Posted on Jul 02nd, 2014 by Reuven Harrison

At Tufin, we often talk about how the growing complexity of organizational networks is making it impossible to manage security effectively through traditional manual means. But one of the problems businesses often encounter when trying to move to a more automated approach is that security professionals are understandably wary. They do not want to place complete trust in systems that take control away from them, particularly in a highly complex, segmented network environment that supports business-critical systems. The key to overcoming such concerns is to understand the distinction between security automation tools that simply repeat tasks in a robotic fashion when particular conditions are met, and the idea of security policy orchestration (SPO). As the name implies, the latter is more like the conductor of an orchestra, deftly co-ordinating a system that comprises many different, interconnected parts.

Many IT automation tools implement a repetitive kind of automation, for example, tools that automate system configuration. Such tools are designed to automate repeated deployments of many instances of identical infrastructure or applications so that those deployments can be performed instantly and on demand.

Orchestration, on the other hand, is designed to "understand" a composite system, receive business requirements, and transition the system to a new state that satisfies the needs of the business. In the specific case of security policy orchestration, business owners define their connectivity needs and the system, taking into account the current network configuration, designs a set of firewall policy changes that achieve the required connectivity while adhering to security and compliance policies.

Tufin's Orchestration Suite, for example, can hook into a wide variety of different manufacturers' firewalls, routers, switches, load balancers and other devices. It understands how an organization's networks are segmented, and how any change to one system or application will affect adherence to security policies across an array of networks, firewalls and zones, before the change is actually implemented.

Security guru Bruce Schneier hits the nail on the head when he says that “security is a process not a product”. Yet most automation solutions do not take account of this important distinction. They simply automate configuration of particular systems through API calls.

Realizing the importance of processes in the context of security management, security policy orchestration handles changes as part of an auditable and controlled process. This makes the transition far more palatable for most security professionals, since they are able to delegate trust to a system that provides a comprehensive audit trail and allows them to intervene at any step of the process, as required.
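The request-to-change flow described above (a connectivity request evaluated against the current rule base and the segmentation policy, producing a staged change that a reviewer approves, with every step audited) as a small added example. This is illustrative code written for this post, not Tufin's software; the zone names, services, rule base and compliance matrix are constructed sample data.

```python
"""Toy security-policy-orchestration flow (added example, not Tufin's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"


# Constructed segmentation policy: which zone pairs may talk on which services.
# Any pair/service not listed is non-compliant (default deny).
COMPLIANCE_MATRIX = {
    ("DMZ", "App"): {"tcp/8443"},
    ("App", "DB"): {"tcp/5432"},
    ("Corp", "DMZ"): {"tcp/443"},
}


@dataclass
class Orchestrator:
    rules: list                    # current firewall rule base (constructed)
    audit: list = field(default_factory=list)

    def _log(self, request, decision, detail):
        """Every decision, including rejections, lands in the audit trail."""
        self.audit.append({"request": request, "decision": decision, "detail": detail})
        return decision

    def handle(self, src, dst, service, requester):
        """Evaluate a connectivity request; returns the decision string."""
        request = (src, dst, service, requester)
        # 1. Already permitted by an existing allow rule: no change needed.
        if any((r.src, r.dst, r.service, r.action) == (src, dst, service, "allow")
               for r in self.rules):
            return self._log(request, "no-change", "already allowed")
        # 2. Segmentation/compliance check before any change is designed.
        if service not in COMPLIANCE_MATRIX.get((src, dst), set()):
            return self._log(request, "rejected", f"{src}->{dst} {service} violates segmentation policy")
        # 3. Design the change but only stage it, so a reviewer can intervene.
        return self._log(request, "proposed", Rule(src, dst, service, "allow"))

    def approve(self, audit_index, approver):
        """Reviewer step: apply a staged rule. The approval is audited too."""
        entry = self.audit[audit_index]
        if entry["decision"] != "proposed":
            raise ValueError("only proposed changes can be approved")
        self.rules.append(entry["detail"])
        return self._log(entry["request"], "applied", f"approved by {approver}")
```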

Security policy orchestration provides an effective integrated management platform that can be automated as necessary, cutting network changes down from 1-2 weeks to less than a day. This allows businesses to be as agile as possible when it comes to changing applications and delivering new services. Security is embedded into the change process, and there no longer needs to be any trade-off between security and business agility.

Learn how basic security foundations and effective automation of security practices will minimize the effects of cyber breaches within your enterprise, or find out more about Tufin's Security Policy Orchestration Solution.