Automation Strategy

How the Public Sector can Automate Network Changes in a STIG Environment

Rich Martin

Director of Technical Marketing ‐ Itential

Posted on August 14, 2023

Interconnected networks sharing data and information across the nation or around the world are the foundation for global commerce, infrastructure management, law enforcement, and much more. These networks are also prime targets for malware, ransomware, and hackers — working alone or as part of larger efforts to sow chaos and disruption. It’s the reason why network security is front and center for federal agencies and the organizations with which they partner.

Any vendor or organization that does business with federal agencies is familiar with Security Technical Information Guides (STIGs). STIGs are published by the Defense Information Systems Agency (DISA) to define the cybersecurity standards required for a particular device deployed on a federal agency network. Multiple STIGs exist for different network devices. And, as new devices become available, so do new STIGs. Securing infrastructure in a federal agency environment is not optional — complying with STIGs is mandatory for all Department of Defense agencies and the contractors that work with them.

While the intent is to create the most secure network environment possible, change is still a constant in the world of IT. New devices are added to networks all the time. And existing network devices routinely receive software updates and new features, changing their baseline configurations over time and requiring additional compliance measures to reduce cyber risk and exposure. Unfortunately, these changes can happen so often that they create significant backlogs for the network teams managing STIG compliance. And, if those teams are primarily making the required changes manually, human error and other configuration mistakes can occur.

Network automation is a logical solution, but only if the team can ensure network security.


The Current State of STIG Compliance

No one questions the need to keep networks secure — especially those that support federal agencies and other government departments and entities. That’s why STIGs were developed — to ensure all agencies and the vendors they work with are following the same cybersecurity standards and the devices deployed on their networks are continually updated to remain in compliance with those standards. The challenge is that STIGs are necessarily complex, as they encompass multiple devices, applications, and configurations. They’re also dynamic — changing and evolving with the devices and networks they manage.

Baseline security configurations defined by STIGs cover a wide range of devices. But network devices can also have their own set of standards above and beyond the general baseline configuration. For example, a required configuration for an operational standard could stipulate that “core and edge routers in region X must have service configurations for NTP, Syslog, and DNS set to servers in the same region.” This would apply to a small number of devices. But, over time, this standard could change and evolve as the network grows — perhaps eventually defining that “core routers must use a set of service hosts that are different from edge routers in the same region.”
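As an added illustration (not code from the post or from Itential), here is a small compliance check for exactly this kind of operational standard: it reads the NTP, Syslog, and DNS server lines out of a router configuration and compares them with the service hosts allowed for that device's region and role. The policy table, the IOS-style line syntax, and the sample config are all constructed assumptions; the role split lets the same checker enforce both the original "same region" rule and the later "core differs from edge" rule.

```python
import re

# Constructed policy (assumed values): allowed service hosts per region, split by
# device role so both rules from the post ("same region", "core != edge") apply.
POLICY = {
    "east": {
        "core": {"ntp": {"10.1.0.10"}, "syslog": {"10.1.0.20"}, "dns": {"10.1.0.30"}},
        "edge": {"ntp": {"10.1.1.10"}, "syslog": {"10.1.1.20"}, "dns": {"10.1.1.30"}},
    },
}

# IOS-style config lines that name each service's server (IPv4 only, assumed syntax).
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "ntp": re.compile(r"^ntp server " + IPV4),
    "syslog": re.compile(r"^logging (?:host )?" + IPV4 + r"$"),
    "dns": re.compile(r"^ip name-server " + IPV4),
}

def extract_services(config_text):
    """Return {service: set of configured server addresses} from a running config."""
    found = {svc: set() for svc in PATTERNS}
    for line in config_text.splitlines():
        for svc, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                found[svc].add(m.group(1))
    return found

def check_compliance(config_text, region, role, policy=POLICY):
    """Return a list of findings for this region/role; empty means compliant."""
    found = extract_services(config_text)
    findings = []
    for svc, allowed in policy[region][role].items():
        if not found[svc]:
            findings.append(f"{svc}: no server configured")
        for host in sorted(found[svc] - allowed):
            findings.append(f"{svc}: {host} not in {region}/{role} allowed set")
    return findings

# Constructed sample: an east-region edge router still pointing NTP at a core host.
SAMPLE_CONFIG = """\
hostname edge-east-01
ntp server 10.1.0.10
logging host 10.1.1.20
ip name-server 10.1.1.30
"""

if __name__ == "__main__":
    print(check_compliance(SAMPLE_CONFIG, "east", "edge"))
```

Run against a device's saved configuration before and after an automated change, the empty-or-not result is the gate that decides whether the change may be pushed.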

Then there’s the service configuration itself, which defines the commands that provision ports, VLANs, routes, ACLs, and any other features needed to provide access to an application or service. These types of configurations can change daily in some network domains. Plus, when a device is initially deployed on a network, these baseline security configurations are not typically enabled by default. Rather, they have to be enabled by the network teams.

Additionally, new applications and services require new configurations. And when something is no longer needed, those same devices need to be updated to remove older configurations.

In other words, over time, what you start with isn’t necessarily what you end with.

All this leads to the question of the day: How are network teams ensuring these configurations are applied and kept compliant? Unfortunately, many network teams are relying on manual processes to stay on top of all these moving parts. That’s neither effective nor efficient. If network teams are primarily configuring devices and making ongoing changes and updates manually, it’s an indication they’re lacking modern tools for success.


Using Automation to Modernize & Future-Proof the Network

Whether it’s security baselines changing through updated STIGs, operational standards that evolve over time, or service configurations that change daily, it’s important to recognize how fluid network device configurations have become. And, as the number of devices in the network has increased, it’s important to reevaluate the existing set of tools that network engineers are working with and determine if they’re equipped for success. While the initial reaction may be to adopt some form of network automation, automation at the expense of network security is not the answer.

Identifying and deploying an automation solution that can keep pace in a STIG-compliance environment means finding a modern way to easily manage hundreds or thousands of network configurations that will go through some amount of change over the lifetime of the device.

Following are several key steps to this process:

  • Commit to automation integration and make it a priority. Understand that STIG compliance is too complex and fluid to be left to time-consuming manual processes that can lead to bottlenecks and errors.
  • Start at the beginning. What specific compliance tasks are creating bottlenecks and backlogs? Are those tasks repeatable across the device ecosystem and can you replicate their solutions? What tools, whether open source or from a vendor, are already available?
  • Recognize that your network devices span physical, virtual, and cloud networks, and plan your automation and compliance processes with the entire network infrastructure in mind.
  • Adopt an end-to-end perspective toward network automation that looks beyond automating tasks, overcomes existing operational silos, and integrates with your existing systems and technologies.
  • Ensure your network’s compliance engine works hand in hand with the automation solution to guarantee that every single device is always in compliance.
  • Choose a solution that the existing network team can adopt from Day One, and that is flexible enough to build automations which extend across multiple network domains and integrate with other IT systems.
  • Collaborate across teams to ensure seamless sharing of data and successful integration of the technology.
  • Commit to giving your team members the time, training, and resources they need to implement and maintain the new automation solution.
  • Focus on implementing an effective automation solution but also step back and assess the integration process. Be ready to change course if necessary.

That may sound daunting, and it requires a fair amount of time and legwork to find the right solution, but automation and STIG compliance can work together. The result is a modern network that enables greater network visibility, uptime, availability, and modernization all while maintaining standards and cyber defense in an evolving compliance environment.


Why Itential is Trusted in the Public Sector

In the public sector, agencies are looking for ways to accelerate deployment of critical network infrastructure without introducing more risk into the network. This requires an automation solution that can both automate network changes and verify that those changes will stay within the defined operational and security standards.

Itential enables public sector agencies to achieve greater network visibility, consistent uptime and availability, cybersecurity defense, and their automation and modernization objectives. By leveraging our unique capabilities to automate across every part of network and IT infrastructure, organizations can deploy services faster while simplifying network management from a people perspective. Scale, stability, and security are top priorities for the public sector, and Itential’s customers have used our software to get there.

To dive into how you can leverage Itential to automate your network while maintaining STIG standards, check out this webinar. You can also learn more about our solutions for the public sector here.

Article originally published on Mission Critical


Rich Martin is the Director of Technical Marketing at Itential. Previously, Rich has worked at several networking vendors as both a Pre-Sales Systems Engineer and Systems Engineering Manager, but started his career with a background in software development and Linux. He has a passion for automation in the networking domain, and at Itential he helps networking teams get started quickly and move forward successfully on their network automation journey.
