The Orchestration Suite actually comprises three products: the SecureTrack dashboard (change tracking, risk analysis, etc.), SecureChange (change automation-ticketing) and SecureApp. It provides end-to-end, policy-based change automation with the necessary security and compliance checks for each change, boosts the agility and security of application migration with automated provisioning and built-in security and compliance, supplies risk analysis against the enterprise security policy baseline and provides automated change design.
Basically, the Suite orchestrates the management, application and change control for security policies across networks. It integrates cleanly with third-party products and supports compliance with most regulatory requirements. Although it is housed in a physical appliance supplied by Tufin, it can support cloud-based environments, such as Amazon Web Services. The appliance can be installed in a virtual environment, but it must be on premises to enable polling the devices on the network.
One of the product's most valuable functions is doing comparisons to show what has changed on the enterprise. However, because it does not do auto discovery, this can be a tedious process and may not be completely reliable. Change discovery is only as reliable as the system's knowledge of what devices on the enterprise may be subject to change. While the Suite consumes data from third-party tools - certainly an acceptable approach - the data on enterprise devices are only as accurate and complete as what is provided by the third-party tool.
A key benefit of Orchestration Suite is users gaining visibility of what is going on in the enterprise presented under a single pane of glass. The SecureTrack module is, actually, that pane of glass, at least as a starting point. It proved an excellent dashboard and it was where we landed when we began the evaluation. We were presented with a high-level view of the enterprise and, grossly, what was going on in it. From the gross view we could tune down to a finer view using excellent drill down.
There is a solid policy generator that helps select the level of permissiveness of rules. The product has a unified security policy and the user can create matrices that help put various findings in context. Although Tufin provides rule templates, you will need to map the network into zones. We found this tedious - mapping usually is - but we know of no way around it given the architecture of the product.
However, Tufin does not provide any policies. You will need to create your own (e.g., PCI). The setup seems to us to be very tedious. For example, the tool does not do auto discovery. Devices must be added manually or through a third-party tool. Manual configuration of enterprise devices can be accomplished in a number of ways. For example, you can use a CSV file generated by some other tool. This semi-automates the process, but you are at the mercy of the third-party tool's accuracy and completeness.
The good news is that a topology map is created by mapping devices that the user adds manually. Since a lot of risk is generated by reachability, working from a topology map is a distinct advantage. Of course, all of the tools must have read-access passwords. But that can be scripted. There is a proprietary algorithm to do all of this, but in some regards this feels very tedious and old school to us.
SecureChange is the change automation module and it is based on workflows. We really liked this because this type of product can succeed or fail on the basis of how complete its workflows are. Policy and risk management tools can be extremely tedious to manage because of their size (in a large enterprise, anyway) and the precision required for regulatory compliance.
Workflows must be created and entered manually and, given that all organizations are different, Tufin supplies templates. However, because large enterprises have their own workflows, organizations can develop their own templates if they wish. The tool integrates with ticketing systems, such as Remedy or ServiceNow. The workflows automate the ticketing process for violations of policies.
The SecureApp module looks at application layer activity, such as Active Directory. In its dashboard you want to make sure that the application is connected. The module has the same type of mapping for Layer 7 that the Layer 3 devices have.