One of the main conversations I have around Network Configuration & Compliance Management (NCCM) and NetMRI is the need for organizations to demonstrate that their networks comply with regulatory requirements and standards.
Most frequently, the conversation is around the PCI Data Security Standard (PCI DSS), since every organization that stores, processes or transmits cardholder data must comply with the current PCI DSS. For power generation customers, the conversation is often about compliance with the NERC Critical Infrastructure Protection (NERC CIP) standards. For firms that hold or process US Federal Government data, compliance with the current DISA Security Technical Implementation Guides (DISA STIGs) for network devices is often a condition of doing so.
Mechanics of Network Compliance, and where it gets Complex
The actual mechanics of complying with these programs are not particularly difficult; usually about forty or fifty configuration changes are needed to bring a particular device into compliance. The complexity enters the problem in three ways:
- Defining the logical boundaries for the controlled network;
- Finding all the devices on the network and assessing their configurations; and,
- Ensuring that devices remain in a compliant state over time.
Network Auditing and Compliance used to be a manual process
Traditionally, network teams regard compliance activities as necessary but inconvenient tasks that interfere with “fun” tasks like designing new architecture, configuring new equipment and so on. It’s typical to see network audit results either incompletely remediated or ignored entirely as the network team focuses on work that supports new business initiatives.
Until recently, the nature of the audit regime has made this approach to security and compliance acceptable. In many enterprises there is only one external audit conducted annually, perhaps with two to three internal audits preceding a “full dress” audit. Configuration gathering and analysis was a manual activity executed infrequently, and without a lot of teeth. Auditors were typically content to accept a well-intended plan of action as sufficient remediation for a large number of findings, and only require immediate action on the most serious findings.
Compliance Mandates raise the Stakes of a Network Audit
As exploits and breaches of company, customer and personal information become more widely publicized and consumers become more savvy about privacy, many organizations want to take a more proactive stance on security and compliance.
As a result, auditors are paying more attention and requiring more. The days of occasional, toothless audits are quickly going away. To survive a second or third network audit, you need to demonstrate material improvements in compliance. Manual efforts or partial solutions won’t cut it.
More and more, network managers are looking for tools to help them streamline the processes involved in keeping their networks secure and compliant. The smart ones are looking for solutions that go beyond that, to help demonstrate and prove compliance to auditors and other stakeholders.
Satisfying the broader Mandate for Compliance
Thinking broadly about the underlying requirement for compliance helps demonstrate the value of NetMRI’s more nuanced features aimed at enabling compliance.
Here are three key capabilities of NetMRI that bring huge value to the larger compliance challenge:
- Automated collection of configuration changes in NetMRI.
When stuff goes down, the first question Operations folks ask is “What changed?”
NetMRI answers that question immediately. During initial discovery, NetMRI collects the base configuration for every device on your network. Then, each time a device’s configuration changes, it captures the new version, so you can compare any two versions of a device’s configuration side by side and see exactly which lines changed and when.
Showing this capability to auditors can help put you in their good graces, even where they don’t explicitly require this level of change control.
- Rules & Policy Engine.
Compliance is all about rules for network device configurations, and demonstrating that all devices are configured in accord with those rules.
NetMRI allows users to define the rules – according to best practices for security, or for specific compliance mandates, like PCI, DISA STIG or NERC CIP – that apply to network devices. Then, the NetMRI Rules & Policy Engine evaluates all device configurations according to those rules, on-demand or in real time.
NetMRI helps you keep your network configured correctly continuously, every day – not just when the auditors arrive.
- EmpoweredAdvisor™ for NetMRI for Security Bulletins, and more.
There’s a continuous flood of security vulnerability information, from different vendors and sources, in different formats. Sorting out which ones apply to you and your network, and may impact your compliance is an ongoing challenge.
EmpoweredAdvisor collects vendor security and lifecycle bulletins, such as CVEs, PSIRT advisories and EoL/EoS notices, and makes that information machine-readable by NetMRI. Then, using the NetMRI Rules & Policy Engine, EmpoweredAdvisor highlights which devices in your network are affected, within the NetMRI GUI, where you can decide what action is needed.
This streamlines the whole process of getting from vendor security & lifecycle information, to the action you need to take to keep your network secure and compliant.
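To make the first two capabilities above concrete, here is a small, self-contained illustration of what a configuration-delta and rules-and-policy evaluation does. This is an added example, not NetMRI code and not an official PCI DSS, DISA STIG or NERC CIP rule set: the seven hardening rules, the Cisco IOS-style syntax they match, and the two device configurations (a non-compliant baseline and a partially remediated version) are all constructed for illustration.

```python
"""Added example: a miniature configuration rules engine with version deltas.

Not NetMRI code. Rules, device configurations and the IOS-style syntax are
constructed for illustration and are not an official compliance rule set.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: str     # regex matched against each configuration line
    required: bool   # True: some line must match; False: no line may match


# Illustrative hardening rules of the kind that PCI DSS, STIG and CIP
# checks translate into for a network device (constructed, not official).
RULES = [
    Rule("PWD-ENC", "Passwords stored in the configuration must be obfuscated",
         r"^service password-encryption$", True),
    Rule("ENABLE-SECRET", "Privileged mode must not use the reversible 'enable password'",
         r"^enable password ", False),
    Rule("NO-TELNET", "Management lines must not accept telnet",
         r"^\s*transport input (all|telnet)\b|^\s*transport input .*\btelnet\b", False),
    Rule("NO-HTTP", "Cleartext HTTP management must be disabled",
         r"^no ip http server$", True),
    Rule("SNMP-DEFAULT", "Default SNMP community strings must not be configured",
         r"^snmp-server community (public|private)\b", False),
    Rule("SYSLOG", "Events must be forwarded to a central log host",
         r"^logging host ", True),
    Rule("NTP", "Clock must be synchronised so audit trails line up",
         r"^ntp server ", True),
]


def evaluate(config: str) -> dict[str, bool]:
    """Map each rule id to True (compliant) or False (finding)."""
    lines = config.splitlines()
    results: dict[str, bool] = {}
    for rule in RULES:
        rx = re.compile(rule.pattern)
        matched = any(rx.search(line) for line in lines)
        results[rule.rule_id] = matched if rule.required else not matched
    return results


def failing_rules(config: str) -> list[str]:
    """Rule ids the configuration violates, in rule order."""
    return [rid for rid, ok in evaluate(config).items() if not ok]


def config_delta(old: str, new: str) -> list[str]:
    """Only the changed lines ('+'/'-') between two captured versions."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [l for l in diff
            if l and l[0] in "+-" and not l.startswith(("+++", "---"))]


def remediation_progress(old: str, new: str) -> tuple[list[str], list[str]]:
    """Rules the change fixed, and rules the same change broke."""
    before, after = evaluate(old), evaluate(new)
    fixed = [r for r in before if not before[r] and after[r]]
    regressed = [r for r in before if before[r] and not after[r]]
    return fixed, regressed


# Constructed sample configurations (not captured from a real device).
BASELINE = """\
hostname edge-sw1
enable password cisco123
snmp-server community public RO
line vty 0 4
 transport input all
 login local
logging host 10.0.0.20
"""

# The remediated version fixes most findings but drops the syslog host,
# which is exactly the kind of regression continuous evaluation catches.
REMEDIATED = """\
hostname edge-sw1
service password-encryption
enable secret 5 $1$xxxx$constructedhashvalue
no ip http server
snmp-server community S3cureC0mmunity RO
line vty 0 4
 transport input ssh
 login local
logging buffered 16384
"""

if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("remediated", REMEDIATED)):
        print(f"{name}: failing {failing_rules(cfg)}")
    fixed, regressed = remediation_progress(BASELINE, REMEDIATED)
    print("fixed:", fixed, "regressed:", regressed)
    print("\n".join(config_delta(BASELINE, REMEDIATED)))
```

Run stand-alone, the script reports six findings against the baseline, two against the remediated configuration (the missing NTP server and the syslog host that the change removed), and the line-level delta between the two versions. The point for an audit is the combination: the delta shows what changed, and re-evaluating every captured version shows whether the change moved the device towards or away from compliance.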
There are other capabilities of NetMRI, like automating password changes, logging privileged access and enforcing role-based access control, that also come up in the compliance discussion. Our team demonstrates these capabilities every day. Just book a demo with our team to see for yourself.
The better way – NetMRI
NetMRI helps customers be audit-ready every day, not just once a year. The tool provides deep insight into how compliance has improved over time with a comprehensive set of rules and reports. If you need to be PCI, DISA STIG or NERC CIP compliant, there’s no better way to do it than with NetMRI.