State of Michigan Case Study

The speaker

Anthony Rodgers, Director of Enterprise Solution Design Services, Office of the Chief Technology Officer, State of MI

Anthony’s department’s scope of responsibilities include to enable a government to work for Michigan’s 10 million residents

Which aspects of NIST does Tufin help us meet?

Tufin helps the State of MI meet many NIST 800-53 controls

Specifically the NIST requirements highlighted in orange, including

Enforcing approved authorizations

Authorizes internal connections

Documentation

Establishes a traffic flow policy

Tufin helps manage a complex regulatory environment

Challenges we had to overcome

Paperwork, paperwork and more paperwork

Transition compliance from a command-and-control environment to trust-but-verify

Eliminate manual dependencies to find mistakes

Moving away from “paper-like” processes

Achieving security guardrails, control and consistency, at scale

Security changes in minutes, not days through eliminating manual processing

Over 4 months, average days to implement a network access change request decreased from an average of 5.1 to less than 1 day

Even while access change request volumes increased from 25-50% due to Covid-19

Fixed firewall management issues through a standardized set of service rules

Defined guardrails or data communication standards based on pre-approved rules

For example enterprise services that may be consumed by an endpoint

Eliminated redundant and inconsistent rules

Eliminated guess work

Simplified access change requests for users

Tufin helps eliminate manual processes to increase productivity and accuracy

Removed manual steps

Supported the addition and incorporation of new technologies

Unified siloes and encouraged shared responsibility by eliminating “throw it over the wall” to the cloud team, or IPS team, or Azure team through automated workflows and transparent policy standards

Implementing 3 modules of Tufin Orchestration Suite

Tufin SecureTrack

Create guardrails that keep individual rule requests within standards

Automatically validates rule compliance & implementation

Detect and remediate access changes that did not go through the approval and validation process

Tufin SecureChange

Automate and orchestrate the right rule, on the right firewall, on the right platform

Eliminate sending remedy tickets off to multiple teams

Eliminates typo / manual input errors

Automates clean up – eliminate obsolete and shadowed rules

Tufin SecureApp

Shift from a Layer 3 to Layer 7 view of connectivity

Describe business applications similar to how described in our data communication standard and have a complete picture of a business application connectivity