Tech how-to: use Tufin's new cloud tag policy feature

Tufin recently released R16-4, the latest update to Tufin Orchestration Suite, which brings many new features. Today we're going to take a closer look at the cloud tag policy feature.

It's no secret that more and more organizations are moving workloads to the cloud. While this was once thought to be done for cost reduction purposes, it is clear today that the primary driver is agility: being able to move fast and continuously deploy capabilities to enable business growth and customer satisfaction. However, one of the concerns with cloud migration is security. According to a recent study of information security professionals, 62 percent of respondents are concerned that unauthorized outsiders could access data stored on public cloud services. Using an automated approach to define and enforce a central cloud tag policy is an effective component of a strong cloud security strategy.

Automating security policy based on cloud tags reduces complexity and human error while increasing visibility and control. Cloud tags are a critical part of managing cloud instances and ensuring that the environment is properly maintained. Tufin's cloud tagging feature enables cloud security administrators and cloud architects to define, manage, and enforce a tag policy for workloads running in the cloud, helping them establish and align best practices for ensuring compliance in cloud environments.

What are tags good for?

  1. Organize resources and distinguish between them
  2. Control proliferation of workloads (save costs)
  3. Simplify deployment (for example: a new resource using other resources)
  4. Billing
  5. Assign security and compliance levels

Use Tufin's Unified Security Policy to define, control, and enforce tag policy for workloads running in the cloud and for instances as they are being spun up.

Here is how to get started using Tufin's cloud tag policy:

How to define your policy:

When you create a cloud tag policy file to import, you can include requirements for mandatory tags or valid values or both. You must include these fields:

  • For mandatory tag requirements:
    • policy name - The name of the cloud tag policy
    • policy description - A description that is shown in the list of USP components
    • requirement type - mandatory_tags
    • requirement name - The name of the requirement in the cloud tag policy
    • requirement description - A description that is shown in the list of cloud tag policy requirements
    • requirement severity - The severity assigned to the requirement: Critical, High, Medium, or Low
    • tags - The tags that are required for every instance (case-sensitive)
  • For valid values requirements:
    • policy name - The name of the cloud tag policy
    • policy description - A description that is shown in the list of USP components
    • requirement type - Either mandatory_tags or valid_values
    • requirement name - The name of the requirement in the cloud tag policy
    • requirement description - A description that is shown in the list of cloud tag policy requirements
    • requirement severity - The severity assigned to the requirement: Critical, High, Medium, or Low
    • tags - The tag that the values apply to
    • values - The list of values that are valid for the tag

[Screenshot: Tag policy example]

How to enforce your policy:

[Screenshot: Cloud tag policy requirements configured in Audit Compliance Unified Security Policy (only critical violations)]

After you import a JSON file with the specific Amazon AWS cloud tag requirements, you can see a table that shows those requirements. You can easily find violations of the cloud tag requirements in Home > Violations. Violations are updated when a new Amazon AWS revision is retrieved.

You can define requirements for:

  • Mandatory tags - The list of tags that every instance must have. Any instance that does not have all of these tags is shown as a violation of the requirement.
  • Valid values - The list of values that are possible for a specific tag. Any instance that has a tag value that is not in this list is shown as a violation of the requirement.
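To make the two requirement types concrete, here is an added Python example (not Tufin's code) that loads a policy file laid out with the fields listed above and evaluates a constructed set of instances against it, the same way the Violations view flags instances. The JSON key names, the instance IDs and the tag values are assumptions, since the post does not show the exact file format.

```python
import json

# Constructed example policy laid out with the fields the post lists. The exact
# JSON key names Tufin expects are not given on the page, so these are assumptions.
POLICY_JSON = """{
  "policy_name": "AWS production tagging",
  "policy_description": "Required tags and allowed values for EC2 workloads",
  "requirements": [
    {"requirement_type": "mandatory_tags", "requirement_name": "Ownership tags",
     "requirement_description": "Every instance must carry these tags",
     "requirement_severity": "Critical",
     "tags": ["Owner", "Environment", "DataClassification"]},
    {"requirement_type": "valid_values", "requirement_name": "Environment values",
     "requirement_description": "Environment must be an approved name",
     "requirement_severity": "High",
     "tags": ["Environment"], "values": ["prod", "staging", "dev"]}
  ]
}"""

# Constructed sample of instances and their tags (tag names are case-sensitive).
INSTANCES = {
    "i-0aaa": {"Owner": "payments", "Environment": "prod", "DataClassification": "pci"},
    "i-0bbb": {"Owner": "web", "environment": "prod"},  # wrong case, and a tag missing
    "i-0ccc": {"Owner": "hr", "Environment": "Production", "DataClassification": "internal"},  # value not approved
}


def evaluate(policy_text, instances):
    """Return violations as (instance_id, requirement_name, severity, detail) tuples."""
    policy = json.loads(policy_text)
    violations = []
    for req in policy["requirements"]:
        for inst_id, tags in instances.items():
            if req["requirement_type"] == "mandatory_tags":
                # Every listed tag must be present; the comparison is case-sensitive.
                missing = [t for t in req["tags"] if t not in tags]
                if missing:
                    violations.append((inst_id, req["requirement_name"], req["requirement_severity"], "missing tags: " + ", ".join(missing)))
            elif req["requirement_type"] == "valid_values":
                # Only instances that carry the tag are checked here; absence is a mandatory_tags matter.
                for tag in req["tags"]:
                    if tag in tags and tags[tag] not in req["values"]:
                        violations.append((inst_id, req["requirement_name"], req["requirement_severity"], f"{tag}={tags[tag]!r} is not an approved value"))
    return violations


def critical_only(violations):
    """Mirror the post's 'Only critical violations' audit view."""
    return [v for v in violations if v[2] == "Critical"]
```

Note that `i-0bbb` is flagged for the mandatory requirement only: its lowercase `environment` tag does not satisfy `Environment`, and because the correctly cased tag is absent the valid values check does not apply to it.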

What can I do on this page?

  • Import a cloud tag policy - Click the import button to import a cloud tag policy file. You must first prepare a cloud tag policy file.
  • Export the matrix - Click the export button to export the matrix displayed to a JSON file.

How do I get here? To view a specific USP cloud tag policy:

  1. Go to the listing of your security zones.
  2. Click on the name of a specific cloud tag policy. The cloud tag policy is shown.

[Screenshot: Cloud tag policy]

Tufin Orchestration Suite R16-4 is now generally available. Visit the Tufin Knowledge Center to learn more about cloud tag policy and other new product capabilities.