Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

Staying on the right side of network compliance law.

Intelliden : 28 January, 2008  (Technical Article)
Scott Crawford of Enterprise Management Associates takes a look at achieving complete network compliance without the risk of penalties or excess man hours.
How many network engineers does it take to make a change to the network? Answer - way too many, way too often. If that sounds uncomfortably familiar, then as someone familiar with delivery of compliance requirements for high-demand networks, believe me, I feel your pain.

But I'm also frustrated that we as an industry are not progressing through that pain faster. According to Enterprise Management Associates, up to 80 percent of IT service problems are directly related to faulty configurations. But configurations are only part of the problem. Network compliance costs are also rising and represent a significant burden on the networking organizations. Compounding these pressures are the high penalties hanging over our heads for SLA and regulatory violations, ranging from hefty fines to more serious costs to the business.

Quite frankly, we as an industry have been very poor about ensuring we have the right tools in place to make life easier for ourselves, or in some cases, even deliver on what's been promised. Let's take Quality of Service (QoS) for example. I can recall a particular instance where a single VoIP access switch required seven different QoS settings in order to ensure the call was executed correctly. That was just for one type of device! And as we all know, it's not uncommon to have hundreds or even thousands of QoS settings across the network at any one time. This simply cannot and should not be managed manually by human beings. However, I don't think a disjointed collection of prescriptive tools are the answer either, but I'll come to that later.

Now it's not as if vendors haven't tried to sell solutions to this problem in the past. However, the problem is, many have only tried to sell solutions to the specific part of the problem that they solve, which has typically tended to focus on regulatory or security compliance. Legislative initiatives such as the Sarbanes-Oxley Act (SOX) in the United States and the European Union's Safe Harbor regulations have been primary catalysts for IT governance, risk and compliance (GRC) management initiatives. Non-legislative mandates such as the Payment Card Industry (PCI) Data Security Standard, which requires conformity from any business that uses credit or debit cards, have also become increasingly visible contributors to the trend. However this narrow focus ignores the giant white elephant in the room that nobody wants to mention - the holistic need for total network compliance, which should consider the broader business risks and requirements as they relate to your network. After all, Risk Management must embrace threats to IT's positive values of business-critical availability, performance and resource integrity, as well as the negative threats of security, compliance and other risk gaps. Without such an approach, IT Risk Management can hardly be considered comprehensive. The value of such an approach is that it harmonizes the values most meaningful to the business: assure IT's business objectives while minimizing risks to those objectives. We need to be able to support all business requirements as they pertain to networks, including regulatory, industry, security and operational aspects.

There is no denying that effective implementation of large and varied compliance policies in a dynamic, multi-vendor, complex network environment is no small task. This task becomes even harder when networks need to support diverse service requirements and multiple network engineers need to touch the devices - usually through manual processes, scripts or proprietary solutions. How do you strike the right balance between absolute compliance and guaranteed service delivery? How much risk can you afford to take without affecting critical service availability? Which risks are the most significant, and how can the most effective mitigation be applied while simultaneously delivering business priorities and serving customers? And how do you keep pace with all of this in an increasingly dynamic environment?

I mentioned earlier that I don't believe this proliferating problem can be addressed manually. Business depends on the network and the network cannot afford to be down. Ever. Human beings simply cannot keep pace with the volume, speed or complexity of dynamic, multi-vendor networks, the in-depth detailed knowledge required for managing multiple devices, or the numerous compliance requirements of SLAs. The reality is that a large number of enterprises and service providers don't have network-wide policies in place, which results in prevailing chaos and the hope that nothing goes down, goes wrong or needs changing too often.

Nor do I believe the answer lies in prescriptive tools for different compliance requirements. In my opinion, installing a myriad of different tools will send you running down rabbit warrens of silos, disjointed stove pipes and fragmented management processes without the visibility or capability to orchestrate them in relation to each other or to the business. So if the answer isn't more human beings doing more manual tasks more often, or installing more departmental level tools, then what's the solution?

