Pentesec Ltd

Dome9

CloudGuard Dome9 is a comprehensive software platform for public cloud security and compliance orchestration. Using Dome9, organisations can visualize and assess their security posture, detect misconfigurations, model and enforce best practices, and protect against identity theft and data loss. Dome9 integrates with Amazon Web Services, Microsoft Azure, and Google Cloud.

Features

  • Comprehensive compliance management including automated continuous enforcement of best practices.
  • Active Protection: Providing dynamic access leases
  • Active Protection: Tamper protection, region lock & IAM safety.
  • Real-time detection of misconfigurations that pose a threat to instances.
  • IAM Protection: real-time privileged elevation over users, roles and actions.
  • Auto-remediation in AWS, resolve dangerous misconfigurations and enforce compliance.
  • Tamper Protection: Continuous monitoring and automated reversion of unauthorised modifications.
  • Just-in-time privilege elevation with out-of-band authorisation for IAM actions.
  • Visual view of your cloud network topology exposing potential misconfigurations.

Benefits

  • Allows easy security and compliance management of public cloud environments
  • Enforces top security standards with auto remediation of unauthorised changes
  • Spot misconfigurations quickly and easily, potentially preventing exposure of data.
  • Ensuring compliance with best practices by spotting misconfigurations in real-time
  • Ability to provide real-time privileged elevation for AWS users.
  • Provides auto-remediation of dangerous misconfigurations, saving on overheads and time.
  • Tamper Protection: Deny unauthorised changes to network security groups
  • Granular visibility and control of users' activities over native controls.

Pricing

£15,000 a unit a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at richard.bass@pentesec.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

123304675391761

Contact

Pentesec Ltd Richard Bass
Telephone: 0845 519 1337
Email: richard.bass@pentesec.com

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Dome9 is an extension to Microsoft Azure, Amazon Web Services and Google Cloud Platform.
Cloud deployment model
Public cloud
Service constraints
No
System requirements
To utilise Dome9 you need AWS, Azure or GCP.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard Support customers have an SLA of 4h for Severity 2, 3 and 4 questions and 30 minutes for Severity 1 questions.
Premium Support customers have an SLA of 4h for Severity 3-4, 2h for Severity 2, and 30 minutes for Severity 1.
Elite Support customers have an SLA of 4h for Severity 3-4 and 30 minutes for Severity 1-2.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
Yes, customers are able to use our chat portal and speak to an engineer on web chat. This is dependent on the user being a designated support contact on the customer account.
Web chat accessibility testing
Customers can log into Check Point Web Chat via www.checkpoint.com, then click Support, then Support Center, and under "Get Help" select Live Chat.
Onsite support
Onsite support
Support levels
1. Check Point Standard Support: SLA 9x5, business days. Response time: Severity 1, 30 minutes; Severity 2, 3 and 4, 4 hours.

2. Check Point Premium Support: SLA 24x7, every day. Response time: Severity 1, 30 minutes; Severity 2, 2 hours; Severity 3 and 4, 4 hours.

3. Check Point Elite Support: SLA 24x7, every day, with an on-site engineer for critical SRs. Response time: Severity 1, 30 minutes; Severity 2, 30 minutes; Severity 3 and 4, 4 hours.

We can provide a TAM at cost through Professional Services, and any support tickets associated with the platform will be dealt with by engineers skilled on the platform.

The cost of support is usually calculated as a percentage of the total licence cost of the entire purchase.

Standard is free and allows the customer to file support tickets with Check Point. Premium Support is priced at 7% of the total subscription price and Elite at 10%.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Once purchased, an admin and an admin email address must be nominated to receive the initial link and for account creation.
More onboarding details can be found here - https://helpcenter.dome9.com/hc/en-us/articles/360003383253
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can create reports of final audit logs, compliance checks, asset reports, policy reports etc. before access to the service is ended, as they would have during normal operation of the service.
End-of-contract process
When a contract is ended, the customer's entire tenancy is deleted on the backend and all customer data is removed from the database systems associated with that tenancy ID.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
The Dome9 mobile application can be used to create dynamic access leases or to open authorisation windows for IAM users.
Service interface
Yes
Description of service interface
You can access the web interface from a URL that after purchase can be linked to your domain. The mobile application can be downloaded from the Google Play and iOS app stores.
Accessibility standards
None or don’t know
Description of accessibility
You can access the web interface from a URL that after purchase can be linked to your domain. The mobile application can be downloaded from the Google Play and iOS app stores.
Accessibility testing
Don't know
API
Yes
What users can and can't do using the API
Application developers can access Dome9 functionality from within applications using the Dome9 API. With version 2 of this API, developers can access functions using RESTful HTTP requests.

The resources and methods listed in this API cover the Dome9 functionality that developer applications need to onboard and manage their cloud accounts in Dome9.

