For a long time, many pundits have spoken about a time when security does not exist in a separate silo but is instead integrated into the larger IT mission. Combining this with development processes represents a holy grail for some in security as well as for the adherents of DevOps. Tufin Technologies last week announced an enhanced vision of their product suite that seeks to make this goal a reality.
Tufin's bigger focus recognizes that both development and IT operations have more than a small share of interest in how, when and where security policies should be implemented and maintained in the organization. In order for security policy management to be successful these teams within the organization need to have both insight and the ability to establish and manage the policies.
On top of this, the speed at which organizations work today makes many manual policy reviews of things, such as inserting firewall rules, a drag on an organization's ability to act in the real world. Like so much that is happening with the broader IT management and development world, automation is a must in order for today's organizations to be nimble enough to move at the speed of business.
Tufin recognizes this new reality and has seen their product migrate over the last years to incorporate automation, as well as reach out to a broader audience within organizations.
I had a chance to speak with Ruvi Kitov, CEO of Tufin, regarding the announcement. Kitov sees his company's product evolving from just a firewall rule manager to a true platform for IT security automation. This automation, which he calls orchestration, allows Tufin customers to institute process and policies that make the management of firewalls, routers, load balancers and other network devices much faster and easier, and leave an organization running leaner and more secure. Sounds like a win all around.
Of course, one person's orchestration is another's automation. I have spoken to other CEOs of companies that are also seeking to bring more automation to IT ops, development and even, yes, security. In fact, automation is a cornerstone of both the agile and DevOps movements. In security, a Tufin competitor, FireMon, has been talking about automation for some time as well.
Call it automation or orchestration, John Allspaw of Etsy has written a ton about the inevitable effect it will have in our organizations and IT in particular. I have been spending a ton of time lately immersing myself in the DevOps world. I do believe that automation, or in this case orchestration, is the logical place for security to proceed.
I give Ruvi and Tufin a lot of credit for striking out publicly in this direction. Of course it also gives Tufin a bigger sandbox to play in and potentially a bigger market. But it is not a small task to take a relatively successful company like Tufin and decide to try and lead the way to a new arena with a bigger bag of marbles.
One of the questions I asked Ruvi was whether this changed who his customer was within an organization. Somewhat surprisingly, Kitov said not really. While of course the security department was always involved in the sales process, rule and security policy management has been so integrated into network IT operations that Tufin has been dealing with business and financial stakeholders in both network IT and development for some time now.
Kitov said that the Security Policy Automation branding may be new from a marketing perspective but is actually where Tufin has been going with its product for a while now. In some respects, it may be a case of the marketing catching up with the product. Now that is a change.
In any event, it will be interesting to see if IT Security Policy Orchestration helps bridge the gulf between security, IT operations and development. I really do think this is where it is all going, and Tufin, as well as other security companies, will be heading in this direction.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.