Tufin Orchestration Suite
Strengths: One of the strongest, if not the strongest, tool taking a technology-driven approach to GRC.
Weaknesses: None that we noted.
Verdict: Tufin Orchestration Suite is a top choice for the technology-driven approach to GRC and it is a very strong contender in any event. We make it our Recommended product on the technology-driven side of GRC.
Tufin Orchestration Suite is a tool that decidedly is on the technical side of GRC management. There is a marriage between monitoring application needs and managing communications devices on the network. The tool - available in the cloud, as a virtual machine or an on-premise deployment - enables visibility, analysis and security policy management in the context of monitoring and managing configuration of communications devices.
Risk is managed in the context management for firewalls, routers and load balancers. Changes are tracked and associated policy is analyzed. The SecureTrack functionality is charged with this management. Its core purposes are monitoring configurations in the context of policies, reporting, optimizing policy and rule recertification.
SecureChange functionality is in charge of network change automation. It performs topology analysis, proactive risk analysis, verification and enforcement of security policy. It integrates with popular ticketing and help desk systems and, of course, supports multiple vendors.
SecureApp sees security policy from the viewpoint of the application. It performs automatic application discovery, migration and decommissioning. These three functions work together to perform the functions of the tool. Put simply, this system monitors the network, communications devices, applications and policies and ensures that all of these moving parts are working smoothly and in compliance with policies and regulatory requirements. At the same time, it provides full audit, compliance and risk management from the perspective of flows and configurations on the enterprise.
We entered the system through SecureTrack. The look and feel of this product is an interesting and effective mix of the familiar Microsoft-style tree on the left-hand side and typical dashboard landing pages in the right-hand frame. SecureTrack gathers information from all devices and performs discovery. The drill-down is, as one would expect, excellent. One nice feature of this module is cleanup. This function ensures that there is no superfluous information, configurations or policies on the enterprise.
Rule creation is simple and there is a complete audit trail and revision history. Query building is straightforward and queries can be saved and used to build reports. We liked the rules and the fact that policies are generated. Admins can create a set of rules to match a particular requirement and desired effect and the system will select how the rule must be written and allow users to test the rule before deploying it.
There is a full-featured policy-building wizard and, coupled with other rule-building activities, results in a unified policy - and a table shows all interconnections affected by the new policy. We liked the detailed topology map that the tool generates. This is not just a topology map, though. It shows the protocols running through the network and allows admins to track problems in connectivity and policy changes by observing what actually is happening on the network.
The SecureTrack module is reactive, allowing users to dig into and fix problems. When a new policy is deployed and it, in turn, makes rule changes to bring devices into compliance, things can break. SecureTrack helps you figure out what went wrong.
On the other hand, SecureChange is proactive. It manages the change management process. When a new policy is put in place and goes through the workflow, it may happen that a new rule will be needed. The rule is created automatically for the appropriate device(s) and pushed out to the device.
SecureApp manages the servers on which an application lives or it can update the application as needed. It creates a ticket and sends the ticket to SecureChange and the workflow to make the change is set in motion.
Tufin's support and website are very good. This is a system that has spent years gaining maturity and its pedigree shows. While it appears to be focused on managing communications devices, that is just the beginning. As it ties devices and apps together along with policies and superior reporting and policy management, this is a fine tool for those who want to take a technical approach to GRC. For everyone else, it certainly is worth a very close look given the state of today's threatscape and its impact on the business.