In my view, what's needed are tools that address the spectrum of compliance requirements in a comprehensive rather than a piecemeal way, to define and implement compliance requirements, and to measure and manage the effectiveness of compliance efforts according to business objectives, This means solutions that support the implementation of compliance through policy correlation with network configuration, to the validation of compliance and detection of violations, monitoring and reporting capabilities essential to the credible demonstration of compliance, and closed loop compliance violation resolution. It's the difference between having multiple, disorganized tools versus a foundation platform that replaces inefficient, multiple, disjointed manual or scripted processes with an integrated, intelligent and automated solution to support "total network compliance" needs.

Few vendors have as yet taken on the compliance challenge in such a holistic way, but some have recognized the value of such an approach. Intelliden's Policy Based Compliance Management solution (PBCM), for example, is a comprehensive network compliance application, which defines and manages policies to continually validate device configurations and intelligently resolve non-compliant conditions. PBCM automates the complete network compliance lifecycle to define policies, validate devices against policies, resolve violations, and report results in a continuous and closed-loop manner. Among its most attractive values: it provides an effective bridge between business and IT to enable more direct correlation of network compliance to organization-wide priorities. Using the Intelliden PBCM solution, business analysts need not be intimately familiar with the technical requirements of network configuration parameters in order to define or manage their configuration compliance responsibilities in the network. Nor do technical professionals need be forced to "translate" the network compliance posture in terms that may have little or no relevance to the business; business stakeholders can more directly grasp the network compliance posture and manage compliance issues through their interaction with the expressive capabilities of PBCM. This is an innovative and practical approach to more effectively aligning compliance efforts between technology and the business. Both groups benefit from the ability of the PBCM solution to automate the implementation of compliance efforts in the most challenging networks. These capabilities further support one of the most important requirements of a compliance solution: to drive down compliance costs through more efficient use of available resources.

Recent EMA research indicates that such an approach resonates strongly with practicing professionals. In a recent EMA survey of over 100 respondents into the drivers and benefits of network configuration and change management (NCCM):.

* Compliance management was identified as the most important function of an NCCM solution.

* Improved security and better compliance were most often cited as "very important" NCCM benefits.

* At the same time, 2 of the top 3 highest average responses regarding the benefits of NCCM solutions were resolution of performance and downtime issues, and improved operational efficiency.

Adopters of these solutions have been able to deliver services accurately and rapidly, control network security exposures, lower operational costs and eliminate service outages, as well as reducing regulatory and industry compliance overheads.

We as an industry are slow to learn the lessons from our past - perhaps because our present is constantly changing. Despite the high penalties of non-conformance, many enterprises and service providers still lack the ability to automatically and intelligently enforce network policies for their mission-critical networks. Effective implementation of comprehensive compliance policies in a dynamic, multi-vendor, complex network environment is a challenging task.
We know a manual approach is unrealistic and unworkable for the long term. And we also know that traditional first-generation network compliance 'script based' tools ignore the holistic and comprehensive approach necessary, which must support all business requirements as they pertain to networks. The challenges of compliance aren't going to go away or get easier. It's time we took a more intelligent approach.

Scott Crawford is a Research Director with Enterprise Management Associates (EMA), a leading independent industry analyst and consulting firm dedicated to the IT Management market. Prior to joining EMA, Scott was the first Information Security Officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization (CTBTO) at the UN's third headquarters in Vienna, Austria. As the CTBTO's senior IT security expert, Scott was responsible for guiding the development of information security strategy and implementation for an organization representing more than 150 nations. In addition to establishing the CTBTO's information risk and security policy foundations, Scott guided the deployment of security management systems and led the development of pioneering technology initiatives, including a worldwide data authentication regime centered on a public key infrastructure for which he was the principal designer and architect. He holds a BA in Molecular, Cellular and Developmental Biology, from the University of Colorado, and MSc. from the Information Systems Institute at the University of Salford, UK
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo