Interconnected networks sharing data and information across the nation or around the world are the foundation for global commerce, infrastructure management, law enforcement, and much more. These networks are also prime targets for malware, ransomware, and hackers — working alone or as part of larger efforts to sow chaos and disruption. It’s the reason why network security is front and center for federal agencies and the organizations with which they partner.
Any vendor or organization that does business with federal agencies is familiar with Security Technical Information Guides (STIGs). STIGs are published by the Defense Information Systems Agency (DISA) to define the cybersecurity standards required for a particular device deployed on a federal agency network. Multiple STIGs exist for different network devices. And, as new devices become available, so do new STIGs. Securing infrastructure in a federal agency environment is not optional — complying with STIGs is mandatory for all Department of Defense agencies and the contractors that work with them.
While the intent is to create the most secure network environment possible, change is still a constant in the world of IT. New devices are added to networks all the time. And, existing network devices routinely receive software updates and new features, changing their baseline configurations over time and requiring additional compliance measures to reduce cyber risk and exposure. Unfortunately, these changes can happen so often, it can result in significant backlogs for the network teams managing STIG compliance. And, if those teams are primarily making the required changes manually, human error and other configuration mistakes can occur.
Network automation is a logical solution but only if the team can ensure network security.
The current state of STIG compliance
No one questions the need to keep networks secure — especially those that support federal agencies and other government departments and entities. That’s why STIGs were developed — to ensure all agencies and the vendors they work with are following the same cybersecurity standards and the devices deployed on their networks are continually updated to remain in compliance with those standards. The challenge is that STIGs are necessarily complex, as they encompass multiple devices, applications, and configurations. They’re also dynamic — changing and evolving with the devices and networks they manage.
Baseline security configurations defined by STIGs cover a wide number of devices. But, network devices can also have their own set of standards above and beyond the general baseline configuration. For example, a required configuration for an operational standard could stipulate that “core and edge routers in region X must have service configurations for NTP, Syslog, and DNS set to servers in the same region.” This would apply to a small number of devices. But, over time, this standard could change and evolve as the network grows — perhaps eventually defining that “core routers must use a set of service hosts that are different from edge routers in the same region.”
Then there’s the service configuration itself, which defines the commands that provision ports, VLANs, routes, ACLs, and any other features needed to provide access to an application or service. These types of configurations can change daily in some network domains. Plus, when a device is initially deployed on a network, these baseline security configurations are not typically enabled by default. Rather, they have to be enabled by the network teams.
Additionally, new applications and services require new configurations. And when something is no longer needed, those same devices need to be updated to remove older configurations.
In other words, over time, what you start with isn’t necessarily what you end with.
All this leads to the question of the day: How are network teams ensuring configuration takes place? Unfortunately, many network teams are relying on manual processes to stay on top of all these moving parts. That’s neither effective nor efficient. If network teams are primarily configuring devices and making ongoing changes and updates manually, it’s an indication they’re lacking modern tools for success.
Using automation to modernize and future-proof the network
Whether it’s security baselines changing through updated STIGs, operational standards that evolve over time, or service configurations that change daily, it’s important to recognize how fluid network device configurations have become. And, as the number of devices in the network has increased, it’s important to reevaluate the existing set of tools that network engineers are working with and determine if they’re equipped for success. While the initial reaction may be to adopt some form of network automation, automation at the expense of network security is not the answer.
Identifying and deploying an automation solution that can keep pace in a STIG-compliance environment means finding a modern way to easily manage hundreds or thousands of network configurations that will go through some amount of change over the lifetime of the device.
Following are several key steps to this process.
● Commit to automation integration and make it a priority. Understand that STIG compliance is too complex and fluid to be left to time-consuming manual processes that can lead to bottlenecks and errors.
● Start at the beginning. What specific compliance tasks are creating bottlenecks and backlogs? Are those tasks repeatable across the device ecosystem and can you replicate their solutions? What tools, whether open-sourced or from a vendor, are already available?
● Recognize that your network devices span physical, virtual, and cloud networks, and plan your automation and compliance processes with the entire network infrastructure in mind.
● Adopt an end-to-end perspective toward network automation that looks beyond automating tasks, overcomes existing operational silos, and integrates with your existing systems and technologies.
● Ensure your network’s compliance engine works hand in hand with the automation solution to guarantee that every single device is always in compliance.
● The solution you implement should be one that the existing network team can easily adopt from Day One and be flexible enough to provide the ability to create automations that extend across multiple network domains and integrate with other IT systems.
● Collaborate across teams to ensure seamless sharing of data and successful integration of the technology.
● Commit to giving your team members the time, training, and resources they need to implement and maintain the new automation solution.
● Focus on implementing an effective automation solution but also step back and assess the integration process and change course when necessary.
That may sound daunting, and it requires a fair amount of time and legwork to find the right solution, but automation and STIG compliance can work together. The result is a modern network future-proofed for an ever-changing compliance environment.