
In today’s world, where digital assets are becoming increasingly valuable and cyber threats are becoming more sophisticated, traditional approaches to network security are proving inadequate. The Zero Trust concept is becoming a necessity for protecting critical data and infrastructure. But how do you effectively implement Zero Trust? One of the key solutions is using Tufin, a platform for automating network security policies and managing risks, providing network visualization and automating changes to security policies. In this article, we will take a detailed look at how Tufin helps organizations implement Zero Trust, ensuring network security and protection against modern threats.
What is Zero Trust and why is it important?
Zero Trust is a security model that assumes that no user or device, whether inside or outside the network, should be automatically trusted. Instead, every access request must be carefully verified before granting access to resources. This means that it is necessary to implement strict access control, continuous verification, and least privilege principles.
The importance of Zero Trust is due to several factors:
- Growing number of cyber threats: the number and complexity of cyber attacks are constantly increasing, requiring more reliable protection measures.
- Expanding network perimeter: with the development of cloud infrastructure and remote access, the traditional network perimeter is blurring, making it vulnerable to attacks.
- Need to comply with regulatory requirements: many industries and organizations are required to comply with strict security regulations, such as GDPR, HIPAA, and PCI DSS.
Implementing Zero Trust can be a complex task. It is worth paying attention to Zero Trust standards and frameworks, such as NIST SP 800-207, as well as various approaches to implementing Zero Trust, for example, Zero Trust Network Access (ZTNA).
Tufin: your reliable partner in implementing Zero Trust
Tufin helps to implement Zero Trust principles by providing capabilities for:
- Network visualization and risk analysis.
- Network microsegmentation.
- Security change automation.
- Access management and least privilege.
- Integration with SIEM and other security systems.
Tufin SecureTrack is used for network visualization and risk analysis: it provides complete visibility into the network infrastructure, including network traffic, firewall rules, and vulnerabilities. SecureTrack identifies vulnerabilities (drawing, for example, on the CVE database) and prioritizes risks by their potential impact on the business. It supports security devices from multiple vendors, such as firewalls from Cisco, Palo Alto Networks, and Check Point, as well as the AWS, Azure, and Google Cloud platforms.
Tufin SecureChange is used to automate security changes, and Tufin Security Policy Builder is used to create microsegmentation policies.
Network Visualization and Risk Analysis
Before you start implementing Zero Trust, you need to have a clear understanding of your network. Tufin SecureTrack provides complete network visualization, including information about network traffic, firewall rules, and vulnerabilities. This allows organizations to identify potential risks and prioritize security enhancements.
The risk analysis functions in Tufin SecureTrack help identify weaknesses such as rules with excessive permissions, configuration errors, and outdated software versions that could be exploited by malicious actors. SecureTrack prioritizes risks using, for example, the CVE database together with the business criticality of the vulnerable hosts. Supported devices include firewalls from various vendors (Cisco, Palo Alto Networks, Check Point) and cloud platforms. Prioritized findings let organizations address the most serious issues first and reduce the risk of a successful attack.
Example SecureTrack Report:
Number of rules with excessive permissions: 150
List of vulnerable hosts:
- Web Server 1 (CVE-2023-1234, Critical)
- Database 1 (CVE-2023-5678, High)
Network Flow Map: [link to interactive map]
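The report above counts "rules with excessive permissions". The following is an added example, not Tufin's code, of the kind of check behind such a count: a small audit over a constructed rule base that flags permit rules whose source, destination, or service is too broad. The rule fields, the sample rules, and the two thresholds (a /16 or wider is "broad", more than 1024 ports is a "broad service") are assumptions chosen for illustration.

```python
"""Flag firewall rules with excessive permissions.

Added example (not Tufin code): mimics the check a risk-analysis report
makes over a rule base. Rule fields, sample rules and thresholds are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp", or "ip" (ip == any protocol)
    port: str      # single port, "start-end", or "any"
    action: str    # "permit" or "deny"


# Assumed threshold: a source or destination of /16 or wider counts as broad
# even when it is not literally "any".
BROAD_PREFIX = 16
# Assumed threshold: a permit covering more than this many ports is a broad service.
BROAD_PORT_SPAN = 1024


def _is_broad(cidr: str) -> bool:
    if cidr == "any":
        return True
    return ip_network(cidr, strict=False).prefixlen <= BROAD_PREFIX


def _port_span(port: str) -> int:
    if port == "any":
        return 65536
    if "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
        return hi - lo + 1
    return 1


def excessive_findings(rule: Rule) -> list[str]:
    """Return the reasons a permit rule is over-permissive (empty list == fine)."""
    if rule.action != "permit":
        return []          # deny rules cannot grant excess access
    findings = []
    if _is_broad(rule.src):
        findings.append("broad source")
    if _is_broad(rule.dst):
        findings.append("broad destination")
    if rule.proto == "ip":
        findings.append("any protocol")
    elif _port_span(rule.port) > BROAD_PORT_SPAN:
        findings.append("broad service")
    return findings


def audit(rules: list[Rule]) -> dict[str, list[str]]:
    """Map rule name -> findings for every over-permissive permit rule."""
    return {r.name: f for r in rules if (f := excessive_findings(r))}


# Constructed sample rule base (not taken from any real device).
SAMPLE_RULES = [
    Rule("web_to_db", "10.1.1.0/24", "10.1.2.0/24", "tcp", "1433", "permit"),
    Rule("legacy_any", "any", "any", "ip", "any", "permit"),
    Rule("mgmt_wide", "10.0.0.0/8", "10.1.2.0/24", "tcp", "1-65535", "permit"),
    Rule("cleanup", "any", "any", "ip", "any", "deny"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run stand-alone, it reports `legacy_any` and `mgmt_wide`; the tightly scoped `web_to_db` rule and the final cleanup deny produce no findings, which is the shape a least-privilege rule base should converge to.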
Network Microsegmentation
Microsegmentation is one of the key principles of Zero Trust. It involves dividing the network into small, isolated segments, each with its own security policies. This limits the scope of attacks and prevents unauthorized access to resources.
Tufin Security Policy Builder simplifies the process of network microsegmentation, allowing organizations to create and manage security policies at the microsegment level. It provides a visual interface that makes it easy to define network segments, set access rules, and control network traffic.
Tufin Security Policy Builder interacts with the actual security devices, automatically configuring firewalls and cloud network security groups (NSGs), so the rules it creates are applied without manual configuration.
With Tufin Security Policy Builder you can:
- Define network segments based on various criteria, such as location, function, or application type.
- Create security policies that allow or deny specific network traffic between segments.
- Automatically apply security policies to all relevant security devices, such as firewalls and routers.
- Monitor network traffic between segments and identify any security policy violations.
Example of a microsegmentation rule created in Tufin Security Policy Builder:
Segment 1: WebServers (10.1.1.0/24)
Segment 2: DatabaseServers (10.1.2.0/24)
Rule: Allow traffic TCP port 1433 from WebServers to DatabaseServers only for users in the ‘WebAppUsers’ group.
Translation of the rule into Cisco ASA configuration (the user condition is expressed with the ASA identity firewall's user-group match; DOMAIN stands for the AD domain nickname configured on the ASA, and the WebServers and DatabaseServers network object-groups must already be defined):
access-list WebServers_to_DatabaseServers extended permit tcp user-group DOMAIN\\WebAppUsers object-group WebServers object-group DatabaseServers eq 1433
access-group WebServers_to_DatabaseServers in interface inside
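The translation step itself can be shown in code. The following is an added example, not Tufin's code or output, of a small renderer that turns a segment/rule model like the one above into ASA object-groups, an identity-aware access-list entry, an explicit logged deny, and the interface binding. The `Segment`/`Rule` model, the `DOMAIN` domain nickname placeholder, and the `render` function are assumptions of this example.

```python
"""Render a microsegmentation rule as Cisco ASA configuration.

Added example (not Tufin's code): translates a segment/rule model into ASA
object-groups and an identity-aware ACL. "DOMAIN" is a placeholder for the
AD domain nickname configured on the ASA.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str


@dataclass(frozen=True)
class Rule:
    src: Segment
    dst: Segment
    proto: str                        # "tcp" or "udp"
    port: int
    user_group: Optional[str] = None  # AD group, or None for no identity condition


AD_DOMAIN_NICKNAME = "DOMAIN"  # placeholder, assumed


def network_object_group(seg: Segment) -> list[str]:
    """object-group network <name> with one network-object for the segment CIDR."""
    net = ip_network(seg.cidr, strict=True)
    return [
        f"object-group network {seg.name}",
        f" network-object {net.network_address} {net.netmask}",
    ]


def access_list_entry(acl_name: str, rule: Rule) -> str:
    """One permit ACE; the user-group argument follows the protocol in ASA syntax."""
    user = f"user-group {AD_DOMAIN_NICKNAME}\\\\{rule.user_group} " if rule.user_group else ""
    return (f"access-list {acl_name} extended permit {rule.proto} {user}"
            f"object-group {rule.src.name} object-group {rule.dst.name} eq {rule.port}")


def render(acl_name: str, rules: list[Rule], interface: str = "inside") -> list[str]:
    """Object-groups for every segment used, the permit entries, an explicit
    logged deny that makes the default-deny visible, and the interface binding."""
    segments = {}
    for r in rules:
        segments[r.src.name] = r.src
        segments[r.dst.name] = r.dst
    lines: list[str] = []
    for seg in segments.values():
        lines += network_object_group(seg)
    lines += [access_list_entry(acl_name, r) for r in rules]
    lines.append(f"access-list {acl_name} extended deny ip any any log")
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


# The rule from the text, as a constructed model.
WEB = Segment("WebServers", "10.1.1.0/24")
DB = Segment("DatabaseServers", "10.1.2.0/24")
WEB_TO_DB = Rule(WEB, DB, "tcp", 1433, "WebAppUsers")

if __name__ == "__main__":
    print("\n".join(render("WebServers_to_DatabaseServers", [WEB_TO_DB])))
```

The explicit `deny ip any any log` at the end of the list is redundant with the ASA's implicit deny, but it makes denied flows visible in the logs, which is the evidence a Zero Trust rollout relies on.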
Security Change Automation
Changes to security policies are necessary to adapt to evolving business needs and new threats. However, manually managing security changes can be complex, time-consuming, and error-prone. Tufin SecureChange automates the process of making changes to security policies, reducing the time it takes to implement changes and reducing the risk of errors.
SecureChange can automate adding and removing firewall rules, changing security group membership, and configuring VPNs. It also handles emergency changes, with the ability to bypass the standard approval process in situations such as an active attack.
Security change automation with Tufin allows you to:
- Automatically generate firewall rules and other security policies based on change requests.
- Automatically approve and deploy security changes to all relevant security devices.
- Conduct a security audit of security changes to ensure they comply with regulatory requirements and the organization’s security policies.
SecureChange integrates with ITSM systems (e.g., ServiceNow) to automatically create and close change requests. For example, when a request is received to open access to a specific port for a new application, SecureChange will automatically create a request in ServiceNow, obtain the necessary approvals, generate and apply the appropriate rules on firewalls, and then close the request in ServiceNow.
Access Management and Least Privilege
One of the key principles of Zero Trust is the principle of least privilege, which states that users and applications should only be granted the access they need to perform their job. Tufin helps organizations implement this principle by providing tools for access management and privilege control.
Tufin does not manage accounts and access rights directly; instead, it integrates with existing Identity and Access Management (IAM) systems, such as Active Directory and LDAP directories, and supports Role-Based Access Control (RBAC).
With Tufin, you can:
- Define access policies based on the roles and responsibilities of users.
- Automatically grant and revoke access to resources based on changes in user roles and responsibilities.
- Monitor and record all user activity to identify any violations of access policies.
With Tufin, you can configure a rule that allows access to the database only for users who are members of the ‘DBAdmin’ group and only from specific IP addresses associated with application X.
For example:
Segment 1: ApplicationServers (10.1.3.0/24) – IP addresses of application servers
Segment 2: DatabaseServers (10.1.4.0/24) – IP addresses of database servers
Rule: Allow TCP traffic on port 3306 (MySQL) from ApplicationServers to DatabaseServers only for users authenticated in Active Directory and members of the DBAdmin group.
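To make the identity condition in this rule and in the earlier WebServers rule concrete, the following is an added example, not Tufin's code, of a default-deny evaluator: a request (source IP, destination IP, protocol, port, authenticated user and their directory groups) is matched against the two segment rules from the text, and anything not explicitly permitted is denied. The `SegmentRule`/`Request` model, the sample users, and their group memberships are constructed for the example.

```python
"""Evaluate an access request against identity-aware segment rules.

Added example (not Tufin's code): models the two rules from the text and
evaluates requests with a default deny. Users and group memberships below
are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SegmentRule:
    name: str
    src_cidr: str
    dst_cidr: str
    proto: str
    port: int
    required_group: Optional[str]   # None == no identity condition


@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    user: Optional[str]             # None == unauthenticated
    groups: frozenset = field(default_factory=frozenset)


def matches(rule: SegmentRule, req: Request) -> bool:
    """Network part of the match: source segment, destination segment, protocol, port."""
    return (ip_address(req.src_ip) in ip_network(rule.src_cidr)
            and ip_address(req.dst_ip) in ip_network(rule.dst_cidr)
            and rule.proto == req.proto
            and rule.port == req.port)


def evaluate(rules: list[SegmentRule], req: Request) -> tuple[str, str]:
    """Return (decision, reason). First rule whose network tuple matches decides;
    its identity condition must also hold. No match means default deny."""
    for rule in rules:
        if not matches(rule, req):
            continue
        if rule.required_group is None:
            return "permit", rule.name
        if req.user is None:
            return "deny", f"{rule.name}: unauthenticated"
        if rule.required_group not in req.groups:
            return "deny", f"{rule.name}: user not in {rule.required_group}"
        return "permit", rule.name
    return "deny", "no matching rule (default deny)"


# The two rules from the text.
POLICY = [
    SegmentRule("web_to_db", "10.1.1.0/24", "10.1.2.0/24", "tcp", 1433, "WebAppUsers"),
    SegmentRule("app_to_mysql", "10.1.3.0/24", "10.1.4.0/24", "tcp", 3306, "DBAdmin"),
]

# Constructed sample requests.
WEB_USER = Request("10.1.1.10", "10.1.2.20", "tcp", 1433, "alice", frozenset({"WebAppUsers"}))
WRONG_GROUP = Request("10.1.3.5", "10.1.4.9", "tcp", 3306, "alice", frozenset({"WebAppUsers"}))
ANONYMOUS = Request("10.1.3.5", "10.1.4.9", "tcp", 3306, None)
WRONG_SEGMENT = Request("10.1.1.10", "10.1.4.9", "tcp", 3306, "bob", frozenset({"DBAdmin"}))
DBA = Request("10.1.3.5", "10.1.4.9", "tcp", 3306, "bob", frozenset({"DBAdmin"}))

if __name__ == "__main__":
    for req in (WEB_USER, WRONG_GROUP, ANONYMOUS, WRONG_SEGMENT, DBA):
        print(req.user, req.src_ip, "->", req.dst_ip, req.port, evaluate(POLICY, req))
```

Note that `WRONG_SEGMENT` is denied even though the user is a DBAdmin: the network segment and the identity are both conditions, and either one failing is enough, which is the "verify every request" behaviour the section describes.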
Integration with SIEM and other security systems
To effectively protect the network, it is necessary to integrate Tufin with other security systems, such as SIEM
FAQs on: Implementing Zero Trust with Tufin
- What is Zero Trust, and why is this security model so important?
  Zero Trust is a security model that assumes no automatic trust in any user or device, regardless of location (inside or outside the network). Every access request must be thoroughly verified. This is important due to the growing number of cyber threats, the expansion of the network perimeter, and the need for regulatory compliance.
- How does Tufin help in implementing Zero Trust?
  Tufin provides a network security policy management platform that automates security changes, ensures regulatory compliance, and reduces risk. Specifically, Tufin provides network visualization, risk analysis, microsegmentation, security change automation, and access management.
- What is network microsegmentation, and how does Tufin Security Policy Builder simplify this process?
  Microsegmentation is the division of a network into small, isolated segments with individual security policies. Tufin Security Policy Builder simplifies this process by providing a visual interface for defining segments, setting access rules, and controlling network traffic between them.
- How does Tufin SecureChange automate security changes?
  Tufin SecureChange automates the process of implementing changes to security policies: it generates firewall rules, approves and deploys changes to the appropriate devices, and performs security audits.
- How does Tufin help implement the principle of least privilege?
  Tufin provides tools for managing access and controlling privileges, allowing you to define access policies based on user roles and responsibilities, automatically grant and revoke access, and monitor user activity.
- With which SIEM systems does Tufin integrate, and why is this integration necessary?
  Tufin integrates with a wide range of SIEM systems, including Splunk, QRadar, and ArcSight. Integration delivers the security events logged by Tufin to the SIEM, which improves incident detection and response.
- What steps should be considered when implementing Zero Trust with Tufin?
  When implementing Zero Trust with Tufin, it is necessary to assess the current security architecture, define network segments, develop and implement security policies, and configure continuous monitoring and auditing.
- What are the key benefits of implementing Zero Trust with Tufin?
  Implementing Zero Trust with Tufin provides improved network security, reduced risk, regulatory compliance, increased efficiency, improved network visualization, and increased ROI.
- How does Tufin SecureTrack provide network visualization?
  Tufin SecureTrack provides interactive network maps that let you visualize network traffic, firewall rules, and vulnerabilities, helping you identify potential risks and prioritize security enhancements.
- What role does Tufin SecureChange play in automated security audits?
  Tufin SecureChange provides automated security auditing of security changes, ensuring that all changes comply with regulatory requirements and the organization's security policy.