DevOps Chats: Tufin SecureCloud Secures Hybrid Cloud Environments

Tufin Technologies has announced SecureCloud,  which combines and builds on Tufin’s Orca and Iris offerings to offer one product for comprehensive cloud security policy.

In this DevOps Chats, we had a chance to catch up with Tufin CTO and Co-founder Reuven Harrison to chat about this and the state of the market before the upcoming RSA Conference.

As usual, the streaming audio is immediately below, followed by the transcript of our conversation.


Alan Shimel: Hey, everyone. This is Alan Shimel,, Security Boulevard. You’re listening to another DevOps Chats. I’m joined in this DevOps Chat from an old friend of mine from the security world, cofounder and CTO of Tufin, Reuven Harrison. Reuven, welcome.

Reuven Harrison: Hi, Alan. Always good to talk to you.

Shimel: Yeah. Reuven, we’ve been talking – how old is Tufin? 12 years old? 13 years old?

Harrison: No, it’s 15.

Shimel: Fifteen.

Harrison: Yeah.

Shimel: We’ve been talking all 15 years. So Reuven is joining us today because Tufin has a new announcement that just came out. They’ve done something interesting with the product line, and Reuven, why don’t you tell our audience?

Harrison: Okay. Thanks. So, yeah, as we discussed previously, you know, we saw this whole DevOps movement and a lot of our enterprise customers were starting to move to cloud, later on, Kubernetes. We saw that trend happening. Obviously, we’re selling to large companies so these things take longer than like the born-in-the-cloud companies, but they’re actually happening now in a big way, and we created these two products for the cloud and for Kubernetes that do the same thing generally speaking as we do on-prem, which is security policy management.

What we realized at some point is that the combination of these two products makes a lot of sense. A lot of our customers are moving to cloud and Kubernetes at the same time. So what we’re announcing is Secure Cloud, which is the combination of Iris and Orca to support hybrid cloud security policy management.

Shimel: Excellent. You know, Reuven, it makes a lot of sense to me too because I think one of the things that kind of took me a little by surprise last year was what I call multi-cloud, which is always envisioned hybrid cloud, and to me hybrid cloud was I had some stuff on-premises and I had some stuff in one of the public clouds, whether it’s Amazon, Google, Microsoft, whatever. But I think how it’s really worked out are a lot of – well, especially large enterprises, they don’t put all their chips in one basket, right? They know AWS does this really well, Google Cloud does that really well, Azure does some things better than the others, so they have, you know, multiple cloud installs plus their on-premises, and they all want the same thing. No one wants five different security policy managers, right? One for this, one for that. They want one that does it across. So is that kind of what we’re aiming for here?

Harrison: Yeah, so multi-cloud. We’ve also seen that start to pop here and there over the past year, and some large vendors are promoting that as well, like IBM and VMware I think. Yeah, we – for example, we see Red Hat OpenShift on-prem. A lot of people are using that, especially in the enterprise environment. And then a lot of people are using Kubernetes in the cloud and they have within their Kubernetes applications they’re consuming services, platform as a service, from the different cloud vendors and sometimes outside of the cloud as well, just using a SaaS service to do authentication, for example, right?

So, multi-cloud, I know there’s two ways of looking at it. There’s like what you described, which is the enterprise is consuming two or three or more cloud providers, but another definition I saw somewhere which made a lot of sense was building an application that consumes cloud services from a multiple number of vendors.

Shimel: Yeah. I think that captures it well too, Reuven. So, Reuven, so with the combining now of Iris and Orca, do we have a singular interface or is it still –

Harrison: Yes. Yeah. So, what we’ve done is we’ve taken the two interfaces that we’ve built individually – and by the way, I think it’s interesting also to explain why we built them separately to start off with, because it’s very much aligned with the spirit of DevOps. DevOps is all about agility and focus on software development, and in order to enable us to focus on cloud and Kubernetes we deliberately started these two products as startups within Tufin. So we separated them from the bigger Tufin and we also separated them from each other so that they could innovate at the maximum speed. Now that they’ve matured and we actually have paying customers we’ve decided to put them together because the synergy between these two products makes a lot of sense.

It’s one plus one equals three. So, yeah, it’s a unified interface, it’s unified API. It’s because a lot of people consume it as API. It’s not just user interface. And it’s a unified security policy across Kubernetes regardless of whether it’s on-prem or in the cloud. The different cloud providers – AWS, Azure and we’ll support Google as well this year – and also visibility across everything, and the next step is also to connect it to the bigger Tufin so that you have an end-to-end view for your policies across everything.

Shimel: Yeah, and I think that’s really what people want, right? They want that end-to-end, single plane. Reuven, one of the things I’d like if you don’t mind, if you can explain to our audience, you know, as we said I’ve been working or following Tufin since you guys started and back then it was really about firewall policy management, right? We were managing firewall rules across multiple firewalls and that’s fine and dandy, but really it’s morphed into, as you call, security policy, which is so much more than just firewall roles. If you wouldn’t mind, if you can explain to our audience, when we talk about security policy management what are the kinds of things we’re managing?

Harrison: Okay. Securities is a huge industry, right? So many different types of security, and we’ll see that in RSA in a couple of weeks, right?

Shimel: Sure.

Harrison: We’ll see the magnitude, the width of this industry is just beyond anyone’s comprehension. But when we look at the industry based on revenues per vector, if you like, you see that the primary section of the industry is network security in terms of how much vendors are selling or how much enterprises are buying. It’s always network security is the number one and the next one, if I’m not mistaken, is identity and access management, and then it goes – you know, the vulnerability manager and, I don’t know, the incident management, what have you, right? So, network security is the number one and that’s where we started our journey into security policy management, and the way we always describe it is who can talk to who and what can talk to what. Okay?

