Product: Tufin Orchestration Suite
Price: Starts at $30,000 (includes implementation and support)
- Tufin does an excellent job of providing automation options, such as firewall tasks, policy-based automation for network security changes and application-driven automation. This lessens the time administrators have to spend on manual tasks, which is always a great thing.
- None that we observed.
- This tool is one of the best for providing users with end-to-end visibility and control of network security policy.
SC Labs Reviews
Tested by: Matthew Hreben & Katelyn Dunn
Tufin Orchestration Suite provides users with a tool chest of features that support controlling policies for keeping an organization secure while also establishing its regulatory compliance. The solution can transform any flat network security policy into a maturity model comprised of three segments: (a) Basic Monitoring; (b) Compliance, Governance and Control; and, (c) Policy Based Orchestration for Business Agility.
To this end, Orchestration Suite offers through RESTful APIs. SecureTrack is geared towards security and compliance. SecureChange allows for network change automation, directly or via integration with several third-party tools. SecureApp focuses on application connectivity and automation.
SecureTrack serves as the basic repository at the heart of the suite and lays the groundwork for monitoring. It pulls in all the network’s structural information and populates a topology map after devices are selected. This map is interactive and users can zoom in to select any device and view its full connectivity path, from source to destination.
Once in place, Tufin’s automated Policy Generator provides policy recommendations to proactively identify unnecessary access, provide risk reduction options and suggest policy for greenfield environments. With the Policy Browser, Tufin consolidates policy data from all monitored devices in the network. It then enriches the policy data with Tufin metadata and conducts comprehensive searches to ensure relevant results. This abstraction of data simplifies network security policy management for users. They can also visualize how compliance is supported by a zone-to-zone connectivity matrix. This allows for creating benchmark zones between different platforms for operationalization of security policy. Another tool, Unified Security Policy, allows for detailing this security posture as the organization continues building matrices around these security zones.
Once the compliance model is in place, users can assess the rules themselves for both risk and compliance and take action using SecureChange. Users open tickets for a specific action required to accomplish policy rules (recertification, for example). The workflow then changes the data according to the specific ticket. SecureChange gives users the ability to automate work requests. It has fully automated firewall change requests, and the workflows are completely configurable for full user flexibility.
SecureChange also features a Designer Tool that allows users to update all policies on a vendor/device. This is ideal for firewall administrators who refer to API documentation that is readily available within the GUI. For example, a fully automated firewall change request can be executed as a series of six steps. It begins with prompting the user to enter their request, then moves to business approval, identifying targets and risks, risk review and approval (escalation), technical design and provisioning and auto verification.
Beyond automated workflows on the network, SecureApp allows DevSecOps to track and manage individual applications, especially the rule changes that would need to be made to spin up a new application. Tufin claims more than 80 percent of network professionals’ time is spent on implementing and troubleshooting application-related changes. With the connectivity map, every point to which the Active Directory connects is visible. This makes adding new connections on the fly quite easy. We believe this ability to handle change windows and provisioning with zero need for an engineer is Tufin’s standout feature.
The breadth and depth of what Tufin supports and interfaces with is what the company sees as its big differentiator in this space. Orchestration Suite allows for integrations with third-party clouds, firewalls and networks, professional service integrations and tech alliance partners. It also has a vulnerability scanning integration capability. These integrations include AWS, Blue Coat, Check Point, Cisco, F5, Forcepoint, Fortinet, Juniper, Azure, Netfilter, OpenStack, Palo Alto and VMware NSX.