Security Framework for Architects
Security Framework for Architects
SECURIT Y FRAMEWORK
(CESF)
A Process-Driven Approach to
Building Enterprise Security Architecture
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 2
Abstract
This Check Point paper outlines a new process-oriented approach
to developing enterprise security architecture. It draws from
both well-known open frameworks as well as Check Point’s rich
experience in architectural design and development.
Audience
Architects, engineers, and designers engaged in security
architecture will benefit from this paper. As a prerequisite, you
should be well versed in network and security design concepts and
generic security architectural concepts and frameworks.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 3
TABLE OF CONTENTS
1 Introduction........................................................................... 4
2 Open Frameworks................................................................. 7
3 Zero
o Trus
Trustt...............................................................................
............................................................. 9
7 The Workshop....................................................................... 16
1 Introduction
Check Point has always believed in extending proper, correct, and impartial security advice to our customers, and the
value in being trusted as security architectural advisors.
Check Point has developed this approach into a complete architectural methodology
and process framework. With great pride, we’re excited to introduce this to a wider
audience as the Check Point Enterprise Security Framework - CESF.
• Building security without a carefully considered plan is at best complicated, and at worst can lead to a compromised
security posture and increase your costs.
• Measuring the success of security spend is vital. Good security architecture adds structure to spending decisions
and improves accountability.
• Check Point believes that security architecture should have a clear and concise methodology.
• Meet our customers’ requirements for a structured and systematic approach to design, architecture, and digital
transformation that results in a tangible implementable solutions.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 5
• Be a methodology that delivers digital transformation; from concept to the completion of real-world security
solutions
• Strategic: The CESF helps define near, medium, and long-term goals, reducing technology overlap and unnecessary
spend. Having a view of a long-term strategy reduces the need for point solutions and helps build a strong, complete,
security ecosystem.
• Complete: The outcome of using the CESF is a security architecture roadmap and reference architecture, one
designed to support the client’s business while maturing the overall security posture.
• Justified: The CESF delivers a bespoke detailed design blueprint that enables clients to build a complete security
ecosystem. Solutions and spend can be justified against measurable requirements. Solutions and spend can also be
justified to the board.
• Independent: Because it is built and based on open standards, clients have full visibility of the decision making
process and how the architectural solution was developed.
• Professional: A collaborative approach to developing security architecture brings Check Point and client architects
into a closer working relationship.
CESF AS A PROCESS
We can explain the CESF process as a logical methodology that consists of a collection of phases. Each phase has a
specific function and output. The combination of these phases allows us to deliver security architecture in a manner
that is accountable, and fully documented. Expressing the CESF as series of linked phases helps simplify the
process and means we can use different resources at different points of engagement.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 6
• Review and Architecture: This phase of the process is for business and architecture reviews as part of a CESF
workshop. This phase is for data-capture, business modelling and risk assessments.
• Design and Build: This phase is for CESF architects to develop a response to the requirements and to build
customized logical design blueprints and recommendations.
• Implementation: This phase is for professional services, partners, etc. to add low-level design details and deliver
statement-of-works for real-world solutions.
• Service Management: This phase is for continuous development and improvement of the security posture.
CESF FUNDAMENTALS
Before we look into the CESF process, it is important to understand the key components and drivers that have
influenced its development; namely SABSA (Sherwood Applied Business Security Architecture) and Zero Trust.
SABSA is widely used outside of network or cyber security requirements to develop business-driven solutions and Zero
Trust has become a mainstay of enterprise architecture. Both of these open frameworks are widely used and respected
by the security industry for their approach and relevance. They are by their nature, both broad and, relevant to all
disciplines of security.
Check Point's deep understanding these subjects has influenced and shaped the development of the CESF process:
• The CESF process has re-interpreted and reformatted these two key influences so that the CESF process is
focused on delivering a holistic network and cyber security architecture relevant to our clients.
• The Check Point CESF process combines the best parts of these existing open frameworks with our world-class
understanding of security, its design, implementation, development, and support.
• The CESF process is designed to deliver realistic, real-word security architecture and must result in blueprints
and recommendations that are actionable and achievable.
+
Figure 2: The key influences
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 7
2 Frameworks
OVERVIEW
Let us look in more details at the SABSA open framework Check Point has used to develop CESF. SABSA is one of the
most widely recognized security architectural methodologies. Its framework allows security architects to develop
a business requirement into a security design, and then to manage implementation in a controlled manner while
maintaining a business-driven focus. Every security solution is based on, and linked to, a business requirement. The key
tools in delivering security architecture through SABSA are the use of the SABSA framework and SABSA views.
