Check Point CloudGuard CNAPP Reviews

We use CloudGuard for compliance and auditing. About 20 people in our company use it, including our cloud administrators use it and security personnel. And now even our managers, our scrum masters are using it.

CloudGuard makes the management of our security controls in AWS more transparent. 

The dashboard is intuitive. You know if you're compliant or not, and then it gives you a remediation plan.

CloudGuard could be more customizable. It has built-in standards for things like GDPR compliance. But depending on your business lane, you might want to build your own controls based on your own standards. 

I've been using CloudGuard Posture Management for at least six months.

CloudGuard is pretty stable. It's rock-solid.

In terms of scalability, CloudGuard requires a little bit of work. Sometimes it does take longer for the checks to come through, but it depends on how busy you are in the cloud. 

Check Point tech support in North America is pretty good.

We really liked this other solution offered by a smaller company, and then a larger company bought it. I forgot the company's name, but the roadmap just went to pieces when it was bought out. All the tech people left the company then the chief technical officer resigned. It was terrible.

Setting up CloudGuard is pretty straightforward. The initial setup only took a few minutes. It's essentially turnkey. However, the total deployment took about half a day. For maintenance, we have two cloud administrators. That's two in case one goes on vacation, resigns, or gets sick. So you need backup.

The license for CloudGuard Posture Management is about $80 a year, and it's based on your cloud footprint, not the number of users. So you could have a million users, and it doesn't matter. 

I rate CloudGuard Posture Management seven out of 10. I would rate it higher, but I think the price point is pretty high for what it does. However, I know it's a burgeoning market. So I think the price point and some of the other features that I already mentioned, like customization, are pretty lacking. Still, if you want some cover for an internal or external audit, this is a tool for you. 

The product provides complete visibility of our cloud security posture. It supports servers and Cloud-Native Services. It provides a centralized solution for Cloud Security with risk and compliance management. 

We required it to manage various compliance requirements including live ISO, SOC, PCI and it supports everything. Our Organization is in a hybrid structure and in it, we are using various AWS and Azure accounts. Earlier, we managed everything individually, however, after the implementation of it, we now manage everything from a single solution. The single solution helps with the system, network, and security administration.

The solution provides the complete visibility of Cloud Security, as well as a number of baseline policies and rules. This helps us to manage cloud posture with less effort. After implementation, it reduced administrative effort in terms of managed security over the cloud. Now, we are not dependent on individual tools for each account as well as cloud service providers. 

After implementation, the team can generate reports from a single console for all compliance needs.

Auto Remediation is a very effective feature and it improves the need for manual intervention from the security and cloud administrator.

The baseline policy and the integration with the public cloud are very easy.

The number of compliance rulesets along with the baseline policy, support of cloud-native services, and license management are easy. Support of the CI/CD pipeline security (Code Security), Kubernetes, et cetera, is useful. 

There are very helpful and various types of reports. Reporting features are very good and anyone from the compliance team can view/generate a report according to compliance support.

Auto remediation is a very effective feature that helps ensure less manual intervention.

Support of AWS Lamda and Azure Functions helps for any potential breaches.

Almost all features are good, however, they still require improvements to the code security portion on which integration with the major source code repository is required.

Integration with CI/CD is an important aspect as it is needed to secure the environment. Having it will help a lot.

Integration with Docker is also a key feature that needs some improvements.

Integration with other third parties and with SIEM is an important aspect that should be addressed.

Currently, it provides integration with Tenable, but it would be good if it had support other VAPT software as well.

We have been using Check Point CloudGuard Posture management for the last 8+ months.

The solution is very stable and we have not found any gaps. It provides seamless integration with the public cloud.

It's a highly scalable solution and integration with the public cloud is very good. The way you can centralize the dashboard of entire cloud infra is a very impressive.

Support has been good. We implement it with the help of OEM support and whenever we've required help we've received a good response.

Earlier, we tested other tools as well, however, the features which were available via Check Point are very good and the future roadmap is also very good in regards to cloud security.

The setup is straightforward and seamless.

We implemented it with help of Check Point support. The rest was managed by our internal team as it's easy to handle.

Security is very important and gives us ROI from security itself. We also get an ROI as we have less administrative effort. We can see an ROI with the compliance and risk management on offer too.

The setup cost is very affordable and very easy. Integration with the public cloud is very easy. The licensing calculation is also very good and no manual effort is required.

We evaluated other tools like Rapid7, Qualys, and AWS native security tools, as well as Azure native security tools.

It's a very strong solution for cloud security posture management and very effective for large and mid-size environments. Any organization moving towards the cloud would benefit from this.  

