Tips for Successful Security Policy Migration

Last updated February 15th, 2023 by John Moran

At Tufin, we’re often asked, “Our company is going through a technology migration. Can Tufin help?” The answer – yes. Tufin can add value to migrations ranging from a few dozen enforcement points to a global, enterprise-wide technology shift. However, some of the ways Tufin can add long-term value may surprise you.

When we dive a little deeper into these inquiries, what we hear most is “Can you move security policies from Vendor X’s devices to Vendor Y’s devices?” or “We’re moving our applications to the cloud, can Tufin move our security policies from our on-premises data centers to the cloud?”

When Tufin ingests security policies, each device, rule, and object is normalized into a standard format.

Security policy normalization is what makes the Tufin Rule Viewer such a powerful tool for our customers. Every rule, regardless of its origin, can be queried and managed from a single console within the context of the entire security policy base. This same information can also be queried and retrieved via Tufin’s REST and GraphQL APIs.

So, moving policies from vendor to vendor should be easy with Tufin, right? At Tufin, we work hard to build feature-rich integrations with industry-leading security vendors. Our security policy normalization can offer tremendous value in migration projects. However, our real value lies in unified security policy visualization, management, and automation across a hybrid network. We do not have a one-click solution to migrate security policies between vendors. As we’ll discuss soon, you probably don’t want one anyway.

Planning and Preparing for a Successful Migration

Other than migrating the policies from one platform to another, how can Tufin add value?

Anyone who’s been through a migration of any scale knows that the work begins long before the first change is made. Successful migration requires months or even years of meticulous planning and preparation. A key component in the planning phase is a thorough understanding of what needs to be migrated and the relevant impact. Tufin’s in-depth network visibility facilitates this by providing both a macro (topology) and micro (rule) understanding of the current state of your network.

Chances are there are unused objects and rules, misconfigurations, and other unnecessary complexities that accumulate over time. Ideally, these should not be migrated to the new environment (remember we said a one-click solution to migrate full configurations between vendors probably wasn’t a good solution?). Tufin’s ability to identify unused and empty rules and objects, overly permissive rules, suboptimal configurations, and policy violations can help enterprises ensure the policy base is optimized and risk-free before the migration occurs.

Understanding Connectivity

Anyone who’s been through a migration will also tell you that there’s no “flip the switch” moment. Migration projects can take months or years with many phases and milestones from beginning to end. In some scenarios, simply understanding basic network interconnectivity can be a challenge. This morning’s network may be very different than it was when you left the office the night before. Tufin’s interactive topology map displays up-to-date network topology based on the current state of the network in an intuitive, easy-to-consume manner. The interactive map allows topology analysis queries, showing the current path from source to destination and the relevant security policies on each enforcement point along the way. This can be an invaluable tool, providing basic network awareness as well as easy troubleshooting when connectivity along a new path you think should work – doesn’t.

Monitoring Change

Migrations are times of change, and change introduces complexity and risk. As hundreds of changes are being made as part of a migration, a simple omission or mistake can easily lead to a critical business outage, or worse, exposure of critical data or services. Tufin retains a full policy revision history, allowing network admins to look back in time and view the security policy base as it existed at any previous point. Tufin also provides instant revision comparison, highlighting changes that occurred between any two revisions, allowing easy identification of the root cause of change-related outages or unexpected behavior.

Ensure Security and Compliance Through All Phases

Tufin’s Unified Security Policy (USP) allows enterprises to define security policy guardrails that are applied uniformly across devices and vendors. Each time a policy change is made, the new policy revision is checked against all defined USPs, immediately alerting the enterprise to potential risk which may have been inadvertently introduced as part of a change. When changes are made through Tufin SecureChange, the proposed change is automatically compared to all defined USPs, and optional third-party sources of vulnerabilities and risk, identifying potential risk before it’s provisioned to the network.

Unfortunately, migrations do not exist in a vacuum. Throughout the migration, routine tasks will continue – will require new access, DevOps teams will push new applications, and the cloud team will deploy new resources. Effectively managing these routine tasks when the network is probably different than it was yesterday, and almost certainly different than it was when the change request was made, can be a daunting task. Tufin’s topology and policy visibility provide network admins with the critical situational awareness required to maintain seamless operations throughout the migration. With this visibility, admins can continue to manage the enterprise network with confidence that their decisions are based on its most current state.

With each network topology change, admins must reorient themselves to correctly design new policies to implement change requests. This process takes time and introduces many potential opportunities for error. Tufin SecureChange elevates change management to the next level, assisting network admins by automatically designing new policies to implement requested changes based on the most current state of the network. The SecureChange designer examines each change request, automatically determining which enforcement points will be impacted by the change and what changes, if any, are required at each point. This results in faster, more accurate request handling, and a significant reduction in misconfigurations and request resubmissions.

Tufin’s added value in migration projects extends far beyond simply moving policies from X to Y. From planning and preparation to migration and ongoing operations, Tufin can significantly reduce friction and streamline the process, allowing you to realize the benefits of your migration project faster, while reducing potential risk.

If you’d like to discuss your specific migration project and how Tufin can add real value, reach out to your Tufin sales representative, or contact Tufin directly. We’re here to help!