The SABSA methodology is to analyze the business requirements at the outset, and create a chain of traceability
through to logical design and implementation. The main features of SABSA are the “views” and “layers” components of
the SABSA framework. In the next section we will look at how these are used and their importance.
VIEWS
The first component of the SABSA process that we will look at is the SABSA “view” concept, which describes how
the framework engages with different stakeholders as we move through the process of security architecture. The
end-to-end process of building security needs to account for all
SABSA View Description
points’ of view. Each layer of the process is relevant to someone’s
point of view. Business View Contextual Architecture
The table to the right shows the various layers of the SABSA
Architect's View Conceptual Architecture
design methodology and the “views” that are attributed to Designer's View Logical Architecture
each layer. Builder's View Physical Architecture
For example, the "Designer’s View" is concerned with logical Tradeperson's View Component Architecture
architecture, and the "Service Manager’s View" is concerned with Service Manager's View Physical Architecture
the operational architecture.
Figure 3. SABSA views1
LAYERS
The SABSA framework is a top-down process that SABSA View SABSA Layer Description
moves through a number of "layers". Each layer has
Identify business risks and
a specific purpose and has a specific “view” as seen Business View Contextual
drivers and review architecture
above. When combined, they make up the entire
SABSA process. Each “layer” has a specific job in Architect's View Concept Define security objectives
the overall process and is a pre-requisite for the The security services that
Designer's View Logical
subsequent layers. Each “layer” represents a specific will be required
set of processes designed to elicit the data needed The tools, standards and
to complete the layer’s objective. Each layer plays a
Builder's View Physical
physical devices
fundamental part in the overall design process. The specific vendor
Tradeperson's View Component
components and sizing
In the table to the right, we have listed the various
layers and their function in the overall process. The ongoing management
Service Manager's View Management
and support
Figure 4. SABSA framework
1 Source: https://sabsa.org/sabsa-executive-summary/
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 8
In its simplest form the SABSA framework is a roadmap to deliver business-driven accountable security by collecting
answers and asking questions at each layer.
Key Point: The framework starts at the ‘contextual’ layer and moves across and down.
Because SABSA has been designed to help in all fields of security architecture, Check Point chose to adopt some of its
guiding principles but to tailor these specially for our own audience and customer-base. The result is a more targeted
process designed to deliver on the requirements of Check Point customers.
Check Point’s adoption of SABSA into the CESF process also means that we are able to borrow common terminology
and act as an open framework.
3 Zero Trust
Zero Trust was introduced to the world as a model for security architecture in 2010 by John Kindervag of Forrester
Research,3 and it’s another key influence on the CESF process.
In this section, we will explore Zero Trust as a wider concept and architectural methodology, before exploring how
CESF uses Zero Trust.
A core premise of Zero Trust is that to think about cyber-risk correctly, we should first assume the internal network is
compromised; we just do not know it yet. If we follow this assumption, we can conclude that internal connections must
be authenticated before they are trusted.
Zero Trust is now an industry standard design methodology. Its approach is a move towards a label-based architecture,
which uses identity and connection-context to make access decisions for users, data, and networks irrespective of location.
In a true Zero Trust network, designers would approach the internal and external networks as essentially the same in
terms of trust, risk, i.e., the internal and external networks are ‘toxic'.
3 Webinar: No More Chewy Centers: The Zero-Trust Model of Information Security,” by John Kindervag, Forrester, August 9, 2010
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 10
The following drivers are commonly quoted as reasons for adopting Zero Trust:
• Email, web access, and all encrypted traffic (VPN, SSL, SMTP-TLS, etc.) cannot be filtered efficiently or effectively at
the corporate perimeter.
• Once inside the perimeter, those traffic items may carry hostile payloads that can work their way transversely to
attack resources they were never intended to contact.
• A hard perimeter is at odds with modern business models; organizations are often disparate with users working
from multiple locations.
• Cloud transformation is a key strategic goal for many organizations. This often means an organization’s intellectual
property and core workloads are now located in shared-ownership platforms. Traditional models of security aren’t
equipped to secure these business models.
