Tufin SecureCloud Automates Security, Policy Compliance for Cloud, Hybrid Environments

Tufin has rolled out a security policy automation solution to automate security and compliance for hybrid and cloud-native projects. The SecureCloud security policy automation service is for enterprises that need more visibility and control over cloud-native and hybrid cloud environments

by Tom Donoghue

Tags: automation, cloud, compliance, DevOps, policy, security, Tufin,

Security policy governance Tufin has rolled out a security policy automation solution to accelerate and automate security and compliance for hybrid and cloud-native projects.

The company’s SecureCloud security policy automation service is for enterprises that need more visibility and control over cloud-native and hybrid cloud environments. It automatically does policy discovery and visualizes workloads to secure complex and tough-to-manage cloud environments, according to Tufin execs.

In specific, SecureCloud can provide quick, granular and often auto access to many gnarly and time-consuming tasks associated with cloud security and policy compliance, including:

Secure Kubernetes clusters with strict security policies
Automate network security checks into the DevOps CI/CD pipeline
Leverage firewalls as a second layer of defense around Kubernetes clusters
Apply network access controls consistently across Kubernetes, cloud platforms and firewalls

Tufin Co-founder and Chief Technology Officer Reuven Harrison described how SecureCloud takes a different and more streamlined approach to policy enforcement

Applying network access policy to workloads in the cloud differs significantly from the perimeter-centric approach to network security in a data center, according to Harrison. The shift of security boundaries from zone to workload, the continuous workload deployment using DevOps practices and Kubernetes, combined with the need to control traffic traversing the hybrid environment, requires automated security policy now more than ever, he added.

In specific, SecureCloud’s policy automation empowers DevOps and security teams by removing the need for introducing new processes or technologies that traditionally impact business agility and create friction, Harrison noted.

SecureCloud’s DevOps-friendly approach balances security and agility – without disrupting agile processes by embedding security into shift-left practices of today’s DevOps CI/CD pipelines. Also, SecureCloud natively integrates with DevOps to provide application network traffic risk analysis. This means teams can discover and fix security issues early in the development cycle, which accelerates the delivery of trusted, secure applications.

In a blog post, Tufin’s Thorsten Geissel, director for sales engineering EMEA described in more detail SecureCloud’s DevOps-friendly automation approach.

The widespread emergence of DevOps proves the value of agility; however, security often prevents full realization of DevOps’ benefits. Network change requests can take weeks to approve, introducing delays of the supposedly agile releases. How can an organization be agile and automated, yet suffer the delays of security?

The DevOps model, involving continuous updates, reacting to ever-changing market forces, is facing a security bottleneck. Legacy network security processes hinder agility by forcing a tradeoff between speed and security. The DevOps benefits require changes to be rolled out to the network at the rate of DevOps releases. Furthermore, manual and piecemeal work is inefficient and error-prone. Luckily there is a solution. Security policy and network change automation allow security to move at DevOps speed.

With immediate provisioning of network change requests, applications can be deployed as soon as they are ready.

Network automation allows network change provisioning to be completed within minutes. With a robust automation solution, furthermore, the DevOps team can be empowered to deploy their own code, while maintaining compliance with network standards. Policy-based network automation enables continuous delivery of dev team output, securely. IT can govern, yet be removed, from the deployment process for enhanced business agility, without compromising network security.

Tufin’s architectural approach to SecureCloud delivers these benefits:

Visibility and control

SecureCloud can automatically discover and visualize workloads. This lets users visualize all assets deployed, configurations, and security settings with SecureCloud’s app-centric topology view. Because of the visibility of app flows, users can also understand who is talking to whom (and what is talking to what) to detect policy violations and ensure only trusted workloads and traffic are permitted.

Fast detection and mitigation

SecureCloud automatically detects and alerts on unauthorized communication to mitigate risk and enforce security compliance. Integrates with SIEM and messaging systems (e.g., Slack) to notify security teams of misconfigurations and non-compliant applications.

Generate, test, and enforce micro-segmentation

SecureCloud also automatically defines and enforces micro-segmentation and policy guardrails based on workloads and application context. This provides users full visibility into east-west and north-south traffic to prevent noncompliant communications and reduce the attack surface. Also, it automatically configures and applies security policies to workloads that comply with least-privileges principle to secure workloads across hybrid clouds.

After launch, ensure continuous compliance

Post-launch, users can be confident their projects will perpetually be secure and in compliance. They will know their cloud resources and apps are always properly configured and comply with established policies using SecureCloud’s continuous monitoring of containers, public cloud services, and firewalls.

Deliver “Zero Trust” security models

SecureCloud also enables a “zero trust” security model because visibility and micro-segmentation are natively enabled. SecureCloud continuously monitors activities in the environment and automatically creates and enforces micro-segmentation policies to reduce attack surfaces.