Strengths: Applies standard change management practices to network security. Versatile workflow processes, detailed reporting and auditing tools
Weaknesses: Needs Tufin's SecureTrack; auto-verification not yet available
Verdict: SCW offers a sophisticated change management solution for network security that works hand in glove with its SecureTrack product
Few change management solutions are really geared up to apply to network security. Businesses with a large collection of firewalls etc need to have them updated, but it can be a nightmare keeping track of all these changes.
Tufin's SecureChange Workflow (SCW) aims to apply standard change-management practices to network security.
SCW can be used for common office tasks - but it has a few tricks up its sleeve. Integration with Tufin's SecureTrack means it can apply change-management processes to any network device.
SecureTrack provides the tools to manage firewalls, analyse rule-sets and enforce security policy compliance. It maintains all device configurations in its database.
Both SecureTrack and SCW are available as software or appliance-based solutions and for testing we used Tufin's T-500 rack appliance preconfigured with both. We added VMware VMs running Check Point's NGX 65 firewalls. Tufin also supports all of the main network security vendors.
The SCW web interface is basic but intuitive and our first job was to declare our SecureTrack server to it. This only took a few seconds, but you can add remote servers.
SCW uses workflows to manage each change request. There's no real limit to the number of steps a workflow can contain, so highly complex procedures can be defined and managed by SCW.
Each step in a workflow offers the same three tabs, where you define the step properties, add fields and choose assignments.
We used a simple workflow example, where we created one for new employees requesting network access. After logging in to SCW, they submit their request. We then received an email from SCW advising that a ticket was waiting with a user change request. Their job was to create a firewall rule and this could be done swiftly from SCW's console.
At this stage, the access rule hasn't been implemented, as the next step in our workflow is risk assessment. Once again, SecureTrack comes into play as SCW can use its compliance policies. It matches up the new request with these and advises whether it is acceptable or not.
We were good to go, so the next step was to implement the change. SCW falls at the last hurdle, as it cannot verify that the authorised change has been made. It doesn't query SecureTrack about this.
SCW can't spot when an unauthorised change has been made after risk assessment has deemed it unacceptable. However, all is not lost: Tufin advised us that an auto-verification feature will be implemented in the next version.
Assigning tasks can be done manually or automatically. Dynamic assignments are the most flexible, as workflows can pass tasks to participants on conditions such as the request content.
This type of assignment also allows you to run multiple steps in parallel within a single workflow - and the next step won't be progressed to until all participants have given their seal of approval.
Tufin's SCW is an ideal partner for SecureTrack firewall management, as it extends change-management practices to network security. It can automate the entire process and provides detailed auditing and reporting - and auto-verification completes the picture.