The Cyber Jack Podcast: The Cloud Security Multiverse & the Power of Automation - Ruvi Kitov, Tufin

Cloud security is complicated. But it doesn't have to be. Ruvi Kitov, CEO, Tufin, urges organizations to think differently about cloud security by embracing the 'multiverse' and the power of automation. Ruvi also dives into visibility as a security killer and enabler. All this and more on this episode of The Cyber Jack Podcast.

[automatically transcribed for accessibility and reading leisure]


Jack 00:04

Today Ruvi Kitov, CEO and co-founder of Tufin joins us to talk about the cloud security multiverse, the power of automation, and how poor visibility kills security, all this and more on The Cyber Jack Podcast. Ruvi, thanks so much for joining us today. We're looking forward to talking about cloud security, which has been on everyone's minds, especially as this boom in remote work has made companies all that much more reliant on the cloud. To kick things off, can you tell us a little bit more about Tufin and the problems that you're looking to solve?


Ruvi Kitov 00:47

Sure, thanks for having me. My name is Ruvi Kitov. I'm the CEO and co-founder of Tufin, and we see ourselves as a security policy company. So we've been around for about 17 years. And what we do is enable large enterprises to manage their network complexity by using a policy-based approach. So when you think of large enterprises, they have a large, complex and heterogeneous network that is so fragmented, that it's organic, there are things changing on that network all the time, these organizations are expanding to the cloud. So, they have high complexity, and it's changing all the time. And they need some way to manage that complexity. And that's where we come in with our set of solutions that help them manage and automate network changes.


Jack 01:33

That sounds like a really important core list of challenges that you're solving for. So I know Tufin is urging organizations to really think differently about the cloud security strategy that they're implementing. You've mentioned before that cloud security can be considered a multiverse of sorts. Can you explain what that means and how organizations should be thinking differently about their cloud security approach?


Ruvi Kitov 01:59

Cloud security is interesting, because as organizations are moving more and more into the cloud, especially large enterprises, it's really fragmented again, there, when you think of their network, they're extending into the cloud using, on the one hand, things like SD-WAN and sassy solutions. And they might have a hub and spoke architecture, a lot of times they are using traditional vendors like Palo Alto CheckPoint, Fortinet in that hub, to monitor and control all the traffic coming in and out of the cloud. So there's that type of Cloud Control. And then there's different types of control.


They're provided by the platforms themselves. So AWS, Azure, and Google, all have the concept of security groups using tags, as in who can talk to whom, in the cloud itself. And then recently, both Microsoft and AWS came up with their own firewalls that now compete with Palo Alto for their checkpoint. And on top of all that you have identity and access management controls. So when you try to figure out whether an instance in the cloud can talk to some instance, maybe in another VPC or in a different cloud, it's almost impossible to figure that out and troubleshoot because there are so many layers of potential security controls that might affect that traffic. It's really like archaeology, it's very, very complex.


Jack 03:23

Wow. Well, we know how complexity can really kill security. So to narrow this down, what are the most critical components to include in organizations’ cloud security multiverse?


Ruvi Kitov 03:35

When you think of the multiverse, and we think of it in terms of security organizations, especially large ones, they're adopting the cloud in a way that they're not going to throw away all their on-premise infrastructure, they will always have something that it's on-premise, right, they're going to have maybe factories, or stores or data centers, some mainframe that is left on-premise, and yet, a lot of their data centers are going to move to the cloud. And so in the cloud, you're looking for, first of all, controls that will enable you to connect back to the data center securely, but at the same time, make sure that you don't have leakage of information that you're not exposed, it's very easy to get exposed to the internet. And another challenge is that a lot of times the people that have keys to the kingdom in the cloud are not necessarily security managers. So on-premise, a lot of times if somebody wants to make a change, they want to open a ticket. There's no other way to make a change.


They open a ticket in ServiceNow, a remedy, they asked for permission from it in the cloud. If you're in a cloud-native environment. That might not be the case. You might have developers or DevOps folks with admin privileges on your cloud provider like on AWS, Azure, maybe on GitHub, Jenkins, so they're making changes themselves to things like security groups, or things like Cloud firewalls, and you are left with very little control over what's actually happening in that cloud in the cloud environment. So there's a big challenge in trying to marry the two together, where does the responsibility of the security team and where does the responsibility of DevOps or developers begin in things that have to do with shared responsibility. So it's a major challenge.


