides control in terms of accessing the cloud workload. As a policy is created, this will block direct access to the cloud environment in case the same is not define or approved in Dome9.

Security visibility with Dome9 is excellent. Normally, without this type of solution, especially if you have some workloads hosted on Azure, they give you minimal tools to be able to analyze the loss. There are different consoles that need to be checked for analyzing any incident. In the case of Dome9, it gives you the loss provided in a report on a centralized console. It gives you complete visibility, including the IP to IP Flow, which is happening from the workloads to the Internet or the Internet to the workloads. Even in case of getting a threat intelligence from Check Point, which we have the integration, if some workflows are communicating any suspicious IPs, then the reports are available on the flow logs. On top of that, it also provides a report where you will be able to find out from which location or country you are getting the traffic to your workloads. Therefore, if you want to block certain geo-locations from communicating with your network, then you can also do that using Dome9.

The workload, which was taking a day's time, now can be turned out within hours. We are able to analyze the logs in real-time. Previously, if we enabled some services, then the email needed to be sent to the security team who would do the scanning, might submit the reports, and post some action to be taken by the developers. Using this solution, we are getting the reports in real-time. The remediation can also be applied automatically. The developer can take the necessary action immediately. It provides us what action needs to be taken.

Unless we did some scanning, we used to not know that there were security flaws within particular services. However, by using Dome9, as it has complete visibility, we are getting those details much faster.

The firewall normally has been managed by security team. Admins can bypass through firewall to create any policy. They can go outside and downloading/uploading anything from their workloads. This solution provides that control as well.

1. The IAM role gives us complete control over the cloud environment. In case someone tries to bypass and create a user or policy locally, which is not allowed or defined in Dome9, changes will be rolled back and a notification will be sent to the concerned team.
2. It's always ON and available on a mobile device using the app.
3. There is complete visibility of the traffic flow with threat intelligence provided from Check Point. It even provides communication detail on any suspicious IPs.
4. Provides detailed information if some workload tries to directly access and bypass any firewall policy.
5. Provides a granular level of reports along with issues based on compliance standards, which are defined depending upon organizational requirements.
6. Task delegation as a particular incident can be assigned to a particular individual. The same can also be done manually or automatically.
7. Customizes queries for detecting any incident.

The solution is pretty straightforward to use, as it is only a SaaS model. You just need to enable the accounts for which Dome9 needs to do validation, and that's it.

Compliance checking capabilities: When you enroll your account, we have multiple accounts. Once you enter that on Dome9, it does a complete scan of your account based on these flow logs. It checks: "What are the security flaws?" So, the compliance depends on the company and what they are using as a benchmark. Normally, for India, we use the CIS as a benchmark, then whatever flow logs are available, those are provided in the reports. Then, we check those compliance reports against the CIS benchmark, and accordingly, take actions. We can then know what are the deviation on the cloud platform and on the account, with respect to the CIS.

There are some use cases where you will not have reports readily available or not get the dashboard for particular outputs. You can create a query on the console for those, e.g., if a particular EXE file started on a workload, we can find out if that is running anywhere in the cloud. While it does not provide details on the process level, it will provide us with which sensor is communicating to which IP addresses as well as if there are any deviations from that pattern.

It has remediation capabilities, and there are two options available:

1. You can do automatic remediation, where you need to define the policy for which unit that you are doing remediation. 
2. It can be assigned to a particular team or group of people for its particular vulnerabilities of security flaws. That ticket can then be raised to service quotas be remediated manually.

1. Policy validation should be available before it is deployed in a production environment using a cloud template.
2. Automatic remediation requires read/write access. When providing read/write access to third-party applications, this can add risk. It should have some options of triggering API calls to the cloud platform, which in turn, can make the required changes.
3. A number of security rules need to be added in order to identify more issues. 
4. The reporting should have more options. The reports should be more granular.
5. It should support all container platforms for visibility of a complete infrastructure single console, such as, PCF.

Three months.

Until now, we have not faced any issues in term of downtime or outages. It seems to be quite stable.

Scalability is not an issue. There are a number of workload licenses that need to be procured, then it is straightforward.

There are between eight to 10 security admins and auditors who have access to Dome9.

Our complete cloud workload is managed through Dome9.

The support is excellent. They regularly review our cloud infrastructure and provide suggestions to help us have a better security posture.