There could be a firewall in-between these two assets or identities. There could be an _____ policy, for example, in the cloud. The differentiation between identity and firewalls is almost nonexistent. It’s almost the same thing. If you want to segment certain assets in the cloud you’re gonna use a security group, which is a simplified virtual firewall, and if you’re gonna segment other things you’re gonna use identity and access management or RBAC, right? But they’re consolidating in the cloud. There’s no real difference between them.

You use both interchangeably. So, these two fields are becoming part of what we do in security policy management. And then we also do a little bit of vulnerability management as well. We don’t do it ourselves but we consume these vulnerabilities as part of our larger picture that we can give a CSO or his team as to what security looks like across his hybrid network. So, the potential is endless but these are the areas that we’ve focused on since the beginning of the company.

Shimel: Yeah. And it really – I mean the cloud changed all that, of course, the perimeter changing and all of these things, but to your credit, Tufin – and not just you, but the whole Tufin team has been able to ride with this evolution in security as we – it’s such – it’s almost like an octopus with so many tentacles, right? The aspects of security policy and security policy management.

Harrison: Yeah. You know, I think we were lucky because we came out of CheckPoint and we had that heritage and we followed it and it turns out that area of network security was very important and we could kind of gain the advantages of that and build the other stuff as we were seeing the returns from the investment in that area. The cloud right now – the cloud, DevOps, all of these – you know, the new perimeter or the end of the perimeter, if you like – they’re changing everything in a very significant way, right? We’re seeing the big change right now.

Shimel: It’s right and, you know what, with internet time it happens in like crunch time. It’s so much faster. Two things. First of all, I neglected to ask with the announcement today of the combining of the products, what is the name of the new product now or is it…?

Harrison: Yeah, so at first we wanted to be creative and demonstrate how innovative we are, so we moved away from secure track secure exchange and created these new things, Orca and Iris.

Shimel: Right.

Harrison: But now we figure, yeah, let’s just bring it back home and call it SecureCloud.

Shimel: So it’s SecureCloud. Excellent.

Harrison: Yeah.

Shimel: I like descriptive names, too. I always went through a thing like that where trying to be fancy like with naming cars, you know? Like some kind of European-sounding thing and it – I like descriptive better. So that’s number one. Number two, Reuven, I wanted to ask you another question. I think one of the big things in DevSecOps this year has been the realization that, you know what, the developers, the DevOps people, even the QA people, security truly is everyone’s responsibility, and if we want them to care about security, if we want them to be involved in security we need to make our products a little more friendly to maybe some of the non-security people so that they don’t feel, oh that’s just for security people kind of thing. Has that kind of added to – found its way into Secure Cloud and what Tufin’s doing?

Harrison: Yes, yes. I think the people that we sell to today are very different than the people we sold to 10 years ago, right? We’re not selling to the developers. At the very extreme we’ll be selling to the cloud ops or the DevOps people, but not – I wouldn’t say to developers. Developers don’t want to look at security dashboards. They want to write code. They want to focus on coding, and that’s great. I would say that the level of requirements today from a software product is 100 or 1,000 times more than it was 15 years ago, right?

It’s just like it’s gone through such an evolution the expectations are completely different. And you’re right, there are a lot of things that people today not necessarily want to see simplified but they want to see it very differently than what they saw 15 years ago or 10 years ago. User experience is super important, right? People just don’t like to use products that make life difficult. They want to use products that make life easy, even if it’s a security product.

Shimel: Yeah. No, but it’s true, right? Security products are almost hard on purpose, right? [Laughs] And now we’ve gotta make them easier for – ’cause people – you want – they gotta be usable. They have to be.

Harrison: Right, right. And I think a lot of people have gotten used to mobile apps that are a whole new level of usability.

Shimel: Yes.

Harrison: They want to see the same on their MacBooks or whatever they’re using, right? They expect the same level. Yeah.

Shimel: And they also want collaboration, right? I want my team to – I mean we share a view, if you will, right? We want that slack integration and all – these are the things people seem to be asking for. But yet, here’s an interesting thing I’ve observed, Reuven, and I’m sure you have too, is with all of that it still rests on the security team. Number one, it’s their budget, right? They’re the ones spending the money. And number two, they ultimately are the ones approving, disapproving, choosing these tools.

They’ll take into account what these other folks – the other teams say. But you still primarily gotta convince that security team that this is somehow gonna help the organization be better.

Harrison: Yeah, yeah.

Shimel: And that’s an issue. RSA is coming up in just two weeks, so this is a big announcement from you guys. Any other kind of insight into maybe something – anything around RSA for Tufin and you?

Harrison: No. Perhaps just remind everyone that I’ll be there with Ruvi and the rest of the team, so happy to meet all of our friends, customers, partners, yourself, Alan.

Shimel: We’ll be there. Actually, look, Tufin is a sponsor of our DevSecOps days, which is Monday of RSA week at Moscone West, a full day with – I’m just doing the program right now with my team. We’ve got some great speakers, really, really good speakers, and a month later we’ll have a virtual DevSecOps event. Reuven will be speaking. Yeah, I want to remind people about that.

Reuven, I want to thank you. I know it’s crazy this month leading up to RSA and we caught you – actually you’re in Vienna now, so [laughs] we’re gonna let you get back to your conference in Vienna, but thanks for joining us, and good luck with the new combination of the products. We’ll see you at RSA.

Harrison: Thanks, Alan. Great talking to you as usual.

Shimel: Alright. Reuven Harrison, CTO/co-founder of Tufin here on DevOps Chat. This is Alan Shimel, and you just listened to another chat.

Alan Shimel

Avatar photo

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded and then the DevOps Institute. is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

alan has 81 posts and counting.See all posts by alan