Posted on May 4th, 2022 by Tufin

Presented by:
Dr. Jason Clark, Independent Security Researcher
Tucker Hall, Director of Product Marketing, Tufin Cloud Security Solutions

The hybrid and multi-cloud environment provides significant benefits for enterprises, including functionality, scalability and agility, and specialized deployments. These benefits are why organizations are flocking to hybrid and multi-cloud. However, hybrid and multi-cloud environments create a host of security challenges for businesses, including misconfiguration, exfiltration of sensitive data, and unauthorized access. Enforcing security control consistently across different cloud and on-premise environments requires first understanding these challenges, then implementing tools and processes to prevent and/or remediate threats.

Tufin provides a single, unified strategy for network security. The Tufin Orchestration Suite offers real-time asset visibility across the network, automation and workflow optimization, and policy design and enforcement to ensure consistent, product-agnostic security in a hybrid environment.

Key Takeaways

We have entered a multi-cloud, hybrid world.

Organizations of all sizes are rapidly moving to a multi-cloud and hybrid cloud environment. Reasons include use of multiple applications, specialized deployments, better functionality for certain types of applications, access to on-demand resources, network connectivity, and scalability and agility.

Figure 1: Why organizations are moving to multi and hybrid cloud

Specific cloud-based threats present security challenges in hybrid cloud configurations.

While hybrid and multi-cloud environments offer significant benefits, there are major security challenges and threats:

  • Misconfiguration or improper setup. Technical- or policy-related configuration errors can weaken security. Enterprises can mitigate this by implementing robust logging practices, a solid configuration management plan, and consistent audits.
  • Exfiltration of sensitive data. To combat internal threats to sensitive data, consider implementing data loss prevention (DLP) practices such as tagging and scanning sensitive data, monitoring the volume and frequency of traffic, or even infusing machine learning and artificial intelligence.
  • Unauthorized access. Access issues often stem from a problem with security policy, configuration, or visibility. Applying least-privilege principles and reviewing access regularly can assist security teams with access control.

Figure 2: Addressing security challenges introduced by hybrid cloud configurations

Enterprises can also take organizational steps to set up their teams for success, such as enabling teams to work together on complex configurations through knowledge sharing, training, and awareness of team responsibilities.

Removing the barriers between teams will additionally facilitate the creation and application of a single unified policy and management oversight. And because having too many tools in an environment can decrease efficiency or cause teams to take shortcuts to meet time-based requirements, focusing on a single, unified solution to manage security will streamline the work of security teams while simultaneously offloading the burden of labor from application managers.

Improving visibility into the cloud decreases the attack surface.

Given the nature of multi and hybrid cloud environments, it's easy to lose visibility of who is accessing assets or services, and why and when they are being accessed. It is vital to know the true source of data and to check it regularly. This includes:

  • Asset visibility. Taking inventory of assets and comparing them against the controls in place, and, inversely, reviewing the controls in place to determine which assets each particular control protects or impacts.
  • Network mapping. A complete mapping of the entire cloud landscape that is checked regularly ensures assets are up to date with security requirements.
  • Event and alarm processing. Not only knowing where assets and users are, but also what they're doing in the current environment, is one of the most important areas enterprises can improve upon.

“You can’t protect what you can’t see.”
- Dr. Jason Clark, Independent Security Researcher

Reducing fragmentation and consolidating assets lowers risk.

Over time, the use of different software and hardware by disparate teams, across a multitude of cloud configurations and physical versus virtual resources, can lead to significant fragmentation and corresponding governance and security challenges. An actionable policy that is enforced across the entire landscape can address some of these fragmentation challenges.

Migrating or decommissioning some unused approaches is easier with a management platform that can coordinate workloads, determine usage frequency, and streamline processes. Removing unwanted services and redundant applications reduces the attack surface, lowers security risk, and lowers costs.

Automation adds value in a single, unified strategy.

Managing policies across various environments without automation increases the probability of errors, mistakes, and security gaps—not to mention that it is time consuming. Working with DevOps to move beyond simple task automation to a single, unified security policy ensures consistency across the entire landscape. Tools and techniques that apply security policy directly into existing automation processes also support continuous integration and continuous delivery.

An automated solution helps lock down network policies and data as well as address issues created by a common use case: Shadow IT. This is the use of IT systems, devices, software, and application services that are not explicitly approved by the IT department, which can lead to non-compliance, an increased attack surface, visibility loss, data system inefficiencies, and increased costs.

