DevOps teams are keen to add security automation into their advanced app development, so a new tool from a cybersecurity suite provider may find an attentive audience.
Tufin's Orca service extends the company's policy-based approach to secure DevOps tools and protect containers and microservices. Although DevOps can help by flagging security concerns earlier in the development pipeline, the struggle between IT security staff and DevOps pros remains an issue, as IT security often relies on manual processes that are incompatible with DevOps automation goals. Tufin's policy-based approach helps to bridge this gap.
Tufin Orca lets IT set up guardrails or policies that govern which application resources should be deployed and where, as well as which resources should communicate between each other. Tufin enables IT to establish security policies that adhere to an organization's overall policies.
"I think Tufin's timing is good, as this amalgamation [of IT security and DevOps] is just starting," said Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), in Milford, Mass. "Tufin has an opportunity to be a thought leader, but it really has to evangelize security operations to the DevOps community."
DevOps teams can integrate Orca with their continuous integration/continuous delivery tools and with their Kubernetes runtime to provide microservices security regardless of where they are deployed -- whether on premises or in a public cloud.
"With the rising security threats we are seeing, there has been a push to add security frameworks and automation as part of the DevOps process," said Edwin Yuen, an analyst at ESG. "In many enterprises, IT, DevOps [and] developers, and the security team have not really integrated and are just starting to work together to bring their requirements into a common discussion."
Embedded security automation
Tufin Orca embeds security both into the DevOps pipeline and into the microservices mesh. Like the industry at large, Tufin sees more of its enterprise clients adopt DevOps as a way to increase productivity, bring new products to market, deliver capabilities and improve software quality, said Colby Dyess, director of cloud marketing at Tufin, based in Boston.
Companies have also adopted technologies such as Docker and Kubernetes and have built applications on microservices architectures. Within their Kubernetes environments, enterprises have deployed service meshes: a configurable infrastructure layer that handles communication between the services of a microservices application, akin to a network abstraction layer on top of Kubernetes.
By embedding security into the DevOps pipeline and service mesh, Tufin provides security teams with visibility into these environments and helps developers and DevOps teams monitor their systems' security without slowing the DevOps flow, said Reuven Harrison, CTO at Tufin.
Tufin Orca automatically tracks all microservice connections, monitors risk and applies a policy-based approach to protect applications. Orca also analyzes and scans containers for vulnerabilities, integrates with GitHub, and reports back to the developer with a security score for their services, Dyess said.
"Developers can see right away if they may have inadvertently introduced vulnerabilities," he said. "The idea is to identify these risks as early as possible and shift left -- to take the security and shift it left in the process of DevOps."
Tufin Orca also sets up microsegmentation for users' environments and will automatically encrypt traffic and lock down a Kubernetes environment to reduce the attack surface when an anomaly is detected. If Orca sees anomalous behavior, it takes a policy-based action, such as isolating the containers or the environment that has behaved inappropriately, and then notifies the IT team and developers.
"Increasingly, there are a variety of tools and plug-ins that developers can use that either scan code or 'spell check' it for various coding errors or methods that create potential security problems," said Eric Parizo, an analyst at GlobalData in Houston. "These tools are helpful, but it remains to be seen the extent to which secure development for containers and microservices can take hold."