As enterprises mature in their approach to protecting sensitive data as it moves across networks, networking pros are facing more stringent network compliance auditing responsibilities. Whether they are facing compliance pressure from corporate policy or federal regulations, automated network configuration and change management
"[Network engineers] have been operating a bit in what I'd characterize as the Wild West. They're excellent at their jobs and would TELNET into a router or make a configuration update because they knew that was the right thing to do … but that behavior did not leave a paper trail," said Deb Curtis, research vice president at Gartner Inc. "Compliance demands have slowly filtered down through the IT organization … and the last bastion of where these compliance requirements have hit is in the network."
Although security teams may be in charge of identifying and responding to threats, implementing the necessary patches or intrusion protection systems (IPS) onto routers and switches to maintain network compliance falls "under the purview of the network operations team," said Curtis, who recently co-authored Gartner's 2010 MarketScope for Network Configuration and Change Management. In that document, Curtis identified compliance as a major motivation for enterprise investment in NCCM and a key element for vendors in this space to focus on when trying to deliver value to customers.
"That kind of responsibility is on your shoulders. You cannot wait for the 2 a.m. Sunday morning maintenance window to make an emergency security patch, nor can you go device by device, individually applying this update," she said. "Apart from it being ridiculously time-consuming, it has the possibility of a typing error as somebody's making these updates on the command line."
Keeping up with an ever-evolving regulatory environment can be confusing to network administrators and engineers, whose jobs have focused on ensuring uptime and reducing congestion, according to Rahul Sachdev, vice president of marketing and business development at Intelliden, whose automated NCCM products were recently acquired by IBM.
"The issue of compliance was always an afterthought," Sachdev said. "If I'm a network engineer and I'm sitting in front of a box and I configure something, do I know if that change has broken something in terms of a security policy or regulatory policy? I have no idea. All I know is I didn't break the Cisco box."
Networking team at manufacturer hopes to achieve better compliance with NCCM
At HNI Corp., a furniture manufacturer based in Muscatine, Iowa, the security pros know what needs to get done to meet compliance demands. But it's up to technical infrastructure manager Jason Hill and his networking team to execute the necessary updates and reconfigurations on the 2,000 devices they manage to ensure complete network compliance.
With four networking pros and 115 global locations, Hill had already implemented a "fairly mature" change management process for his team -- convening a committee to review and approve major changes.
But he sought a better way to automate those changes and to understand the larger impact one device configuration might have on the overall network. About four months ago, he bought NetMRI -- an automated NCCM tool from Netcordia that can monitor compliance with specific regulations or corporate policies -- to free up engineers from NCCM paperwork.
Although Hill is only beginning to toy with NetMRI's baked-in network compliance templates, he expects his team to be "a little bit ahead of the game" in terms of anticipating security changes and deploying them more easily en masse.
"We're going to really be able to create policies that say, 'We want all of our switches set up in this way. We want it verified that there's this line of configuration in the devices,'" Hill said. "It's going to make everything standard, and if anything else changes down the road, it's going to raise a red flag."
NCCM tools offer built-in network compliance audit capabilities
Network configuration and change management has had a bad rap, earning grumbles from networking pros who complain NCCM is inefficient and creates more problems than it solves, Curtis said.
"This is not exactly a welcome influence," she said. "I know many network engineers feel this hampers them from doing their job -- that instead of doing their jobs, they have to spend time doing what they feel is bureaucratic paperwork. … [But] once they convert to using these automated NCCM tools, they find it actually speeds their work."
Networking pros whose IT departments fall under federal or industry regulations should look for these kinds of "sophisticated" NCCM tools that take the guesswork out of compliance and offer more than the typical device discovery and configuration backup features, Curtis said. Netcordia's NetMRI, along with competing products from Intelliden, EMC, Hewlett-Packard and Pari Networks, comes with prepackaged compliance templates that simplify the process of mapping NCCM to compliance efforts.
"What you'd be looking for in tools is exceptional reporting capabilities and some of the built-in domain knowledge that compliance organizations enforce, specifically for Sarbanes-Oxley or specifically for HIPAA or specifically for PCI," she said.
However, small to midsized businesses in regulated industries could find it possible to keep their networks in compliance without an automated NCCM tool. Manual audits of networks consisting of fewer than 100 network devices are achievable, Curtis said.
For Bob Branski, systems administrator at Goodwill Industries of Southeastern Wisconsin, keeping up with the PCI compliance paper trail hasn't required any NCCM software. Even though he manages 4,500 network devices -- including 1,500 in-scope for PCI demands -- Branski has managed with manual updates and logging capabilities native to Windows Server and Cisco IOS.
"I know probably within the next two to three years, we're going to be implementing bits and pieces of [NCCM] concepts, but we're probably [never] going to go out and look for an integrated package to do it," Branski said. "Of course, time and requirements can change and often do … [but] right now, we're small enough that one person can typically take the lead on the issue and [can] track and work issues from start to finish."
Let us know what you think about the story; email: Jessica Scarpati, News Writer