“Twenty to forty percent of enterprise technology spending is on projects without the knowledge of the IT department . . . this magnifies a significant increase in the amount of cloud spend.”
- Dr. Jason Clark, Independent Security Researcher

One of the most important process solutions that exists is security process orchestration, which can help mitigate many of the security issues that have been discussed.

“There's no real silver bullet, but I think security policy orchestration in some ways comes pretty close. Having a good, comprehensive security policy orchestration can help meet the needs of enterprises.”
- Dr. Jason Clark, Independent Security Researcher

Figure 3: Security Policy Orchestration encompasses four core functions.

Additionally, addressing these challenges optimizes costs by:

  • Unifying the management of security policies independent of controls, platforms, services, and processes.
  • Accelerating application delivery by injecting security policy into DevOps processes.
  • Bridging the skills gap by abstracting control plane across hybrid technologies.

Dr. Clark summarized his remarks by commenting that organizations are moving to hybrid and multi-cloud environments in droves because of the functionality and benefits. But this comes with a host of challenges, including staying agile and secure. He reiterated the need for visibility, the importance of addressing issues of fragmentation, and focusing on automation.

“Probably my most important point, arguably, is automation. I think a tool like a security policy orchestrator can help maintain consistency while minimizing the security risks.”
- Dr. Jason Clark, Independent Security Researcher

Figure 4: Considerations for securing cloud environments.

Tufin solutions deliver everything organizations need to secure their network in a comprehensive, scalable manner.

Modern networks are increasingly diverse and heterogeneous. The Tufin Orchestration Suite is a product-agnostic solution offering support for all traditional on-premise network architecture, private cloud technologies, and public cloud platforms and services. Tufin offers seamless integration with the broader cybersecurity stack via an extensive API library and integrations to other key platforms and tools.

Figure 5: Tufin Orchestration Suite provides security management across all hybrid cloud assets

Tufin Orchestration Suite consists of three fully integrated products:

SecureTrack™ provides security teams with real-time visibility of the network across and through firewalls, routers, switches, software-defined networking (SDN), and cloud environments—including information on these assets’ configurations and current security posture. With this visibility, SecureTrack™ enables organizations to design security policies that establish a baseline of allowed and blocked traffic between security zones and groups to support consistent network segmentation.

SecureTrack™ also offers:

  • Broad built-in library of policy templates and tools that gives enterprises the ability to design bespoke policies to meet corporate security requirements, as well as specific regulatory and compliance obligations such as PCI DSS, GDPR, and more.
  • Real-time network monitoring delivering real-time alerts of any risky access changes and policy violations.
  • Highly accurate topology modeling and path analysis across the network, which can be leveraged to quickly troubleshoot and remediate any network outages, or to plan connectivity changes.

SecureChange™ leverages the policies designed and deployed via SecureTrack™ to add automation and orchestration to the environment, bringing down time to effect network changes from days to minutes. With SecureChange™, the entire network change process can be automated.

For example, Tufin automatically calculates the optimal traffic path for access requests originating from an ITSM solution and identifies any risk associated with granting that access. Upon approval, Tufin then automatically designs all associated rule chains across all devices and assets through which relevant traffic will pass, applying the principle of least privilege to any rule changes. It will then implement those changes, verify the access, notify the requester, and log all activity for audit purposes. Additionally, SecureChange™ continually analyzes rule sets across all network security assets and identifies any shadowed, unused, or duplicative rules, then automates their cleanup.

SecureCloud™ extends network visibility, policy design and enforcement, and automation into public cloud and native environments. SecureCloud™ delivers granular visibility into the entire public cloud environment, through a workload-centric view of all assets and services. This topology is evaluated against industry benchmarks and best practices, such as Center for Internet Security (CIS), and provides alerting for any high-risk configurations found.

“We're focused on helping security teams identify risk end to end, across the network, and then deploy policies to proactively mitigate that risk and to drive agility . . . bringing products and services to market faster without compromising your security posture.”
- Tucker Hall, Director of Product Marketing, Tufin Cloud Security Solutions

The Tufin Marketplace provides a broad portfolio of approved plugins for the platform to extend its capabilities even further, with first-party and third-party apps to integrate with other solutions to streamline segmentation design or policy buildout to enable application discovery and enhance compliance reporting.

Additional Information

  • Phased approach. The presenters recommended a phased approach to policy strategy, using a maturity model. Common phases include: 1) visibility to understand the infrastructure; 2) rule cleanup; 3) build a policy framework; and 4) automation.
  • Tufin offers a free, fully-enabled 30-day trial of its secure cloud product. To learn more, visit www.tufin.com/demo.