Using Technology to Meet Asset Management Requirements for FFIEC Regulations



The prior blogs in this series, listed at the bottom, have discussed the various regulations affecting CIOs and their IT organizations. The purpose of that work was to understand the applicability and complexity of those regulations as they relate to technologies, so that we can evaluate the technologies used to help teams meet these requirements. The purpose of this blog is to discuss a few ways in which tooling and automation capabilities can be used to meet the asset management requirements of the FFIEC Operations Guide.

Financial institutions are regulated to be able to manage, secure, and audit their IT estate. They cover multiple product sets with different operating systems by nature, and are tasked to create a cohesive asset management framework. At Cisco, we work with these different groups, and their deployments of best-in-class technologies. But when we are dealing at the regulatory level, we need to step back from our traditional way of doing business and consider the bigger picture.

From the regulators' perspective, they don't care about how you manage and patch your data center switches.

And they don't care how you manage and patch your campus switches.

Or the load balancers.

Or virtual machines.

The regulatory bodies and senior leadership care about ALL of it. From the physical to the virtual, from the endpoint to the cloud. Thus a framework that can merge different systems together is fundamental to the role.

The IT administrators and their leadership are tasked with identifying, patching, and securing all of their network.

Here are two different approaches that help manage the assets across the breadth of the estate.

  1.  An enterprise-ready, multi-vendor, cross-architecture solution that is built on over a decade of doing this for service providers.
  2.  A functional code example of how existing Cisco controller solutions can be pulled together at the API level to create a framework (into which other vendors can be included), so that your knowledge of your span of control is up to date and can be assessed.

Using Cisco Business Process Automation

The first solution is Cisco's Business Process Automation. This is a scalable, microservices-based platform that is vendor AND controller agnostic. It is pre-integrated with Cisco NSO and Ansible and is capable of working with other Cisco and third-party orchestrators. It provides the ability to automate and monitor operating system automation and configuration compliance with golden images.

The benefit of this approach is that you can abstract the entirety of the span of control and work on provisioning consistent services securely. It provides an API which allows for easy auditing of the entire breadth of the environment, from the physical to the virtual, including third parties. It supports multiple workflows to manage a compliant infrastructure, from device onboarding with ZTP, to handling asset management, to ensuring golden software and configurations are applied and compliant.

BPA allows us to incorporate the business logic and integrate change management with inventory management, to meet the organization's requirements and move to an Infrastructure as Code mode of operation. Its inherent support for multiple controllers fits in well with the need financial institutions have to support their existing infrastructure, including legacy and modern constructs.

Using Controllers and API-based Solutions

The second approach is to leverage a home-grown solution where a framework is created to extract and monitor compliance of an entire estate in a multi-controller and multi-vendor world. This can be useful for organizations that already have in-house tooling or capabilities, and seek to manage their controllers at the API level.

We intend to show how this can be done practically using a number of Cisco hardware and software products, and the framework would bolt in to any other third party and provide functional, easy-to-use code that can create a single asset management table for products in the Cisco portfolio.

We do this by integrating the controller solutions below into a single table which can be cross-referenced and then pushed into ServiceNow:

  • ACI
  • Multiple DNAC instances
  • Meraki
  • Intersight
  • Cisco SD-WAN

As of December 2022 it is done in cloud-based DevNet sandboxes. There is also a reference on how this can be reconciled and pushed into ServiceNow (so that the system of record can be updated following software changes, or reconciled). The code to do this is all functional, with the one exception being that you will need to provision a ServiceNow account or developer instance (and modify the authentication/URL).

This is functional code, which is easy to run against real sandbox environments, and can be validated and repurposed for your environment.

While we cannot control third-party products and how they integrate, the framework would allow other equipment which supports REST API to create a state table for inventory asset management. The framework is rather simple: capture inventory from a number of systems using REST API, and normalize to a consistent list of all assets in those systems. From there, you can update ServiceNow or another system of record.

This process is discussed in greater detail in this blog, but the highlight is that it is easy to run (so easy a barista with no programming experience can do it!), and uses our cloud infrastructure to show the functional code and framework: Cross Domain Inventory Demo

The end result is a cross-domain inventory of multiple Cisco products, and a framework for adding other vendors, in a consistent table of network state, which can be used to validate compliance. This can then be used to update your system of record (ServiceNow) with your system of truth, to ensure your documented state is up to date with your operational state.

Secondarily, the script uses an example of pushing into ServiceNow to show how to compare a system versus a system of record. In my example it uses ServiceNow as a system of record, and gets the current documented state from ServiceNow. It then does a Pandas SQL join to show the difference between the system and the system of record, and allows you to update the system of record (ServiceNow).

The same mechanics apply to comparing the system versus a list of golden images, validating software across all systems versus the golden images required.

Comparing current state versus ServiceNow

InventoryNotInSvcnow_df = theBigInventory.merge(svcnow_inventory_df, how='outer', indicator=True, left_on=["Hostname", "IP Address", "Model", "Version"], right_on=["name", "ip_address", "model_number", "firmware_version"]).loc[lambda x: x['_merge'] == 'left_only']

Comparing current state versus the list of standard images (what is versus what we expect)

InventoryNonConformant_df = theBigInventory.merge(GoldenImages, how='outer', indicator=True, left_on=["Model", "Version"], right_on=["Model", "firmware_version"]).loc[lambda x: x['_merge'] == 'left_only']
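
The two comparisons above, extended as an added example (not code from the original blog or the Cross Domain Inventory Demo): joining on hostname alone lets an asset that is missing from the system of record be reported separately from one whose recorded IP, model or version has drifted, and the golden image check reports why an asset fails. The sample rows, the `reconcile` and `non_conformant` helpers, and the assumption that hostname uniquely identifies an asset are constructed for illustration; the column names follow the merges above.

```python
import pandas as pd

# Constructed sample data; column names follow the merges on this page.
INVENTORY = pd.DataFrame(
    [["dc-leaf-01", "10.0.0.11", "MODEL-A", "1.2.3"],
     ["campus-sw-07", "10.0.1.7", "MODEL-B", "4.0.0"],
     ["branch-ap-03", "10.0.2.3", "MODEL-C", "9.9"]],
    columns=["Hostname", "IP Address", "Model", "Version"])
SVCNOW = pd.DataFrame(
    [["DC-LEAF-01 ", "10.0.0.11", "MODEL-A", "1.2.3"],
     ["campus-sw-07", "10.0.1.7", "MODEL-B", "3.9.0"],
     ["old-router-01", "10.0.9.1", "MODEL-D", "2.0"]],
    columns=["name", "ip_address", "model_number", "firmware_version"])
GOLDEN = pd.DataFrame([["MODEL-A", "1.2.3"], ["MODEL-B", "4.0.1"]],
                      columns=["Model", "firmware_version"])

def _norm(df, col):
    """Trim and lowercase a join key so cosmetic differences do not look like new assets."""
    out = df.copy()
    out[col] = out[col].astype(str).str.strip().str.lower()
    return out

def reconcile(inventory, record):
    """Map each asset to match, drift, unrecorded or stale_record (assumes unique hostnames)."""
    m = _norm(inventory, "Hostname").merge(_norm(record, "name"), how="outer",
                                           left_on="Hostname", right_on="name", indicator=True)
    pairs = [("IP Address", "ip_address"), ("Model", "model_number"), ("Version", "firmware_version")]
    differs = pd.Series(False, index=m.index)
    for left, right in pairs:
        differs |= m[left] != m[right]
    m["status"] = "match"
    m.loc[differs, "status"] = "drift"                             # recorded, but attributes changed
    m.loc[m["_merge"] == "left_only", "status"] = "unrecorded"     # on the network, not in the record
    m.loc[m["_merge"] == "right_only", "status"] = "stale_record"  # in the record, not seen on the network
    m["asset"] = m["Hostname"].fillna(m["name"])
    return m.set_index("asset")["status"].to_dict()

def non_conformant(inventory, golden):
    """Return {hostname: reason} for assets not running an approved image for their model."""
    approved = golden.groupby("Model")["firmware_version"].apply(set).to_dict()
    findings = {}
    for row in inventory.to_dict("records"):
        allowed = approved.get(row["Model"])
        if allowed is None:
            findings[row["Hostname"]] = "no golden image defined for model"
        elif row["Version"] not in allowed:
            findings[row["Hostname"]] = "version not approved"
    return findings
```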

There are multiple ways to leverage Cisco products in a holistic manner to meet FFIEC asset management requirements, through either the base API or a complete turnkey solution (and different options in between). The next blog will cover how to use the different controller-based products to meet other areas of the regulatory requirements.

Prior Blogs

Introduction to Understanding FFIEC Regulations

FFIEC Cybersecurity Maturity Tool

The FFIEC’s Architecture, Infrastructure, and Operations Book