The resources are grouped into Dome9 entities and Cloud Inventory entities.

Dome9 entities include functional features such as Clarity, Compliance and Dome9 Alerts, and entities such as access leases, Compliance bundles and rules, and Dome9 users and roles.

Cloud Inventory includes entities such as Security Groups, instances, regions and VPCs.

The API is based on HTTP requests and responses, and uses JSON blocks.
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Customers can write their own compliance bundles and queries

Scaling

Independence of resources
We have an autoscaling service hosted on AWS that has been built from the ground up with multi-tenancy in mind. Data segregation is implemented in all system layers, including the DB, allowing for seamless scaling with minimal impact between tenancies.

Analytics

Service usage metrics
Yes
Metrics types
Licence consumption, billable instances, number of assets protected, number of cloud accounts protected
Reporting types
Real-time dashboards

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Check Point

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
No
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
  • Other
Other data at rest protection approach
Strong encryption is used (AES-256-CBC). All aspects of physical protection, including the secured area, personnel entry and user access to physical servers, are the responsibility of the cloud providers.
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export reports on compliance, identity management and other aspects of their environment, such as policies created, assets protected, alerts created and audit trails of changes made on the system, as PDF reports.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
Other
Other data import formats
Customers can script the onboarding of their Cloud accounts

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Other
Other protection within supplier network
Strong encryption is used: AES-256-CBC

Availability and resilience

Guaranteed availability
Users will be refunded via a credit scheme, under which they are not charged for the period during which they suffered service degradation. SLAs can be found here - https://www.checkpoint.com/support-services/support-plans
Approach to resilience
Dome9 runs in Amazon Web Services. To provide high availability, Dome9 is run from 2+ availability zones within the AWS "Northern Virginia" (us-east-1) Region.
Outage reporting
Yes via https://status.checkpoint.com

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Dome9 web applications and APIs are developed with a focus on OWASP controls, providing strict protection against injection, CSRF and XSS, enforcing data segregation, and more.
Authentication

MFA - Dome9 Web Console Authentication supports hardened authentication using TOTP MFA
Dome9 Agents are authenticated via x.509 certificates that are generated during the initial pairing process

API authentication uses HTTP Basic authentication over a Secured SSL (TLS) channel. It is disabled by default.

WAF
All traffic to the Dome9 production system passes through a Web Application Firewall. The WAF protects against attacks on the web application as well as providing protection against DDoS attacks.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
GRSee
PCI DSS accreditation date
02/2018
What the PCI DSS doesn’t cover
Dome9 was certified against PCI DSS v3.2.
Other security certifications
Yes
Any other security certifications
SOC 2 TYPE II

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Check Point's internal processes strive to meet the same level as ISO 27001; however, Check Point does not seek accreditation.
Information security policies and processes
Check Point strives to meet the same level as ISO 27001; however, it does not seek accreditation.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Dome9 is an Agile SaaS shop that constantly delivers enhancements to our product.
All Dome9 software is developed under a source control system where code commits are peer reviewed.
The installation and configuration of all Dome9 servers is controlled under a CM system (SaltStack), where all system configurations are also source and version controlled.
Code deployment is automated by the CM system, providing consistency in deployments, the ability to quickly push fixes, and safe rollback if and when a new critical issue is found.
No software is installed on the servers except through the standardised, approved and source-controlled channel.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have consistent yearly penetration tests and enable virtual patching through IPS signatures and NGTP security gateways protecting the environment; the underlying servers and infrastructure are patched by AWS.
Information on potential threats comes from Check Point's Threat Hunting team and research team, as well as our ThreatCloud, which is the world's largest database of security feeds, signatures, hashes, IoCs etc.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our SIEM platform for the Dome9 production environment is monitored continuously for potential threats; it is fed from our WAF, traditional network security controls, and yearly penetration tests.
All Dome9 servers are connected to a centralised log/SIEM system that is constantly monitored.
The underlying virtualisation hosts are protected, patched and maintained under the responsibility of our cloud providers.
The environment is protected by network firewalls that are configured under strict policies, as would be expected from a firewall management company.
All non-production environments (Dev/Test/Staging) are segregated into different VPCs and accounts.
Access to the production environment is only through a hardened bastion server.
Incident management type
Supplier-defined controls
Incident management approach
As a market-leading security vendor we have predefined processes for common events. Users can report incidents from within the help option in the dashboard or by reaching out to Check Point directly.
If an incident happens, we will inform customers and users once we have a full grasp of what happened and why.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£15,000 a unit a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Fully featured evaluation licence to prove a POC, with support from the UK SE team to assist with any challenges in deploying and configuring. The evaluation period is limited to 30 days.
Link to free trial
Please contact enquiries@pentesec.com to set this up.