As previously discussed, CESF is the Check Point interpretation of the SABSA process combined with best practice
and Zero Trust architecture. In this section, we will convert SABSA “views” and SABSA “layers” to CESF “views” and
“layers”, and incorporate Zero Trust into the CESF process.
We built CESF around number of layers, each with a specific goal and conducted sequentially. Each layer plays a
role in collating and processing the client’s business and security requirements in such a way as to arrive at the
required output. The combination of these layers is a complete security architecture that is fully accountable to
business requirement and fully documented.
SABSA TO CESF
Check Point’s interpretation of the SABSA “layers” has SABSA Layer Check Point CESF Layer
resulted in the same amount of layers, but now described to Contextual REVIEW
be more relevant to our goal of building network and cyber
security solutions. We will look at each layer in more detail
Concept ARCHITECTURE
in a later section of this paper. For now, it is important to Logical DESIGN
understand the conversion that Check Point has made, as Physical BUILD
illustrated in the table on the right.
Component IMPLEMENT
Management MANAGE
CESF uses the principle of views in the same way as SABSA: a view describes the ownership for a layer. In the CESF
framework, we can find the owner of the layer in the "owner" column, as shown in the table below. We will refer to
CESF views throughout this paper, as they are a key part of the SABSA framework and CESF.
Key Point: A difference between SABSA and CESF is that the CESF architect assumes responsibility for multiple views.
CESF L AYERS
Like SABSA, CESF is comprised of a number of layers, each with a specific goal and conducted sequentially. Each
layer plays a role in collating and processing the client’s business and security requirements in such a way as to arrive
at the required output.
The framework below shows the complete CESF table and all its components; in the following sections, we will explore
each layer and their respective inputs and outputs.
NAVIGATION
Before we discuss the various components of CESF it is important to understand how we navigate the table. We have divided
the framework into a number of layers, with specific tools and deliverables at each phase. Each layer is addressed sequentially
and from left to right, as shown below:
This information is provided in the “when” column. The key data-gathering phase of the process is the workshop, which
encapsulates the “review” and “architecture” layer. The post-workshop “design” and “build” layers follow the workshop. The
CESF process then moves to the “implementation” and ongoing support layers.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 14
• Review and Architecture: Check Point teams capture requirements from the client though a tailored CESF workshop,
during which we capture statements and data relating to business context, strategy, organizational aspirations and
security posture. This phase centers on capturing requirements, problem statements as well as performing tasks
such as risk and gap analysis.
• Design and Build: CESF architects develop recommended responses to the requirements that align with security
best practices, open standards, such as Zero Trust and CESF design principles.
• Implementation: Professional services, partners and engineers are able to add low-level design details to the
recommendations delivering on the business-driven solutions built through the CESF process. Engagement of
specialist teams such as incident response and strategic alliance, and.vendor specific design patterns, such as the
Check Point Infinity architecture, can be applied.
• Service Management: Continuous development and improvement of the security posture by Check Point. Account
management and technical post-implementation support.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 15
• The Workshop is the core, and only, vehicle for data-capture and discussion with the client. There is no way to
complete the CESF process without a CESF workshop.
• Review Layer is used to capture the business requirements, risks, goals and strategy. The “review” layer is
business-centric.
• Architecture Layer is used to capture security objectives and perform the required technology-centric
analysis.
7 The Workshop
OVERVIEW
The CSF workshop is a core component of the CESF process. We consider it critical to the success of the process.
Without the workshop, we are not able to collect the information required. The value of the workshop cannot be under-
represented; consequently, they are always conducted face-to-face, in a forum format, designed to allow our clients a
platform in which to articulate their organization’s business and security requirements.
In this section, we will look at how the workshop is conducted, the people required to be present, and show some of the
workshop components. We can describe a Check Point workshop as follows:
The Enterprise Architecture Workshop is an exclusive and focused single day meeting between the client and Check Point
professionals to openly discuss, review and advise on all aspects of the existing, and future, security ecosystem.
As with any client-facing process, there is a specific engagement timeline as shown below. The key point is that the
workshop is an open-forum, face-to-face exercise containing a significant whiteboard session that’s followed by a report.
