In-Depth
How Network Configuration Management Improves Compliance and Productivity
How implementing a network configuration management strategy and solution can help effectively manage compliance-related tasks and all configuration changes
by Lawrence F. Lunetta
There’s no question that corporations and government agencies today are more sensitive to the role and importance of protecting the organization. What was once simply keeping the bad guys out of the network has now become a driving force in corporate management known as Governance, Risk, and Compliance (GRC). Since GRC is a new trend, let’s define the concepts to guide the discussion.
-- Governance focuses on what is universally important to organizations as expressed in policies and decisions. For example, “We will behave ethically and legally.”
-- Risk can be defined as the potential loss associated with policy violations. The loss can take many different forms – from lawsuits and jail time to financial costs and brand damage. Through risk, security threats are linked to overall GRC initiatives.
-- Compliance concentrates on business processes and how they reflect and adhere to specific policies. Some compliance initiatives come from internal directives (for example, “Only HR can see employee salaries.”) and some are externally imposed such as Sarbanes-Oxley or PCI requirements.
Because governance, risk, and compliance collectively have a huge impact on overall organizational health, the key is to manage them in a coordinated and centralized way. In fact, the operational health of the network and IT infrastructure is crucial to a successful GRC.
Network Configuration Management: A Foundation for Compliance
The Internet and associated innovations in networking technology have transformed meaningful business processes into instantaneous “point and click” transactions. Remember how we traded stocks, bought airline tickets, and received news ten years ago? Compare those business models with today’s “always on, always available” businesses.
The instantaneous nature of business today complicates the execution of governance, risk, and compliance initiatives and places tremendous pressure on the underlying network infrastructure. In response, organizations must understand and carefully manage an exceedingly large volume and a wide variety of network devices to protect the health and performance of these real-time processes and ensure that configuration policies comply with both internal and external standards.
Because mis-configured routers and switches often leave gaping security or compliance holes in critical business processes, IT organizations now must define and carefully manage a specific set of device configurations designed to provide the highest level of enterprise protection. An example of a well-defined network configuration standard is the Center for Internet Security (CIS) Cisco “Gold Standard,” which outlines recommended security settings for Cisco routers, switches, and firewalls. These settings can be applied directly to Cisco equipment or used as models for other vendor products and internally generated policies.
Unfortunately, the path to an ideal configuration state is littered with device-specific configuration tools that require mastery of arcane and idiosyncratic command-line interfaces. It is also possible to narrowly focus on a prescriptive benchmark with any number of siloed and uncoordinated tools. Without a centralized, vendor-neutral network management capability, reaching an ideal configuration is staff-intensive and becomes yet another difficult and time-consuming task in a long list of daily network management tasks.
From a network perspective, implementing a network configuration management strategy and solution can help effectively manage compliance-related tasks and all configuration changes, such as moves, adds, and deletes, as well as automate the typical auditing activities. A robust solution should provide the following network configuration management functions:
- -- A current network diagram that illustrates connections to customer data. This diagram provides automated discovery of a complete view of the Layer 2 and Layer 3 network topology along with an understanding of the attributes of the connected servers and endpoints.
- -- A unified interface for the management of configuration data. Because few, if any, networks are sourced by one vendor, it is desirable to have a universal user interface that a network engineer can access to make device changes in a heterogeneous environment, independent of the vendor that supplied the product.
- -- Control of roles, authority, and workflow. The standard for this function requires formal change control processes. Most organizations also want to escalate certain types of network changes for review and approval. To support this control, the network configuration management system must be able to define roles and responsibilities by individual or title, as well as define authorization procedures to involve senior technical and management staff.
- -- Configuration standards that reflect policy. The tools of a consolidated management system must be able to accurately reflect policies that outline security best practices (such as the “Gold Standard) that can be uniformly applied to the network infrastructure. Decisions, such as which services to allow and which ports to open, should not be made at the tactical tier-one or tier-two levels.
- -- Compliance auditing and reporting. Although most compliance regulations do not explicitly stipulate audit trails and reporting on the networking infrastructure, it must be able to demonstrate ongoing compliance to auditors, corporate management, shareholders, customers, and partners. Thus, deviation from defined standards to accommodate such compliance must be identified and reported.
- -- Closed-loop real-time response to out-of-policy configuration changes. At the outset, auditors may only require periodic reporting on network configuration status. Security and risk management, however, are increasingly becoming real-time propositions. As a result, many organizations are implementing closed-loop network configuration management processes that start with a change to a device setting that alerts the configuration manager and then assesses whether the change is acceptable. When found unacceptable, configuration changes are automatically executed and the device is returned to a compliant state. Closed-loop real-time response to out-of-policy configuration changes is an emerging network management best practice.
Each of these features contributes directly to the overall conformance of the network infrastructure and best practices for governance, risk, and compliance. In addition, they represent opportunities to reduce the labor and time required to manage complex real-time networks. Mistaken changes that have to be recovered and rolled back (avoiding unnecessary training on new device-specific interfaces and preventing headline-grabbing breaches) as well as the ease of automated reporting, create the opportunity for very rapid return on investment.
Implementing an automated network configuration management strategy and associated solutions contributes to an improved corporate compliance posture. Companies will be able to proactively ensure implementation of network-enabled compliance standards and pass compliance audits for PCI, Sarbanes-Oxley, HIPAA (and others) and will experience a better return on investment through increased operational efficiencies.
- - -
Lawrence F. Lunetta is vice president of strategy and corporate development for ArcSight. He has served as ArcSight's vice president of strategy and product line executive for networking products since February 2006. Previously, Mr. Lunetta served as chief customer officer and vice president of marketing. He holds a B.S. in electrical engineering from Rutgers University and an M.S. in engineering and an M.B.A. from Arizona State University. You can reach the author at llunetta@arcsght.com