Tufin SecureCloud
Hybrid Cloud Security – without Compromise
Domenico Dominoni, Flavio Di Cosmo, Roberto Ciccateri

The Leader in Network Security Policy Orchestration
• Over 2300 customers
• Founded in 2005
• Over half of the Fortune 50
• IPO April 2019 (TUFN)
• 14 protected patents
• Industry recognition and awards
Leading Global Enterprises Rely Upon Tufin Policy Orchestration to Manage Their Security Policies and Protect their Brand
Finance, Communication, Manufacturing, Energy, Healthcare & Pharma, Retail
Hybrid clouds are the new norm, presenting new security challenges
Cloud Benefits:
• Scalability
• Business Agility
• Agile Development
• Reduced IT Cost
• Control
Cloud Challenges:
• Visibility
• Security/Compliance
• Automation
• Conflict Between Development and Security Priorities
• Expanded Attack Surface
Cloud security is a widely recognized threat and urgent priority
Source: Datamation May 2019
New roles and responsibilities
(Diagram: Old model – App running on Switches and Routers, Firewalls, Compute and Load Balancers, owned by Dev and IT / Security. New model – App built from Cloud services, owned by Dev and DevOps.)
Balance agile and secure with automated network security policy management
(Diagram: Security vs. Business Agility quadrants – "Agile but Risky", "Secure but Slow", "Secure and Agile"; maturity path for DevOps and NetSec: Visibility, Compliance & Cleanup, Analysis & Design, Application Driven Automation, Zero-Touch Automation.)
Traditional security does not work in hybrid environments
(Diagram of one hybrid application: on-premises NGFW and firewall with DMZ Zone 1, PCI and Web App zones; public cloud VPC / VNet with security groups, IAM policy, CNFW, VPC config and Terraform templates; a Kubernetes cluster of nodes with k8s config / deployment descriptor, service mesh control plane and service mesh policy; the services Front end, Score, Chat Svc, Balance, Transfer, Customer Records, SSO, Billing, Logging and Loan Requests are spread across all three.)
Traditional Security solutions do not recognize cloud assets
(Same hybrid application diagram as on the previous slide; only the NGFW, firewall and security groups are shown as existing security controls.)
Security requires having answers to simple questions
• Who is talking to whom?
• What is talking to what?
• Are my existing security policies being enforced?
• Which security controls require changes?
• How do I ensure continuous compliance?
SecureCloud
Gain Visibility and Control of your Security Posture across Hybrid Cloud Environments to ensure Continuous Compliance and achieve Zero Trust – Without Compromise
Visibility into cloud security posture
Challenge
Understanding what assets are deployed, what can talk to what and who can talk to whom across Hybrid Cloud Environments. Gaining visibility to ensure assets comply with business and security policies.
Tufin SecureCloud
• Application-centric topology viewer: Identify and view all cloud assets, configurations and security settings
• Hybrid-cloud support: Public cloud, Kubernetes, On-premises
• Partner integrations: Enhanced security posture insights
Automatically visualize traffic flows
Ensure continuous policy compliance
Challenge
The dynamic nature of cloud-native environments and continuous deployment models requires real-time visibility, reporting, and intervention to ensure compliance.
Tufin SecureCloud
• Continuous Alerting & Notification: Real-time alerts for policy compliance violations
• Policy Enforcement: Automatically generate policy and the necessary security configuration to match the desired security policy
• CI/CD and DevOps Tools Integration: Ensure continuous compliance while enabling DevOps
• Continuous App Lifecycle monitoring and alerting: Ensure compliance across containers, public cloud services and firewalls throughout the app lifecycle
Unified dashboard provides continuous reporting
Implement Zero Trust security model
Challenge
Defining, implementing and monitoring Zero Trust security can be complex.
Tufin SecureCloud
• Automated Microsegmentation policy generation
• Multi-cloud and hybrid support
• Support Shift Left
Accelerate cloud adoption
Challenge
Remove the process and technology hurdles that traditionally have made security the bottleneck that slows business agility. Maintain security without compromising agility.
Tufin SecureCloud
• Platform API: Automate all capabilities and integrate into customer processes
• CI/CD integration: Detect and correct policy violations in minutes
• GitHub and Slack integration: Raise app developers’ security awareness and reduce time to remediate
SecureCloud - Policies Generation
• Automatic generation of standard Kubernetes L3/L4 network policies
• All network rules are versioned to better integrate into the CI/CD pipeline
• Policies are based on Kubernetes labels, fully compliant with the CI/CD process
• Unlabelled objects (namespaces, pods) violate compliance and are ruled out
• Egress/ingress policy management integrated with TOS (Tufin Orchestration Suite) for external firewall configuration
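The label-driven generation the bullets above describe, as an added example that is not Tufin SecureCloud's code: an approved flow list becomes versionable Kubernetes L3/L4 NetworkPolicy manifests that select pods only by label, a default-deny baseline is emitted per namespace, and unlabelled pods are reported as compliance violations and excluded. The pod inventory, flow list and label key are constructed assumptions.

```python
"""Added example, not Tufin SecureCloud's own code: generate label-based Kubernetes
L3/L4 NetworkPolicy manifests from an approved flow list and report unlabelled
objects as compliance violations. Inventory and flows below are constructed."""
import json

# Constructed workload inventory (namespace, pod name, labels).
PODS = [
    {"namespace": "bank", "name": "frontend-6d9", "labels": {"app": "frontend"}},
    {"namespace": "bank", "name": "score-4b1", "labels": {"app": "score"}},
    {"namespace": "bank", "name": "debug-7f2", "labels": {}},  # unlabelled -> violation
]
# Constructed approved flows: (source app, destination app, TCP port).
FLOWS = [("frontend", "score", 8080)]


def unlabelled_objects(pods, required=("app",)):
    """Pods lacking a required label are flagged and excluded from policy generation."""
    return sorted(f"{p['namespace']}/{p['name']}" for p in pods
                  if any(k not in p["labels"] for k in required))


def _policy(name, namespace, app, direction, peer, port):
    """One NetworkPolicy selecting `app` by label and allowing `peer` in `direction`."""
    rule = {"ports": [{"protocol": "TCP", "port": port}]}
    rule["from" if direction == "Ingress" else "to"] = [{"podSelector": {"matchLabels": {"app": peer}}}]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": {"app": app}},
                     "policyTypes": [direction], direction.lower(): [rule]}}


def build_policies(pods, flows):
    """Default-deny per namespace, then one ingress rule on the destination and one
    egress rule on the source per approved flow; selectors use labels only."""
    ns_of = {p["labels"]["app"]: p["namespace"] for p in pods if "app" in p["labels"]}
    policies = [{"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                 "metadata": {"name": "default-deny", "namespace": ns},
                 "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
                for ns in sorted(set(ns_of.values()))]
    for src, dst, port in flows:
        if src not in ns_of or dst not in ns_of:
            continue  # flow names an app with no labelled pod: skipped, never guessed
        policies.append(_policy(f"allow-{src}-to-{dst}", ns_of[dst], dst, "Ingress", src, port))
        policies.append(_policy(f"allow-{src}-to-{dst}-egress", ns_of[src], src, "Egress", dst, port))
    return policies


if __name__ == "__main__":
    print("violations:", unlabelled_objects(PODS))
    print(json.dumps(build_policies(PODS, FLOWS), indent=2))  # commit this output to git
```

Because the selectors carry no pod names or IPs, the same manifests stay valid across redeploys and can be reviewed as ordinary pull requests.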
Tufin SecureCloud
Bridge the Gaps
• Gain Visibility and Control
• Ensure Continuous Compliance
• Achieve Zero Trust
• Balance Agile, Automated and Secure
• Accelerate Cloud Adoption
Key Personas
Influence / Budget: CTO / App Owner, IT Security / Cloud Security
Product users: Developers, DevOps/SRE, Cloud Engineer, CloudOps
More Questions for Cloud Optimized Environment
• SecureCloud Opportunity
- Does Security have visibility of the new services/applications?
- Has Security defined access permissions for the new services/applications?
- Have security groups been defined?
- What Security parameters are in place to ensure new applications adhere to policy?
Are you looking at container technology?
Are you looking at orchestration tools like Kubernetes?
If ‘yes’ to these questions, start the next set of questions
More Questions for Cloud Native Environment
• SecureCloud Opportunity
- How are you managing network policy in your K8S clusters?
- How are you managing access to services in the cluster?
- How are you handling new services requiring network access where there is none today?
- How are you managing which services can talk to other services?
- Are you planning to use container security solution(s)?
Tufin Orchestration Suite - 4 products
(Diagram: a Unified Security Policy spanning Firewalls, Public Cloud, Private Cloud and Networks, built on Collectors and Provisioning Engines and Analysis Engines. Enterprise IT / IT Operations: SecureTrack™, SecureChange™ and SecureApp™ for Enterprise Applications. Cloud-Native / DevOps: SecureCloud for Code Repositories, CI/CD Tools and Containers. REST APIs connect IT Service Management, Scripting & Automation and other 3rd-party solutions.)
Tufin SecureCloud Subscription – This is the service that’s sold
Subscription has 4 components
• Rights to use software: Tufin SecureCloud
- Term: length (1 year minimum)
- Features: specific features are called out because not all new features will be “free”
- Updates Included: all product updates released during the term and within the feature scope of the subscription
• 1 Month Onboarding Service:
- Initial product onboarding session and initial account and system set up
- Initial Security Policy setup & weekly update calls
- Proactive monitoring and outreach to facilitate product usage
- (Extension of service available for 11 months – co-term with 1st year of contract)
• Support: Technical help, bug fixes, user forums, knowledge base, enhancement requests
• SLA: for the product’s availability, performance, security certifications
Examples:
- Custom reporting modules
- Predictive threat analysis
Value Metric
Kubernetes Worker Nodes
• Easy to obtain and track
• Directly represents size and complexity of application(s)
Public Cloud
• Any “Service” (workloads) that send and/or receive network traffic
• Directly represents size and complexity of application(s)
A “Service” is something that generates network traffic. Each Cloud Provider “Service” calculation is done differently:*
• AWS: calculated by the number of EC2, RDS, ELB, RedShift, NAT Gateway utilized.
• Azure: calculated by the number of Load Balancers, SQL databases, Virtual Machines.
• GCP: calculated by the number of GCE, Cloud SQL.
* Lists not complete...
Competition
Reporting tools
• Focus: Provide visibility of compliance with best practices and open standards
• Examples: Prisma Cloud (RedLock), Dome9
• Strengths: Broad set of reports; cloud templates support (e.g. Terraform, CloudFormation); reporting engine
• Why buy? You are only focused on compliance at asset level.
• Limitations: Asset focused; does not support hybrid cloud
• Tufin differentiation: Hybrid-cloud visibility; application-oriented; hybrid-cloud policy management
Container security
• Focus: Vulnerability scanning; restrict what processes can run within a container; restrict what files/folders can be accessed within a container
• Examples: Prisma Cloud (Twistlock), Aqua Security
• Strengths: Vulnerability scans; protection within containers
• Why buy? You are only focused on identifying CVEs within your containers.
• Limitations: Multiple tools necessary; does not protect access; resource heavy
• Tufin differentiation: Open platform – designed to integrate with multiple scanning tools; hybrid-cloud policy management
Micro-cloud firewalls
• Focus: Manage traffic among containers and cloud virtual instances
• Examples: Illumio, Tigera, StackRox, Istio
• Strengths: Combined firewall and load balancer benefits; dynamic configuration
• Why buy? You are only focused on managing traffic among containers and VMs.
• Limitations: Requires an agent; complexity
• Tufin differentiation: Agentless; open platform – does not restrict choice of networking tool; hybrid-cloud policy management
Be agile – reduce slides…