Top-20 global bank eliminates 12-month security policy backlog and automates 4,000+ firewall rules across 40 countries with Tufin
A multinational financial institution based in Asia — among the top 20 banks in the world by total assets — deployed Tufin SecureTrack and SecureChange to manage 33 firewalls across 40 countries, automating 4,000+ previously manual security rules and eliminating a 12-month rule recertification backlog within 12 months of deployment.
Background
The bank operated a complex, multi-vendor firewall estate across 40 countries, with no centralized automation for rule management, change tracking, or compliance reporting. A 12-month backlog of rules needing recertification, combined with an ongoing corporate merger, made the risk of misconfiguration and compliance failure significant. Manual spreadsheet-based rule management was no longer sustainable at this scale.
What Was Implemented
- Deployed Tufin SecureTrack for full topology visibility and policy monitoring across 33 firewalls (Palo Alto Networks and Check Point) in 40 countries
- Deployed Tufin SecureChange for automated change management workflows, enabling structured rule review and approval processes
- Implemented automated rule review and recertification with variable expiration timeframes, replacing annual manual cycles with daily automated reviews
- Configured automated compliance reporting against NIST 800-53 and PCI-DSS standards, replacing manual spreadsheet-based documentation
- Working toward zero-touch automation: automated provisioning of approved firewall changes without human intervention
Results
Within 12 months, the bank eliminated its 12-month rule recertification backlog and moved from annual to daily automated rule reviews . Management of 4,000+ security rules — previously handled through spreadsheets and emails — was fully automated. The bank achieved full topology visibility across 33 firewalls from two vendors in 40 countries. Manual audit preparation for compliance reporting was virtually eliminated . The netsec team described Tufin's deployment as delivering "instant benefit" upon initial rollout, particularly for Palo Alto Networks firewall monitoring that had been unavailable under the previous platform.
Lessons
- Multi-vendor firewall environments (e.g., Palo Alto + Check Point) require vendor-agnostic NSPM platforms; single-vendor tools leave coverage gaps.
- Rule backlogs are a compounding problem: the longer a backlog grows, the harder and riskier it becomes to clean up. Automation from the start prevents accumulation.
- Corporate mergers amplify network security complexity; deploying NSPM automation before or during a merger reduces post-merger risk exposure.
- Moving from annual to daily automated rule reviews is transformative for security posture, not just operational efficiency.
- Zero-touch automation (approve-once, auto-provision) is the logical endpoint of firewall change automation and eliminates human-error risk from manual implementation.