Tufin today announced it is extending the reach of its security policy management offerings into the realm of public clouds.
Company CTO Reuven Harrison said Tufin Iris makes it possible for cybersecurity teams to automate the process of ensuring the applications deployed on public clouds such as Amazon Web Services (AWS) and Microsoft Azure comply with the cybersecurity policies defined by the IT organization.
The goal, he said, is to enable cybersecurity teams to ensure policies are being implemented at the same level of speed developers are now building and updating applications. Tufin Iris, a cloud-based policy management service, is available now via an early access program.
Without the ability to automate the process of checking compliance with policies, cybersecurity teams wind up relying on manual processes that can’t keep pace with the rate at which applications are being deployed using DevOps processes, he said. Tufin Iris is designed to give cybersecurity teams a way to check cloud configurations in way that make that process a natural extension of a DevOps pipeline.
Tufin Iris is designed to also be an extension of the Tufin Orchestration Suite, which provides a range of tools for configuring and applying security policies in cloud and on-premises IT environments. The launch of Tufin Iris also follows the launch earlier this year of Tufin Orca, a cloud-based service for automating security policy management for containers running on Kubernetes clusters on-premises or in a public cloud.
Harrison said the rise of cloud-native computing is forcing organizations to reconsider how cybersecurity is managed. Too often developers are deploying applications on public clouds without really understanding the inherent shared cybersecurity responsibility model. Cloud service providers have some of the most secure platforms in all of IT. But it’s up to the organizations that rely on those platforms to secure the applications they deploy on top of that infrastructure.
As organizations come to terms with the shared responsibility model for securing cloud applications, Harrison said it’s now only a matter of time before most organizations embrace DevSecOps processes that push more of the responsibility for implementing security controls on to the shoulders of developers. Tufin Iris and Tufin Orca are designed to allow cybersecurity teams to monitor and remediate any cybersecurity issues that might arise as those controls are being implemented by developers.
In terms of DevSecOps adoption however, it’s still early days. Many cybersecurity teams are simply trying to catch up to all the applications that developers have deployed in the cloud. Most cloud security issues arise because of misconfigurations. In fact, as long as humans are involved in the building and deploying of cloud applications, there will continue to be misconfiguration issues. It’s the responsibility of cybersecurity teams to discover those issues before cybercriminals figure out how to exploit them. Given the large number of applications being deployed in the cloud, however, the process should not be manual.