Co-authored by Gavin Littleboy
Challenges in Network Compliance
Government agencies face significant challenges in maintaining network compliance due to the ever-increasing complexity of regulations. From NIST 800-53 and cybersecurity vulnerabilities to security requirement guides such as the DISA Security Technical Implementation Guides (STIGs) for the Department of Defense, comprehensive measures require configuring and maintaining networks so that they stay compliant and are secure against vulnerabilities and threats. Compounding this problem are the limited budgets and resources available within government entities, which can make it difficult to allocate enough personnel and tools to manage compliance effectively. Additionally, the need to integrate diverse technologies and legacy systems further complicates compliance efforts. These systems often lack the flexibility needed to adapt quickly to new and evolving threats, making the task of achieving and maintaining continuous compliance an ongoing struggle. Agencies are looking at how automation and orchestration can help with these challenges.
Evolution of NetOps and SecOps Teams
The evolution of NetOps and SecOps teams is transforming how government agencies approach network compliance and security.
Confused by NetOps, DevOps, and SecOps? See details here – What is NetOps?
Traditionally working in silos, these teams are now increasingly required to collaborate and address shared challenges. NetOps teams want to deploy continuous network automation and validation to simplify operations, improve the speed and efficiency of service delivery, and improve the performance and resiliency of critical network infrastructure. SecOps teams are constantly responding to evolving threats such as vulnerabilities created by configuration errors, neglected updates, and insufficient visibility into security posture, which delays response efforts.
The Need for Automation to Scale
Automation is required to scale these efforts, enabling teams to efficiently manage routine tasks and respond swiftly to threats as network demands grow. Many technical challenges exist in automating network compliance. For example, what are we looking for when it comes to network compliance? For networks, we are validating end-of-life equipment, code versions, CVE/PSIRTs (Common Vulnerabilities and Exposures/Product Security Incident Response Teams), security implementation guides such as the DoD STIG, and network and organizational standards. As this list of compliance considerations demonstrates, there are numerous touchpoints that quickly make compliance a challenging task, one that becomes a “firefight” scenario where all resources are urgently focused on catching up on compliance before the next audit. As it pertains to network configurations, there are three patterns in compliance checks.
Patterns Around Network Compliance
A given compliance requirement necessitates the evaluation of either a network configuration or network state. These checks generally fall into three evaluation patterns: match configuration, match variables, or match business logic.
Configuration matches look for exact matches in configuration. Examples include disabling or enabling services such as http or password-encryption. Variable matches look for partial or variable-substitution matches in configuration. Examples include validating that multiple NTP (Network Time Protocol) servers are configured or that configured BGP (Border Gateway Protocol) neighbors are using authentication. Business logic matches look for organizationally defined patterns in configuration. Examples include validating that a boundary access control list is applied to the correct interface and that it blocks organizationally defined protocols. This last pattern is the most complex to implement and varies widely between organizations based on the local implementation of the required policy.
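The three check patterns above, sketched as an added example (not from the original article, and not Cisco NSO's compliance engine or API): plain Python run over a constructed IOS-style configuration. The function names, addresses, interface, and the ACL name BOUNDARY-IN are assumptions chosen for illustration.

```python
import re

# Constructed IOS-style configuration (sample input, not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
no ip http server
ntp server 192.0.2.10
ntp server 192.0.2.11
router bgp 65001
 neighbor 198.51.100.1 remote-as 65002
 neighbor 198.51.100.1 password 7 0000000000
 neighbor 198.51.100.2 remote-as 65003
interface GigabitEthernet0/0
 ip access-group BOUNDARY-IN in
ip access-list extended BOUNDARY-IN
 deny tcp any any eq telnet
 permit ip any any
"""

def blocks(config):  # map each top-level line to its indented child lines
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip():
            head = line.strip()
            out[head] = []
    return out

def missing_exact(config, required):  # pattern 1: exact configuration match
    present = {line.strip() for line in config.splitlines()}
    return [r for r in required if r not in present]

def ntp_servers(config):  # pattern 2: variable match (any server address)
    return re.findall(r"^ntp server (\S+)", config, re.M)

def bgp_unauthenticated(config):  # pattern 2: neighbors lacking a password
    peers = set(re.findall(r"^ neighbor (\S+) remote-as", config, re.M))
    authed = set(re.findall(r"^ neighbor (\S+) password ", config, re.M))
    return sorted(peers - authed)

def boundary_findings(config, interface, acl, blocked):  # pattern 3: business logic
    b, findings = blocks(config), []
    if f"ip access-group {acl} in" not in b.get(f"interface {interface}", []):
        findings.append(f"{acl} not applied inbound on {interface}")
    rules = b.get(f"ip access-list extended {acl}", [])
    for proto in blocked:
        if not any(r.startswith("deny") and r.endswith(f"eq {proto}") for r in rules):
            findings.append(f"{acl} does not deny {proto}")
    return findings
```

The ACL check only looks for a matching deny entry; it does not evaluate rule order or shadowing, which a production audit of the business-logic pattern would also need.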
Today, SecOps teams use their domain-specific auditing tools to audit the network and create reports. These reports are then shared with the NetOps team, who must interpret them, translate them into network-domain configurations, and then implement the network change. This lengthy process then repeats.
Automation Enables Continuous Compliance
Imagine a network automation platform where NetOps and SecOps can leverage unified tooling to solve common goals and enable continuous compliance auditing, reporting, and remediation. Security teams typically describe compliance “intent” in the form of rules that validate whether a network configuration satisfies the criteria. Network operators must satisfy not only these compliance requirements, but also network design requirements and other factors when creating a final template to be applied to the network.
Cisco Crosswork Network Services Orchestrator (NSO) provides this capability by enabling network operators to automate and manage complex networks with ease, with a built-in compliance engine to validate network compliance. It offers a flexible and powerful solution that supports configuration management, service orchestration, and network-wide policy enforcement. Cisco NSO 6.x comes with significant compliance updates such as compliance templates and an intuitive compliance reporting interface, and continues to introduce features to cover the patterns above. Cisco NSO has modern APIs and a stateful database where continuous compliance can be validated based on real-time network state and reported up to northbound systems. Cisco NSO is also model-driven, meaning data models and their intents can be directly translated into intended implementation state in the network. This enables a new paradigm in which SecOps teams can audit and report compliance checks with the same tooling and configuration templates that the NetOps team has defined for the network for remediation. With Cisco NSO, teams can ensure consistent compliance across multi-vendor network elements, streamline operations, and improve collaboration between different teams within an organization.
To learn more about Cisco Crosswork NSO or to see examples of how to build compliance templates, see below.
Crosswork NSO Solution Overview
Compliance Reporting Examples Repository on NSO Developer GitHub
Closing Thoughts
As the roles within NetOps and SecOps evolve, fostering a culture of learning and adaptability ensures that personnel can effectively manage new technologies and regulatory requirements. By building cross-functional expertise and problem-solving capabilities, agencies can address current compliance needs and anticipate future demands, leading to more resilient and responsive operations. Achieving effective compliance solutions and leveraging automation yields substantial returns on investment (ROI) for government agencies, resulting in notable cost savings and enabling agencies to allocate resources more strategically and focus on their core missions. This not only protects the agency’s reputation but also ensures the uninterrupted delivery of essential services.
To dive deeper into network compliance and automation, join us at Cisco Live San Diego from June 8-12, 2025 for two insightful sessions exploring strategies and solutions to enhance your network operations:
DEVNET-2144 – “Automating Network Compliance: Leveraging Cisco NSO for Compliance Auditing, Reporting, and Remediation”
DEVWKS-2083 – “The Journey of Automating Network Compliance using Cisco NSO”
If you would like to learn more about how Cisco can help with your compliance needs or to get started on your automation journey, reach out to your Account Team.
Additional Relevant Links
Learn more about other Cisco solutions to help government agencies with compliance
Cisco SaaS Compliant Product Availability