Configuration Management

How to Evolve Your Reactive Network Compliance to Include Proactive Validation

Rich Martin

Director of Technical Marketing ‐ Itential

Posted on December 2, 2021

Did you know that 75% of IT organizations are concerned that their configuration management processes could cause errors? That is one of the main highlights that stuck out to me in a recent research report that Itential did in partnership with Enterprise Management Associates. This stat got me thinking – why is this number so high? Then, it hit me pretty quickly. Many network teams are still managing their configuration process in a very reactive way, causing high concern that most changes have the possibility to bring their networks out of compliance.

This traditional, reactive method of ensuring a network configuration is in compliance can be summed up as a “break, check, fix” process. Let’s consider what this process looks like. First, a manual or automated process checks a network device’s configuration and determines that it is in a state of compliance. At some point afterwards, a change is made to the device that brings it out of compliance. That moment is the “break” event, and if the change doesn’t cause a direct network or service outage, it can remain undetected until the next “check” event brings the violation to light. Once the “check” event occurs, the network device is known to have a non-compliant configuration, which needs to be remediated. When the remediation process is finally completed, that is the “fix” event.

Whatever the time delta is between the initial “break” and the “fix” is the total amount of time a particular network device is exposed. Is that hours, days, weeks or even months? Any of those options is too long as it could cause security risks for an organization.

So how do network teams move beyond a purely reactive method to include a more proactive approach to avoid errors in the first place?


Evolving the “Break, Check, Fix” Model of Reactive Compliance Management

Because this method of ensuring compliance is reactive in nature, it carries along with it a burden of exposure. The accepted way to deal with this burden is to reduce the time between the “break” and “check” events, which typically means checking more often, and to reduce the time between the “check” and “fix” events, which in turn means prioritizing fixes, more manual changes, and additional backlog for the network team.

Instead of working solely on reactive processes, organizations need proactive measures that prevent the “break” event from occurring in the first place. This is a validation process that queries the compliance system for confirmation that a proposed change will not violate the standard set by the organization. If the proposed change would bring the network device out of compliance, the change is not made, thus avoiding the dreaded “break” event altogether. By avoiding the “break” event, there’s no need to “check” or “fix” anything, which means there’s no unnecessary exposure of that network device.
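The validation step described above can be sketched as a gate that builds the candidate configuration and evaluates it against the standard before anything is pushed. This is an added example, not Itential's code or API: the rule format, the flat IOS-style syntax (where `no <line>` removes a line), the function names and the sample device are all assumptions made for illustration.

```python
import re

# Constructed compliance standard: regexes that must / must not match a config line.
STANDARD = {
    "required": [r"^service password-encryption$", r"^ip ssh version 2$",
                 r"^logging host \S+$"],
    "forbidden": [r"^ip http server$", r"^snmp-server community public\b",
                  r"^transport input .*telnet"],
}
# Constructed running configuration of a hypothetical, currently compliant device.
RUNNING = ["hostname edge-rtr-01", "service password-encryption",
           "ip ssh version 2", "logging host 192.0.2.10"]

def violations(config, standard=STANDARD):
    """The reactive 'check': list every rule the full configuration violates."""
    lines = [l.strip() for l in config if l.strip()]
    found = []
    for pat in standard["required"]:
        if not any(re.search(pat, l) for l in lines):
            found.append(("missing", pat))
    for pat in standard["forbidden"]:
        found.extend(("forbidden", l) for l in lines if re.search(pat, l))
    return found

def apply_change(running, change):
    """Build the candidate config without touching the device."""
    candidate = [l.strip() for l in running]
    for cmd in (c.strip() for c in change):
        if cmd.startswith("no "):
            candidate = [l for l in candidate if l != cmd[3:]]
        elif cmd not in candidate:
            candidate.append(cmd)
    return candidate

def validate_change(running, change):
    """The proactive gate: approve only if the change adds no new violation.

    Comparing against the current state lets a remediation change through
    on a device that is already out of compliance.
    """
    before = set(violations(running))
    after = violations(apply_change(running, change))
    new = [v for v in after if v not in before]
    return (not new, new)

if __name__ == "__main__":
    for change in (["ntp server 192.0.2.20"], ["ip http server"],
                   ["no ip ssh version 2"]):
        approved, why = validate_change(RUNNING, change)
        print("APPLY " if approved else "REJECT", change, why)
```

In a workflow, the push to the device runs only when the first element of the returned tuple is true; a rejected change never reaches the device, so there is no “break” event to detect later.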


How to Leverage Automation to Achieve Network Configuration Validation

The reality is that both reactive and proactive network compliance processes are necessary, but in today’s modern network environment, automating both processes has become a requirement. There’s always the possibility of someone making a manual change to some network device or service that will violate the compliance standard. By automating the traditional “break, check, fix” methods, it’s possible to reduce the time to detect a change that violates compliance and to remediate it in mere seconds. This very thing is actually something I showed in action in a recent demo where an automation can be integrated with an event-driven system to immediately run when a network change is detected, determine if the change violates compliance standards, and remediate the configuration if needed.

And on the other side of the compliance coin, a proactive validation process is a natural fit with automation. It becomes a logical step in a workflow that should take place before any change is applied to a network device or service. It’s the guardrails that every organization must have, especially considering the increasing demand to have network infrastructure changes made as quickly as other IT technologies. Validation provides a method of avoiding exposure while safely allowing more network automation to occur.

Itential’s Configuration Manager empowers the network team with an automated platform that can implement traditional compliance checking along with modern configuration validation so they can be sure that the entire network, not just a portion, is configured and operating properly. With native support for both CLI and API management methods, Configuration Manager is the only solution for modern enterprise networks that leverage both physical network devices and cloud-based network services, and can ensure consistent compliance, end-to-end across the entire network.

For an in-depth look at how Itential can help your organization implement compliance validation processes, watch our recent webinar, “How to Get Proactive with Compliance Validation.” If you’re ready to give it a try for yourself, you can create your free account on the Itential Automation Platform and start validating today.

Rich Martin is the Director of Technical Marketing at Itential. Previously, Rich worked at several networking vendors as both a Pre-Sales Systems Engineer and a Systems Engineering Manager, but he started his career with a background in software development and Linux. He has a passion for automation in the networking domain, and at Itential he helps networking teams get started quickly and move forward successfully on their network automation journey.