Initially, we were using tools provided by the service provider, such as, ScoutSuite, AWS Config Rules, AWS Trusted Advisor, or Amazon GuardDuty for monitoring, and similar tools for Azure as well. Then, we needed to go through a different console to identify any incidents.

Initially, we used submit a report, but there was no remediation nor information provided how to remediate workload issues. In our current scenarios, we are able to get the complete visibility. The complete visibility of the solution has been a key to the increase in our productivity.

The initial setup was straightforward. The only thing that was required from our side was a cloud template, which was provided by Dome9. We need to executed that template in our cloud environment for AWS and Azure. It automatically creates a read-only ID on the AWS platform for Dome9 to connect with. There is some configuration which needs to be done on Dome9 as well as AWS, but the deployment takes around 15 to 30 minutes.

Check Point's team was available, but we implemented it in-house with our support team.

We don't require staff for deployment and maintenance of this solution.

As it is a security product, the ROI will not have that much importance because it is enhancing your security and/or providing more security to your infrastructure. If there are any security incidents, then Dome9 is able to protect us.

Initially, once the solution was deployed into production, then the scanning used to happen and we used to see the environment's visibility. In the current situation, as everyone is moving to the DevOps environment and using the CI/CD pipelines, it helps us to analyze vulnerabilities way before they get installed in production and the web. It gives us more security in the production environment.

The licensing and costs are straightforward, as they have a baseline of 100 workloads (number of instances) within one license with no additional nor hidden charges. If you want to have 200 workloads under Dome9, then you need to take out two licenses for that. Also, it does not have any impact on cloud billing, as data is shared using the API call. This is well within the limit of free API calls provided by the cloud provider.

We evaluated Prisma Cloud by Palo Alto Networks and Trend Micro Cloud One Conformity.

Normally, the policies are accessible only on the browsers, e.g., if you compile them from Prisma Cloud, they're available as a part of a browser. However, for management users, especially for CIOs and CTOs, it becomes difficult for them to type URLs, then login. In the case of Dome9, they provide an app. With that app, you can directly login with single sign-on. It is much easier to access using the app compared to the browser option.

Most things are the same for all three providers. The major difference between Dome9 and Prisma is the IAM roles. The maturity of IAM roles available in Dome9 are much better than the other two solutions. Currently, our focus is mostly on what is happening and who is making the changes in the environment. Another thing is the visibility that Dome9 provides through its intel is better than the other two solutions.

The other two solutions have system capabilities better than Check Point.

I would recommend Prisma as well as Dome9 because they both have the visibility. In our case, the IAM was a critical piece of our requirements.

The cloud and on-prem environments are completely two different networks.

They should offer the cloud in India. Soon, there will be GDPR and India will have its own data protection laws. This might create some issues in the case of the data residing outside India. Because we are collecting metadata from the internal networks for the cloud environment, this is the reason that I suggest that they should have some plans to have the cloud in India. However, neither Prisma nor Trend Micro have cloud in India.

I would rate this solution as an eight out of 10.

We use Check Point CloudGuard for full visibility across our workloads in the cloud and on-premises.

The GSL builder's graphical interface makes writing custom rules and policies easy, but some knowledge and training are still required. The training required takes around two weeks to complete.

The GSL builder helps reduce human errors by almost 80 percent because it provides compliance rules and performs intelligence queries on our behalf.

The GSL builder saves us time creating custom rules. Initially, defining the rules takes time, but once that is downloaded, it becomes an automated process. We save around ten hours per week.

Our organization requires the use of Check Point's auto-remediation feature. This feature automatically analyzes and remediates threats, enabling us to perform forensic analysis on detected events. By implementing this feature, we benefit from several detection capabilities, including anti-ransomware and behavioral analysis, which ensure comprehensive threat detection and analysis. Additionally, the auto-remediation feature automatically quarantines and remediates malicious files, preventing data breaches. As a result, we can leverage the forensic report to enhance our endpoint security posture and effectively protect our internet connectivity.

The auto-remediation feature stands out for its ability to prioritize alerts. It focuses on high-risk issues first and then remediates them accordingly.

The unified security management console, a component of the monitoring tool, offers a comprehensive overview of our platform's security posture. This holistic view enables us to promptly identify emerging environmental threats and conduct thorough investigations, ensuring swift and effective responses.

