This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cryptochrome
Contributor
3 weeks ago
Jump to solution

Harmony Email & Collab is a gaping security hole for Google Workspace customers

Hi,

While this may seem like a bit of a rant, I actually want to raise awareness, get feedback from Check Point product owners, and start a discussion about what I believe is a massive security risk inside the Harmony Email & Collab product, otherwise known as Avanan.

Disclaimer: I tried to talk to Check Point directly before I decided to write this post, but received no feedback whatsoever. 

The Problems:

The way the product integrates into Google Workspace is not at all based on Google Workspace APIs. The "integration" simply re-routes all emails through a Check Point owned MTA, where emails are evaluated for risks, and then routed back to Google Workspace. It's all simple SMTP MTA routing.

That in of itself is not really an issue, apart from the fact that the marketing is misleading.

The problem lies in how this is achieved:

  1. Check Point requires you to hand over a Google Workspace "root account" (e. g. super admin).
  2. Check Point requires you to hand over the password for that root account
  3. Check Point requires you to disable 2FA for that root account*
  4. Check Point requires you to keep this account active at all times and never, ever, change its password
  5. Check Point requires you to disable comprehensive email storage in Google Workspace, which is an important feature for compliance (email archiving through Google Vault)

Why do they do this? Because their "integration" is not an integration. They use the root user to log in to your Google Workspace admin console and change a bunch of settings to accomplish the re-routing of emails (technically, MTA hosts are added, routes are added, and compliance rules are added). This is, of course, automated, but the fact that a root user with disabled 2FA* has to be handed over to Check Point is a massive red flag. I am not even touching on the point that this requires an additional Google Workspace license, as that is just the icing on the cake. 

Google offers a vast array of APIs for Google Workspace, and Gmail, in particular, offers proper authentication with OAUTH, etc, yet here we are. 

I tried to address this issue all the way back when Check Point acquired Avanan, and I tried to address this multiple times after. This wasn't even acknowledged nor did I ever get a meaningful response - despite being a Check Point partner. 

I would like to understand why Check Point is not addressing this gaping security hole, and I would also like to see some commitment to changing this in the future and enhancing the product with proper API-based integration into Google Workspace. 

 

*Note: Upon checking the most recent version of the documentation, it is no longer mentioned that 2FA has to be disabled. It looks like Check Point is enabling 2FA for that account, but the documentation is not really clear about this. 

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
a week ago
Jump to solution

Hi Sascha, thanks for your feedback. Following the internal discussion, I have received a reply from Gil Friedrich, VP Email Security, stating the following, quoting in full:

  1. 2FA can be enabled for this account. In fact, this is our recommendation to the end-customer
  2. The password is securely stored in KMS, AWS’s secret storage
  3. The account can be disabled (Recommended) or even deleted after the installation is completed. Thanks for your feedback, we are going to auto-disable the account once the configuration is completed (Coming soon)

Finally, we will make sure the documentation is updated the documentation with the above points and the new documentation is available from here

I hope this answers your concerns. If not, please let me know again.

 

View solution in original post

12 Replies
_Val_
Admin
Admin
3 weeks ago
Jump to solution

Hi Sascha, 

Finally, you mentioned that you tried to reach out to Check Point to raise your concerns. Who did you speak to? I can hardly believe nobody got back to you on this. I will make sure someone talks to you to address your concerns. It may take a bit of time, as today is the weekend in Israel already.

 

0 Kudos
cryptochrome
Contributor
3 weeks ago
In response to _Val_
Jump to solution

I would like to make up my mind about MFA, but as I mentioned, it's not clearly addressed in the documentation. In earlier versions, customers were specifically asked to disable MFA for the account. In the current version, it asks to "allow the account to enable 2FA" - what that means is not clear. Does Check Point actually enable 2FA for that account?