WORKSHOP PRINCIPLES
Onsite workshops are hosted by dedicated architects and are designed to systematically and methodically capture all
the information required by the framework process. The guiding principles of the workshop are:
• An open, honest, and interactive one day session
• A vendor-neutral security best-practice discussion
• Business processes and context focused
• Security requirement and security concept focused
• Not a technical deep-dive
WORKSHOP GOALS
The workshop is the single most important point of contact between Check Point and the client. The main goals are:
• To better understand the client’s business objectives and how this relates to their security technology choices
• Help clients achieve their architectural goals
• Challenge ideas and explore what is possible
• Help clients align with security best practices
• Write, record, report and present recommendations
OUTPUT
At the conclusion of the review we will have:
• A corporate strategy as it pertains to security
• The client’s business and security drivers
• A collection of business processes and attributes
• The client’s risk appetite
• An analysis of existing security controls and high-level security architecture
• Future or target architecture as the client sees it
• A complete business impact assessment
Stakeholder Interviews
We always start by collaborating with senior security stakeholders to discuss the business drivers. The main vehicle for
collecting requirements is through stakeholder interviews, conducted with senior managers, program managers, and
C-level representatives. The interviews allows the architect to hear first-hand the client’s business objectives and
security challenges. These interviews are critical for establishing what really matters to the organization.
In this opening section of the workshop, the client’s senior managers, program managers, etc. will articulate:
• What the business does and how it achieves its goals
• The key business process that the client is engaged in
• The impact of security on business functions
• The perception of security requirements to the business units
• Future business objectives
• The impact of change on the business
• Security architectural review: Identify and cover immediate, mid- and long-term security challenges.
• Security network and threat prevention design: Provide a secured and flexible network and security design aligning
with the security best practices.
• Understand existing security controls: The security infrastructure review session must capture the current state of
the architecture to a sufficient technical depth, without unpacking the entire configuration. The architect will use a
security control matrix to make sure all significant areas are covered.
Participation
The success of this phase is very much dependent on gaining the correct level of commitment and "buy-in" from the
client.
The value of the designs developed though the CESF process is conditional on us collecting the correct level of
information during the workshop. For example, in many organizations top-level managers can articulate the business
strategy and future business aspirations, fundamental information for the CESF process. The most effective workshops
are those that have the correct C-level sponsorship.
While every organization has its own internal structure, a good example of the various participants is in the table below.
In the previous section, we discussed the workshop and the workshop process. We complete this layer during the
workshop. This layer describes the process of capturing business objectives, requirements, aspirations, and near-,
medium- and long-term goals. It is the only layer dedicated to the client’s business and its objectives.
1 2
Stakeholder 3
Business Drivers for
Interviews Attributes
Requirement Security
Figure 19. The components of the review layer are all critical to understanding the client business requirements
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 20
Definition: A business requirement is a resource, process, or condition that is vital for the continued success and
growth of a business. Below is an example of a business requirement captured in a data-capture template:
Business drivers for security are very specific to each client and it is only through the workshop interviews that we
are able to capture these in detail. Often business requirements are too general in definition. The BDS gives them
more focus and relevance to security architecture.
Key Point: Business drivers for security are aways inked to the business requirements and processes. BDS’s provide the
security context to the BRs.
Below is an example of a business requirement and its corresponding BDS.
3. Attributes
The next and final stage is “business attribute mapping.” This is the process of assigning a number of attributes to
each requirement identified during the workshop.
We will discuss what an attribute is in the following section and they feature prominently in this paper. However, for now
it is important to note that “attributes” play the role of providing a link between the requirement and the recommendation.
An attribute is a conceptual abstraction of a business requirement. The attributed terms are abstract in nature but
are an excellent mechanism to map out security controls. There are no fixed rules on how attributes are used and
their use is often subjective. It is the CESF architect's responsibility to use attributes correctly.
De inition: SABSA defines an attribute as a conceptual abstraction of a real business requirement (the objectives,
drivers and targets) which are modeled into a normalized language that articulates requirements and measures
performance in a way that is instinctive to all stakeholders.
Key Point: Defining attributes also helps us to prioritize the business requirements and security drivers. Attributes can be
given different weightings. Later in the CESF we will use the attributes to define the security controls that are required.
For the sake of simplicity we have borrowed the SABSA attribute table. However, it is possible for the architect to
express their own attributes. The example below shows how we collect the attributes into our business process table.
Figure 22. A security attribute map used to link business requirements to business drivers for security
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 22
ATTRIBUTE MAPPING
In complex cases it is common to find multiple attributes linking to multiple requirements. Another way to present
these complexities is using an attribute map. The example below shows an enterprise’s goals and security objectives
connected to security attributes.
