What is our primary use case?
The primary use case of Tufin is firewall management, firewall reviews, and eventually, to do rule deployment.
It was more to start standardizing our prior work changes. The initial first step is to understand and make sure that whatever change goes in complies with our policies and is standardized. The eventual goal is to get everything automated.
We are using SecureTrack at the moment, but we do have licenses for SecureChange as well.
How has it helped my organization?
We use this product to sharpen our change cycle. A request used to take quite a while as we did manual assessments. A lot of that is now done through SecureTrack.
At this stage, we are doing only manual checks. We are only using SecureTrack to verify the flows through Tufin. At a later stage, when we also automate certain types of rules to be done through SecureChange, this will tremendously help us. We are not there yet, but this will help us in terms of time and resource costs.
In the past, we would do certain things because of private knowledge of people's own understanding of the network. We don't have to rely on just that piece of it, because of the topology. We now know which firewalls come into play.
We use Tufin to help us clean up the firewall policies. It provides very easy reporting. We get all the aged or unused rules listed very quickly, as soon as we run the report. It's quite an easy way of doing it. However, we have not automated our process. We are hoping that at some point we will be in a position to automate that process.
We use the solution to automatically check if a change request will violate any security policy rules. If a request comes in, and it is from an Internet zone going straight out to an inside secure zone, then we definitely flag it. There are other policies that we find in our USP, which we flag. These are the type of things that we check.
We definitely use the compliance reports, which have simplified things. However, we haven't fully integrated it into the GRC process with Tufin yet. The desire is to make sure our GRC resources are fully aware and engaged in our Tufin deployment.
We are leveraging some components to provide reports for our GRC process, but there is no plan to integrate those processes. Those are run by different teams. We were planning to integrate our ticketing system (ServiceNow) with Tufin, which is ongoing. We are working on that now.
What is most valuable?
The central repository of information provides a consistent way of doing things, eventually shortening the time period to make changes. This is the most valuable thing at this point in time.
I'm very happy with the visibility component. It gives us a reasonable insight into most of the application flows. Obviously, most east-west application flows are missing from what we have. That is a component which we will need to eventually fill in the gaps.
Between the cloud and physical data centers, we definitely share Tufin policies. That definitely gives us visibility into both.
What needs improvement?
What I would like to drive value from is getting to a point where we are almost like a DevOps operation for security changes.
We have put in a lot of requests. Some of them are high level related to cloud. Others relate to some of the reporting structures that we have. E.g., some of the automated reporting capabilities for specifics on certain regulations. Certain countries have certain regulations, and with GRC, if we can associate that on certain regulations, then we can spit out reports from that.
We would like to see integration of the different versions of this product, e.g., SecureChange and SecureTrack. They eventually need to start amalgamating all these into an end-to-end product for visibility.
What do I think about the stability of the solution?
We do have an ongoing issue with capacity. If one of our resources is working on it, nobody else can do anything. If a particular report is being run on the server, nothing else seems to work. We haven't done anything about it as of yet. Maybe some of my team members have opened tickets to Tufin for it.
What do I think about the scalability of the solution?
I am not sure about the scalability. The product that we have deployed for our main process gets bogged down in terms of its response. Maybe we need to deploy a slightly smaller box. Eventually, we need to discuss this with Tufin to see if we can move over to some sort of VM environment where we can add more processing power to it.
We have a global implementation.
How are customer service and technical support?
Whenever we have had a problem, some of my engineers contact Tufin and they have been very easy to get a hold of. From my team, they have not had any problems with the technical support.
Which solution did I use previously and why did I switch?
We were using Tufin before, as well, but it was not the same. It was separated into localized instances and regions.
We sort of saw that the volume of changes coming in was high. The patience from the business side was getting low to invest the time that it used to take to make firewall changes. Therefore, it was inevitable that we needed to purchase a solution.
How was the initial setup?
Our initial setup was complex from two dimensions, because we were deploying it globally and had to have a centralized view, but a distributed approach. We had it in Asia and North America (US and Canada), causing a slightly complicated approach. Prior to Tufin, we had three instances which were separately managed, so we did not have end-to-end visibility. Therefore, we rearchitected the Tufin environment and created one global Tufin instance. The retail instances became local collectors, which reported back to the single environment.
From the start of the project to the end of the project, the deployment took us a while, at least five to six months. Most of the time involved was not because of Tufin. It was primarily for us to handle all of our separate service providers and outsourcers globally, so they could all provide us with read-only access to the firewalls that they manage.
What about the implementation team?
We deployed the solution in-house. It was pretty straightforward to deploy.
What was our ROI?
The solution has helped us reduce the time it takes us to make changes from weeks to days.
Engineers are spending less time on manual processes by about 15 to 20 percent. I would like to get a bigger number.
We didn't buy this based on ROI, so we didn't measure ROI. Overall, from a time savings perspective though, it is definitely there.
What's my experience with pricing, setup cost, and licensing?
The licensing costs are around $250,000 to $300,000.
There are ways to deploy the license to different types of firewall. However, if we decide to change the physical brand of the firewall, we need to go back to Tufin and modify the licensing. This is a hassle.
Which other solutions did I evaluate?
We did not consider anyone else, because we already had an unused, unimplemented Tufin license. We eventually thought to start consolidating everything into one place.
We decided on Tufin because:
- It was an existing tool.
- It served our purposes. It provided us the essential components for managing a varied environment of different types of firewalls.
- We felt that there was enough potential in the organization to grow with us and provide capabilities, like cloud, VM environments, etc., under the same umbrella.
What other advice do I have?
It gives us visibility and the ability to make changes automatically with fewer mistakes. Overall, it's a decent product.
Tufin is definitely a good contender to come as a winner. It has the potential to look not only at firewalls, but also network devices and other cloud-native solutions. It is a pretty broad-based product, which will eventually be a good future tool to have in a toolkit.
We haven't used the workflow from Tufin. We use our own ticketing system for that. We are busy integrating our ticketing system with Tufin right now using an API. We are just in the process of doing that.
Tufin helps us understand and ensure that security is being applied. Tufin is not a security tool. It just gives us all the information about security, firewalls, etc., and that they are doing their work. From that perspective, it would be a long stretch to say that Tufin provides us security. However, Tufin provides us the information that we have security across hybrid environments.
All of our cloud-native security features are directly taken from cloud management tools. We don't have anything deployed yet from Tufin for cloud-native security features, but there is a desire for that.