Posted on Apr 29th, 2020 by Hadas Lahav

Over the past few challenging weeks, my colleagues from product management and I had numerous conversations with organizations around the world, who shared their concerns about the shift to remote working, how to handle the surge in access requests, and how it’s affected their business continuity.

Despite operating in different countries and industries, their concerns and challenges were similar -- all relating to their ability to react quickly, with these three trends now emerging:

1. Increased demand for urgent network changes

Many organizations see a dramatic increase in the volume of network changes due to the shift to remote working. Employees working from home need to urgently gain access to various organizational systems.

These time-sensitive requests are on top of the routine network changes that frequently occur in every organization. A developer, for example, who completes one project and moves on to another now requires new network access to a different app/resource. These simple, routine changes are often implemented manually, by modifying firewall rules one by one or, at best, by using a searchable index of rules, and can take days, if not weeks. But when it takes too long to implement a change, especially if the change is critical, firewall admins may be forced to make the changes without having the time to thoroughly investigate the total impact on the security posture of the company.

These changes presumably meet SLAs but expose the network to potential risks.

2. Lost in translation

Because of the surge in requests, plus remote communication, requests have become increasingly cryptic, requiring firewall admins to redo changes more often due to simple misunderstandings. When rework is completed manually, rule by rule, it can quickly lead to a chaotic, unmanageable rule base with shadowed, redundant, and even overly permissive rules that are hastily reconfigured to enable network changes.

Communication obstacles are compounded since so many functions are now potentially impacted by a connectivity change. These communication issues are added to an already long list of collaboration concerns between IT, security, and cloud teams. Almost every organization handles fragmented networks, where different teams manage different security policies for different platforms and network devices. This can result in a lack of collaboration, where the cloud team, for example, makes changes to security group rules that impact firewall rules, without partnering with the relevant network/security teams.

A surge in manual re-work, combined with disparate responsibilities, can lead to blind spots and misconfigurations, resulting in major compliance gaps.

3. IT skills shortage

Many organizations are looking to reduce third-party service spending, and are relying more on in-house IT teams to manage their firewall estate. This effort, now combined with a limited remote workforce, puts additional strain on already overworked IT teams who are being asked to do more with fewer resources, resulting in shortcuts or the postponement of longer-term, more strategic initiatives.

Tufin’s practice: Leverage automated network security change workflows to eliminate repetitive routine tasks and streamline security while ensuring SLAs

Nearly every network access change involves complex implementation throughout multiple, multi-vendor firewalls, switches, and routers, as well as security groups. Doing it manually, without accurate network topology and automated tools to help optimize newly implemented changes, makes it impossible to handle tickets in a timely manner without exposing the network to potential risks. Network security automation, including a set of automated workflows that streamline every step in the change process, ensures a fast, accurate, secure and documented access change process, to expose and prevent otherwise hidden threats and risks in your organization.

Automated, secure and accurate network access change implementation across multi-vendor network devices

With Tufin SecureChange, you can streamline the network change implementation process by automating change request workflow handling. You can actually create as many different workflows as needed, to achieve multiple use cases, including providing new network access, adding a new server to an existing cluster of servers, removing unused rules or servers from your security policy, and more. Each of these workflows is fully customizable, so that you can configure it to meet the specific needs of your organizational processes. Every workflow is a multi-step, graphical process – from design, to automated target selection, to risk assessment, all the way to approval and implementation, to help remove bottlenecks in your daily operations, and eliminate the risk of configuration errors. All workflows are audit-ready, as they track and document the full change history, and keep it for future reference.

What’s more, every workflow visualizes the entire sequence of events. Following are the key automation elements and steps that comprise a standard Access Request workflow:

Step 1: Automated risk calculation based on the ‘source’ and ‘destination’ entered by the user for the required change. Using risk calculation, SecureChange compares the source and destination to the organization’s defined Unified Security Policy and segmentation matrix, providing an early indication of a policy violation, if one exists.

Step 2: Automatic selection of target devices in the path between source and destination, based on accurate network topology metadata and security policy configuration information, such as router interfaces and network protocols (e.g. NAT, VPNs, MPLS), collected from the on-premise, SDN, and cloud environments. Tufin maps out the firewall targets between the source and the destination, irrespective of the device manufacturer/SW vendor.

Path analysis tool. Based on a source and destination, TOS automatically suggests an optimized path based on traffic analysis and topology metadata.

Step 3: Automatic design of policy changes using the Designer tool, based on the devices’ existing policy. Tufin pinpoints which changes in rule/s and/or network objects need to be made to enable the required change. Tufin easily does this across all environments and devices. For example, one of the Designer’s great benefits is that it can pinpoint required rule edits in security groups and firewalls. Tufin can seamlessly translate new rules and/or ACL changes into existing, defined security configurations, and automatically implement the change into all relevant Transit Gateways, DNS, or Firewalls, to provide secure access.

In addition, you can view required rule edits per device. The Designer notifies if changes already exist on the devices, to prevent the creation of shadowed rules. In fact, we often find that up to 30% of all access requests do not require any rule changes.

Further, SecureChange ensures that no duplicate rules/objects are created. You can also review the designed path, and make changes to rule attributes, if needed. Finally, you simply click ‘Update Devices’ to implement the changes in all relevant firewalls.

Step 4: Automatic verification of the change implementation once rule changes are pushed. The Verifier tool ensures changes were provisioned as designed.

TOS automatically suggests, implements and verifies rule changes that meet your operation and compliance standards.
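To make the logic behind Steps 1, 3 and 4 concrete, here is a minimal sketch added for illustration. It is not Tufin code and does not use any Tufin API; the zone names, segmentation matrix and rule base are constructed sample data, and it assumes a single device with first-match rule evaluation, proposing a new rule whenever an earlier rule only partly overlaps the request.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # TCP destination port, 0 = any
    action: str  # "allow" or "deny"

# Constructed sample data (not from the page): zones, matrix, one device's rule base.
ZONES = {"vpn_users": "10.8.0.0/16", "app": "10.20.0.0/24", "db": "10.30.0.0/24"}
MATRIX = {("vpn_users", "app"): {443}, ("app", "db"): {5432}}  # permitted ports
RULEBASE = [Rule("10.8.0.0/16", "10.20.0.0/24", 443, "allow"),
            Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny")]

def net(cidr):
    return ipaddress.ip_network(cidr)

def zone_of(cidr):
    return next((z for z, c in ZONES.items() if net(cidr).subnet_of(net(c))), None)

def overlaps(rule, src, dst, port):
    return (net(src).overlaps(net(rule.src)) and net(dst).overlaps(net(rule.dst))
            and rule.port in (0, port))

def covers(rule, src, dst, port):
    return (net(src).subnet_of(net(rule.src)) and net(dst).subnet_of(net(rule.dst))
            and rule.port in (0, port))

def assess(src, dst, port, rulebase):
    """Return (decision, position) for an access request on a first-match rule base."""
    # Step 1: compare the request's zones with the segmentation matrix.
    if port not in MATRIX.get((zone_of(src), zone_of(dst)), set()):
        return ("policy_violation", None)
    # Step 3: find the first rule that touches the requested traffic.
    for i, rule in enumerate(rulebase):
        if overlaps(rule, src, dst, port):
            if rule.action == "allow" and covers(rule, src, dst, port):
                return ("no_change", i)  # already permitted: a new rule would be shadowed
            return ("add_rule", i)       # insert above the rule that blocks or splits it
    return ("add_rule", len(rulebase))

def apply_and_verify(src, dst, port, rulebase):
    """Steps 3-4: apply the designed change to a copy, then re-check the result."""
    decision, pos = assess(src, dst, port, rulebase)
    updated = list(rulebase)
    if decision == "add_rule":
        updated.insert(pos, Rule(src, dst, port, "allow"))
    return decision, updated, assess(src, dst, port, updated)[0] == "no_change"
```

A request that is already covered returns `no_change`, which is the case the Designer flags to prevent shadowed rules; a request outside the matrix stops at Step 1 and never reaches rule design.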

See it in action:

Watch the short video below to see SecureChange in action when granting network access that involved rule changes in multiple devices, including an SDN environment.

Integration with external systems

Ultimately, we often see customers integrating workflows with other solutions, such as ITSM systems, via an API, so that opening a change ticket in the ITSM triggers a workflow within SecureChange. Depending on how you design your process, it can trigger approval steps within the ITSM or a full implementation notification sent directly from Tufin to the ITSM.

Another common integration is with vulnerability management solutions, where you can add a step to the SecureChange workflow to check the source/destination vulnerability score, and alert the user in case of a high risk score.

Finally, with automation, IT teams will proactively address changes and issues with smart, standardized processes, rather than play catch-up in time-consuming and often haphazard ways.

To learn more about how to build workflows to meet your organization’s requirements, watch this webinar