What is our primary use case?
We are an integrator, and we implement this solution for our clients. Most of them use USP extensively. It is also commonly used for firewall rule clean up, automation, and change control.
We have a whole range of use cases in different fields. We've got energy companies, banks, and healthcare is a big one. The vast majority of them use both SecureTrack and SecureChange and almost all of their features, rule cleanups, risk avoidance, and change automation.
I, myself, typically lean a little bit heavier to the integration and coding side, and interacting with the APIs. But I also do plenty of installations and initial configurations and also some first-level support and maintenance.
How has it helped my organization?
I have seen our customers benefit by taking out massive amounts of duplicate objects, and overly permissive rules. Tufin helps to clean up their firewall policies. A common scenario we see is one where clients have a whole lot of shadowed rules, duplicate rules, in their firewall policies. Tufin's Policy Browser allows them to filter them and search for them. They can also search for those rules that violate certain Unified Security Policies that they've defined.
Every single one of our SecureChange customers has seen significant improvement in the time it takes to make a change.
What is most valuable?
The APIs are the most valuable feature of this solution, as they facilitate integration with ServiceNow and other solutions. I'm a little biased because that's what I work with the most, but I have found, especially in comparison to other products I've interacted with, that the Tufin APIs are very well-documented. And the big thing about them is you can do pretty much anything with them that you can do in the UI. From what I've seen, the big focus of SecureChange, in particular, is automation. And you can't have automation - or complete automation - without the ability to interconnect with other systems. The APIs really assist with that.
All of the customers I have worked with who have the SecureChange product use the change request violation risk analysis in the workflows. It is usually the third step of every workflow that I configure. For example, we have an energy customer that has a particular team of people which deals with a given workflow if it has risks. They have Tufin set up to automatically run the risk reports and, in the next step, if the risk is considered low, it goes to one team; if it's considered medium, it goes to a different team. That really allows them to move their changes along without too much human intervention or too much delay.
The solution allows for the creation of custom policies, which is helpful for rule cleanup and USP.
The visibility is as good as I’ve seen in any network product. It also has its own firewall stuff for Cisco routers.
The support for cloud-native security is pretty good. We have a large customer that uses AWS and AssumeRole, and they have 200 or 300 AWS accounts. They are pretty satisfied with the solution.
Tufin also supports all sorts of devices, cloud or otherwise. I've definitely seen unified security policies applied to both cloud and regular devices. Cisco, Palo Alto, you name it.
What needs improvement?
Support for Firepower is still ramping up, but meanwhile, some things are missing.
I would really like to see a new UI for SecureChange. SecureTrack 2.0 has quite an improvement in the UI and it flows more smoothly. The current SecureTrack and SecureChange are a little blocky, and sometimes loading a tab or a page is required to refresh information. Whereas in SecureTrack 2.0, they're starting to improve on that.
This solution would benefit from the inclusion of support for Service Groups and their Group object change workflow.
There are also some edge-case devices that aren't supported for certain features. For example, there is no provisioning for zone-based firewalls on Cisco routers, yet. That's something that I don't see very often but, every once in a while, someone asks if we can provision these. Unfortunately, the answer is, "Not without Professional Services."
What do I think about the stability of the solution?
I haven't run into very many issues with stability. HA is the only weak point that I've seen. In the past, a lot of the HA upgrades had to be done separately. Recently, I had an HA upgrade that failed during the process, and we had to restore from a backup.
What do I think about the scalability of the solution?
This solution is extremely scalable. I've seen customers with multiple hundreds of firewalls and there are no issues. The specs that they post on their Knowledge Base are pretty accurate as far as performance goes.
How are customer service and technical support?
Technical support for this solution is very good. Every time I run into an issue that I can't resolve with a customer, I reach out. There has not been one that was not resolved.
If you previously used a different solution, which one did you use and why did you switch?
Clients typically choose Tufin for a feature that it supports which other solutions don't have: a certain firewall or perhaps provisionings on a certain firewall. Tufin tends to release new versions very quickly with changes that are high-value. Also, as mentioned, the SecureChange workflow solution is very flexible.
How was the initial setup?
The initial setup is pretty straightforward, as all you need to install it are IPs and credentials for your firewalls. However, once you go beyond that, the effort you put in is what you get out. In terms of creating zones and Unified Security Policy, those are things that you work on for years.
What about the implementation team?
We handle the installation and configuration of this solution for our clients.
Which other solutions did I evaluate?
There are certainly clients that consider FireMon and AlgoSec.
What other advice do I have?
The change workflow process is very flexible and customizable. Most of what I do is integrate SecureChange with ServiceNow. I've done a couple with HPE SM and RSA Archer. It’s great that they not only have an API to push changes to SecureChange, but also triggers for advancing and canceling workflows. It's a fairly standard REST API that is easy to work with and scripts can be triggered at any step, at any point in the step. It really provides a great environment for automation.
The benefit that our customers have realized in terms of time savings has largely depended on how willing they are to automate. Some have automated more fully and even made certain processes completely automatic.
This is a great product and we are doing very well with it. There are a ton of features and they have very few issues. They are very responsive as a company and they correct errors pretty quickly. That said, the UI needs to be updated and there is always room for improvement in features for firewalls and workflows.
The only advice I have for anybody who is considering this solution is to find a good reseller. Tufin is a very large product and it has a lot of configuration items. So you should find a value-added reseller or get Professional Services. There is a lot that can be sped up in Tufin if you have someone to help you through it; someone to help configure Unified Security Policies, reporting, and help configure the workflow. Tufin really is quite a large, extensive product.
I would rate this product a nine out of ten. There is a lot that can be sped up in Tufin if you have someone to help you through it.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
See it in Action
Schedule Your Tufin Demo Now