Figure 23. A security attribute map used to link business requirements to business drivers for security
Maps like the one shown above will be expanded on during the next phase of the CESF process, for now it is
important to appreciate that a single attribute might decribe multiple requirements.
In the following example, we have added the attributes to the data-collection table.
Key Point: This layer represents the workshop’s architectural review process, and it should be considered one of the most
important layers in the CESF process.
Combined with the review layer, the architecture layer will produce a complete business and technical data set on which
the following phases will depend. In the following section, we will outline some of the key processes that define this layer.
RISK ASSESSMENT
A key component of this layer is performing a risk assessment that captures, in a systematic fashion, the various
security components currently in the network. We use the risk assessment to measure and record the organization's
security posture, in its current state.
The assessment is designed to probe the customer's security architecture. Through the assessment, the CESF
architect can record how effective an attack might be and record the potential impact of a successful attack. This
process analyses the risk and impact of various breach types, and the damage that would be caused.
A risk matrix gives us a structured method to work through various pre-defined controls and score them depending on
the risk that a failure of this control would mean to the organization.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 24
“A way to think about cyber threats is to assume you have already been compromised; you simply don’t know it yet.”
Forrester5
Adopting this position allows for a higher degree of speculation about existing security postures, which results in a
complete and thorough appraisal of the network. We will cover this topic in depth during the workshop stage of the
CESF process.
Risk appetite is the level of tolerance that an organization has for risk. One aspect of the definition is to understand how
much risk an organization is willing to tolerate, and the other is thinking about how much an organization is willing to
invest or spend to manage the risk. Risk appetite sets the boundaries for prioritizing which risks need to be treated.
Security Productivity
Adopting this position allows for a higher degree of speculation about existing security postures, which results in a
complete and thorough appraisal of the network. We will cover this topic in depth during the workshop stage of the
CESF process.
THREAT ANALYSIS
A useful tool for analyzing a client’s current architecture and security posture is through a managed Check Point
CheckUp. We can use CheckUp results to understand network traffic and Internet usage. Often this level of insight can
draw attention to operational issues, such as a lack of security visibility.
In the following phase, we will use this information to formulate a security architectural blueprint, roadmap and report.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 26
• Design Layer, which uses Zero Trust, network segmentations, attribute mapping and security best-practices to
define the security components required to meet the BRs.
• Build Layer, which pulls all the design components together into a logical security architecture blueprint and
completes the reporting element of the process.
From the CESF table below, we see these phases complete post-workshop. They are the last layers under the
CESF architect's complete ownership. Once the “design” and “build” layers are done, the design is passed to other
teams for implementation.
MANAGE Ongoing management and Account services, life-cycle-management and Account Manage-
support. ongoing support. ment, IRT, TAC
Figure 28. The CESF table showing the design and build phase
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 27
The following techniques, processes and tools are used as part of this layer.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 28
LOGICAL DESIGN
This section explains the technology design process. As explained in previous sections, the CESF architect will use
information in the preceding layers, combine this with Zero Trust, reference architecture and best practices, and
produce a design template and solution.
Before we can start building the logical design, we need to know what security components are required. For this, the
architect will use the “attribute-to-service” mapping. This process is similar to the “business-to-attribute” mapping that
we discussed in the review section. However, this time we are using the attribute to help define security services.
USING ATTRIBUTES
We first discussed attributes in the “review” layer and explained that each business requirement needs to have a
number of them; a requirement would have between 2 and 20 attributes.
In this phase, we will map those attributes to specific security components and services. These components are key to
the solution as they meet the needs of the various business requirements. This process does not let the CESF architect
know where to put the component in the design, only that the component is required for the design to be complete.
Definition: A component is a vendor agnostic description of a thing that has a specific security function. For example, an
IPS is a component.
It is the job of the CESF architect to consider each attribute and define the service, or controls, that are appropriate to
meet the expectation of the attribute. As we have stated before, the attribute is the single most important link between
the review and architecture layer and the design and build layers.
Requirements Attributes
Definition: A security control is defined as a process, object or action that results in a specific security action or event.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 29
In the context of the CESF framework, the design layer is only concerned with defining these controls and
security services. Some examples are shown below:
This step is critical for a completed architecture as it maps the attributes to real-world security technology and, where
appropriate, to Check Point technology.