The evaluation of the application depends on its criticality. For example, in an airport scenario, an AODV application is used for critical operations. This means that the AODV application is of high importance and requires a more thorough investigation or a faster response in case of issues.

Check Point CloudGuard has significantly improved my cloud threat handling. It has been a great asset in increasing my security posture score due to its automated remediation capabilities. Additionally, its threat intelligence provides valuable insights, making it a comprehensive security solution. Furthermore, CloudGuard offers comprehensive lifecycle security for all my applications, including new deployments. It also addresses complex security needs within my cloud environment, ensuring compliance with all relevant regulations and governance requirements.

CloudGuard provides good performance for automating our organization's security across assets, workloads, and multiple clouds.

The agentless workload posture plays a crucial role in determining our organization's security posture. This includes security and posture management, threat prevention, and high-availability posture management. All these aspects are highly important, and they also help automate my DevOps multi-cloud security threat level.

Network security helps us reduce the amount of compliance and audit activities we need to perform. It provides advanced threat protection, allowing us to inspect all traffic entering and leaving our private subnets within our entire virtual network. This comprehensive approach ensures robust network security and ongoing time savings.

CloudGuard can help free up around six hours of our staff time because it can be integrated with different applications and systems. 

CloudGuard's unified platform can free up an average of six hours per day, a feat impossible for any human worker. However, the system's automated configurations can function around the clock, achieving this level of efficiency.

The most valuable features are the ability to create pipeline rules, the enhanced NetOps security, and the deep visibility across our entire infrastructure. 

Check Point CloudGuard also helps us adhere to the compliance and regulatory requirements, I can ensure best practices are implemented, prioritize risk management, and prevent critical attacks.

Automation and advanced threat prevention have room for improvement. I would like the rules configuration which are manually reviewed to be automated according to the defined rules.

I have been using Check Point CloudGuard for two years.

Check Point CloudGuard is stable.

Check Point CloudGuard is scalable.

The technical support is good.

Positive

The initial deployment required knowledgeable people. We had already planned the required configuration type, the necessary posture management approach, and the rules that needed to be defined. We had discussed these requirements with the CloudGuard team member and implemented them together. Four people were involved in the deployment.

A person from CloudGuard helped with the implementation.

We have the enterprise-level license and we renew it annually because it is worth the cost.

I would rate Check Point CloudGuard an eight out of ten.

Check Point offers a bundled solution that includes cloud threat hunting, cloud migration security, DevSecOps, and cloud security compliance. This comprehensive package is a superior choice as it provides a unified approach to cloud security.

We have Check Point CloudGuard deployed in one location with 400 users.

A team of four admins performs maintenance on CloudGuard every quarter.

CloudGuard boasts advanced threat prevention for network security, seamlessly securing public, private, and hybrid cloud environments. It also provides unified security management and simplifies complaint handling.

CloudGuard is a tool for evaluating the health and configuration of an account. We primarily use it for AWS, but we also use it for Azure. I also use it for inventory and historical reporting.

We work with 50 AWS accounts. Four teams across a couple of time zones use CloudGuard. Our security and DevOps teams are the primary users, but the support team occasionally uses it. Management consumes the output and the reports. I think it makes them feel good, so that's nice. 

I recently transitioned into a management and architecture role. CloudGuard helped me delegate to my engineers the day-to-day tasks of operational care and feeding and health assessments of the environments. I previously spent more time building rules and implementing automatic remediations. Now, I let it fly, and my engineers operate it. 

I helped with the design and build, and I was originally in charge of the run. I've now handed off the run, which enabled me to do more. I think it helped those guys to be effective and do more. I'd say it freed up the equivalent of a quarter to an eighth of an FTE.

CloudGuard allows us to scale. As we bring on customers, more accounts come online, and more platforms are deployed in our environment, I don't have to scale my team linearly with the growth of our product. These rules work over and over on the number of accounts. I think that's a place where it will help us as our customer base grows.

The security operations team saved some time. I'm on the team, so I do a lot with this. It's one of the essential tools. Depending on the incident, Check Point can be extremely helpful in understanding the configuration. I use it ad hoc or tactically in those conditions. At the same time, other operations or security incidents are out of view of Check Point and Dome9, so it doesn't come into play. When the problem is at the account or configuration level, it makes remediation and troubleshooting an investigation easier.