We primarily use this solution for:

1. Posture management and compliance for the complete cloud environment (AWS).
2. Centralized visibility of our cloud assets across multiple accounts in our cloud environment.
3. Monitoring and alerting of cloud activity (API calls) happening across all the accounts.
4. Reviewing security configuration (network configuration of security groups).
5. Scanning serverless functions for existing vulnerabilities.
6. The baseline for security policy as per workload based on services such as S3, EC2, et cetera.

This solution helped us improve by:

1. Improving the overall security posture of our cloud environment.
2. Maintaining Asset inventory for Cloud.
3. Continuously reporting and alerting for reactive approach.
4. Providing a best practice policy helping in strengthening security of workloads. 
5. The biggest lesson that I have learned from using this product is that organizations are very uninformed about their cloud presence, what assets they have, and what shape it's in which this solution is capable of and provides better visibility.

1. The queries for detecting any type of incident are great.
2. The solution provides a granular level of reports - along with issues based on compliance.
3. Alerts of cloud activity happening across all accounts is helpful.
4. Customization of rulesets as per our cloud security policy is useful and strengthens the security.
5. Reporting against compliance is an important feature that helps you comply with policies and standards within our organization.
6. Assets Management is excellent as it provides complete visibility of our workload in our EC2 instance. 

The following things can be improved:

1. Reporting should have more options.
2. Investigation of security events should be more comprehensive be it for cloud activity or traffic activity.
3. The false positives can be annoying at times.
4. We do not use remediation at the moment. We do the remediation manually, since we are still using Dome9 in read-only mode. I don't know if we will use the remediation in the future as we prefer to do it ourselves.
5. The price of this solution should be reduced so that it is more affordable to scale.

We have been using this solution for last year.

This was the first time we used any CSPM solution.

The price of this solution should be reduced so that it is more affordable to scale - specifically for features like Intelligence Pro.

We evaluated Prisma Cloud, however, we found many of the features that we won't be using we would still be paying for unnecessarily.

We primarily use this solution for:

1. Visibility for cloud workloads; server, serverless & Kubernetes
2. Security configuration review along with auto-remediation
3. Posture management and compliance for the complete cloud environment
4. Centralize visibility for the complete cloud environment hosted on multiple cloud platforms (AWS, Azure)
5. The baseline for security policy as per workload based on services such as S3, EC2, etc
   
6. Visibility of API calls within the environment
7. IAM management providing access to the cloud network in a controlled manner
8. Alert and notification for any security breach or changes in the cloud environment
   
9. Flow visibility of traffic from and to the cloud environment
   
10. Cloud availability within India

This solution has improved our organization in several ways, including:

1. It provides complete visibility of workload hosted on different cloud platforms including AWS and Azure, along with multiple tenants.
2. Helped in enhancing security for our cloud environment by providing reports both in terms of security and compliance.
3. Provides complete visibility of traffic flowing from/towards the cloud platform.
4. Provides best practice policy, which helps to strengthen the security of our workloads.
5. Asset inventory and API calls happening from the cloud.
6. Provides control in terms of accessing our cloud workloads. A policy has been created that will block direct access to the cloud environment in case the same is not defined or approved in Dome9

The most valuable features of this product are:

1. IAM Role gives complete control over the cloud environment. In case someone tries to bypass and create a user or policy locally, which is not allowed or defined in Dome9, the changes will be rolled back and a notification will be sent to the concerned team.
2. It is always on and even available on a mobile device using the app.
3. Provides complete visibility of traffic flow with threat intel provided from Check Point. It even provides communication details for any suspicious IP.
   
4. Provides detailed information if a workload is allowed direct access, bypassing any firewall policy.
5. Provides a granular level of reports, along with issues based on compliance. The standard is defined, depending upon organizational requirements.
6. Task delegation, as a particular incident can be assigned to a particular individual, and the same can be done manually or in an automated fashion.
7. Customize queries for detecting any type of incident.

There are several things in need of improvement, including:

1. Policy validation should be available before it is deployed in a production environment using a cloud template.
2. Auto remediation requires read/write access. As providing read/write access to third-party applications can add risk, it should have some option of triggering API calls to the cloud platform, which in turn makes the required changes.
3. A number of security rules need to be added in order to identify more issues.
4. Reporting should have more options.
5. It should support all container platforms for visibility of complete infrastructure using a single console such as PCF .
   

I have been using Check Point CloudGuard Posture Management for three months.

Initially, we were using tools provided by the service provider. These included Scout Suite, AWS Config, AWS Trusted Advisor, and Amazon GuardDuty. These are monitoring tools, and we used similar tools for Azure as well. We needed to go through different consoles to identify any incident, which was not convenient.