Key Point: Mapping controls to business attributes means that we never loose focus on what is important to the business.
Every control is there for a reason.
Key Point: CESF architects will use a list of known mappings. However, the main point to this process is being able to justify
why a specific component, technology or service is being used.
This process provides us with the list of security controls we will use in our design. In the map below, we can see how the
security attributes that were collected as part of the previous phase are now mapped to security services and controls.
Figure 31. The language used to describe security is different at each layer
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 30
In the following section, we will look at the building blocks of Zero Trust design, as defined by Forrester, and how we
applied them to the CESF process.
Toxic networks – In Zero Trust architecture workloads should be available and accessible regardless of location. Zero
Trust demands that security professionals protect internal data from insider abuse in the same manner as they protect
external data on the public Internet. This has an impact on the security controls that we would use in the design.
Key Point: A Zero Trust design principle would be to restrict a user’s access
to only the resources they need to perform their job, and, instead of trusting
everyone, we verify that they are the intended user for the resource.
• Encryption: A key point that resonates with many security professionals is the percentage of encrypted traffic
traversing perimeter gateways, and how effective perimeter security can be given the levels of encryption. For
example, VPN, SSL, and TLS all traverse without inspection and to properly inspect this traffic will involve monetary
and time resources.
• Security effectiveness: Zero Trust helps security architects deal with the role of network security in modern
environments. The effectiveness of network controls is reduced due to end-to-end encryption and the ability to place
network security controls in-path.
• Micro-segmentation and visibility: In order to keep threats isolated and any infection blast-radius contained,
highly segmented or micro-segmented networks are needed. Increasing the amount of segments gives us more
opportunity to monitor and record traffic. This should result in a high-degree of network visualization.
• Flat networks: Zero Trust can often be an effective way to address security in flat networks or where an organization
wants to change fundamental ways of working, i.e., mobilization and worker agility. In such cases it can often
be easier to move to a Zero Trust architecture that puts identity at its core, as opposed to creating traditional IP
segmented networks.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 31
Changes to operational and business processes can often lead to more secure and manageable security solutions.
The CESF process acknowledges the value of such changes to the overall security architecture.
Workflow Process
How customers manage, their environment has a significant impact on the technology used. In some instances, the
client may not have the capacity to manage a complex security ecosystem, so the architect might propose changes to
the workflow process in order to enable a simpler, more manageable security.
Recommendations that address changes to workflow processes can often include use of new technology, such as
automation, and:
• Simplification of the security policy
• Simplification of the change control process
• Sharing responsibility for the security policy with other teams, such as application owners
Operational Efficiency
How the client’s operational team conducts the management of their security estate has an impact on security
effectiveness. Often when security infrastructure becomes more complex, the size of a security team remains static.
The CESF process recognizes this potential issue and is cognitive of the impact changes to security controls, services
and processes can be.
We must consider the people and process component of security architecture as the part of the design process.
Recommendations should be cognitive of the impact on the operational team’s workload and responsibilities.
When relevant, the CESF architect will make recommendations to operational practices for the betterment of the
overall security architecture. Often the CESF architect will be able to draw on first-hand experience of security
operations (SOC) and share their relevant knowledge.
• Adoption of design templates from a pre-built service catalogue in order to reduce the design cycles.
• Changes to the change-control process so that pre-approved changes are allowed, resulting in security changes that
can be implemented quicker.
• DevOps teams take control of intra-zone access control policies in order to reduce the change to
implementation times.
• Assistance to help define the network as a cloud platform in order to help simplify cloud transition.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 32
The design blueprints produced at this layer are a key deliverable handed back to the client, and define the CESF
architect’s vision for the client’s architecture.
The main technology deliverables from this layer are the document;
The CESF process relies heavily on Zero Trust to inform how we approach segmentation. A key tenet of Zero Trust is to
design a network that enables micro-segmentation for the purposes of increasing security visibility and reducing risk.
Practitioners of cyber security will know the security benefits of moving to a properly segmented network and CESF
architects will use segmentation best practice as a core design principle.
Key Point: It’s norma to find that organizations are not abe to immediatey convert to a compete Zero Trust architecture.
However, because the architect knows the key attributes required in the design, they are abe to seect what components of
Zero Trust are the most appropriate.