It saves time because I can look across the organization. Instead of checking 50 different accounts atomically and spending 15 minutes investigating each, I can spend 15 minutes exploring all 50 accounts. It allows me to quickly look across the org for similar problems when one comes up. That's a huge time saver. 

The most valuable feature is the ability to create a reference rule set and use that to evaluate an account's health. It provides daily reports on any drift from that rule set and real-time alerts. Some of the automated remediations are also helpful.

I like the GSL Builder, which helped us reduce human error. It helps answer a question quickly in real-time that I might not want to put into a specific rule that I evaluate across all my accounts all the time. In many cases, we've built rules that we consider everywhere for the posture of all our essential accounts. However, I often work on an issue or question, and I just want to see who has this configuration or misconfiguration. GSL Builder lets me quickly locate all the S3 buckets with a faulty configuration. I use it tactically like that sometimes.

I'd be sad if it went away. However, you couldn't throw an inexperienced person at it and expect them to get any value from it without some handholding or spending time to read the documentation and think about it. You must know about the asset you interrogate to write a good rule or to do a good evaluation. That isn't a Check Point problem, but it's a general issue in cloud security. 

CloudGuard offers several pre-packaged rules for various evaluations, such as NIST, 853, etc. I went through them, found 50 rules I think are handy, and put them into a custom rule set. Then, I spent time writing about 30 rules specific to my environment. I use those to evaluate the health of my accounts continuously. 

We check health insurer information because all this data is highly confidential and protected by HIPAA. We use these rules to evaluate our cloud properties constantly. I can't imagine the time that would take to perform this kind of evaluation by hand or using another tool. That's why we have Check Point.

There are many auto-remediations available. We use a few and wrote a couple of our own. It's an excellent risk management tool. We use it because we're so paranoid about the security of our environment. I've used this tool at other companies in different industries, and they've been apprehensive about automatic remediation. It depends on the part of the world you live in. I use it, and it stopped problems, so I've gotten tremendous value from auto-remediation.

The ability to prioritize alerts has been handy. It enables me to focus on critical issues instead of common misconfiguration. The visibility into my workloads is pretty good but not great. I don't use it at a granular level. I'm primarily focused on protecting my overall cloud posture and the health of the account with CloudGuard, but I also look for some common misconfigurations that might be workload-induced.

Making basic rules is easy, but it's complex if you want to do something a little more nuanced. I've been unable to make some rules that I wanted. I couldn't evaluate some values or parameters of the components I look for. I haven't always been able to assess them.

It feels like some attributes of resources can't be interrogated through the GSL the way I would like. For example, I wanted to figure out all the systems launched with a particular image that had been running for 31 days or more. Until I talked to the Dome9 people and the support team, I didn't understand how to frame that query in GSL. The support team told me how to do it, but I couldn't figure it out alone. The documentation is a little unclear about how to do some of those configurations. More tutorials and examples on the blogs and support pages would be helpful. 

I had another problem when we tried to encrypt all of our storage volumes. There is a feature called batch jobs or Elastic MapReduce jobs. CloudGuard sometimes can't detect the encryption status of the underlying disks of those systems that process my workloads. It pops up with a bunch of alerts that say, "Non-encrypted volumes have been found in your account." 

Those jobs are dynamic, so they spin up, run for an hour or two, and all the systems are destroyed. By the time I checked it, all the systems were gone. CloudGuard threw a bunch of alerts in the middle of the night when all these things happened, and I went back to evaluate the configuration. I know they were all encrypted because I can see how it was deployed. It didn't have a great insight into my actual workload, but it generally tells me when people launch unencrypted things. It isn't perfect, but it's okay.

I have used CloudGuard for four years.

CloudGuard has been solidly stable. I'd say nearly perfect.

CloudGuard's scalability is decent. They're switching to a new onboarding methodology that I'm not in love with, but I think we'll find a way to make it work and continue to scale. It has been good.

I rate Check Point's support an eight out of ten. I've contacted them with a few questions or issues and always had good support experiences with them. I'm not a huge customer paying millions of dollars a year. I work for a small startup on the bleeding edge of technology, and I feel like Check Point and Dome9 meet me where I am. 

