Posted on Jul 15th, 2021 by Tufin

We are pleased to announce the release of the Rule Lifecycle Management (RLM) app, an app that helps our customers automate the rule review and certification process. The RLM is a subscription-based app that operates in conjunction with SecureChange and is now available for a free 30-day trial. Download the RLM app here.

RLM is part of the Tufin Marketplace – a digital platform offering applications that complement and extend Tufin’s capabilities. The Marketplace provides apps to help Tufin customers find and deploy extensions to enhance the overall value of their security policy management implementations.

Without Automation, Rule Review is Time-Consuming and Tedious

Rule review has historically been a complex and manual process in most large, heterogeneous environments. It requires the coordination of knowledge and capabilities across multiple teams:

  • the team responsible for provisioning and managing rules
  • the team responsible for security
  • the team who understand if the rules are needed and provides approval
  • the team responsible for overseeing personnel leave and departures.

Furthermore, those without an official process to conduct and document rule reviews and recertification will have blind spots in their program and still face significant expenditures of time. The coordination effort is significant.

Organizations face three main challenges with the rule review and recertification process:

  1. Who is responsible for reviewing this rule? Network admins spend a lot of time trying to determine who in the organization should be assigned to review and decertify/recertify specific rules. Due to organizational and personnel changes, network owners are constantly changing. In addition, many rules are associated with several owners, and some rules are assigned to inactive owners such as those on leave or those that have left the company. 
  2. What policies need to be updated and retained, and which ones disabled or removed? Organizations need to fully understand what changes to rules are required, and to recertify rules to avoid breaking valid connections when decertifying and disabling expired rules. After confirming ownership and continued business justification, organizations further need an automated rule modification to remove decertified networks and only retain certified networks. 
  3. How do I make sure access is only available for as long as it’s needed? Rules have a lifecycle; access is not indefinite. Defining an expiration date ensures a policy is monitored by the Rule Lifecycle Management app. Rules are periodically reviewed by network owners and retained due to business or compliance requirements, or conversely removed as the access is no longer needed. When the rule’s lifecycle is orchestrated from creation to removal, access policies are only in place for as long as needed. Workflows enable support to automatically complete the technical administration of the full rule lifecycle. 

Using Tufin, network admins can map networks to rules and, with the RLM, orchestrate the rule review process across owners and devices, effectively eliminating many of the manual steps usually required for what is often a complex process. 

Automate orchestration to certify, modify, disable and/or decommission rules

RLM orchestrates the rule review process across owners, networks, admins and devices, enabling single-click recertification or initiation of processes to disable, modify or decommission a rule. The RLM enables collaboration across the organization by providing interfaces for network or security teams responsible for certifications and for network owners who understand if access has business justification.

With the RLM app you map rules to network owner(s) so someone who understands the business justification for connectivity can recertify or decertify the rule. The app identifies inactive owners for rule reassignment and orchestrates certification across multiple rule owners. If the rule owner/s decide to decertify the rule, the app triggers a rule decertification ticket and can also decommission the decertified access automatically. All recertification and decertification actions are documented for audit and compliance purposes.

Rule review is required at regular intervals in accordance with major compliance mandates and as part of good practices. For example, ECB/PSDII and PCI-DSS require recertification every six months.

How the Rule Lifecycle Management App Works 

The RLM coordinates interaction, data and insights across many systems and people, as shown in Figure 2 below.   

Figure 1: diagram of the different RLM workflows.

The RLM app (#1 in Figure 1) automatically discovers expiring and expired rules, and (#2) maps them to relevant rule owners. The updated list of owners can be imported via .csv from any CMDB or other data source. Once rule owners are assigned, (#3) the certification request is routed to the rule’s network owner/s for recertification or decertification action. Outcomes based on their certification action result in (#4) automatic recertification, designation for modification (and consequent automatic recertification), or decertification and disablement if desired. Outcomes are driven by workflow configuration resulting in a process that can be orchestrated to only generate the appropriate tickets, or fully automate the policy changes.

Figure 2: Recertification dashboard to help a network owner track and measure progress

Recertification Reporting 

Parameters can be set for certification which include pre-scheduled notifications about: expired rules, how many days in advance you would like to send notification to rule owners, how long the renewal process should take, if the decertification process should be implemented automatically or not, and more. An integration and configuration screenshot can be seen in Figure 3 below.

Figure 3: Screenshot of the admin dashboard showing the different parameters available for defining your recertification process

Finally, with the Tufin RLM app, you enable the orchestrated review of rules by automatically assigning an owner or multiple owners to rules, initiating and implementing an automated process for rule certification and decertification, monitoring progress, setting alerts to easily manage the recertification process, and complying with multiple regulation and security mandates.

Tufin aims to consistently deliver new innovations based on real user experience. We invite you to check out Tufin’s Rule Lifecycle Management app and tell us what you think.