The document discusses building a change workflow process to increase control over organizational changes. It recommends building the process to comply with industry regulations and internal policies, improve security by eliminating ad-hoc changes, and reduce costs. The key components of a change workflow process include submitting a request, review, approval, implementation, and validation steps. Automating the workflow can accelerate changes and reduce risks, costs, and human errors. The document provides examples of how organizations have benefited from automating their change management processes.
5. 5
Why Build a Change Workflow?
• Compliance
- Industry Regulations
- Internal security policies
- Organizational change process
- Organizational SLA
• Improve security by eliminating ad-hoc changes
• Reduce costs
6. 6
Compliance Mandates that Require a Change Process
• PCI DSS Requirement 6.4: change control processes and procedures for all changes to system components
• NERC CIP-010: change management process to ensure that only authorized changes are made to the Cyber Assets, and every change must be documented to demonstrate proper authorization was utilized.
• ISO 27001:2013 (Annex A) A.12.1.2 Change management: changes to the organization, business processes, information processing facilities, and systems that affect information security have to be controlled
7. 7
Align With The Organizational Change Process
Organizational Change Process
11. 11
How to Build a Workflow?
Before you start:
• Identify types of changes and prioritize them
• Identify stakeholders and include them in defining the process
• Get management buy-in
13. 13
1. Submit
• Who is your user?
• Where is the ticket submitted?
- Email
- Ticketing system
- Portal page
- Dedicated application to control input
• What information is required?
14. 14
2. Review
Who needs to review?
• Manager
• Professional colleague
• Security review
• Other?
What information do they need?
15. 15
3. Approve
• Who should approve?
• What happens if they approve?
• What happens if they do not approve?
• What if they are away?
16. 16
4. Do
What should get done?
• Analyze
• Assess
• Design
• Implement
• Report
Is there a change window?
17. 17
5. Validate
How can results be validated?
• Requester Approves
• Implementation did not break anything
• Results match the request
18. 18
6. Documentation
• Who: accountability
• What: accuracy
• When: and for how long
• Why: justification
20. 20
Making It Even Better: Automation
• Time to implement a change reduced from 6-8 days to 6 hours (Energy company in EMEA)
• 50% reduction in time and effort of submitting changes; 50%-75% reduction in time and effort for staging changes (Large Financial Services company in the US)
• Go from missing 5-day SLAs to changes implemented within 1 hour; free up 67% of the time spent on ongoing changes so the team can focus elsewhere (An Independent Agency of the US Federal Government)
• Accelerate changes from 1-2 weeks to same day (Large Life Insurance Provider in the US)
• Reduced the time to implement access changes from 1-2 months to a few days (Large Energy provider in the US)
21. 21
What to Automate?
• Process Flow
• Steps
- Submission
- Approval under certain conditions
- Analysis and Design
- Implementation
- Validation
• Documentation
22. 22
We are the Security Policy Company
Who can talk to whom? What can talk to what?
23. 23
About the Tufin Solution
[Diagram labels: Tufin Orchestration Suite (SecureApp™, SecureChange™, SecureTrack™); IT Service Management; Other 3rd Party Solutions; Scripting & Automation; REST APIs; Unified Security Policy; Firewalls, Public Cloud, Private Cloud, Networks, Containers; Collectors and Provisioning Engines; Analysis Engines]
24. 24
Automated Network Security Change Process
[Diagram: Request from App connectivity, Ticketing, Portal; steps: 1. Automated Risk Assessment, 2. Automated Design, 3. Automated Provisioning, 4. Audit]
Maximize agility with end-to-end automation of network security changes with baked-in security & compliance
26. 26
Automated Network Security Change Design
Automated change design based on accurate topology simulation & path analysis across vendors & platforms
27. 27
Automated, Accelerated Implementation
Automated provisioning across the hybrid network from a single console reduces complexity & eliminates human error
28. 28
Auditable Change Process
Full accountability with automatic audit trail of all network security changes
[Figure labels: Authorized, Unauthorized]
Full audit trail over all changes and their security impact
29. 29
Configurable Change Workflow
• Create a new workflow in SecureChange and select its type. Each workflow type is associated with a relevant template.
• Add steps to the workflow according to the business process.
• Add relevant fields to each workflow step, and assign the step to relevant user(s).
• Activate and save the workflow. It is now ready to use and available in the workflows list.
30. 30
Open Platform to Enable Integrations
• ITSM
• Vulnerability scanners
• IPAM
• SOAR
• Endpoint
• SIEM
31. 31
Case Study
THE PROBLEM
• Need a way to audit all changes
• Falling behind the business SLA
THE SOLUTION
SecureChange™
SecureTrack™
THE RESULT
Boosted agility and productivity
• Changes implemented in 6 hours instead of 6-8 days
• Reduce costs and efforts for audit prep (1-2 days)
• Enhance application delivery and ensure service uptime
SecureApp™
Your organization should have the appropriate methods to control any changes into and out of your environment. PCI Requirement 6.4 requires that your organization’s Change Control Program includes a documented roll-back plan, a testing phase, management’s approval, and updated documentation. The PCI DSS warns, “Without properly documented and implemented change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.”
PCI DSS also demands recertification (timely justification) of access rules.
ITIL
Change Advisory Board
Urgent changes vs.
Changes to critical services – limited to a change window
Allow changes vs. Block changes
Another poll:
Which regulations do you need to comply with?
PCI DSS
ISO 27001
Industry-specific: HIPAA, NERC CIP, SOX or other
Geo-specific: like GDPR
None
Automation journey
Add access or remove access?
Before and After:
How long does it take to make a change?
How many changes are processed per week?
How long does it take to prepare for an audit?
How many incidents are caused by misconfigurations?
How many redos are required?
Enterprises are seeing growing network complexity, and fragmented, manual processes in security and network operations are too slow and error-prone to be effective. Without a central solution managing security policy across the complete network and cloud infrastructure, implementing connections manually takes days or weeks and results in errors and new security risks. For organizations that want to become agile, competitive and secure, that’s no longer acceptable.
We believe that there is a more informed, secure and efficient way to orchestrate security-related changes across enterprise networks, and have pioneered a security policy management platform to bring automation and analytics to security and network operations. The policies that we manage are network policies: who can talk to whom, or what can talk to what, on the network.
Our customers deploy SecureChange to break the endless loop of chasing non-compliant changes by embedding the security policy into the network change process. SecureChange leverages the analysis and provisioning engines of SecureTrack and aligns with the unified security policy that is defined in SecureTrack.
SecureChange customers who leverage the automation capabilities of the product implement network changes in minutes instead of days, with dramatically better security and accuracy.
Tufin’s end-to-end automation increases agility with security.
Tufin provides automation at every step of the change process, as well as automation for the process flow itself.
Click: Network security change requests can originate from the application connectivity model we discussed in the previous slide, from a 3rd party ticketing system like Remedy or ServiceNow, or from a custom user portal.
To ensure security and compliance together with agility, Tufin provides automated risk analysis.
Each network security change request is proactively examined against the central security policy baseline to identify and address potential violations. A few ways to address violations are:
• Automated escalation for security approval (completely customizable)
• Allow temporary exception with an expiration date
• Reject the ticket or return to the requester for adjustments
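The check described above, sketched as an added example (not Tufin code and not part of the original deck): a requested flow is compared with a zone-to-zone baseline and mapped to one of the outcomes listed. The zone map, baseline, exception table and decision names are all constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed internal zones; anything outside them is treated as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/16"),
    "cardholder": ipaddress.ip_network("10.20.0.0/16"),
}
# (from_zone, to_zone) -> allowed "proto/port" services; a missing pair is blocked.
BASELINE = {
    ("internet", "dmz"): {"tcp/443"},
    ("dmz", "cardholder"): {"tcp/1433"},
}
# Approved exceptions, matched on the exact request, each with an expiry date.
EXCEPTIONS = {("10.10.5.0/24", "10.20.1.10/32", "tcp/22"): date(2030, 1, 31)}


def zone_of(cidr):
    """Zone containing the whole network, or None if it straddles a boundary."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
        if net.overlaps(zone):
            return None  # partly inside a zone: the request must be split
    return "internet"


def assess(src, dst, service, today):
    """Return (decision, reason) for one requested access."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "return_to_requester", "address range spans more than one zone"
    if service in BASELINE.get((sz, dz), set()):
        return "compliant", f"{sz}->{dz} allows {service}"
    expiry = EXCEPTIONS.get((src, dst, service))
    if expiry and today <= expiry:
        return "temporary_exception", f"exception valid until {expiry}"
    if (sz, dz) in BASELINE:
        # Zone pair is allowed to talk, but not on this service: needs security approval.
        return "escalate", f"{service} not in baseline for {sz}->{dz}"
    return "reject", f"baseline permits no traffic {sz}->{dz}"
```

An expired exception falls through to escalation rather than being honoured, which is the point of attaching an expiration date to it.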
Once security and compliance are cleared/approved, the change can be automatically designed to provide a clear and accurate implementation plan. Tufin delivers trusted design based on accurate topology simulation and path analysis across heterogeneous platforms and topology architecture.
Here’s how it works - Tufin:
• Automatically selects the target policies in the topology path of the requested change
• Identifies the targets that require a change in policy to allow requested access
• Designs the optimal policy change for the specific target (avoid shadowing, add object/group/rule)
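To make "avoid shadowing" concrete, here is an added example (not Tufin's algorithm and not from the original deck) that decides, for one first-match rule base, whether a requested flow needs no change, can be appended, or must be inserted above an earlier deny. The rule base, rule names and verdict strings are constructed, and requests are assumed to name a single specific service.

```python
import ipaddress
from typing import NamedTuple

net = ipaddress.ip_network


class Rule(NamedTuple):
    name: str
    src: str
    dst: str
    service: str  # "proto/port" or "any"
    action: str   # "allow" or "deny"


# Constructed first-match rule base for one firewall on the path (sample data).
RULEBASE = [
    Rule("app-db", "10.10.0.0/16", "10.20.1.0/24", "tcp/1433", "allow"),
    Rule("block-to-cde", "10.0.0.0/8", "10.20.0.0/16", "any", "deny"),
    Rule("web-in", "0.0.0.0/0", "10.10.0.0/16", "tcp/443", "allow"),
]


def touches(rule, src, dst, service):
    """True if the rule matches at least part of the requested flow."""
    return (net(src).overlaps(net(rule.src)) and net(dst).overlaps(net(rule.dst))
            and rule.service in ("any", service))


def covers(rule, src, dst, service):
    """True if the rule matches every packet of the requested flow."""
    return (net(src).subnet_of(net(rule.src)) and net(dst).subnet_of(net(rule.dst))
            and rule.service in ("any", service))


def plan_change(rulebase, src, dst, service):
    """Return (verdict, index) for allowing one specific flow on this target."""
    for i, rule in enumerate(rulebase):
        if not touches(rule, src, dst, service):
            continue
        if rule.action == "deny":
            # An allow appended at the end would be shadowed by this deny.
            return "insert_above", i
        if covers(rule, src, dst, service):
            return "no_change", None  # access already permitted
        # Partial allow: keep scanning for the rule that decides the rest.
    return "append", len(rulebase)
```

The scan is conservative: several partial allows that together cover a flow still yield a new rule, so the result can be redundant but never leaves requested traffic blocked.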
Tufin provides automated provisioning for leading firewall and next-generation firewall platforms such as Check Point, Palo Alto, Fortinet, Cisco and Juniper, as well as Forcepoint, which is the new brand for Stonesoft Next-Generation Firewalls.
Provisioning can be triggered automatically for zero-touch process flow, or activated from the designer.
Finally, Tufin provides every aspect of ensuring compliance and audit readiness with:
• Real-time change monitoring and accountability
• Automatic audit trail
• Automatic change verification and authorization against approved change requests
• Complete history of each change request
• Reporting
Quote from RWE:
The cloud team accidentally deleted 15 servers and immediately set up 15 new servers. “In a normal way that would have meant death for that application for a few weeks,” but by using application-based automation the server group was updated and the application was back up in 15 minutes.
To summarize, there is a lot of planning that needs to go into building a change workflow, but you shouldn’t let it stop you.
There are great benefits, so if there are blockers try to start small, prove the value, and then continue.