At Tufin, we are often asked: “Our company is undergoing a technology migration. Can Tufin help?” The answer is yes. Tufin can add value to a migration of any size, from a few dozen enforcement points to a global, enterprise-wide technology change. However, some of the ways Tufin can increase long-term value may surprise you.
When we delve into these questions, we most often hear: “Can you transfer security policies from vendor X devices to vendor Y devices?” or “We are moving our applications to the cloud, can Tufin migrate our security policies from our on-premises data centers to the cloud?” These are logical questions, as migrating policies is one of the most complex aspects of a migration.
Policy normalization and unified management
When Tufin ingests security policies, every device, rule, and object is normalized into a standard format. This security policy normalization is what makes Tufin Rule Viewer such a powerful tool for our clients. Every rule, regardless of its origin (be it a firewall, router, or cloud service), can be queried and managed from a single console in the context of the entire security policy base. This same information can be queried and extracted via the Tufin REST and GraphQL APIs, providing flexibility and integration with other systems.
So, transferring policies from vendor to vendor should be easy with Tufin, right? At Tufin, we work on creating feature-rich integrations with leading security vendors such as Cisco, Palo Alto Networks, Check Point, and many others. Our security policy normalization can bring huge benefits to migration projects. However, our real value lies in the unified visualization of security policies, management, and automation across the entire hybrid network. We do not have a one-click solution for transferring security policies between vendors. As we’ll discuss shortly, you probably don’t want that anyway.
Planning and preparation: the key to a successful migration
Anyone who has been through a migration of any scale knows that the work begins long before the first change is made. A successful migration requires months or even years of careful planning and preparation. According to analyst firm Gartner, up to 50% of migration projects fail or go over budget and schedule due to insufficient planning.
A key component of the planning phase is a complete understanding of what needs to be migrated and the corresponding actions. Tufin’s deep network visibility facilitates this by providing both macro (topology) and micro (rules) understanding of your network’s current state.
More than likely, there are unused objects and rules, incorrect settings, and other unnecessary complexities that accumulate over time. Ideally, these should not be migrated to the new environment (remember we said a one-click solution to transfer full configurations between vendors was probably not a good idea?). Tufin’s ability to detect unused and empty rules and objects, overly permissive rules, suboptimal configurations, and policy violations can help enterprises ensure the policy base is optimized and risk-free before migration takes place. This allows for a fresh start.
Understanding current topology and monitoring changes
Anyone who has gone through a migration will also tell you that it is impossible to simply “flip a switch.” Migration projects can last months or years with many stages from beginning to end. In some scenarios, simply understanding the basic network interconnections can be a challenge. This morning’s network may be vastly different from the one that existed when you left the office the night before. Tufin’s Interactive Topology Map displays the current network topology based on the network’s current state in an intuitive and easy-to-use form.
The interactive map allows you to perform topology analysis queries, showing the current path from source to destination and the relevant security policies for each enforcement point along the path. This can be an invaluable tool, providing basic network awareness, as well as simplifying troubleshooting when a connection on a new path you thought should work doesn’t.
Monitoring changes is another critically important aspect. Migrations are a time of change, and change introduces complexity and risk. As hundreds of changes are made as part of a migration, a simple oversight or error can easily lead to a serious operational outage or, worse, the exposure of critical data or services. Tufin maintains a complete history of policy changes, allowing network administrators to look back in time and view the security policy base as it existed at any previous moment. Tufin also provides instant version comparison, highlighting the changes that have occurred between any two versions, making it easy to determine the root cause of outages or unexpected behavior related to changes.
Security and automation at all stages
A successful migration is impossible without constant control over security and compliance.
- Unified Security Policy (USP): The Tufin Unified Security Policy allows enterprises to define security policy constraints that apply equally across all devices and vendors, regardless of their location or technology. Whenever a policy change is made, the new policy revision is checked against all defined USPs, immediately alerting the enterprise to potential risks that may have been unintentionally introduced.
- Automating change management: With Tufin SecureChange, a proposed change is automatically compared against all defined USPs and additional third-party sources of vulnerabilities and risks, identifying potential risk before it is implemented in the network. This significantly reduces the likelihood of errors and outages.
Unfortunately, migrations do not exist in a vacuum. During a migration, routine tasks will still be performed — new access is needed, DevOps teams will promote new applications, and the cloud computing team will deploy new resources. Effectively managing these routine tasks when the network is likely different from what it was yesterday, and almost certainly different from what it was when the change request was made, can be a challenge. Tufin topology and policy visibility provide network administrators with the critical situational awareness they need to ensure seamless operation throughout the migration. With this transparency, administrators can continue to manage the corporate network with confidence that their decisions are based on its current state.
With every change in network topology, administrators must reorient themselves to correctly design new policies to implement change requests. This process takes time and creates countless potential opportunities for errors. Tufin SecureChange takes change management to the next level, helping network administrators automatically design new policies to implement requested changes based on the network’s current state. The SecureChange designer validates each change request, automatically identifying which enforcement points will be affected by the change and what changes, if any, are needed at each point. This leads to faster and more accurate request processing and a significant reduction in the number of misconfigurations and repeat requests.
The added benefits of Tufin in migration projects go far beyond simply moving policies from X to Y. From planning and preparation to migration and ongoing operations, Tufin can significantly reduce friction and optimize the process, allowing you to realize the benefits of your migration project faster, while reducing the degree of potential risk.
Tufin Orchestration Suite – a unique solution for the Ukrainian IT market
Tufin Orchestration Suite is a truly advanced and unique solution from a world leader in cybersecurity for the domestic IT market. It is available in the portfolio of NWU, the official distributor of Tufin in Ukraine. This opens up unique opportunities for Ukrainian companies seeking to strengthen their cybersecurity and optimize network infrastructure management.
Tufin Orchestration Suite is a comprehensive solution that provides:
- Visibility and control over all your security policies and devices, from on-premises to the cloud.
- Automation of security processes, which allows you to reduce the time for performing routine tasks from hours to minutes.
- Reduction of compliance costs, as the system automatically monitors and documents all changes.
- Improvement of overall security by minimizing errors and constant monitoring.
Tufin is a reliable partner for many of the world’s largest organizations, including Fortune 500 companies and government agencies. Their trust in Tufin underscores the high quality and reliability of this solution.
Through NWU, you can buy Tufin in Ukraine and get full expertise and technical support. Tufin Orchestration Suite is a desirable solution for SOC teams of any Ukrainian company that seeks to achieve a high level of automation and security in its hybrid network.
If you would like to discuss your specific migration project and how Tufin can provide real value, please contact us.