It wasn't trying to shove a network firewall, like a data center security tool, down my throat. Palo Alto and Check Point are old-school network security appliance vendors that are out of their depth in cloud security, so they bought tools like bought Twistlock and Dome9. Check Point's acquisition and management of Dome9 have been excellent. I can still talk to people at Dome9 and get support for this tooling, but it has been difficult for me to do that with their competitors. 

Positive

I've used Palo Alto Prisma Cloud, but I've also used Palo Alto's Cloud Security Posture Management tooling. I prefer Check Point, which is why we have it.

I still have both solutions, but I use Palo Alto for something else. I use Twistlock, a Prisma Cloud module, for runtime protection of containerized workloads. I also use Dome9 for CSPM. I did not like using Prisma Cloud for CSPM because I did not care for the rule language or configuration. 

Also, I feel like Check Point, and Dome9 listen to their users. If I'm dying for a new feature to improve the solution, they would hear me out and consider it. I guarantee you that Palo Alto doesn't care.

Deploying CloudGuard is straightforward. I deployed it and configured the auto-remediation alone, but I also worked with another architect to discuss the design and workshop some ideas, so we could say a team of two deployed it.
After deployment, maintenance has been very low.

We've seen a return. It still makes sense to write a check. I can't imagine going back to doing it the way I did before. It's essential for my compliance program to have this tool in place. If I could save the $100,000 or more I pay annually and use cloud-native tools, the additional time I would spend tuning and doing everything I'm doing with CloudGuard wouldn't be worth it, at least not in the first year. 

CloudGuard is fairly priced.

I rate Check Point CloudGuard Posture Management an eight out of ten. I advise new users to start with a defined list of goals or problems and implement the solution in a way that initially prioritizes their most significant issues or primary goals. Don't try to boil the ocean. In other words, don't enable all the features and do everything at once. They will be overloaded unless they know what they're doing. Go feature by feature, function by function, and area by area. Determine where your critical risks are and implement the solution based on that knowledge.

I think there are some benefits to using a third-party tool. For example, these tools might simplify and enrich features or offer focus. You're adding another view or pane of glass to your security world, but once you start to look across clouds, it becomes interesting. I have to write all my own rules for Azure and AWS. At the same time, I can get the same report delivered to my inbox that I can then feed to my executives, showing them the health of these cloud properties. 

It looks cohesive and coherent instead of using separate native tools for AWS, GCP, Alibaba, and Azure and trying to compile all those reports and metrics. At least I can distill my posture into a commonsense readable score and transmit that to the executives. I can tell them, "Our posture's at 98% compliance." They can comprehend that and compare the scores from week to week. It helps me from a reporting angle.

We have our CSPM and CNAPP services powered by CloudGuard. Those are the two that we are doing direct services for today, but as a reseller, we offer all the pillars.

We are a value-added reseller. We are not necessarily using it as our own. We are not a dev shop, but those are the use cases. If one of our customers has a dev shop and is working out of the cloud, this is where they look to get some better understanding and control over what their development team or their DevOps team is doing and building. This is where CloudGuard CNAPP comes into play.

CloudGuard CNAPP definitely helps with bringing the controls, which can then play to compliance. We have a few key customers in the utility space, so compliance is a major driver. Being able to apply required controls through CNAPP helps and benefits them.

Security is not a No, where you have to say, "No. You cannot do it." By having the CNAPP toolset for the DevOps team, you enable them to do their work, and it is securely done.

We use CloudGuard CNAPP's Cloud Security Posture Management (CSPM) capabilities. We have been using CSPM for just over a year. We use it internally for our own IT security. We are a company with about 75 people, and our IT security uses CSPM actively not just to respond in time but also to help manage and keep an eye on all the controls and things.

Cloud Security Posture Management identifies the risks that are most critical to our business. It helps us to prioritize those. 

We do not use CloudGuard CNAPP's CloudGuard Workload Protection capabilities. We do not have a development shop. That is where the workloads come into play, but absolutely, that is where our customers could get some of the value to be able to keep their automations and speed going by having those workload protections in place. 

It is able to bring visibility into that cloudy space where the security departments do not really see what is happening on the DevOps side. It brings visibility, security control, and standardization. These are some key features.

