Taking Network Security Operations into the Future

RWE case study

RWE AG is the second largest utilities provider in Germany, with over 20 million electricity customers and 10 million gas customers, principally in Europe. RWE Supply & Trading (RWEST) is a leading European energy trading house and the interface between RWE Group’s operating companies and global wholesale markets for energy and energy-related raw materials in both their physical and/or derivative forms.

Following a period of outsourcing network security, RWEST decided to bring it back in house and the need came up for a solution to manage security and connectivity from a single console across geographies, vendors and platforms. With a cloud-first strategy and heavy investment in DevOps (setting up workloads in minutes), RWEST was looking for the right solution to take network operations into the future, without compromising security and compliance. They needed a solution that could consolidate security and orchestrate connectivity across a hybrid network, including legacy firewalls and routers, next generation firewalls, and cloud platforms.

“The Management team is happy with Tufin. They get less complaints that the change process is too slow, and they gain visibility into the growing amount of changes, the level of complexity of the changes (a typical change includes 10-15 new connections for a single application), and the process bottlenecks.”

Ralf Buchroth, Network Operations Expert.

Turn on the Lights: Regaining Visibility and Auditability

In 2013, RWEST needed to reclaim visibility of their firewall configurations and how policy changes were made. For that purpose, the outsourcing vendor selected Tufin SecureTrack, which provided real-time change monitoring across RWEST network firewalls. The network operations team gained visibility, but also learned that the change process should be revamped to allow better auditability by leveraging automation. Since policy compliance was a must, RWEST decided to build a change process that follows RWE standards and is fully auditable. The next step was to streamline the change process and replace email approvals in order to prepare for an internal audit. The RWEST network operations team started evaluating Tufin SecureChange for streamlining and automating the change process. Shortly after its deployment, the team was able to set up their auditable workflow process, import 500 existing requests, and be audit-ready for the following year.

A Spotlight on Cloud: Visibility and Control for AWS Security

RWEST already had a hybrid, multi-vendor network, with legacy and next generation firewalls, when they decided to add AWS to the mix. While the adoption of cloud significantly improves scalability and agility, it presents some challenges around security controls and policy compliance. Like in many other organizations, RWEST established a dedicated “Cloud team” that owns AWS environment and is responsible for AWS security groups. In order to gain visibility and control of AWS security configuration, the network operations team monitors AWS VPCs, instances, security groups, and access rules with Tufin and also generates periodic reports they can share with other teams. By using Tufin, they can identify security violations in AWS and make sure they are addressed. Also, north-south traffic that goes across AWS and the Network firewalls (owned by network operations) can be fully controlled from a single console by using Tufin.

Automated Risk Analysis Accelerates Delivery

In addition to increasing the complexity of the RWEST network, the adoption of AWS tripled the number of policy changes required to allow connectivity with on-premises resources. Application developers set up resources in minutes and require similar agility for setting up application connectivity. The network operations team was tasked with processing all firewall changes in a timely manner but found that security approvals were causing delays. To accelerate change processing without compromising policy compliance, the team started using automated risk analysis in Tufin SecureChange. The proactive identification of potential violations and the analysis results that are sent to the security team sped up change requests, improved security, and increased the productivity of the security team by helping them focus on high-risk changes rather than spend valuable time on every change.

Next Step: Empowering DevOps for Lightening Speed

“We have 60 developers who can set up servers in minutes and are constantly requesting changes in connectivity. They do not think of IP addresses, ports, and protocols. They like Tufin because they get visibility to the rules blocking connectivity to their applications, and once the change is implemented, they can immediately see the status change,” said Ralf Buchroth, Network Operations Expert.

The only way to fully automate the process and keep up with the developers was to empower them to monitor connectivity and submit their connectivity requests directly. Tufin SecureApp, together with a customized developers’ portal, makes that feasible by automatically processing application connectivity requests and removing the need for manual translation into IP addresses, ports, and protocols. This will further reduce the work of the network operations team, and increase satisfaction for RWEST application developers.

About RWE Supply & Trading (RWEST)

RWE Supply & Trading is a leading European energy trading house and an active player on the global wholesale markets for energy and energy-related raw materials in both their physical and/or derivative forms. This includes power, gas, coal, freight, oil, weather derivatives, biomass, emissions certificates, and renewable energies. They are responsible for the economic optimization of power generation and the entire non-regulated gas business of RWE. Large industrial companies and trading partners are offered long-term delivery concepts by RWE Supply & Trading next to trading based portfolio and risk management solutions.

Download case study