A recent EMA study, The State of Network Automation: Configuration Management Obstacles are Universal, found significant dissatisfaction with the current state of Configuration Management, especially at the large network operators. It reported that 3 out of 4 IT organizations are worried that configuration changes are likely to lead to performance problems and security issues. These errors can impact any organization, even those with a leading reputation for network operations such as Facebook, which suffered a global outage in October 2021. Facebook publicly attributed the outage to a bad network configuration change.
The study goes on to prescribe that Network Automation is the key path towards improving Network Compliance and Audits. Although automation tools do help provide more consistency and reduce human configuration errors, this path ignores critical attributes of network operations in the real world. Specifically:
- No networks are fully automated. Most have people making manual configuration changes to the infrastructure.
- A large volume of planned vs unplanned changes. Ideally, configuration changes follow the change management process; however, in most organizations a large number of changes are made directly, avoiding the process for various reasons.
- Authorized vs unauthorized changes. This includes changes due to security intrusions/hackers as well as internal personnel making changes that are implicitly “allowed”.
- Multiple automation tools. Most environments have multiple tools used by different functional groups that make configuration changes including vendor-specific management tools and Element Management Systems (EMS).
The real issue is that Network Compliance and, by extension, configuration monitoring should not be conflated with Network Automation. They serve different purposes. Network Compliance and Audits need to ensure the correct configuration on actual devices and not just “golden configs” defined in automation tools. In other words, the “configuration truths” are on the actual devices and not in a CMDB or an Inventory system, nor in network management tools or network automation tools.
The Network Compliance policies and audits must validate what is on the actual devices and verify all changes made to those devices, regardless of whether they are manual, automated, or, worst case, hacked.
At SIFF.IO, this is the approach we use to ensure Network Compliance:
- SIFF collects and monitors any configuration changes, whether it is a manual change or a change initiated by Network Automation.
- SIFF applies Compliance Policies so that any misconfiguration is flagged immediately and a notification is sent. Policies are checked against existing configs as well as newly detected configuration changes, which allows new vulnerabilities to be identified on existing configs.
- SIFF integrates with one or multiple change management systems used by different functional groups to identify planned vs unauthorized changes.
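The three steps above (collect the device's running config, apply policy to it, correlate the change with change tickets), shown as an added Python example that is not SIFF's code or API. The IOS-style configs, policy names, ticket and change record are constructed for illustration.

```python
import re
from datetime import datetime
from difflib import ndiff

# Constructed sample data: the "golden" config held by an automation tool and
# the running config actually collected from the device.
GOLDEN = ["hostname edge-rtr-01", "ip ssh version 2", "no ip http server",
          "line vty 0 4", " transport input ssh"]
RUNNING = ["hostname edge-rtr-01", "ip ssh version 2", "ip http server",
           "snmp-server community public RW", "line vty 0 4",
           " transport input telnet ssh"]

# Hypothetical policies: (name, regex, must_be_present)
POLICIES = [
    ("ssh-v2-required", r"^ip ssh version 2$", True),
    ("http-server-disabled", r"^ip http server$", False),
    ("no-rw-snmp-community", r"^snmp-server community \S+ RW$", False),
    ("no-telnet-on-vty", r"^\s*transport input .*\btelnet\b", False),
]

def drift(golden, running):
    """Lines removed from (-) or added to (+) the device relative to golden."""
    return [d for d in ndiff(golden, running) if d[:2] in ("+ ", "- ")]

def violations(config, policies=POLICIES):
    """Names of the policies that the given config fails."""
    failed = []
    for name, pattern, must_be_present in policies:
        present = any(re.search(pattern, line) for line in config)
        if present != must_be_present:
            failed.append(name)
    return failed

def classify(change, tickets):
    """'planned' if an approved ticket covers device and time, else 'unplanned'."""
    for t in tickets:
        if t["device"] == change["device"] and t["start"] <= change["at"] <= t["end"]:
            return "planned"
    return "unplanned"

# Constructed change ticket and detected change event.
TICKETS = [{"id": "CHG-EXAMPLE-1", "device": "edge-rtr-01",
            "start": datetime(2024, 1, 10, 22, 0), "end": datetime(2024, 1, 10, 23, 0)}]
CHANGE = {"device": "edge-rtr-01", "at": datetime(2024, 1, 11, 3, 17)}

if __name__ == "__main__":
    print("golden config violations:", violations(GOLDEN))
    print("device config violations:", violations(RUNNING))
    print("drift from golden:", drift(GOLDEN, RUNNING))
    print("detected change is", classify(CHANGE, TICKETS))
```

Auditing only the golden config reports no violations here, while the config collected from the device fails three policies and the change falls outside any approved window.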
With SIFF, you have visibility into all configuration changes across all sources (networks, servers, apps, cloud, VMs, and containers) to meet your security compliance and audit requirements. This change visibility is not limited to those that are planned or automated.
Configuration Monitoring and Compliance is different from Configuration Automation. There are certainly overlaps, but what they do should not be confused. To learn more about how SIFF.IO can help monitor all infrastructure configuration changes and ensure policy compliance, visit SIFF.IO to find out “What the #%&$ changed?!”