I am not a technical person, but generically, the user interface can be a little more intuitive. Our staff has trained network security and cloud security professionals, and they get it, but when you are trying to get to the customers to be able to pick it up and maintain it, it can be a bit difficult, so the user interface can be a little better.

We have been using CloudGuard CNAPP for just about a year.

It is a Check Point product. It is not going anywhere. We have known CSPM for years, and it has only got improved every step of the way. Our impression is that CNAPP and the other pillars will do the same. They will continue to be steady and sturdy.

Their top-end technical support is excellent. Like anything else, it is hard to get to TAC, but we are an elite partner, so we have great channel support and strategic support. We have good experience with tech support.

We have not used any other solution. We have been a Check Point customer for a long time. When it started to come out, we started to take it on.

We are primarily on Azure, but our customers are in AWS and Azure. We do not have a lot of work with Google Cloud. We have a little bit of Oracle cloud, but AWS and Azure are the two big players we see our customers using.

I am not involved in its deployment, but I know that for CSPM, which is probably related, you discover as you go. You deploy it, and you are able to get the overall insights into what the environment is. I presume you would lead with that and then work on the workload and CNAPP, but I have not had to do it myself.

We have seen an ROI, but I do not have statistics to back it. Even for our small internal IT, it helps with efficiency and reduces the time in having to go through and try to find all the misconfigurations and other things. That time is money, and that is the return on the investment, for sure. I presume our customers feel the same way when they are using and deploying, especially things related to CNAPP. Once deployed and in action, they save a lot of time because one hour of prework saves ten hours as a rework, and that is what we get with CloudGuard CNAPP.

We evaluated Orca and Wiz. We are a value-added reseller, so we do sell them. Wiz has a lot of good and competitive aspects to CloudGuard features, but CloudGuard is very competitive with them, and we are deep partners, so we lean towards that.

To those considering this solution, I would say that it is pretty easy to get it started and get the evaluation going. Check Point has a whole cloud team that is there not to sell you anything but to help find where you are in the cloud journey and bring evaluation and other things forward.

CloudGuard CNAPP is definitely in the upper echelon. I would rate it a nine out of ten. It competes very well with other solutions such as Wiz. If you break it down, it competes very well with them. That puts it right up there at the top.

The solution is for used for protection of workloads.

It offers good detection. This capability allows us to effectively manage compliance. 

It helps us find misconfiguration. We use it to try to find possible storage accounts that may be misused or other misconfigurations.

The effectiveness of its cloud security posture management is good. It's really helpful for us and allows us to comply with various standards.

It helps our company identify risks that are most critical to our business. It not only saves us time, it provides us with the visibility we need to manage the cloud.

I don't have any notes for improvements. I'd need some more time to work with it.

I have used the solution for one year.

The stability is good.

We haven't had issues with scalability.

We have not had any issues with customer service so far.

Positive

This was the first solution I tested. I have not used a different solution. 

The initial setup was straightforward.

The pricing is decent.

We only really tested the capabilities of native tools before we implemented this solution.

My overall product rating is ten out of ten.

We use CloudGuard to monitor the cloud IaaS, AWS, and Azure security postures, including cloud assets' configurations. Based on the framework in the rulesets, it will give us failing, passing, or partially compliant scores. It allows us to implement auto-remediation and guardrails. 

If a user exposes storage on the public internet accidentally or purposefully, a daily report is sent to the account owner. CloudGuard will automatically fix the issue if auto-remediation is appropriate. We have GCP, AWS, and Azure accounts. CloudGuard is a SaaS solution, and we onboard all our AWS accounts, whether public, private, or hybrid.

In our sandbox environment, auto-remediation kicks in, and everything is fixed. Users try to do it themselves but often don't know how because they're not trained to provide cloud support. We don't currently use complete remediation, which will break their production environment, but we're getting better by nagging the cloud account users. Our cybersecurity team can use the shared response score to encourage cloud account owners to fix the problem.

CloudGuard has specific instructions for how users should fix issues, but it's like pulling teeth sometimes. Users often don't respond, and we get to the point where we need to tell them that it's going through change management and we can't renew it. We will auto-remediate in production environments if they don't respond by that date. 

It helped some cloud deployment users understand how to improve security posture, but not all of them. It depends on whether they are reading the CloudGuard reports daily. Many don't want to manage that part, and we believe our cybersecurity will help fix that for them.