Depending on the outcome of the workshop phase, the CESF architect would define one, or all, of the Zero Trust
building blocks to be included in the final design. According to the principles of CESF, which we have discussed in
previous sections, the design must be based on clear business requirements. Consequently, how Zero Trust is
implemented is conditional on the outcome of the workshop. Below are the various Zero Trust designs that could be
used.
• Zero Trust Networks: Reduce the risk of lateral movement with micro-perimeters and identity-based policies.
• Zero Trust People: Use multi-layer authentication to identify and verify all corporate access to any internal asset.
Figure 34. The components required for Zero Trust people design
• Zero Trust Devices: Secure, control, and isolate every device on your network.
• Zero Trust Workload: Secure data and applications in public clouds and data centers.
• Zero Trust Data: Keep data secure, anywhere, with comprehensive multi-layered protection.
• Visibility and Analytics: Full threat visibility with a single view into security risks, integrating Security Information
Management (SIM) and more advanced security analytics platforms like Security User Behaviour Analytics (SUBA).
Other analytics systems can also be enabled to know and understand what is taking place in the network.
• Automation and Orchestration: Automate all processes and tasks using flexible APIs and rich 3rd party integrations.
Providing the ability to have positive command and control of the many components that are used as part of the Zero
Trust strategy is a vital piece of the extended Zero Trust ecosystem.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 34
DESIGN BLUEPRINTS
The completion of the build phase is the publishing of the Check Point workshop report, which we will discuss in the
next section. A core component of the report is the design blueprints. These present the recommended logical security
architecture, the security components, and their placement within the network.
The CESF architecture will draw on a number of resources in this part of the process. Some of these are:
• Security Control Matrix: The controls, components and services that were identified and linked to the business and
architectural review will now be transposed to the design blueprints.
• Best Practices: Applying the industry and Check Point security best practice guides, as well as our own industry
knowledge means that design blueprints are able to form the basis of any low-level design that might follow. The
components are placed in the design relative to the required position and in relation to other security components.
• Segmentation: The segmentation architecture, including alignment with Zero Trust, as well as a proposal for
segmentation rules.
• Reference Architectures: CESF architects have been conducting workshops for over five years. As a consequence
the architects are able to draw on a design repository in the creation of the design blueprint and report. This allows
designs to be referenced across industry verticals.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 35
Network Security
Segmentation Controls
& Zero Trust Matrix
Reference Best
Architectures Practice
Figure 36. Combining the various elements into the CESF process in order to define security architecture
The graphic below shows a client’s network in which multiple enforcement points have been established. As part of the
CESF “build” layer, each of these enforcement points should be understood in the context of security and business
requirements.
• Attack Surface: A single-platform approach where security products form each part of the network, including
endpoint, cloud, and mobile, work together as a single security ecosystem.
• Complexity: Multiple security platforms normally means multiple management platforms, all of which need to be
supported. Multiple point solutions can reduce overall security effectiveness. Building a security ecosystem means
the sum of the total is more than that of the individual components.
• Operational and engineering teams are under increased pressure to deliver projects faster. Using the Infinity
architecture approach means less complexity because the entire security infrastructure is managed from a
centralized security policy.
• Intelligence: At the heart of Infinity architecture is the concept that by combining and sharing threat intelligence,
from multiple sources, we are better able to protect the network, users and workloads.
Check Point Infinity architecture is described in the graphic below, where the entire security ecosystem is integrated
with a cloud-based, threat-intelligence data store, and where management is consolidated.
Key Point: Check Point Infinity is a cyber security architecture which future-proofs business and IT infrastructure across all
networks, including cloud and mobile. The architecture is designed to resolve the complexities of growing connectivity and
more challenging security.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 37
While the logical architecture must reflect business requirements, it should also be aligned with relevant architectural
practices. For example, the Purdue model is widely used when developing SCADA security architecture.
THE REPORT
If the CESF process is going to be an effective means of communicating a long-term vision for better security, then it
must be properly documented. At the completion of this layer, the architect will have created a bespoke report that
outlines the key design and security concepts that Check Point would recommend for meeting the client’s
requirements.
The report is the only deliverable from the workshop that documents the design process from conception to
completion.
REPORT CONTENTS
The standard report aims to be a single source of high-level design recommendations based on business requirements
and security drivers. At a minimum, a report contains:
• Review and Architecture: What data was captured during the workshop and the existing network topology
highlighting the components that should be considered as part of the overall security posture.
