Security policy orchestration eases the process of making changes to complex networks

It’s growing more difficult to monitor and manage the near-constant changes to network configurations. Tufin Technologies introduces security policy orchestration in order to bring automation, collaboration and integration to the process. The benefits include reducing the time to make secure changes from a week to a day.

Enterprise networks have become so large and so complex that it’s practically impossible today for humans alone to manage device configurations and policy changes in order to maintain a secure network. This is the premise behind the discipline known as security policy management.

A variety of technology vendors offer products that monitor changes to firewalls, routers and switches and assess the risks that such configuration changes may pose to the enterprise. These tools allow you to audit and report on changes to help you maintain compliance with your own corporate policies as well as government and industry regulations.

Tufin Technologies is one of the vendors that has traditionally provided a suite of security policy management tools. Now the company is pushing the direction of its products beyond monitoring and reporting and into orchestration, creating a new product category it calls security policy orchestration. According to Tufin, the new direction is about how to automate changes, integrate the different systems that network teams are using, and enable collaboration to the point where changes can be implemented in a day instead of a week, and more securely.

The three key elements of security policy orchestration are automation, integration and collaboration. Let’s break those down and look at what they mean in Tufin’s approach.

Automation refers to the process of designing and implementing changes to the network infrastructure. In a heterogeneous environment, you are likely to have firewalls, routers and switches that come from different vendors. Tufin is able to build a topology map of all the devices, including how they are interconnected, and then use that map to design configuration changes.

Let’s say you want to make a few changes to support a customer-facing application. Tufin can suggest what the correct network design is and build a cookbook on how to implement that change on the correct network device. Tufin can push that change automatically without you having to go open the command line and make changes to the device. The process also enables automatic risk analysis, compliance checking and business continuity testing to see what the impact of that change will be before it is implemented.

As networks become more complex, collaboration becomes a more important component of security policy orchestration. It’s common that a change request is initiated by a group (such as applications development) that is siloed from the change implementation team. So you might have the requestor being the application team, the approvers being the network security team, and the implementers being the network team. These teams don’t necessarily speak the same business language, resulting in poor collaboration.

Tufin tries to bridge that gap with change request templates that the network team builds and the application team uses to generate a request. This approach takes into account that people responsible for various applications often request the same kinds of network changes over and over. The network team bakes the technical details into templates so the applications people don’t have to worry about the device details.

When the network team gets the change request ticket, the underlying technical details are already there, such as which networks are involved, and what port numbers are involved. In effect, the app team is able to describe its requirements in a relatively simple fashion and the network team can actually understand them. These templates are a common foundation for collaboration as well as automation so that changes can be pushed through the system very quickly.
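The template-driven request and the pre-implementation compliance check described above can be sketched as follows. This is an added example, not Tufin's code or API; the zone names, addresses, template names and policy matrix are all constructed assumptions, and only IPv4 is handled.

```python
import ipaddress

# Constructed zones and zone-to-zone policy; every name and address is an assumption.
ZONES = {
    "internet": "0.0.0.0/0",
    "dmz": "10.10.0.0/24",
    "app": "10.20.0.0/24",
    "db": "10.30.0.0/24",
}
ALLOWED = {("internet", "dmz"): {443}, ("dmz", "app"): {8443}, ("app", "db"): {5432}}

# Templates the network team maintains: ports are fixed, endpoints are parameters.
TEMPLATES = {
    "publish-web-app": [("0.0.0.0/0", "{frontend}", 443), ("{frontend}", "{backend}", 8443)],
    "app-to-database": [("{backend}", "{database}", 5432)],
}

def zone_of(cidr):
    """Return the most specific zone that fully contains the given network."""
    net = ipaddress.ip_network(cidr)
    hits = [(ipaddress.ip_network(z), name) for name, z in ZONES.items()
            if net.subnet_of(ipaddress.ip_network(z))]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def expand(template, params):
    """Turn an application-level request into concrete (src, dst, port) flows."""
    return [(s.format(**params), d.format(**params), port)
            for s, d, port in TEMPLATES[template]]

def review(template, params):
    """Check every flow against the zone policy before anything is pushed."""
    findings = []
    for src, dst, port in expand(template, params):
        pair = (zone_of(src), zone_of(dst))
        if port not in ALLOWED.get(pair, set()):
            findings.append(f"{src} -> {dst}:{port} violates {pair[0]}->{pair[1]} policy")
    return findings
```

An empty list from `review` means the request can go to implementation; any finding sends the ticket back to the approvers with the exact flow and zone pair that failed.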

And the third element of orchestration is integration. Tufin’s Security Policy Orchestration Suite supports RESTful APIs to enable other systems to exchange data with the Tufin system. For example, you might want to import data into the Tufin system from a ticketing system to automate configuration changes. Or you may want to export data from Tufin, such as access control lists or firewall policy information for a compliance audit.

One of the value propositions of using an orchestration solution is the time savings. By using a high level of automation to request, design and implement a change, the whole process can be reduced from a week or more to just a day or two.

Security policy orchestration is indicative of the maturity of the security policy management market, as well as the increasing complexity of network environments due to virtualization, cloud and IPv6. It’s no longer feasible for a network team to try to manage everything without a high level of automation, and Tufin is helping to push the market in that direction.

Linda Musthaler is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