Also, a lot of organizations are buying multi-cloud, they're not just going to use one cloud or another, they're going to use two or three cloud providers day one, because they might use them for different applications. So one of the things that we advise people to do and we're seeing a lot of large companies move towards is use a set of tools that is really vendor and platform agnostic, because you will end up probably having a mixture of AWS, Azure, Google Kubernetes, you might have VMware in the cloud, all sorts of things, want security solutions that cover the gamut, all of the different types of platforms and environments you're going to have, so that you don't build point solutions for each one. But you have them wide coverage across the entire set of technologies and platforms that you're using in the cloud.


Jack 06:15

That makes sense. So let's shift gears a bit to automation. Another key component of cloud success. Why is automation so important to the security function of today's organizations,


Ruvi Kitov 06:28

When we think of cloud, in many ways, is automated by definition. If you think of the CI, CD pipeline, and continuous integration, continuous deployment, people are building their applications using immutable concepts. So you're going to write the code, you're going to build it, you're going to deploy it. And if there's a bug, you're not going to fix it in production, you're going to rebuild that app and deploy it. So developers are thinking of how to rebuild their applications from scratch and how they can instantiate them and kill off the old code and rebuild it and redeploy it very quickly. So a lot of the cloud-native applications are already automated, the DevOps toolchain is automated. So from that perspective, when you think of security, it needs to be automated as well. And one of the surprising aspects is that a lot of organizations don't really automate yet security policy changes. So it's mind-boggling.


But a lot of times, you will find that firewalls or all sorts of segmentation technologies are actually done manually. It might not be an SSH that somebody is logging into a Linux machine. But it still might be a dashboard that somebody needs to open in manually edit, find the right roll, make a change, push that change out, we still think of that as a manual change, because it's something that a human needs, sit in front of the console, figure out what needs to be changed, and then deploy that change. That's not really automated. So a fully automated solution is one where a developer or any stakeholder that wants to make a change would request that change. And if that change request complies with a corporate security policy of who can talk to whom and what can talk to what, then whatever system you're using, first of all, it'll automatically detect whether it's compliant or not.


If it's not compliant, it will reject that change, and never move forward, it won't proceed. But if that change is compliant with a policy, then it can automatically design the perfect minimal change that needs to be implemented on every platform, segmentation technology firewall, you name it, both in the cloud and the on-premise that is connected to that cloud, so that you could deploy that change automatically in a matter of minutes or seconds. So automation is critical, especially in the cloud, because you're assuming that you will be able to rebuild your app maybe multiple times a day push changes out dozens of times a day, if you're still using a manual process to make security policy changes. And every time you use the main process, it might take hours, it might take days, that's no longer acceptable in most companies, right? They're expecting security to move at the speed of the cloud or at the speed of DevOps. So you want a security policy management solution that is automated in order to fit within the mold of where the cloud teams are headed.


Jack 09:29

So thinking about a company that's maybe a little newer to automation, what's the best place to start adopting automation? Is there a preferred path to follow to implement automation correctly?


Ruvi Kitov 09:43

A lot of times companies they have something that they're using right now, usually they have some manual process and it's painful and it's manual. It's error-prone. We start always by trying to define the policy. The policy is at the core. It is The desired state is what should be able to talk to what? On your cloud or on your network, and what should never talk to what. So you need to start with that as the blueprint or the architecture of your security, both in the cloud and on-premise. So I would start with the defining the policy finding who can tactically what conduct the one, I would say that step one, and then once you define the policy, you probably need some kind of tool or solution that can automate changes using that policy. So there's also solutions and people can obviously do some research, and then probably do a proof of concept, start small, try it for free, try to integrate it into your CI CD pipeline connected to your various platforms, your network security controls your firewalls, and build from there. So when we think of as a maturity model, the first thing that users do, usually when they look at two fingers, they will start with visibility.


So they would connect whatever solution they have and see what is out there, what are all of the segmentation technologies and controls, what is the policy right now. And then once they define their own security policy, it can see the gap from the configuration to the policy. So a lot of times there's a cleanup phase, where they see all the gaps, they might have dozens or hundreds of vulnerabilities right now on the network and in the cloud, which are essentially gaps between the desired state and where you are right now. Usually, organizations would want to clean that up, right? So they would have a cleanup project, closing all those gaps, patching the vulnerabilities and making sure that they have good security posture. And you do all that without even automating, right, that's just getting to clean bill of health.