We automated account onboarding. When a user wants a new cloud account, the automation scripts kick in after the request is approved to create the cloud account. After the provisioning is completed, the account is onboarded into CloudGuard. It enables us to have full coverage because CloudGuard monitors all our organization's cloud accounts.

I wouldn't say that CloudGuard has freed up staff for other projects. I have two or three dedicated SecOps people to monitor and follow up with remediation when auto-remediation isn't possible. We also deal with CloudGuard account requests and just-in-time user account access. It's difficult to assign a specific user to view the cloud accounts only they can see. 

I'm an SME for the product and train people annually because SecOps folks come and go. So far, we have had this software for three years. A lot of other organizations will switch solutions after two or three years. Training is essential because it's a high learning curve for people unfamiliar with the cloud. I don't think CloudGuard has made it more accessible. While it has decreased the resources, we still need at least one full-time admin dealing with CloudGuard, especially with the bugs.

We saved some time. We always go for a Unified Enterprise Platform. In terms of Cloud Security Posture Management, we wanted an enterprise solution with GCP, AWS, and Azure support, so we chose CloudGuard.

The posture management and remediation features are the most valuable. We use GSL Builder to build custom rules in alignment with our organization's policies. CloudGuard has canned rules using multiple standard frameworks, but we also have additional rules. Building custom rules with GSL Builder is medium difficulty. They have several examples of other compliance rules you can use. The GSL documentation is decent. A non-technical person can learn to use GSL Builder in about a week. GSL Builder saved us time and reduced human error. 

The auto-remediation works when it works. It does its job and is based on the rule instead of the alert's severity. In our company, we say, "Okay, this rule is a high severity. We don't want the data to be exposed on the internet." For example, if someone puts a public IP on our database, we will set a rule to shut it down immediately. That's how we define remediation. 

It isn't based on the severity or the level of work. Some rules may be defined as lower severity by default, but they might be higher depending on the organization's policy. It kicks in when there's an alert matching the remediation rule. The effectiveness of the remediation is 50%. Some of their bots used to fix issues automatically need to be updated. We had to make a few custom changes to some bots because they don't wake up.

CloudGuard's effective risk management only scans accounts every hour. We have more than 150 AWS accounts and 20 Azure accounts. We sent Check Point a request asking them to increase the frequency to five to fifteen minutes. I want the flexibility to scan it as often as possible based on the account's importance. That part is lacking. 

When rules change, it messes up the remediation. They haven't found a fix for that yet. The remediation rule goes into limbo. It's an architectural design flaw within their end compliance engine—a serious bug. We must spend extra time reapplying the rule when they periodically update the compliance presets. Auto-remediation breaks if you're using that particular out-of-the-box rule. I haven't experienced this recently, so maybe they fixed that part. However, that's what it did in the past.

Check Point is slow to respond to bugs. They resolve bugs maybe once every two weeks, and their R&D is slow. They're in Israel, and it's not just the Israeli holidays. I would probably pick a large US company if we did this over again. 

They don't give us continuous feedback. I want live feedback when they change something. Stop breaking things. The company should let us know what they're doing when they add new features. They don't have an official beta program, so you can't test the new features. 

That's the other bad thing about this product, but I don't know about other Check Point products. They're a firewall company but not a software company. If you put out a beta, customers should have the option to test it and give feedback. I've been putting a lot of work into CloudGuard to fix all the bugs. They should have paid me to fix their bugs for them.

They need to decrease their bug resolution time. Anything longer than two weeks is problematic. It's why we don't jump into the deep end with all these other features they've added. Our primary feature is the CSPM cloud part. The solution is useless if the reporting or remediation breaks, as it has in the past. It requires an SME for CloudGuard to dig in deeper, which takes time away from our SecOps folks.

We've been using CloudGuard for three years.

CloudGuard is pretty stable.

CloudGuard is scalable. I don't need to worry about it.

I rate Check Point's support a seven out of ten. They respond within a day. 

Neutral

Setting up CloudGuard is straightforward, and it takes a few days. We handled the deployment in-house with two full-time employees. It's a SaaS solution, so the only maintenance required is backups. 

We implemented this solution in-house.

