What is SecureCloud?

Tufin SecureCloud is a security monitoring and management solution for public cloud and Kubernetes that gives you three key requirements needed for robust network security:

  • Visibility into your public cloud and Kubernetes environments that graphically displays elements and connectivity
  • Policy Management and control
  • Enforcement of your policy to secure the network

These capabilities help you identify security risks and address them fast. At the public cloud level, SecureCloud monitors and maps out your Amazon AWS, Microsoft Azure, Google Cloud accounts and highlights deviations from security best practices. At the Kubernetes cluster level, SecureCloud gives you visibility into cluster workloads, connectivity and lets you enforce your security policy. Advanced Kubernetes automation features allow you to 'left-shift' security to your repository and CI/CD processes.

The main areas of functionality in the product can be grasped by looking at the main menu.


At the top of the visibility heirarchy is the SecureCloud dashboard. It highlights primary areas of concern in your networks such as overly permissive network policies, and risky ports with a drill-down capability that leads you to the issues you need to address. Read more in Dashboard.

Tufin SecureCloud gives you a way to view your public cloud environment not just as a collection of servers and services, but as complete business applications, even when they consist of multiple distributed assets - see Global Application Visibility. Furthermore SecureCloud lets you look beyond individual cloud accounts and see a single combined environment consisting of multiple cloud vendors and accounts.

SecureCloud monitors your cloud accounts and combines the information gathered with resource metadata to visualize cloud application access connectivity. It brings you the security status of your applications by highlighting applications and assets that violate the policy you have defined.

SecureCloud's global application visibility includes topological maps of your assets and applications in the cloud, showing their connections outside of the application and compliance with your security policy. You can drill right down to see the effective access to each and every asset.

In the Kubernetes environment, you can see the network connections, Kubernetes network policies and vulnerabilities in containers, pods and services. View the pods, services, nodes, Kubernetes network policies and network traffic in your cluster and identify traffic that is not compliant with your defined policy.


SecureCloud lets you define a global security policy for your public cloud that is checked against the effective connectivity set up in your cloud vendor accounts. SecureCloud automation then discovers violations and configuration issues in your environment. Similarly, in SecureCloud you can create a set of policy rules for your Kubernetes cluster. Building your cluster policy is made easy by using 'learning mode', which presents all new connections for your consideration and add them to the whitelist policy in a click. Read more in The Concept of Policy.

Enforcement of Your Kubernetes Cluster Policy

Kubernetes is shipped without any protection whatsoever from Kubernetes Network Policies. SecureCloud lets you enforce a first line of protection by locking down any-any-any-allow connection attempts even before you have built your policy. Once you have a security policy of allowed connections you can enforce it on the cluster as Kubernetes network policies and other mechanisms of protection. Read more about Enforcement.

Kubernetes Automation

SecureCloud provides a number of features that help you identify security issues before deploying your containers and maintain a unified security policy that can be applied outside of the cluster.

  • Immutable policy control - automated policy creation built into your CI/CD pipeline.
  • Scanning of Docker container images for vulnerabilities and giving an appropriate Security Score to each container. Tufin SecureCloud computes a Security Score for each active service. The Security Score gives you instant insight into the security of the services you utilize in your application and can be added as a step to your CI/CD pipeline.
  • Submission of egress change tickets to Tufin SecureChange, based on your cluster policy rules.

Will SecureCloud Work on Our Infrastructure?

SecureCloud can monitor public cloud vendors Amazon AWS, Microsoft Azure, Google Cloud. It integrates into any Kubernetes platform, any build server and any code repository. Your Kubernetes application can be monitored on any certified Kubernetes platform version 1.9 or higher including Google GKE, Microsoft AKS, Amazon EKS, RedHat Openshift, Docker EE, Kubernetes vanilla and Enterprise PKS (VMware / Pivotal). You must define appropriate permissions in your public cloud accounts to allow SecureCloud to monitor them - see Account Manager for more information.

What Next?