Essential Network Security Comprehensive Checklist Guide

Uploaded by

tavorodriguez
ESSENTIAL NETWORK SECURITY:
A COMPREHENSIVE CHECKLIST

The threat landscape for enterprise security is always changing and requires constant adaptation. The latest evolutionary demands for corporate networks include the cloud and remote work—environments where the old hub-and-spoke approach is less than ideal.

Cloud-based network security is purpose-built to secure resources wherever they reside.

"There are multiple business benefits when using a cloud-based network security solution."

Cloud-Based Network Security in Brief


Zero Trust Security
Zero Trust means only permitting access to those who require it and continually verifying that each person is meeting pre-determined access policies. Zero Trust Network Access (ZTNA) secures company resources at the application level employing standard logins and MFA authorization, as well as at the device level utilizing posture checks, and context-based permissions such as time of day and location.

FWaaS
Firewall-as-a-Service works with ZTNA to prevent anyone from accessing resources without an authorized identity such as a specific user, group, or originating IP address. Just like on-premises firewalls, FWaaS defends against unwanted entry into company resources and networks.

SWG
A Secure Web Gateway (SWG) protects company employees while web browsing. It prevents outbound traffic from accessing restricted content such as gambling sites, as well as known or suspected malicious file destinations. It also scans inbound traffic for malicious web content.

High-performance connectivity
A network security solution should be responsive and provide a smooth user experience. To enable this, the solution should ideally be cloud-based with points-of-presence (PoPs) distributed throughout the globe. Companies can then choose PoPs in locations near their employees, for better responsiveness and connectivity rather than backhauling traffic through physical data centers.

Network Security Checklist


1. Map Your Network’s Architecture (user devices, on-prem services and appliances, cloud services, etc.)
2. Assess Your Needs (VPN replacement, cloud firewall, Zero Trust solutions, DNS filtering, device posture check, etc.)
3. Enable SSO With MFA
4. Define Group Access Policies
5. Define Compliance Needs
6. Research Solutions Based on Assessments Above


The Checklist Explained

Map Your Network’s Architecture

The first thing you need to do is assess what your corporate infrastructure looks like, be it as a list or a diagram. It’s important to understand your on-premises needs such as the number of data centers your company has.

Also include all the cloud services the company uses—at least the ones you know about. Again, try to be as exhaustive as possible, not forgetting about that one Heroku app that DevOps is using.

Then it’s on to endpoints. What kind of devices are your remote employees using? Is it all company-owned Macs, or a mix of Windows and Mac? What about phones or tablets that might be used to access company resources? Also consider BYOD devices and what employees are currently using those for.

Locations are also a key part of assessing your needs since this will help determine the optimal PoPs to connect to.

Assess Your Needs

Next, it’s time to consider what we’re trying to accomplish with the move to a cloud-based network security provider. Is it purely a VPN replacement with better latency for employees spread out across multiple locations? Do you want to boost security with a modern Zero Trust approach that includes more restrictive permissions instead of providing carte blanche access to the network and resources?

What about adding a SWG for secure web access and malware protection, as well as logging activity for incident response purposes? Do you need static IPs, or access control at the DNS level?

All of these issues need to be taken into consideration. If you’re moving to a cloud-based network security model from the traditional hub-and-spoke approach then we strongly recommend adopting a zero trust model. This includes Zero Trust Network Access (ZTNA) for company devices, as well as an agentless option for unmanaged devices and third-party access such as by contractors.

Enable SSO with MFA

Using an identity provider (IdP) with single sign-on (SSO) support and multi-factor authentication (MFA) is highly recommended when moving to a converged network security solution. An SSO IdP provides a better user experience that avoids the need to perform multiple logins every day. It also makes it much easier to gain visibility over logins and to group users for Zero Trust access purposes.

If you have your own homegrown identity management system then look for services that support the System for Cross-domain Identity Management (SCIM) specification. If your company uses multiple providers, support for Security Assertion Markup Language (SAML) 2.0 is also a must.

Define Group Access Policies

Once you have your identity provider worked out and implemented it’s important to consider user group permissions for your future Zero Trust Network Access approach. Sales and marketing may need access to Salesforce, for example, but those departments don’t need access to the codebase on GitHub, or the production database for the website. These kinds of finely segmented permissions make it easier to control who has access to what, and limit the impacts of a breach should the worst happen.

Define Compliance Needs

Compliance is a key concern for any business that works in sensitive industries like healthcare, or a company doing business in Europe that must comply with local laws.

Even if you know your compliance requirements well, listing them all (ISO 27001 & 27002, HIPAA, GDPR) is a key step before looking at any service provider.

Research Solutions Based on Assessments Above

Once you’ve got everything figured out in terms of infrastructure, needs and goals, and compliance requirements, you have an excellent list to take with you during product research.

There are many different options to consider here as well. Do you want a full Software-as-a-Service (SaaS) or Network-as-a-Service (NaaS) platform where all deployment is taken care of by the service provider, or do you want something more DIY and customizable?

Most companies want a service that reduces the burden on their IT teams so they can spend more time monitoring for threats, and assisting end users.

Nevertheless, there are cloud solutions that require more manual deployment; however, these companies tend to be pure cloud VPN or Zero Trust solutions without additional components such as cloud firewalls and secure web gateways–key factors for a complete cloud-based network security solution.

Check Point Harmony SASE Checks All the Boxes

Check Point Harmony SASE is a full-featured, cloud-based network security solution that can help segment your resources, and keep your employees and data secure. Our ZTNA solution allows companies to continually verify that employees are meeting authentication standards for accessing company resources with DPC and context-based checks.

The platform also supports the major single sign-on identity providers including Google, Jumpcloud, Microsoft’s Azure Active Directory, Okta, and OneLogin. There is also SCIM support for those with homegrown SSOs, and SAML 2.0 for companies that use multiple providers. Check Point Harmony SASE’s platform can help you meet compliance burdens for ISO 27001 and 27002, HIPAA, SOC 2 Type 2, and the GDPR. Finally, the Check Point Harmony SASE platform can build a network for your company in minutes and have you up and running in just a few hours, depending on company size.

"Check Point Harmony SASE’s full-featured, cloud-based network security solution checks all the boxes."

What Cloud-native Network Security Can Do for Your Business

There are multiple business benefits when using a cloud-based network security solution. It’s fast to deploy since there is no hardware burden for your internal team. Deployment is just a matter of choosing the best PoP locations for your cloud network and connecting your services.

There are also significant cost savings since a cloud-native solution helps you do away with expensive appliances such as SD-WAN, VPN, and branch office firewalls. The reduction of hardware also relieves your team of significant maintenance time for urgent security patches, operating system upgrades, and, in some cases, malware signature updates.

There’s also no need to worry about oversubscribing with Check Point Harmony SASE since you only need to purchase the number of seats you need. Then as the needs of the business grow you can expand your requirements at the click of a button. Compare that to the legacy approach where “forklift upgrades” to more costly machines with greater capacity are the norm.

Reaching Internal Consensus

If there are other stakeholders that need to get onboard with your move to cloud-native network security we suggest showing them what the day-to-day benefits will look like from tools such as ZTNA (our ZTNA datasheet can help you there).

Another option is to show a scenario of what a potential breach would look like without a cloud-native network security approach versus having one in place. Imagine a hacker obtaining employee login credentials from a marketing employee, for example, and how they wouldn’t be able to use that login to break into the codebase or HR records–or gain access at all if location and time-of-day contexts are used.

Contact us today to set up a demo to see the Check Point Harmony SASE platform in action, or start building your secure network right away via our intuitive dashboard.

Meet Check Point Harmony SASE

2x Faster Internet Security | Zero Trust Access | SD-WAN

The internet is the new corporate network, leading organizations to transition to SASE. However, current solutions break the user experience with slow connections and complex management.

Offering a game changing alternative, Check Point Harmony SASE delivers 2x faster internet security combined with full mesh Zero Trust Access and optimized SD-WAN performance—all with an emphasis on ease-of-use and streamlined management.

Combining innovative on-device and cloud-delivered network protections, Check Point Harmony SASE offers a local browsing experience with tighter security and privacy, and an identity-centric zero trust access policy that accommodates everyone: employees, BYOD and third parties. Its SD-WAN solution unifies industry-leading threat prevention with optimized connectivity, automated steering for over 10,000 applications and seamless link failover for uninterrupted web conferencing.
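
A minimal default-deny evaluator for the group access policies and the stolen-credential scenario described above, as an added example that is not Check Point's code or configuration. The group names, resource labels, countries and permitted hours are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Policy:
    """One group rule: which resources, from where, and when (constructed values)."""
    resources: frozenset
    countries: frozenset
    start: time
    end: time
    require_posture: bool = True

# Hypothetical policy set mirroring the departments named in the text.
POLICIES = {
    "sales-marketing": Policy(frozenset({"salesforce"}), frozenset({"US"}), time(7), time(19)),
    "engineering": Policy(frozenset({"github", "prod-db"}), frozenset({"US", "DE"}), time(6), time(22)),
    "hr": Policy(frozenset({"hr-records"}), frozenset({"US"}), time(8), time(18)),
}

@dataclass(frozen=True)
class Request:
    """An access attempt as seen after SSO/MFA has identified the user's groups."""
    groups: tuple
    resource: str
    country: str
    at: time
    posture_ok: bool

def evaluate(req, policies=POLICIES):
    """Default deny: allow only if one group policy matches the resource AND the context."""
    reasons = []
    for group in req.groups:
        p = policies.get(group)
        if p is None or req.resource not in p.resources:
            reasons.append(f"{group}: resource not granted")
        elif req.country not in p.countries:
            reasons.append(f"{group}: location {req.country} not permitted")
        elif not (p.start <= req.at < p.end):
            reasons.append(f"{group}: outside permitted hours")
        elif p.require_posture and not req.posture_ok:
            reasons.append(f"{group}: device posture check failed")
        else:
            return True, f"{group}: allowed"
    return False, "; ".join(reasons) or "no group membership"

if __name__ == "__main__":
    # Constructed scenario: valid marketing credentials replayed against the codebase.
    stolen = Request(("sales-marketing",), "github", "US", time(10), True)
    print(evaluate(stolen))
```

Logging the returned reason string for every denial gives the incident-response trail the checklist asks for when assessing needs.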

© 2024 Check Point Software Technologies Ltd. All rights reserved.
