Policy Breeds Compliance: Getting Your Network into Compliance


By Molly Stamos
Product Marketing Manager
Opsware

The term "policy" has become one of the most overused terms within an organization. Depending on which department you ask, it can mean different things to different people. For Human Resources, a policy might dictate which web sites employees are allowed to visit.

For IT departments, a policy refers to a collection of rules that state how a company's infrastructure should be configured. One of the biggest differences between the two is that, unlike corporate policy violations, IT-related policy infractions are monitored and enforced by outside regulatory bodies, potentially resulting in stiff penalties and extremely costly financial repercussions for non-compliance.

Regulations such as Sarbanes Oxley demand tighter control over networks and the hardware and software used to transmit data over that network. Configuration settings must be standardized, changes must be tracked and audit trails produced. This endless list of IT tasks, coupled with the dramatic proliferation of network devices throughout the data center, from an install base of 25 million in 2003 to 45 million in 2005*, makes the job of ensuring network compliance exponentially harder than any other compliance initiative.

Often, organizations are able to get their network into compliance with intense manual effort but struggle to keep the network in a compliant state. To ensure on-going network compliance, organizations should begin with the following:

Define network and security policies
Start by defining the device configuration settings needed to ensure network compliance, and the process that should be used to effect change on the network. For example, at a very minimum all devices must not use insecure protocols such as telnet and TFTP.

Prioritize and remediate devices that are out of compliance with policies
The first time a network with more than a few hundred devices is brought in line with the policy, several hundred compliance violations may be identified. Prioritizing the non-compliant devices in terms of severity of violation and criticality of device is essential. Organizations should remediate the most serious violations first and continue bringing the network into compliance until there are no further violations.

Establish processes that prevent policy violations before they occur
A key to ensuring on-going compliance is to establish and enforce processes that prevent violations before they occur. These can be processes such as designating change boards, change windows and access control.

These are just a few of the requirements companies will need to successfully ensure network compliance. With more devices to track and monitor and fewer available IT resources, a growing number of companies are automating their network compliance process rather than relying on the expensive and error-prone process of manually tracking changes, prioritizing violations, and reporting on network compliance.

Network Automation Simplifies Policy Enforcement
By automating key aspects of network management, organizations will see a significant improvement in the accuracy and compliant state of the network, while gaining substantial time and labor savings. Unless organizations are willing to allocate a large percentage of their IT budgets towards keeping the network in compliance, network automation is the only way to maintain an on-going state of compliance. It does so by delivering the following capabilities.

Detect Violations
Unlike manual network change monitoring, network automation detects compliance violations as soon as they occur - whether someone is adding a rogue device to the network, making unauthorized or unplanned changes to a device or forgetting to re-apply an access list to an interface. Many of these compliance violations (such as setting an easily guessed password on a router) can go undetected for weeks or even months because they cause no noticeable problems on the network. By automating compliance detection, network automation immediately flags these problems and prevents them from happening in the first place.

Prioritize and Remediate Violations
If non-compliant changes are introduced into the network, IT must act swiftly to fix the violation. But when numerous violations occur, the ability to prioritize them based on the seriousness of the violation is critical. Network automation automatically prioritizes violations and routes them to different system actions. For example, network automation can automatically fix simple violations while routing other, more complicated fixes to an engineer for review.

Policy Enforcement
One of the most distinct advantages of network automation is the ability to prevent violations before they are pushed onto the network. While detective controls are good, proactive controls are better at preventing non-compliant changes. It is far less expensive to proactively avoid problems before they occur than to rely on manual network monitoring methods, which are limited to detecting policy violations after the device change has been introduced into the network.

Audit Trails and Compliance Reporting
Reporting can be one of the most labor intensive and costly aspects of network compliance. Network automation can automate all the data collection and report generation, from detailed audit trails on change activity to comprehensive best practices reports covering adherence to change process and best practice configuration settings on devices.

Automating the network proactively prevents non-compliant changes and continually monitors the network for non-compliant devices. Automation removes much of the manual drudgery around network monitoring and compliance reporting. In addition to the cost and time savings, it provides a complete audit trail of every change on the network, substantially improving the accuracy of compliance reports.

Conclusion
Just as companies have focused on managing corporate policy violations, network compliance is fast becoming a top priority for both upper level management and IT. Companies that haven't already thought about getting their network into compliance can start taking steps today to prepare. IT departments can start with the following baseline activities: define network and security policies, prioritize and remediate non-compliant devices, and establish processes that prevent policy violations.

Given the complexity of today's network landscape and the critical nature of IT-related compliance concerns, more organizations are automating their network compliance initiatives. By preventing problems before they occur, network automation allows IT to take specific action on the actual failure - the rule itself. Effective network automation brings welcome efficiency to network management, including a highly flexible policy model, effortless compliance reporting and prioritized actions and triggers. For organizations with large complex networks, network automation can save significant time and dollars.

* IDC Worldwide Router Shipments 1990-2005

Molly Stamos is Senior Product Marketing Manager at Opsware. You can reach her at mstamos@opsware.com.