Licensing and costs are straightforward, as they have a baseline of 100 workloads within one license and no additional charges.

Also, it does not have any impact on cloud billing because the data is shared using API calls, which is well within the limit of free API calls.

The complete solution should be provided in a single license including storage, as Check Point charges extra for logic.

We evaluated RedLock from Prisma (Palo Alto) and Conformity (Trend Micro).

We currently have hybrid cloud environments, so different cloud platforms are being used by the business for different use cases and systems are being deployed at a very fast pace. It's very challenging to enforce security and have eyes on everything that exists in the cloud unless you have centralized tools helping you accomplish this goal.

Today Dome9 is helping us analyze what we have out there and what our priorities should be from a remediation perspective. We do have multiple accounts today with the different cloud providers, so it's imperative to use a tool like Dome9.

We have been able to expand our visibility and security enforcement into all of our cloud environments by leveraging Dome9. The features allow us to constantly scan and take action on any configurations implemented, that aren't meeting compliance regulatory requirements.

This tool has also allowed us to keep an inventory of assets and an overall picture of what infrastructure exists today on the different cloud platforms we own. It helps to avoid unnecessary misconfigurations due to the lack of knowledge on what has been deployed.

The most valuable feature is the CloudBots for auto-remediation of security findings. It is helpful because my team handles so many security tools that it would be almost impossible with the current staff we have to support the on-premise network and have enough time to go in and maintain the desired/required security postured on the different cloud environments we own today.

One of the main reasons why we started looking into a centralized tool is so that could help us bridge that gap, and Dome9 so far has been very helpful from that perspective.

The tool has a lot of potential, but today, it lacks a lot of Scripts/Bots for Azure. This is one of the main cloud providers, so it's imperative to make this a priority in order to bring a lot of value to this tool.

The idea is to leverage Dome9 as the main central place for auto-remediation of all cloud environments so that customers don't have to spend a lot of time manually remediating. Manual remediation is very challenging once you have so many cloud accounts to support on a regular basis, and Dome9 can help do part of the job.

I have been using Dome9 for about one year.

We did not use another solution prior to this one.

We did not evaluate other options before choosing Dome9.

CheckPoint Dome9 is a cloud security management solution for our Azure cloud environment, and we have Azure for our cloud services. With this solution, we manage our network security policy management and automation for our cloud environment across providers, accounts, and regions.

Dome9 provides us policy compliance based on our requirements. If we request SOX or HIPPA, based on that we will enable the policy and we will get the reports as well.

We also create users and set policies and we can monitor the logs.

Dome9 is a very good product for us as we are using a hybrid solution. We have some of the services on-premises and some of the services on the cloud. With Dome9, we very well manage our security policies and also set the compliance policies based on requirements.

Now, we can also support the asset management of our cloud resources, posture management, and many more.

IAM is a very good and unique feature of Dome9. IAM gives us complete control of our cloud environment. For example, if someone tries to bypass the policy and attempts to configure or create some users, then it will not allow them to do so. Also, it sends a notification to the concerned person.

We can monitor each activity from our mobile devices, so there is complete visibility of our cloud traffic flows, with threat intelligence provided by Check Point. The IAM provides us complete safety and security.   

In Dome9, there should be a policy validation option where we can validate the policy before we push it into production. This option is very important, as we are working in a critical and complex environment. This option would give us more confidence in our activities or policy pushing.

We could see the option is available for on-premises devices. 

Automatic remediation requires read/write access.

Otherwise, overall this product is very good for our cloud environment, and we are satisfied with this.  

We have been using Dome9 for the past six months.

It's a very stable product.

Dome9 is very good in terms of scalability.

The technical support is excellent.

We did not use another solution prior to Dome9.

The initial setup is straightforward.

We implemented using a vendor team.

We did not evaluate other options.

We use the Check Point CloudGuard IaaS within our company is for the protection of our cloud assets. It is deployed on Google Cloud Platform with the help of the Firewall, Application Control, and Intrusion Prevention System software blades.

In addition, we rely heavily on the GeoIP module to restrict undesired countries from accessing our services, as for now, you can't achieve it with the GCP firewall.

There are about 30 Google Cloud projects of different sizes ranging from 10 to 250 virtual machines, and they are used for development, staging, production, etc. For every project, there is one dedicated scalable instance group of the Check Point CloudGuard IaaS gateways.

Dome9 is used as an additional compliance tool to improve the security of these environments and avoid any configuration errors.

