Blog

How Network Automation Ensures Compliance and Reduces Security Risks

By August 17, 2021No Comments
How Network Automation Ensures Compliance and Reduces Security Risks - iStock 1266559436

In a recent blog by Gluware partner NetCraftsmen, it was highlighted that passing security audits does not necessarily mean your IT infrastructure is safe. Read the blog here. Building off the issues and suggestions raised, in this blog we show how having network automation like Gluware in place enables the ability to perform basic compliances checks along with expanding it to the needs of your organization to enhance security.

Compliance Standards

Nearly every IT organization faces significant challenges in keeping up with and implementing IT security compliance. Putting the proper controls in place and performing regular assessments and audits are fundamental to achieving compliance.  The challenge often begins with deciphering governmental regulations like FISMA, NIST, DISA STIG, or FEDRAMP. Compliance checks based on 3rd party standards are often the starting point for most organizations since they are well known and frequently used by auditors. IT infrastructure teams (like NetOps and SecOps) will use standards such as those defined by the National Institute of Standards and Technology (NIST) and the Center for Internet Security Controls (CIS). Is that enough? Having the proper solutions in place can help IT organizations meet that minimum requirement and exceed it with additional security checks.

Using Network Automation for Compliance

Start with Device Configuration Audits

Starting with implementing the automation of compliance audits for device configurations is an excellent way to start. For example, using the Gluware Config Drift and Audit solution, you can run example audits including those defined by NIST, CIS and DISA STIG.

The CIS Benchmarks cover a broad range of technologies. Gluware can be used to execute audits against network devices (like Cisco and Juniper routers and switches).

Using Gluware to audit device configurations, an audit policy is created consisting of required configuration statements and with forbidden statements along with variables or regex to account for changing items like IP addresses, VLAN IDs and others.

Gluware Audit Rule Example audit rule to require AAA authentication

Gluware Audit Results Running the Audit Shows the Summary and Detailed Audit Violations

Now that you have visibility of the audit violations, you can take the next step to remediate those violations.  This can be accomplished using Gluware Config Modeling to define the desired state of each feature and implement the changes reliably and at scale to your network. Once you get your network configuration compliant, you are able to maintain compliance auditing regularly with Config Drift and Audit and implement remediation and ongoing configuration management with Config Modeling.

Automating Essential Network Security Controls

Essential network controls, defined in NIST 800-53 are often difficult to interpret, making them difficult to implement. Isolating these controls enables enterprise IT to have common ground to ensure their network policy meets compliance standards. The specification defines 20 security and privacy control families. The example table below shows how Gluware Intelligent Network Automation can help to deliver essential network controls and how they map to your NIST requirements across many of the control families.

Essential Network Security Controls

NIST 800-53 Rev. 5 Requirement

Gluware helps to implement access control by:

  • RBAC into Gluware for control on who can perform changes with permission control
  • Automate the configuration on the network to implement access control
AC (Access Control)
AC-1 Policy and Procedures
AC-2 Account Management
AC-3 Access Enforcement
AC-4 Information Flow Enforcement
AC-5 Separation of Duties
AC-6 Least Privilege
Gluware helps to implement audit and accountability by:

  • Provides deep levels of event logging within the system to understand who changed what, and what happened on each device
  • Gluware logging and reports along with data retention policies help to pass external audits
AU (Audit and Accountability)
AU-1 Policy and Procedures
AU-2 Event Logging
AU-3 Content of Audit Records
AU-4 Audit Log Storage Capacity
AU-5 Response to Audit Logging Process Failures
AU-6 Audit Record Review, Analysis and Reporting
Gluware helps to implement assessment, authorization and monitoring by:

  • Establishing a single layer of control to assess the network and monitor for configuration changes
  • Implement policy and procedure through Gluware for assessment, audit and configuration changes
CA (Assessment, Authorization and Monitoring)
CA-1 Policy and Procedures
CA-2 Control Assessments
CA-3 Information Exchange
CA-4 Security Certification
CA-5 Plan of Action and Milestones
CA-6 Authorization
Gluware helps to implement configuration management by:

  • Gluware Config Modeling enables the ability to define baseline configuration standards and enforce at scale
  • Gluware provides ongoing configuration management at scale
CM (Configuration Management)
CM-1 Policy and Procedures
CM-2 Baseline Configuration
CM-3 Configuration Change Control
CM-4 Impact Analyses
CM-5 Access Restrictions for Change
CM-6 Configuration Settings

Network Automation Beyond Compliance

Netcraftsmen raise two additional security-related components to consider:

  • Zero Trust Architecture (ZTA)
  • Cybersecurity Maturity Model Certification (CMMC)

ZTA defines an environment where there are no trusted devices, networks, or users. ZTA also defines a Zero Trust Edge (ZTE). ZTA has evolved into a NIST publication, NIST 800-207. Implementing network automation using Gluware, enterprise IT are able to implement and enforce authentication policies on every device in the network using Config Modeling.  Gluware can act as the Policy Engine for configuration policies that are applied to the network devices. Gluware can also provide network information and system activity logs that are required. While Gluware does not provide monitoring of traffic flows, it does provide the ability to perform ongoing config audits and monitoring to ensure the network remains in policy using Config Drift and Audit.

Cybersecurity Maturity Model Certification (CMMC) defines 17 domains in which practices and processes must be implemented. Access Control (AC); Asset Management (AM); Audit and Accountability (AA); Awareness and Training (AT); Configuration Management (CM); Identification and Authentication (IDA); Incident Response (IR); Maintenance (MA); Media Protection (MP); Personnel Security (PS); Physical Protection (PP); Recovery (RE); Risk Management (RM); Security Assessment (SAS); Situational Awareness (SA); System and Communications Protection (SCP); and System and Information Integrity (SII). Similar to NIST 800-53, Gluware can help to automate and implement many of the requirements of this specification related to the network infrastructure.

Automating Network Security as a Process

The NetCraftsmen blog calls out two well-known lifecycle management processes, including:

Adopting one of these lifecycle processes can enable your organization to stay within a well-defined process and execute lifecycle management. Implementing network automation using Gluware can dramatically accelerate the ability of your organization to meet changing requirements and deliver on the business needs.

To learn more about how Gluware can help enterprise IT implement compliance and improve security through network automation, contact Gluware or request a demo.