The firewall management services team is on a digital transformation journey, as are so many network and security teams today. This specific initiative required consolidating management and control of security policies across the organization to improve their overall security posture, while accelerating the provisioning of network changes. These common needs, for improved security and agility, are traditionally at odds and continue to create challenges network-wide. For the last two years, the team has been using Tufin SecureTrack to achieve visibility of their security policies across the company’s 200 internal corporate firewalls. As part of this initiative, they need to incorporate an additional 600 firewalls controlled by subsidiary business units, into their management scope. With a keen awareness that their security posture was only as strong as the weakest policy, the team could not add these 600 firewalls to their network without ensuring that every firewall had compliant policies. They defined an initiative to audit each subsidiary firewall, plus the existing 200 firewalls under management, to ensure there were no shadowed or redundant policies, and full compliance. They projected the audit would require 9 months to complete, and multiple FTEs. What’s more, they had neither bandwidth nor budget for such a project of this size or scope.
On a daily basis, with over 800 firewalls under management, the team was (and still is) inundated with a high volume of change requests – over 11,000 annually. Managing these requests manually not only required considerable time and resources, but it increased the possibility of misconfigurations (leading to re-work). To add to this challenge, the requesters, developers and app owners are often not familiar enough with the network configuration to include all the information required to provision the connectivity. This meant that tickets were not always accurate or complete, making it exceedingly difficult for the team to complete the tasks at hand. With incomplete information, the team’s output was hampered. The head of the firewall management services team explained “we need to be able to be good at our job.” The team found themselves having to help the requesters define their rule requests, which added to the time required to make the required changes. Overall, for consolidation, the team required an automated method of auditing policies for compliance, shadowing or redundancy. For ongoing management, they needed to improve collaboration and share responsibilities with developers and app owners. They sought a solution to reduce the possibility of errors and help manage the high volume of monthly requests; they sought a solution to make changes more efficiently and accurately.
The head of the firewall management services team had experience with Tufin, knew they were the industry leader, and knew the product well. The team still completed a Proof of Concept. The POC quickly demonstrated the product’s multi-vendor management, visibility, automation, compliance support, and API integration capabilities: the set of capabilities required to solve the team’s challenges. Tufin was known by the firewall management team as the industry leader. As a global organization, this consulting and auditing firm requires a unified security posture, and Tufin SecureTrack and SecureChange delivered. With centralized visibility and a unified policy across the entire organization, they were also able to better secure the perimeter and reduce the attack surface. In addition to achieving improved response times and improved security, the user experience remains the same with Tufin’s API integration. Users do not need to change their processes, they still access the same form in ServiceNow for a change request.
“ROI on our Tufin investment has been great. It was, and still is being, driven by productivity gains, reduction of re-work from manual errors and automated coordination across teams.” —Head of the Firewall Management Team
Today’s network and security teams are tasked with finding the balance between speed and security. Their customers need access granted, quickly, and without mistakes. Tufin’s robust, centralized multi-vendor platform enables teams to ultimately improve security posture, while decreasing risk and increasing the speed of delivery.
Using Tufin SecureTrack and SecureChange the team successfully completed the consolidation project in 3.7 months. Originally estimated to require 9 months, Tufin saved 1,400 man hours, representing $300k savings over the projected costs without Tufin. During the 3.7 month consolidation, the team eliminated thousands of redundant and obsolete rules. Automation saved 5.3 months and over $300k for security policy optimization initiative.
Since deploying Tufin, so far to just a a handful of their over 140 regions, the team witnessed a 10% boost in efficiency and productivity. In addition to decreased time coordinating with member sites, the firewall management team has eliminated re-work from unneeded requests. Prior to Tufin, a request for a redundant rule would have to go through the entire planning, risk analysis and approval process. An engineer would only discover it was redundant when trying to implement it. Now, with Tufin, redundant rules are identified automatically prior to the provisioning workflow. Headcount increases will no longer be required. When the Tufin Orchestration Suite deployment is complete, the team predicts they will be able to decrease their SLA from 5 to 2 days, with many changes completed in minutes.