• Best Practices: The Check Point architect’s methodology. This section explains how the various attributes have been
assigned and why.
• Conceptual Design: A comprehensive, high-level security architecture report (50-80 pages) with findings and a
recommended design. Personalized reports are crafted for each client.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 38
Key Point: It’s important to remember that the report is ony designed to give high-eve recommendations, design advice,
and conceptua architecture, and not ow-eve design. The transition from high-eve concepts to ow-eve, impementabe,
design is discussed in the next section.
The architect has now finished the “design” and “build” phase of the client’s security architecture.
Network Security
Segmentation Controls
& Zero Trust Matrix
Reference Best
Architectures Practice
Figure 41. Taking the outcome from the review /architecture layers and producing a workshop report
In the “implementation” layer, the logical design is handed to other teams so that the various components, services, and
processes can have real-world meaning and exist in the client’s network or as part of the client’s process.
We would expect that the recommendations are fully costed and that this is presented and agreed with the client.
Figure 42. CESF showing the implementation layer and its owners
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 40
Key Point: When the overadesign reaches this ayer, the ogica architecture woud have been shared with the cient and approved.
Key Point: At this ayer, the ogica architecture is now expected to become a reaity.
As part of the “design” and “build” layer, we have mapped the attributes to technology and operational processes.
The “implementation” layer represents the process of further developing these choices into the physical security
mechanisms and security services.
The table below shows how the CESF process expects the “implementation” layer to describe the design.
If the design blueprints are to be stood up as a working solution, then professionals with working knowledge of
the implementation must to do this. The Check Point teams that the CESF would expect to be engaged in this
layer are:
• Engineering – Check Point’s qualified engineers across all disciplines are able to address the low-level
requirements of the design. These teams are critical to realizing the design in real-world terms. Specialist
engineering teams will have practical working knowledge of the various components. Check Point engineers are
also able discuss how Check Point products work “under-the-hood” and engage with the client on proof-of-concepts
and product testing.
• Account Services – Designs that have progressed to this layer are fully costed and this information is shared with
the client. Ongoing service management is covered in the subsequent layer. However, professional services, incident
response teams, and component costs are considered part of this layer.
Key Point: As with aengineering work, component sizing is a key consideration. The purpose of this ayer is to compete this
process and to factor in elements such as future capacity requirements.
Figure 46. The output from the implementation layer should be enough to complete a working design
END-TO-END EXAMPLE
The following data-capture table shows a completed project whereby the business requirement has been translated to a
design and set of Check Point components. Using data-capture forms allows the entire process to be viewed on a single
page, albeit at a high-level.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 42
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 43
14 Service Management
The final layer in the framework completes the CESF process. The service management layer is important as it sets up
the ongoing process of design evaluation, in-flight account management, and the lifecycle management of the overall
security architecture.
At this layer, we have completed the design and implementation of the logical architecture. Engineers now need to test
and evaluate the solution.
The CESF owners for this layer are Check Point Professional Services, Check Point Incident Response Team, and
account management teams.
It is now the responsibility of the other teams to maintain the momentum of the CESF process. The account service
teams and technical support teams such as TAC and Diamond Services, who are responsible for the ongoing support of
the implemented architecture, own this layer. These teams will work with the client for the duration of the solutions.
Key Point: Account managers are responsible for restarting the CESF process.
CHECK POINT ENTERPRISE SECURITY FRAMEWORK (CESF) | 44
Account services and security engineers are in constant contact with the client, so it would be up to these teams to
decide when to re-engage the architectural process. As the business requirements change, so too should the security
architecture. The CESF process requires a Check Point representative to make sure the process does not stall and that
the customer’s solution is always relevant to their requirements.
Making informed architectural decisions based on clearly defined business requirements can help you understand the
benefits and the context for why a specific solution is recommended.
All designers and architects strive to achieve completeness of vision in their solutions. Working within CESF means that
only the requirements recorded are processed into solutions, allowing focus on solutions and justified results.
In addition, by developing a security architecture that is accountable and documented, the value of time spent designing
and developing a security solution is justified.
We hope that by using the CESF process our clients can develop quicker solutions, create solutions that have a longer life
cycle, and ensure that solutions are more efficient in terms of cost and security posture.
Worldwide Headquarters
5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: info@checkpoint.com
U.S. Headquarters
959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233
www.checkpoint.com
© 2020 Check Point Software Technologies Ltd. All rights reserved.