AWS Control Tower vs. Tufin Orchestration Suite

We were wanting to prove the concept of a low touch process for quickly spinning up boilerplate AWS environments. We were able to get started quickly and to ensure that the AWS Well-Architected Framework principles were followed - at least upfront - however, we found that for our use case and expertise level it ultimately wasn't a fit. We have the skills on our team to manage more of this on our own. My recommendation would be contingent on what skills are already available on your team: if you can "do it yourself" you might as well so that you don't pay for resources you don't need and you have finer grain control over what's created.

Incentivized

Well suited scenarios - 1) Firewall Policy / Ruleset management 2) Where all the products are from Tufin like TOS ST, SC, SecureApp etc 3) Where customer focuses on ruleset compliance - USP violations, and other features Less suited - 1) Agnostic/distributed environment - Tough with integrate with 3rd party like CyberArk 2) FW recertification processes / exception process when complex process is included

Incentivized

• Easily create new AWS accounts.
• Easily secure and manage AWS accounts.
• Landing zone with SSO is a huge win for larger teams.

Incentivized

• Firewall management
• Compliance reports
• Unused rules and optimization
• Policy Automation

Incentivized

• The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
• The default guardrails do not fully encompass all the security checks that we needed.
• There does not appear to be any way to control roles at the IAM level from the control tower account through the GUI.
• Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.

Incentivized

• Palo Alto Networks Integration
• Better/more user friendly api for integration with ticketing systems
• Web UI structure is not user-friendly

Incentivized

There is no way to easily close an AWS account whether it was created manually or via the AWS Control Tower. It takes too many steps to close it vs to provision a new AWS account

Incentivized

Using AWS Systems Manager and other slightly lower level components has been helpful for us to manage parts of our AWS presence at a more granular level than AWS Control Tower was designed for. It's not at all an apples-to-apples comparison as they solve different use cases, but for us, the use case associated with AWS Systems Manager was a better fit for our specific needs and skillsets. We did not need everything that AWS Control Tower was doing for us.

Incentivized

1) Fairly okay overall but definitely needs improvement overall Vs the other products available in the market like Palo Alto XSOAR 2) Cost wise okay at the beginning but when client demands add-ons/ more features/customization tailored to their needs, Tufin Orchestration Suite recommends RFE / custom costs/development costs 3) USP feature is cool to use overall Vs FireMon 4) Tufin ProServ needs to buckle-up/Support compared to other competitors in the market

Incentivized

• Less time manually deploying accounts which was error prone.
• Central logging allowed us to have 1 place to view logs.

Incentivized

• I think if you correctly configure your SIEM, you don't need Tufin. You can correlate a lot of things for firewalls.

Incentivized