The pricing of CloudGuard increases annually, and we don't see the value because we don't use all the features. We're primarily using CSPM and maybe Workload Protection. We did the Kubernetes part and used Network Explorer as a one-off. We only used Network Explorer for diagnostics. 

We use the Intelligence module for CSPM but don't analyze network traffic with CloudGuard. It's an expensive subscription, so we don't use the intelligence part.

We evaluated Palo Alto Prisma Cloud and Twistlock. Back then, the solution was owned by an independent company called Dome9, and Check Point acquired them. It had the best rule set out there. We chose it because it had all the rule sets out of the box and supported GCP, Azure, and AWS. 

I rate Check Point CloudGard Posture Management a seven out of ten. CloudGuard does its job, but the remediation is not perfect. Other CSPM tools do a better job of using remediation exclusion rules, especially scanning and putting out reports at a custom frequency versus every hour.

If the price isn't an issue and you don't care about using all the features, it's an okay product for enterprises to use to cover all cloud IaaS. If you're thinking about implementing CloudGuard, you should consider two things. First, the price is marked up every year by 10-plus percent, whether you use a particular feature or not. It's an annual subscription model, so you can always cancel at any time. 

Second, you should think about the modules. Workload Protection is okay if you use Kubernetes. You can use intelligence if you need to analyze traffic within your cloud environment for regulation-specific reasons, but it will cost you extra. CloudGuard's strong suit is that they support a lot of the features and AWS cloud assets.

We are a VAR. We use posture management in various client environments for different assessments. 

We do not use it internally. We use it in multiple client environments. We have different types of client environments with different sizes.

It is great for identifying misconfigurations. That is the part that I love about it.  It is very good at finding that needle in the haystack. It gives you an overall posture for every little thing, and if you dive into it and look at some of the findings, you start seeing that you have one or two servers that are misconfigured, and you have an open BLOB, open storage instance, unsecured web portal, or something else that you did not know about. 

The effectiveness of its Cloud Security Posture Management for providing compliance rulesets and security best practices is great.

Its Cloud Security Posture Management helps identify the risks that are most critical to our clients relatively quickly. I cannot put a number on that, but not having to go through every little configuration on every asset would probably save a week's worth of effort for the smallest client. 

Its traffic monitoring capabilities are good. Helps visualize traffic flows and possibly exposed assets.

The actual setup is pretty manual. It takes about an hour or two, depending on the client you are working with.

The rulesets and the findings are valuable. The actual core functionality of it and the efficacy of events are great. There is some triaging, but in terms of findings, it does seem to find the needle in the haystack.

The dashboards specifically are great. By just logging in and going into the portal, we can see the high-level dashboard views. We are able to dive into whatever we want to see there, and that is fantastic.

The network mapping and the traffic flow map, where it shows you which VMs might be possibly exposed, are also very valuable. It shows which systems might have direct access to the Internet and which systems do not. It shows you overall how the network flow is set up based on your security groups, routing, and everything. I have got a good use out of that.

The setup can be better. With every other Check Point SaaS product, the setup is scripted. You just approve deployment scripts,  and then you are off. The setup for this solution is still very much manual. I would like to see that transition to more of a scripted setup. That has been an issue when I set up a client because every client has different skill sets.

The general reporting also needs improvement. It is very cumbersome to pull the reports for big environments. I had a client environment with 50 tenants, and I had to manually run a CIS report for each tenant and download it. There were 50 different reports. I wish there was a way to get the reports for all 50 tenants in one report and not 50 different reports.

I have been working with posture management for 3 to 4 years.

I never had stability-related issues. That has always been fine.

It is scalable. You can do it, but you need to redo the setup for each and every additional account and visibility. It is scalable. It is just not quickly scalable.

I would rate their support for CloudGuard CNAPP a eight out of ten.

Positive

I have not used a posture management solution before.

Its setup is very manual. I would like to see that transition to more of a scripted setup. It is a very manual process. For the most part it is fine however I have definitely had issues with it. Sometimes, it just does not work, and I have had to open tickets.

I am an integrator and consultant.

Its price is very fair.

N/A

To the new users of this solution, I would advise not following the built-in guide while setting it up. Always open the admin guide for the most up-to-date information.

Overall, I would rate this solution an eight out of ten. Even with all the issues, what you do get out of it is very valuable. The reporting and the setup are holding it back from a ten. That is where it can be improved greatly.