Friday, May 24, 2019

Microsoft and Check Point Protect Employees from Leaking Sensitive Business Data

It is clear that confidential data leakage, whether malicious or unintentional, can cause serious damage to any organization. Preventing sensitive and valuable information, such as customer records, intellectual property, and financial reports, from falling into the wrong hands has become a major priority for most organizations. 

To protect organizations from data loss, Microsoft and Check Point have been working closely together to integrate Microsoft Azure Information Protection (AIP) with Check Point Next Generation Firewall Security Solutions. The integrated solution keeps sensitive business data absolutely safe, regardless of where it travels or how it is shared, including via email, web browsing or file sharing services that are not part of the Microsoft ecosystem.



Customers of both Check Point and Microsoft can rest assured knowing their employees will be prevented from accidentally sending sensitive and valuable business data outside of the corporate network, not just when using Outlook or Microsoft Exchange, but also when using popular applications and services such as Gmail, Dropbox, FTP, and Box. By leveraging Check Point's policy enforcement capabilities across the network, Microsoft Azure Information Protection file classification and protection capabilities are extended and substantial security gaps are sealed. Joint customers therefore get a comprehensive Data Loss Prevention solution: their security teams can track and control the exposure of sensitive information and take corrective measures to prevent data leakage or misuse.

How Data Loss Prevention works from the end-user perspective


Let’s take a look at a common data loss scenario. Your company’s CFO just finished creating a highly confidential financial report using Microsoft Office Word. Azure Information Protection (AIP) recognizes the sensitive content in the document and prompts him to label the document as “Confidential Financial Data”. With the proper confidential label, no one in the company will be able to accidentally send this file to an external recipient or location outside of the corporate network. Regardless of the application (Outlook, Gmail, Dropbox, FTP), Check Point Data Loss Prevention (DLP) will block any improper distribution of the document and immediately notify the user. Not only does this process educate the user about improper data handling, it helps prevent future issues.

Data Loss Prevention – the Admin perspective


Let’s take a look at this same CFO data loss scenario from an IT administrator’s perspective. Many IT organizations that use Office 365 productivity solutions have also adopted AIP to classify, label and protect their sensitive information. AIP sensitivity labels can be applied automatically based on IT administrator rules and conditions, manually by end users, or in a combination where end users are given recommendations. In the CFO data loss use case, the IT security team has pre-configured an AIP label called “Confidential Financial Data”. Based on this label, the security team has also defined a Check Point unified security policy rule (that includes a Content Awareness AIP data type) to protect confidential financial information from being sent outside of the organization. Once the AIP label was applied to the CFO’s financial report, Check Point Security Gateways were able to detect and enforce the confidential designation, regardless of where the document was sent or how it was shared.
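To make the label-driven enforcement concrete, here is an added example (Python, not Check Point or Microsoft code) of the kind of check a network-side DLP engine performs: it opens an Office document in transit, reads the AIP label from the document's custom properties, and applies a label-to-destination policy. It assumes that AIP records a label as custom properties named MSIP_Label_<GUID>_Name and MSIP_Label_<GUID>_Enabled in docProps/custom.xml; the GUID, the sample document and the EGRESS_POLICY table are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PART = "docProps/custom.xml"
NS = {"cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
      "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"}
# AIP writes one custom property per label attribute: MSIP_Label_<GUID>_Name, _Enabled, ...
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(Name|Enabled)$")
# Constructed egress policy: label name -> may a file carrying it leave the corporate network?
EGRESS_POLICY = {"Confidential Financial Data": False, "General": True}


def aip_labels(docx_bytes: bytes) -> list:
    """Names of the *enabled* AIP labels carried in the document's custom properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CUSTOM_PART not in zf.namelist():
            return []  # unlabelled document
        root = ET.fromstring(zf.read(CUSTOM_PART))
    by_guid = {}  # label GUID -> {"Name": ..., "Enabled": ...}
    for prop in root.findall("cp:property", NS):
        m = LABEL_RE.match(prop.get("name", ""))
        if m:
            val = prop.find("vt:lpwstr", NS)
            by_guid.setdefault(m.group(1), {})[m.group(2)] = (val.text or "") if val is not None else ""
    return [v["Name"] for v in by_guid.values()
            if v.get("Name") and v.get("Enabled", "").lower() == "true"]


def egress_decision(docx_bytes: bytes, destination_internal: bool) -> str:
    """'allow' or 'block' for sending the file to an internal or external destination."""
    if destination_internal:
        return "allow"  # policy only restricts traffic leaving the corporate network
    blocked = [name for name in aip_labels(docx_bytes) if not EGRESS_POLICY.get(name, True)]
    return "block" if blocked else "allow"


def build_labelled_docx(label_name: str, enabled: bool = True) -> bytes:
    """Constructed minimal .docx containing only the custom-properties part this check reads."""
    guid = "11111111-2222-3333-4444-555555555555"  # constructed label GUID
    props = "".join(
        f'<property pid="{pid}" name="MSIP_Label_{guid}_{attr}"><vt:lpwstr>{text}</vt:lpwstr></property>'
        for pid, attr, text in ((2, "Enabled", str(enabled).lower()), (3, "Name", label_name)))
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CUSTOM_PART, xml)
    return buf.getvalue()
```

A real gateway would also have to extract the document from the carrying protocol (SMTP attachment, HTTPS upload, FTP transfer) before running this check.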

Unified Data Loss Prevention Across the Enterprise


Because Check Point DLP enables policy enforcement of data in transit at the network level, the IT Security teams can track and control how documents are being shared and immediately take corrective measures to prevent data leakage. In addition, DLP is integrated into Check Point’s security management platform enabling enterprises to apply a unified document protection policy across the organization while also managing access control, threat prevention policies, and incident analysis.

About Azure Information Protection


Azure Information Protection (AIP) is part of Microsoft Information Protection solutions, which can leverage the security capabilities of partners like Check Point. Azure Information Protection enables customers to classify, label and protect sensitive documents and emails. Sensitivity labels can be applied automatically based on the system administrator’s rules and conditions, manually by users, or in a combination where users are given recommendations. Since Azure Information Protection has rights management capabilities built in, it can be used to protect documents by defining granular user access rights down to specific groups or users.

About Check Point DLP


Check Point DLP is part of Check Point’s Next Generation Firewall Gateway products. It combines multiple technologies and processes to revolutionize Data Loss Prevention, helping businesses to pre-emptively protect sensitive information from leaving the company, educating users on proper data handling policies and empowering them to remediate incidents in real time! By enforcing security policies on all data transmitted over networks, Check Point Security Gateways offer wide coverage of traffic transport types, including deep application awareness that protects data in motion, such as e-mail, web browsing and file sharing services.

Friday, May 10, 2019

CloudGuard IaaS supports VMware’s new NSX-T 2.4 release - Private Cloud Security

VMware has been taking real action to back up CEO Pat Gelsinger’s assertion that hybrid-cloud is the new norm, most recently through updates to their NSX-T Data Center network virtualization platform for on-prem and cloud environments. NSX-T version 2.4 was a major milestone that saw the introduction of new advanced security capabilities.

Check Point was a design partner for the new version, which is fully supported by Check Point CloudGuard IaaS. This makes sense considering the close relationship between Check Point and VMware, and that CloudGuard was the first VMware partner product to be certified for NSX-T North/South service insertion.

(The supporting version of CloudGuard IaaS is currently in final stages of certification.)

Let’s dive into a few of the security enhancements in NSX-T version 2.4 and how CloudGuard IaaS uses them to harden private cloud security for Check Point customers.

Network Topology


CloudGuard supports NSX-T Inventory.

CloudGuard reads the inventory from NSX and allows the security operator to use objects from the inventory as part of the security policy. CloudGuard watches these objects and updates the gateway regarding any change that might occur on the NSX side.

NSX-T v2.4 allows the dynamic export of network topology, providing CloudGuard with immediate access to all network configuration changes.

Dynamic, Context-Based Grouping


NSX has rich contextual knowledge of the workloads it’s protecting. Instead of using grouping and rules based on where something is in the network, with NSX customers can use constructs based on specific characteristics of the workload, including for example the workload’s Operating System or name. By applying Security Tags, workloads can also be grouped based on criteria such as the function of the application, the application tier the workload is part of, the security posture, regulatory requirements or the environment the application is deployed in.  Through the use of Security Tags, policies can be applied automatically to new workloads, thus reducing manual administrative overhead. For example, when you add a new VM: as soon as you apply a meaningful tag to the new VM, it automatically assumes the relevant policies of the tag’s groups.

Using VMware NSX-T and Check Point together provides strong security for North-South traffic entering the data center from the outside. This is done by connecting the CloudGuard IaaS security gateway to the T0-T1 router. NSX handles the deployment, plumbing and selective redirection of traffic to the CloudGuard IaaS security gateway.

CloudGuard IaaS provides powerful private cloud security features such as Firewall, Intrusion Prevention System, Anti-Bot, Antivirus, Application Control, and URL Filtering; as well as Threat Emulation and Threat Extraction for complete protection against the most sophisticated threats and zero-day vulnerabilities.

But what about East-West traffic?

“Firewalls are conceptually sound, but execution often leaves network and security teams scrambling to patch flaws and fix mistakes that hackers have already discovered and exploited. Worse, once bad data packets such as malware enter into the network they may have unimpeded access to that “East-West” traffic inside the network.”

In other words, a breach of a single network can propagate across the data center, compromising all applications. Even attacks on low priority services can expose critical or sensitive systems.

With the Distributed Firewall, NSX-T enables micro-segmentation, enabling customers to provide granular firewalling for East-West traffic within the datacenter.

VMware NSX-T 2.4 introduces the enhancement of Policy-Based Service Insertion enabling partner solutions like Check Point CloudGuard to enhance the security of East-West traffic, without making changes in the topology.

Check Point CloudGuard IaaS is integrating with NSX-T 2.4 East-West Service Insertion in order to provide robust protection of lateral traffic between different entities inside the cloud deployment. This lateral traffic may also be automatically redirected according to context-aware policies, as explained above.

How Can You Improve Your Private Cloud Security?


Take precautions, including:

  • Keep yourself and your organization up-to-date on cloud threats and trends
  • Implement and enforce cloud security best practices across your organization, for example in this article
  • Define your organization’s security considerations, then choose a best-of-breed cloud security solution with advanced threat prevention


Check Point CloudGuard provides best-of-breed private cloud security, which is further enhanced by the above security enhancements introduced by VMware NSX-T 2.4.

CloudGuard provides consistent security policy enforcement and full threat visibility.

CloudGuard is well suited to dynamic multi-cloud and hybrid environments and supports the widest combination of private clouds and public clouds.