Posted by Tom Foremski - December 19, 2012
I recently spoke with Ruvi Kitov, CEO and co-founder of Tufin Technologies, which provides firewall policy management tools for very large companies.
Tufin is interesting because it is rethinking the way firewalls should be managed. This is driven by the rise in the number of applications being produced by enterprises.
Firewall administrators are spending more of their time dealing with application-related change requests, yet the app developers know little about firewalls, potential rule conflicts or security holes. Earlier this year, Tufin launched SecureApp, a suite of admin tools to help manage this important security relationship between apps and firewalls.
This application-centric approach to enterprise security is a different way of thinking about security. Here are some notes from our conversation:
- Our latest survey shows that nearly half of all firewall changes are related to application connectivity. And most companies report that they don't have confidence in their IT staff being able to fully address the compliance and security risks that arise when managing application connectivity.
- We realized that the best approach is to address security through the app layer first, to document the resources an app needs and how it behaves, and then to communicate what's needed in the firewalls. Our new product helps to automate this process. And it's integrated with our two other firewall products, SecureTrack and SecureChange.
- It's a paradigm shift and it might take some time for this to be understood, but you have to tackle security first through the app layer, not the network.
- Here's why: Large enterprises have a high degree of complexity because of multiple locations, multiple IT systems and hundreds of firewalls to manage with multitudes of rules. Developing new applications is tough because they must work across all of a corporation's firewalls.
- The situation becomes more complex when changes are made to an application and those changes have to be communicated to hundreds of firewalls.
- If firewalls aren't configured right, apps will fail. But the app developers have to be better at communicating and documenting how their apps behave, so that the right changes can be made by the network security teams.
- Anytime you change the configuration of firewalls, other things can break. A key feature of SecureApp is that you can simulate the entire network and test changes safely.
- CIOs want to deploy apps faster but this can compromise security if there is little communication between the app developers and the security teams.
- There's often a cultural problem within large corporations in that the app developers don't understand the security issues and the security people don't understand the apps.
- There is often little or no documentation, and when people leave a company, a lot of knowledge about an app leaves too. SecureApp makes sure that there is documentation and that knowledge isn't lost when people leave.
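To make the approach in those notes concrete (document an app's required flows, then simulate a proposed rule base against them before anything is pushed to a firewall), here is a small added example. It is not Tufin's code and does not use the SecureApp, SecureTrack or SecureChange products; the addresses, rule names and application flows are constructed for illustration, and the first-match evaluator and shadowed-rule check are a generic approximation of what a policy simulator does.

```python
"""Application-centric firewall policy check (added example, constructed data).

The app team documents the flows its application needs. Before a change is
deployed, the network team evaluates the proposed rule base against those
flows (first match wins, implicit deny at the end) and also looks for rules
that an earlier rule makes unreachable, which is how a "tightening" change
silently breaks an app or a broad rule quietly opens more than intended.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    """One connectivity requirement taken from the app's documentation."""
    name: str
    src: str      # source host address
    dst: str      # destination host address
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule. dports=None means any destination port."""
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    dports: Optional[frozenset]
    action: str   # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in Net(self.src)
                and ipaddress.ip_address(flow.dst) in Net(self.dst)
                and self.proto in ("any", flow.proto)
                and (self.dports is None or flow.dport in self.dports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match would already match self."""
        return (Net(other.src).subnet_of(Net(self.src))
                and Net(other.dst).subnet_of(Net(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dports is None
                     or (other.dports is not None and other.dports <= self.dports)))


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule that matches the flow, or None (implicit deny)."""
    for r in rules:
        if r.matches(flow):
            return r
    return None


def blocked_flows(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Names of documented app flows that this rule base would deny."""
    out = []
    for f in flows:
        m = first_match(rules, f)
        if m is None or m.action != "allow":
            out.append(f.name)
    return out


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(prev.covers(r) for prev in rules[:i])]


# Constructed sample: the flows the app team documented (hypothetical addresses).
APP_FLOWS = [
    Flow("lb-to-web", "10.1.1.5", "10.2.0.10", "tcp", 8443),
    Flow("web-to-db", "10.2.0.10", "10.3.0.20", "tcp", 5432),
    Flow("web-to-ldap", "10.2.0.10", "10.4.0.30", "tcp", 636),
]

# Constructed current rule base. Order matters: first match wins.
BASELINE = [
    Rule("allow-lb-web", "10.1.1.0/24", "10.2.0.0/24", "tcp", frozenset({8443}), "allow"),
    Rule("allow-web-db", "10.2.0.0/24", "10.3.0.0/24", "tcp", frozenset({5432}), "allow"),
    Rule("allow-web-ldap", "10.2.0.0/24", "10.4.0.0/24", "tcp", frozenset({636}), "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

# Constructed proposed change: a deny for the DB segment inserted above the
# app's allow, plus a broad allow that makes the tight LDAP rule unreachable.
PROPOSED = [
    BASELINE[0],
    Rule("deny-db-segment", "0.0.0.0/0", "10.3.0.0/24", "any", None, "deny"),
    BASELINE[1],
    Rule("allow-web-any", "10.2.0.0/24", "10.4.0.0/16", "tcp", None, "allow"),
    BASELINE[2],
    BASELINE[3],
]

if __name__ == "__main__":
    print("baseline blocks:", blocked_flows(BASELINE, APP_FLOWS))
    print("proposed blocks:", blocked_flows(PROPOSED, APP_FLOWS))
    print("proposed shadowed rules:", shadowed_rules(PROPOSED))
```

Run against the constructed data, the baseline passes every documented flow, while the proposed change reports `web-to-db` as blocked and flags both `allow-web-db` (dead because of the new deny) and `allow-web-ldap` (dead because the new `allow-web-any` rule already permits every TCP port into 10.4.0.0/16). The first finding is the "apps will fail" case; the second is the "security hole" case, since the broad rule grants far more than the app documented. Both are visible before any firewall is touched.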
Foremski's Take: Tufin's application-centric approach to improving enterprise security makes sense, and it won't take corporations long to realize it's the right approach.
What will take longer is the internal shift in culture, in the app developer teams, which traditionally have not been very security minded.
It's a leadership move by Tufin and one that's well-timed. The explosion of apps in the consumer web is driving a tremendous amount of app development in the enterprise. Firewalls can quickly become brick walls, or leave security holes open, because of badly designed apps.
Managing hundreds of firewalls while trying to support a deluge of apps will quickly turn into a nightmare unless the whole process of application development can be mapped against an organization's firewalls. The app and the firewall have to be in sync and that requires new sets of tools.
Tools such as Tufin's not only provide an easy interface for managing security policies and compliance, but they can also be used as an agent of cultural change within organizations because they offer a common ground for the app and security teams. This helps them communicate with each other, which should lead to better apps.