And once you get to that point, people start thinking about automation. So they have a clean bill of health, they are now compliant with their own policy for the first time in a long time. And then they think, okay, how can I be continually compliant from this point forward. So then you would start looking at automating changes so that every change that is made to the infrastructure is gone through this vetting process of understanding whether it complies with the policy that you've defined, and only allowing it to move to production, if it complies with the policy, so you end up having a strong gating process, so that everything that gets into production is clean, and is complying. So when you get to that level, first of all, you're in a much better state because you no longer make changes that are non-compliant in your infrastructure. And the added benefit is the fact that you actually end up making changes a lot faster. So not only are you more secure, but at that point, you end up being a lot more agile, because changes can be done in minutes instead of days. So your users or stakeholders no longer need to wait around for security managers to finish their work.


Jack 12:57

Absolutely. being agile in the cloud is really a core component of success. And speaking of agile, how does near real time visibility into an organization security environment play an important role in cloud security? And how can that lack of visibility potentially hurt you?


Ruvi Kitov 13:16

Even if you have a fully automated solution, you still can lock it down completely, there will be some people who have privileges to make changes manually in sometimes emergency changes, right? Something happened, maybe we're coming up on the holiday period now. So like maybe there's a huge volume and somebody needs to make some change. And they need to circumvent the entire regular workflow. So they make a change. And maybe that change was a configuration mistake that ended up making a change that should not have been made.


So having visibility in real-time to the changes that are made is critical. Because you want to know what is happening right now in your network and in your cloud. So at any point in time, you have full control, it's really interesting to see because the environment is really heterogeneous to the point that it's fragmented. There are so many different vendors and platforms that there is no one console to really rule them all, if you will. To understand what's happening in your cloud or on your network, you'll need to open 10 different consoles in fiddled with each one to try to figure out what is happening on your network right now, whether that's network is on prem or in the cloud. So it's very difficult to do that. If you don't have a solution that provides visibility that goes into when and your cloud and your network. Visibility is critical. Because even if you're automating, first of all, if you're not automating changes, then obviously you need to see what's happening, who made what change and when, why did they make that change? What is the impact of that change? If you don't have visibility, you have no control and you're not in a good spot. When it comes to dealing with potential malware attacks. You're not going to be able to manage things.


But even if you're automating, people still will have the ability to make some changes manually. And you have to control that. Essentially, any change that comes out of left field, and you might not be seeing that change coming through your change process, you have to be able to monitor it. So real-time is critical, especially if you think of attacks that are happening and propagating very quickly. You want to be able to immediately see what's happening, who made what change, did you now open a vulnerability are we exposed, you don't want to wait an hour or a day? To have that knowledge, you need that knowledge in real-time?


Jack 15:36

So final question, as organizations continue their digital transformation efforts, how can having a strong security multiverse aid them in their journey?


Ruvi Kitov 15:48

The digital transformation is interesting because people expect full automation, they want to go 100% digital. And what's surprising is organizations that really haven't automated their policy change process, whether it's in the cloud or the network, they can't really claim that or they're digitally transformed, right? If your change process takes hours or days to make a change, and you need a human, to sit in front of the console to figure out if something is compliant or not. And they don't have a well-defined policy. Some people think they've gone through digital transformation, and yet their policy change process and everything to do with access control in the cloud, or the network is lacking, that's not really digitally transformed. This networking, cloud access change process is one of the last things that really has not been automated.


So we believe that it's a key to getting full digital transformation. And in many ways, security is oftentimes seen as the bad guys, right? A lot of times security teams are the ones that are saying no, they're slowing down projects, they're making all sorts of problems for people that want to move quickly. Security is critical, you can really circumvent security. And yet, it's probably the most hated group in the organization in many ways. So if you're able to automate security all the way, if you're able to make changes in minutes, instead of days, you can achieve digital transformation and security, in this way can actually be an enabler, people that are used to every change taking hours or days. And now suddenly, they're in a different environment where changes can take minutes. In a developer, once they make a change, they open a ticket. And that ticket is implemented on the network or in the cloud, in a couple of minutes with no questions asked, everything is automatically deployed, and is well conforming and fully audited. That's a completely different experience. So we see security folks actually being really commended on the changes that they're making, and how they're driving better agility through automation to the organization.


Because at the end of the day, most companies today are running on top of their business applications. Whether you're a bank, or you're an automotive manufacturer, almost any large company has applications, enterprise applications that are actually running the business. And if every time you want to make a change to the application, you need to wait hours or days to implement that change that you moving very slowly. And security folks that embrace automation can provide real agility to organizations so that now the business can deploy revenue-generating applications or mission-critical applications much more rapidly. So up to now security really has been a blocker, but I think it can be an enabler and drive real digital transformation through automation.


Jack 18:54

There it is, Rui, thank you so much for coming on the show. We'll lookout for more cloud security innovations from Tufin. And to all of our listeners, we'll see you next time.


###