0 Kudos
_Val_
Admin
Admin
3 weeks ago
In response to cryptochrome
Jump to solution

I am afraid to ask, did you check it during a trial? For me it seems, the documentation says, 2FA can be enabled. Is this all purely theoretical, or do you have a specific project in mind? Please let me know offline, this will help to get you a meaningful answer.

You already have my email.

0 Kudos
cryptochrome
Contributor
3 weeks ago
In response to _Val_
Jump to solution

When I trialed it last, which was some time ago, I was asked to disable 2FA. As mentioned above, I have inquired about this through distributors and with Avanan staff directly in the past and was told that's just the way it is. If it has changed since, I appreciate that, but it's just one point of many in my criticism. 

The core of the issue is that Check Point needs a plain-text-password root account in customers' Google Workspace tenants — a root account with maximum privileges for everything in it. 

0 Kudos
_Val_
Admin
Admin
a week ago
Jump to solution

Hi Sascha, thanks for your feedback. Following the internal discussion, I have received a reply from Gil Friedrich, VP Email Security, stating the following, quoting in full:

  1. 2FA can be enabled for this account. In fact, this is our recommendation to the end-customer
  2. The password is securely stored in KMS, AWS’s secret storage
  3. The account can be disabled (Recommended) or even deleted after the installation is completed. Thanks for your feedback, we are going to auto-disable the account once the configuration is completed (Coming soon)

Finally, we will make sure the documentation is updated the documentation with the above points and the new documentation is available from here

I hope this answers your concerns. If not, please let me know again.

 

cryptochrome
Contributor
a week ago
In response to _Val_
Jump to solution

Thanks Val, I appreciate the feedback, updated docs and improvements!

_Val_
Admin
Admin
a week ago
In response to cryptochrome
Jump to solution

No problem, we are here to help.

0 Kudos
cryptochrome
Contributor
yesterday
In response to _Val_
Jump to solution

Hi @_Val_,

have these changes been deployed yet? We created a new tenant about three days ago. Neither was the super user automatically disabled after onboarding, nor was 2FA enabled for it:

Screenshot 2024-04-29 at 14.00.41@2x.png

 Thanks

 

0 Kudos
_Val_
Admin
Admin
yesterday
In response to cryptochrome
Jump to solution

The quote above say "2FA can be enabled for this account. In fact, this is our recommendation to the end-customer" Can does not mean it is defined from the start.

Auto-disabling is also covered: "Thanks for your feedback, we are going to auto-disable the account once the configuration is completed (Coming soon)

 

I hope it makes sense. Also, why wouldn't you work with your local CP office? It is much easier to get help for your specific needs this way.

Please let me know if you need any assistance from my end, though

0 Kudos
cryptochrome
Contributor
yesterday
In response to _Val_
Jump to solution

Hey Val, I thought the community forum is a good place to talk about product questions. I can talk to the local CP office instead, if you prefer that.

I missed the "coming soon" part, as I was looking at the documentation, where it doesn't state coming soon. Hence my question.

If we enable MFA on the account manually, how would the account be able to still log in? 

Cheers

0 Kudos
_Val_
Admin
Admin
yesterday
In response to cryptochrome
Jump to solution

Hey @cryptochrome, please let me clarify what I mean.

 

When you want to make a general inquiry about product functionality and see what other experts think about it, yes, the community is a perfect place to do that.

However, if you have a solid project in mind, or you are in a sales cycle, it makes much more sense to work with your local SEs, they can be very helpful when it comes to getting the correct answers from the right people. I assumed it is your case. If this assumption is not correct, you can disregard the recommendation.

On top, any missing feature that you might want to add to the product can be an RFE, and here again, the local office is the correct route. 

Your SE and/or TAC should also be more helpful in answering specific technical questions.

I will chaise R&D to see who can answer your new questions. Please allow me some time. There is a national holiday in Israel today, most of ppl are unavailable for an immediate chat.

0 Kudos
cryptochrome
Contributor
yesterday
In response to _Val_
Jump to solution

No worries, it isn't urgent. Thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events