Customers frequently ask me “How do I keep up with all these network compliance requirements the auditors are handing me?”
Compliance can be a tough problem to handle, especially in a complex, growing and evolving network like most of my customers are building and running.
The conversation is often around the PCI Data Security Standard (PCI DSS), since every company that accepts and processes credit card transactions must comply with the current PCI DSS. For power generation and utility customers, the NERC Critical Infrastructure Protection (NERC CIP) standard often tops the to-do list. For health insurance companies that exchange Medicare data with the US Federal government, compliance with the DISA Security Technical Implementation Guide (DISA STIG) for network devices is a must.
Mechanics of Network Compliance, and Where It Gets Complex
The actual mechanics of complying with these different programs are not particularly difficult; usually there are about forty or fifty configuration changes needed to bring a particular device into compliance. The complexity enters the problem in three ways:
- Defining the logical boundaries for the controlled network;
- Finding all the devices on the network and assessing their configurations; and,
- Ensuring that devices remain in a compliant state over time.
Network Auditing and Compliance Used to Be a Manual Process
Traditionally, network teams regard compliance activities as necessary but inconvenient tasks that interfere with “fun” jobs. Designing new architecture, configuring new equipment and so on are all more fun than compliance, right? It’s typical to see network audit results either incompletely remediated or ignored entirely as the network team focuses on work that supports new business initiatives.
Until recently, the nature of the audit regime has made this approach to security and compliance acceptable. In many enterprises there is only one external audit conducted annually, perhaps with two to three internal audits preceding a “full dress” audit. Configuration gathering and analysis was a manual activity executed infrequently. There were no real penalties for failing to completely fix problems found: a well-intentioned plan of action was sufficient for a large number of findings. Only the most serious problems required immediate action.
Savvy Consumers Raise the Stakes of a Network Audit
Consumers have become more savvy about a company’s duty to protect their data. They reward proactive firms with their continued loyalty. Many organizations need to take a more proactive stance on security and compliance to stay competitive.
Auditors are paying more attention, and requiring more than “best effort” action. Those days of occasional, toothless audits are quickly going away. To survive a second or third network audit, you need to demonstrate material improvements in compliance. Manual efforts or partial solutions won’t cut it.
More and more, network managers are looking for tools to help them keep their networks secure and compliant. The smart ones are looking for solutions that prove compliance to their stakeholders every day, not just on audit day.
Satisfying the Broader Mandate for Compliance
We work with customers to implement Infoblox NetMRI, an industry-leading Network Change and Configuration Management product, to detect, manage and correct problems in network compliance. Thinking broadly about the underlying requirement for compliance helps demonstrate the value of NetMRI’s more nuanced features aimed at enabling compliance.
Here are three key capabilities of NetMRI that bring huge value to the larger compliance challenge:
- Automated collection of configuration changes
When stuff goes down, the first question Operations folks ask is “What changed?” NetMRI helps answer that question right away. NetMRI captures every change made to a device so you can compare each version of a device’s configuration side-by-side.
- Policy Engine
Using a well-formed set of rules to configure network devices is at the heart of compliance. NetMRI allows users to define the rules – according to best practices for security, or for specific compliance mandates, like PCI, DISA STIG or NERC CIP – that apply to network devices. Then, the NetMRI Policy Engine evaluates all device configurations according to those rules in real time. NetMRI helps you keep your network configured correctly continuously, not just when the auditors arrive.
- EmpoweredAdvisor™ for NetMRI for Security Bulletins, and more.
There’s a continuous flood of security vulnerability information, from different vendors and sources, in different formats. Sorting out which ones apply to your network, and which may affect your compliance, is an ongoing challenge. EmpoweredAdvisor collects vendor security and other bulletins, like CVEs, PSIRTs and EoL/EoS notices, and makes that information machine-readable by NetMRI. Then, leveraging the NetMRI Rule & Policy Engine, EmpoweredAdvisor highlights which devices in your network are impacted, within the NetMRI GUI, where you can decide what action is needed. This streamlines the whole process of getting from vendor security and lifecycle information to the action you need to take to keep your network secure and compliant.
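As an added illustration of the change-capture and Policy Engine capabilities described above (example code written for this post, not NetMRI’s code or its rule format), here is a minimal version of both in Python: a “what changed?” diff between two constructed configuration snapshots, and a constructed rule set evaluated against each snapshot to flag the violations the change introduced. The config lines and rules are made up for the example and are not taken from any compliance standard.

```python
import difflib
import re

# Constructed sample: two snapshots of one device's running-config (v1 before, v2 after a change).
CONFIG_V1 = """\
hostname core-sw1
service password-encryption
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
logging host 10.0.0.5
"""
CONFIG_V2 = """\
hostname core-sw1
ip ssh version 2
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
logging host 10.0.0.5
"""

# Constructed policy: (rule id, description, regex, must_match); must_match=True means some
# config line has to match the regex, must_match=False means no config line may match it.
RULES = [
    ("R1", "password encryption enabled", r"^service password-encryption$", True),
    ("R2", "SSH version 2 enforced", r"^ip ssh version 2$", True),
    ("R3", "telnet not accepted on vty lines", r"^\s*transport input .*\btelnet\b", False),
    ("R4", "vty exec-timeout not disabled", r"^\s*exec-timeout 0 0$", False),
    ("R5", "remote syslog configured", r"^logging host \S+$", True),
]

def evaluate(config, rules=RULES):
    """Map each rule id to True (compliant) or False (violated) for one config snapshot."""
    lines = config.splitlines()
    results = {}
    for rid, _desc, pattern, must_match in rules:
        matched = any(re.search(pattern, ln) for ln in lines)
        results[rid] = matched if must_match else not matched
    return results

def config_diff(old, new):
    """Changed lines only ('-' removed, '+' added): the answer to 'what changed?'."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), "v1", "v2", lineterm="", n=0)
    return [d for d in diff if d.startswith(("+", "-")) and not d.startswith(("+++", "---"))]

def new_violations(old, new, rules=RULES):
    """Rule ids that were compliant in the old snapshot but are violated in the new one."""
    before, after = evaluate(old, rules), evaluate(new, rules)
    return [rid for rid in after if before[rid] and not after[rid]]
```

Running `evaluate` on every collected snapshot is the continuous check; running `new_violations` on each captured change is what turns a config diff into an actionable finding.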
Many other NetMRI capabilities also come up in the compliance discussion, like automating password changes, logging privileged access, or enforcing Role-Based Access Control. Our team demonstrates these capabilities every day. Just book a demo with our team to see for yourself.
The Better Way – NetMRI
To sum up, Infoblox NetMRI helps customers be audit-ready every day, not just once a year. NetMRI can help you prove PCI, DISA STIG and NERC CIP compliance quickly and easily.