Tufin Orchestration Suite
Strengths: Very good example of a next-generation risk and policy management tool with solid orchestration capabilities.
Weaknesses: We would like to see somewhat lower support costs, especially for standard support, which should have no cost at all.
Verdict: Tufin is a progressive and capable vendor in this space. We have watched their product evolve over the years and it is a very good example of the next-generation risk and policy management genre.
The Tufin Orchestration Suite is made up of three modules: SecureApp, SecureChange, and SecureTrack. SecureTrack is the only mandatory module. It provides centralized management of network devices, rules, objects, and security groups, as well as network intelligence through visualization. It is the point of management of network and application layer security platforms, including such things as firewalls, next-generation firewalls, private and public clouds, routers, switches and load balancers across hybrid infrastructures.
This is a next-generation tool that does an excellent job of managing firewall rules. It removes redundant, unused, overly permissive and shadow firewall rules. But it does not stop there. It also provides fully automated rule and server decommissioning and group modification to eliminate manual change processes. However, it is not necessary to automate completely to the level of no-touch rule management, though you certainly can if desired. When you remove a server, Tufin automatically removes it from all rule sets and policies. Before you do that, though, you can do an impact analysis and decide if you really should remove it. This tool is very heavy on creating documentation for everything you do.
In addition to managing operational functionality, Tufin does a very good job of handling DevOps. The developers design the application and then tell Tufin what they did and what accesses they need without understanding networks. Tufin does the rest. Developers then can do their own compliance checks. This is all drag and drop from resources to the required accesses.
The policy browser is designed to have the look and feel of whatever device it is accessing a policy for. So, for example, a Palo Alto firewall policy in Tufin will look substantially like it does on the Palo Alto device. We are beginning to see this more frequently and we find it very useful functionality. All of the translation between device look and feel and the policy data is automatic and does not involve the user.
There is excellent change management capability along with detailed auditing of trouble tickets to determine whether the change was authorized and whether it was suitable for the intended task. There is the same detailed level of auditing for revisions. As well, for revisions, the tool tries to avoid extra rules by editing existing rules if possible.
Once a set of rules, or a set of changes to rules, is determined, a topology graph can be generated before executing the updated rule set. This allows a "what-if" analysis of whether an attacker can access, and compromise, a specific victim device. There is easy integration with third-party ticketing systems as well as a large variety of other third-party tools. Overall, this is a very good example of being compliant because you are secure.
Documentation is as expected from a company with the maturity of Tufin. Standard support is 20% of the cost of the product, which we think is high given that it has become standard practice to include that level of support at no additional cost. Premium support is 30%, which we also think is high. The website is quite good and includes documentation that will help the prospective buyer understand such things as deployment and administration. Pricing is very attractive and overall this is a first-rate tool.