SEP2 LIMITED

Check Point CloudGuard IaaS for AWS

Check Point CloudGuard IaaS delivers advanced, multi-layered security for the AWS cloud environment, protecting assets in the cloud from attacks whilst enabling secure connectivity from enterprise networks to the AWS cloud. Features include Firewall, IPS, Application-Control, URL-Filtering, IPSEC-VPN, AntiVirus, Anti-Bot and Zero-Day Threat Protection using industry-leading SandBlast technology.

Features

  • Stateful inspection firewall and industry leading Threat Prevention System
  • Antivirus and Anti-Bot protect cloud resources from malicious attack
  • IPSec VPN secures communication between AWS cloud and on-premise
  • Provides lateral Threat Protection within the cloud environments
  • One-click deployments possible
  • Auto-Scaling deployments possible
  • Data Loss Prevention and Content Awareness protects sensitive data
  • Mobile Access VPN for client devices

Benefits

  • Easily extend security to AWS cloud environments
  • Protect cloud based resources against malware
  • Provides CPU-level security in software-defined networking environment
  • Provides the full-suite-of protections of the Check Point Infinity Architecture
  • Safeguards against data and infrastructure breaches
  • Single pane-of-glass management
  • Centralised policy management across all environments

Pricing

£1,120 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@sep2.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

674267115191823

Contact

SEP2 LIMITED sep2 sales team
Telephone: 03300437372
Email: sales@sep2.co.uk

Service scope

Service constraints
Check Point CloudGuard IaaS provides next-generation security protections across the AWS cloud environment. Deployed and auto-scaled within minutes, protections can be enabled ensuring all network flows within the AWS environment are checked by the market-leading Check Point Sandblast engine. Powered by the Check Point Infinity Architecture, CloudGuard IaaS protects all of your data, across all of your applications, across all of your devices, wherever they are accessed from. The Check Point IaaS for AWS system will require suitably sized compute resources within the AWS system.
System requirements
  • Suitably sized compute platform within the AWS system
  • Appropriate connectivity from your network
  • Check Point Management platform may be required depending on requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Sep2 support provides 24x7x365 support for Priority 1 incidents, with a response time of 30 minutes. Priority 2 incidents are responded to during office hours within 1 working hour. Priority 3 incidents are responded to during office hours within 4 working hours. Priority 4 incidents are responded to during office hours within 12 working hours.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All sep2 customers have an aligned account manager who manages all aspects of the customer relationship. sep2 support is priced depending on the size of the environment and the number of licenses included. sep2 have 5 Check Point Security Masters working within the support team, ensuring a Subject Matter Expert is available to support our customers as required. At an additional cost, a technical account manager can be aligned to a customer where additional technical resources are required.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Once CloudGuard IaaS is purchased, a Check Point UserCenter will be created if one is not already in use. The purchased licenses will then be added into this UserCenter for the user of the Check Point CloudGuard IaaS platform to make use of as required.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Customers can export/extract the settings and configuration of the Check Point CloudGuard IaaS platform at the end of or during the contract through tools provided within the system.
End-of-contract process
When the contract is ended, the Check Point CloudGuard IaaS platform will continue to operate at a degraded functional level, with no ongoing updates across the subscription-based Check Point Software Blades, no access to support and no ability to upgrade to later versions or releases.

Using the service

Web browser interface
Yes
Using the web interface
The web interface of the Check Point CloudGuard IaaS system allows for access to and configuration of the platform settings including hostname, DNS settings, IP address settings, routing protocols, administrator configuration etc.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
The platform is deployed via the AWS marketplace, and is then initially configured via an HTTPS connection to the CloudGuard IaaS instance. Further and advanced configuration may require connection to a Check Point Management Server.
Web interface accessibility testing
None
API
Yes
What users can and can't do using the API
After the Check Point CloudGuard IaaS platform is deployed, the API can be leveraged to automate many actions that relate to policy and device configuration. Full documentation as well as working code samples are available and actively shared on the Check Point user community forum.
API automation tools
  • Ansible
  • Chef
  • OpenStack
  • SaltStack
  • Terraform
  • Puppet
API documentation
Yes
API documentation formats
  • HTML
  • PDF
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
  • Other
Using the command line interface
Command line interface configuration allows for the same host-level configuration as via the HTTPS interface, including settings such as hostname, IP addressing, dynamic routing etc.

Scaling

Scaling available
Yes
Scaling type
Automatic
Independence of resources
Check Point CloudGuard Auto Scaling Groups can auto-scale to meet traffic demands, limited only by licensed constraints.
Usage notifications
No

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Check Point Software Technologies

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Hardware containing data is completely destroyed
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
Yes
What’s backed up
Check Point host level configuration
Backup controls
Scheduled backups can be configured via the Check Point CloudGuard IaaS platform web interface
Datacentre setup
  • Multiple datacentres with disaster recovery
  • Multiple datacentres
  • Single datacentre with multiple copies
  • Single datacentre
Scheduling backups
Users schedule backups through a web interface
Backup recovery
  • Users can recover backups themselves, for example through a web interface
  • Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Availability of the Check Point CloudGuard IaaS system depends on the design of the deployment, and on whether AWS platform features have been used to provide resilience. As this service is running on the AWS platform, all availability guarantees are based upon the underlying AWS platform.
Approach to resilience
Check Point CloudGuard IaaS for AWS can be deployed in a resilient way through use of suitable AWS concepts for resilience and scaling.
Outage reporting
The Check Point SmartEvent and SmartLog tools can be utilised to provide information on service outages.
Service Outages of the AWS infrastructure are available from the standard AWS service information system.

Identity and authentication

User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Check Point CloudGuard IaaS systems can integrate with different access management systems via standards such as RADIUS, TACACS, SecurID, LDAP etc.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Dedicated device over multiple services or networks

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Third Party Accredited
ISO/IEC 27001 accreditation date
Confirmed by Amazon
What the ISO/IEC 27001 doesn’t cover
N/A
ISO 28000:2007 certification
Yes
Who accredited the ISO 28000:2007
Third Party Accredited
ISO 28000:2007 accreditation date
Confirmed by Amazon
What the ISO 28000:2007 doesn’t cover
N/A
CSA STAR certification
Yes
CSA STAR accreditation date
Confirmed by Amazon
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
N/A
PCI certification
Yes
Who accredited the PCI DSS certification
Third Party Accredited
PCI DSS accreditation date
Confirmed by Amazon
What the PCI DSS doesn’t cover
N/A
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
Sep2 are accredited to ISO27001 and have a defined Information Security Management System.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change management is managed entirely by the customer
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Vulnerability management is entirely managed by the customer
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Protective monitoring is entirely managed by the customer
Incident management type
Supplier-defined controls
Incident management approach
Incident management is entirely managed by the customer

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Third-party
Third-party virtualisation provider
AWS
How shared infrastructure is kept separate
Amazon AWS provides this virtualisation and separation as part of their underlying service which the Check Point CloudGuard IaaS system uses.

Energy efficiency

Energy-efficient datacentres
Yes
Description of energy efficient datacentres
https://aws.amazon.com/about-aws/sustainability/

Pricing

Price
£1,120 a licence a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
A 30-day trial of the Check Point CloudGuard IaaS platform can be requested.