Initially, we had purchased the Dome9 solution just for its rich compliance possibilities. We have to provide the compliance reports on a regular basis to our partner companies and the regulators of the gambling and paying card areas, but now, we also rely heavily on the feature that "auto-heals" the configurations of the security groups and the firewall rules.

In addition, the Cloud infrastructure visualization feature is really good, especially for GP with its cumbersome firewall rules based on the instance tags and the service accounts.

1. This product provides a really nice visualization of the infrastructure, including network topology, firewalls, etc. It's cozy to configure stuff, and also to wander around the interface in general.
2. The Compliance Engine is powerful. We rely heavily on this feature since we must comply with the various security standards to work in the gambling sphere across the globe, and especially in the United States and European Union.
3. The solution continuously monitors config modifications and may alarm the relevant administrators, or even revert the configs automatically.

We were demotivated by the lack of native automation modules for the Terraform and Ansible tools. We think that in the era of the DevOps approach and practices, all the new products need to be released with such support, mandatorily.

In addition, we also hope that the Dome9 will eventually support the other Public Cloud platforms, like Alibaba, since we are planning to expand to the Asian market. Alibaba is the big player in this region due to the fact that Google Cloud and AWS are almost banned.

We have been using Dome9 for less than a year.

Dome9 is stable and works smoothly.

The solution is scalable. We have it run on about 30 projects without any issues.

No cases have been opened regarding Dome9 so far.

No, we are unfamiliar with the other solutions of the same kind.

The setup was straightforward, and the configuration was easy and understandable.

Our deployment was completed by our in-house team. We have a Check Point Certified engineer working in the engineering team.

I suggest that you pay attention to the product pricing because while there are no tricks, and the licensing model is transparent, the final numbers may surprise you.

No, we did not evaluate other options before adopting Dome9.

Request a free demo directly from Check Point and see whether Dome9 suits you.

I use it for cloud visibility detection and remediation. I also use it for reporting and dashboarding.

The most valuable features of CloudGuard CNAPP are its compliance engine and auto-remediation features.

CloudGuard CNAPP is a great tool that justifies its investment. Like any other tool, there are opportunities for improvement that can be addressed through a roadmap.

I have been using Check Point CloudGuard CNAPP for six years.

I would rate the scalability of the solution as a ten out of ten.

I would rate the technical support as seven out of ten. It is good when we get attention, but sometimes it is a bit difficult to get the attention we need.

Neutral

We opted for CloudGuard CNAPP over other solutions mostly due to its flexibility.

The implementation of the solution was easy.

There has been a significant ROI for me because now I can reduce risks effectively, and every risk I mitigate is a return on investment for the platform.

CloudGuard CNAPP has been crucial in giving us visibility into our cloud setup and has significantly lowered our risks by enabling better control over our cloud security.

I find that CloudGuard CNAPP 's cloud security posture management is exceptional for addressing both physical and digital security concerns. It offers extensive coverage and provides a straightforward yet sophisticated method for creating and implementing new security queries.

My advice would be to define your use cases very well when considering this solution.

Overall, I would rate CloudGuard CNAPP as an eight out of ten.

We use the solution to control all the emails that go out from the company. We also use it to protect our network by stopping unauthorized people from accessing it.

The product enables us to check the information that goes out of the company. We get to know if someone sends our sales emails to our competitors. We control the information that goes out of the company. It’s a good product.

The product must provide different features like antivirus.

I am currently using the solution.

The tool always performs very well. All the upgrades happen automatically. We haven't had a problem with it.

We haven’t needed much support.

Positive

The solution’s pricing is a little bit high. I rate the product’s pricing a seven out of ten on a scale of one to ten, where one is the lowest price, and ten is the highest price.

I would like to implement all the security solutions from Check Point in our company. Overall, I rate the product an eight out of ten.

We utilize Check Point CloudGuard Posture Management to gain visibility into our cloud environments and their configurations. The cloud services we employ include AWS, Azure, and GCP.

A while back, we deployed Kubernetes, and it was exposed to the internet, resulting in the environment being affected by malware. Check Point CloudGuard Posture Management has helped our organization prevent such attacks from occurring in our environment.

The most valuable feature is the single dashboard that enables us to manage the entire cloud environment from one place.

The dashboard customization has room for improvement.

I have been using Check Point CloudGuard Posture Management for four years.

Check Point CloudGuard Posture Management is highly stable. There was only one instance when the solution experienced downtime.

The technical support is good.

Positive

The initial setup is straightforward.

Check Point CloudGuard Posture Management is expensive.

I give Check Point CloudGuard Posture Management a ten out of ten.

Check Point CloudGuard Posture Management is an important component of a cloud environment that enables us to gain visibility across all areas and configure easily. I highly recommend this solution.