Enterprises have to demonstrate operational and fiduciary responsibility in their regulatory environment. As a consequence, IT has to make operational decisions based on issues of corporate governance, security and compliance. A major operational challenge is observing and managing change in global and heterogeneous IT infrastructure while meeting the stringent government compliance requirements of Sarbanes-Oxley (SOX) and mandates of the payment card industry (PCI).

 

Compliance should not be seen as a one-time event, but as an opportunity to run the operations in a more consistent and predictable manner. Enterprises have an opportunity to implement operational policies that can lead to uninterrupted compliance, the benefits of which include decreased business risk from IT and increased business responsiveness.

 

An inseparable link exists between enterprise business and IT operations. Enterprises want to improve the economics of service delivery by reducing the cost of IT operations.

 

At the same time, there is a push to minimize business risk from IT by increasing compliance, availability and meeting service level agreements (SLAs). Much of today’s security risk and forced outages have a root cause in change control and management. CIOs want better visibility and control over their IT operations to remain compliant with policies.

 

IT Change Is Constant

 

Today, an enterprise is responsible for providing business services. However, the underlying IT infrastructure that supports those services remains in a constant state of change. For example, an online retailer’s core infrastructure consists of several classes of multivendor devices such as routers, switches, firewalls, load balancers, wide area network optimizers, performance enhancers, domain name system (DNS) servers, etc. The applications infrastructure includes various classes of servers, storage devices, databases and applications. All of these components undergo configuration changes on a regular basis. IT operations spend a considerable amount of their time and budget managing these changes to the IT core and associated applications.

 

Government and industry requirements that come with financial penalties for noncompliance exacerbate the endless IT changes. Regulatory requirements for security compliance vary from policy statements to explicit requirements for compliance - SOX is a perfect example. Operationally, SOX imposes a requirement to manage the security and configuration integrity of enterprise infrastructures and requires them to demonstrate compliance to auditors on an ongoing basis. An example of explicit requirements is the PCI Data Security Standard (DSS). The twelve requirements described within PCI DSS provide an opportunity for enterprises to build a compliant environment in which sensitive data is secure.

 

The PCI DSS requirements pertain not just to retailers, but to any credit card accepting organization from university book stores to pay-at-the-pump gas stations. Let’s face it, retail payment systems were not designed with security in mind; they were designed to add convenience to consumers’ shopping experiences. Hackers caught on to this oversight, however, and are finding new ways to exploit the weakest network links for their profitability - and they are getting good at it.

 

The impact of these regulations is that IT operations pay more attention to configuration change management, rule books and collecting logging data in each of the domains of operations. It is more cost effective for an enterprise to run its operations according to a set of corporate policies that makes it easier to respond to all regulatory requirements than to create a solution specific to each regulatory requirement.

 

New changes and requirements force IT operations to be reactive within an environment that asks personnel to do more with less. But reaction is difficult in an environment where a lack of a cross-domain communication exists between IT silos governing firewalls, UNIX servers, Windows servers, databases, networks and applications.

 

Another challenge is the rapid growth of virtualization. From a change and compliance point of view, virtualization makes manageability even more complex. Administrators need to monitor both virtual and physical resources. In the event of a change-related problem, they need to correlate information between virtual resources and the physical ones they rely on.

 

Observing the Configuration State in Real Time

 

From a business service delivery viewpoint, it is important to understand the dependencies between the configurations of today’s infrastructure resources, whether they are physical, logical or virtual. Consider this real-world example of a combination of physical and virtual environments:

 

  1. A Windows application running on a virtual environment, with a Solaris container accessing an Oracle database.
  2. The Oracle database is on another server in a different virtual local area network.
  3. The server accesses an authentication server running in a different location.
  4. The business service is also supported by DNS and other Internet protocol services.

To be truly useful, the configuration repository must show the dependencies between resources (configurable items) supporting the business service. Today’s challenge is how to get information at this level in a single unified view of the configurations and in real time – the “configuration state.” Without adequate visibility to observe the configuration state, it remains difficult to control the change and manage impact. With traditional root cause and fault isolation tools, it is not possible to ensure the visibility to observe the configuration state, detect the configuration change, who made the change and what impact the change is going to have on the business service.

 

Whatever the specific tooling, automation and control are the proper basis for uninterrupted compliance. This approach requires five steps:

 

  1. Auto discovery of configurations. The first step is to create a baseline, through auto discovery, of the configurations of the resources at the correct level of granularity, whether physical, logical or virtual. The methods used for discovery could be agentless, agent-based or a combination of the two. It is important that all relevant information be incorporated into a trusted global repository. This is essentially a real-time operational configuration management database and could be federated and synchronized with others in the system.
  2. Observing a change of state. Changes can be detected by real-time monitoring, processing of events or scheduling scans of the infrastructure periodically for security, compliance or best practices. Any changes in configuration state are compared with the baseline in the repository. If there is a change of state due to a change in a configuration, file or a log, the detection system sends an alarm. Not only is this an alarm of a failed policy, it could also trigger a notification for action to an administrator.
  3. Decision support. Once an alert has been processed to determine the violation of a security or regulatory policy, the remedial action could be an automated course of action or the creation of a trouble ticket advisory. The golden states of the correct configurations should be the ones in the repository. The change impact assessment provides decision support for the remedial action and the sequencing of tasks to address the change from a security or availability point of view.
  4. Remedial action. The next step is to download the correct configurations to the devices or the agents, as appropriate, to upgrade the resource or restore it to its known-good state.
  5. Continuous compliance. Managing change for continuous compliance requires that all policies be verified either in real time or on a scheduled basis. By comparing results over successive scans, it is possible to characterize the end-to-end behaviors of the business services and detect anomalies in real time.
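The five steps above as a single working loop, written as an added example for this article (it is not code from the article or from any product it describes): a golden baseline repository, a scan that is diffed against it, a policy table that decides whether a failed check is restored automatically or handed to a ticket, and a churn count across successive scans. The hostnames, configuration keys, policy checks and the "critical versus advisory" split are constructed assumptions for illustration.

```python
"""Drift detection against a golden baseline (added example; sample data is constructed).

Step 1: the GOLDEN dict stands in for the trusted configuration repository.
Step 2: diff_state() compares a scan with the baseline and reports every change.
Step 3: evaluate() decides whether a change violates a policy and what to do.
Step 4: remediate() pushes the golden value back for critical violations.
Step 5: churn() compares successive scans to spot resources that keep changing.
"""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Change:
    resource: str
    item: str
    old: object
    new: object
    kind: str  # "added", "removed" or "modified"


def fingerprint(config: dict) -> str:
    """Stable hash of one resource's configuration (canonical JSON)."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def diff_state(baseline: dict, current: dict) -> list:
    """Step 2: list every configuration item that differs from the baseline."""
    changes = []
    for resource in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(resource, {}), current.get(resource, {})
        if fingerprint(base) == fingerprint(cur):
            continue  # unchanged resource, skip the per-item comparison
        for item in sorted(set(base) | set(cur)):
            if item not in cur:
                changes.append(Change(resource, item, base[item], None, "removed"))
            elif item not in base:
                changes.append(Change(resource, item, None, cur[item], "added"))
            elif base[item] != cur[item]:
                changes.append(Change(resource, item, base[item], cur[item], "modified"))
    return changes


# Hypothetical policy table: item -> (predicate on the new value, severity).
# "critical" violations are restored automatically; "advisory" ones raise a ticket.
POLICIES = {
    "telnet_enabled": (lambda v: v is False, "critical"),
    "ssh_protocol": (lambda v: v == 2, "critical"),
    "ntp_server": (lambda v: v is not None, "advisory"),
    "log_forwarding": (lambda v: v is True, "advisory"),
}


def evaluate(change: Change) -> str:
    """Step 3: classify a detected change."""
    policy = POLICIES.get(change.item)
    if policy is None:
        return "ticket"  # change outside any policy: a human has to look at it
    check, severity = policy
    if change.new is not None and check(change.new):
        return "compliant-change"  # changed, but still within policy
    return "auto-restore" if severity == "critical" else "ticket"


def remediate(golden: dict, current: dict, change: Change) -> dict:
    """Step 4: return a copy of the scan with the golden value pushed back."""
    fixed = json.loads(json.dumps(current))  # deep copy, leave the scan untouched
    res = fixed.setdefault(change.resource, {})
    if change.item in golden.get(change.resource, {}):
        res[change.item] = golden[change.resource][change.item]
    else:
        res.pop(change.item, None)  # item is not in the golden state: drop it
    return fixed


def run_cycle(golden: dict, current: dict):
    """One scan cycle: returns per-item decisions and the corrected configuration."""
    decisions, corrected = {}, current
    for ch in diff_state(golden, current):
        decision = evaluate(ch)
        decisions[(ch.resource, ch.item)] = decision
        if decision == "auto-restore":
            corrected = remediate(golden, corrected, ch)
    return decisions, corrected


def churn(history: list) -> dict:
    """Step 5: count how often each resource changed between successive scans."""
    counts = {}
    for prev, cur in zip(history, history[1:]):
        for resource in set(prev) | set(cur):
            if fingerprint(prev.get(resource, {})) != fingerprint(cur.get(resource, {})):
                counts[resource] = counts.get(resource, 0) + 1
    return counts


# Constructed sample data: the 10 a.m. golden state and a 10:15 a.m. scan.
GOLDEN = {
    "fw-edge-01": {"telnet_enabled": False, "ssh_protocol": 2,
                   "ntp_server": "10.0.0.5", "log_forwarding": True},
    "db-ora-01": {"listener_port": 1521, "log_forwarding": True},
}
SCAN_1015 = {
    "fw-edge-01": {"telnet_enabled": True, "ssh_protocol": 2,
                   "ntp_server": "10.0.0.9", "log_forwarding": True},
    "db-ora-01": {"listener_port": 1521, "log_forwarding": False, "debug_mode": True},
}

if __name__ == "__main__":
    decisions, corrected = run_cycle(GOLDEN, SCAN_1015)
    for key, decision in decisions.items():
        print(f"{key[0]}/{key[1]}: {decision}")
    print("churn:", churn([GOLDEN, SCAN_1015, corrected]))
```

Note the split the example makes: the firewall's telnet change is restored immediately, while the database's disabled log forwarding and the unexplained `debug_mode` flag go to a ticket, so the alarm in step 2 is always raised but only a fraction of it triggers an unattended write to a device. The `churn()` count is the step 5 signal: a resource that differs from its predecessor on every scan is the one to investigate first.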

On-going observation of change in this manner yields a wealth of business benefits.

 

Compliance

 

Observing change that is based on a unified view results in uninterrupted verification of regulatory or compliance policy across the entire IT infrastructure. This approach provides tracking ability and traceability of changes and generates on-demand reports for audits. This process saves considerable expenses associated with preparing for and conducting external audits.

 

Risk

 

Managing change through automation and control minimizes human error and reduces potential forced outages. It reduces risk of revenue and brand reputation losses due to unavailability of services and customer satisfaction issues.

 

Reduced Operating Costs

 

Automating change results in more consistent operations across the IT domains of control. Automation improves productivity and dramatically reduces the costs of downtime by lowering the time to repair, while enhancing service availability. The economic benefits of automation are clear: lower compliance costs, more efficient disaster recovery procedures and higher consistency and predictability of business services.

 

Increased Business Responsiveness

 

By successfully managing change, business services can be more responsive to customer requests and new opportunities, and can enhance customer satisfaction.

 

Observing and managing change for continuous compliance presents an opportunity to minimize business risk through automation and control. In the process, it provides a business services perspective of the configuration state in real time, while providing a holistic solution for managing change across the domains of operations. The economics of continuous compliance are compelling; the benefits remain for all types of compliance including SOX, Federal Information Security Management Act of 2002, PCI and others.

 

Without the aid of automated change and configuration management, we may experience more situations such as these highlighted by PrivacyRights.org in its Chronicle of Data Breaches:

 

  • TJX Companies paid $256 million in fines, levies, lawsuits and court-ordered infrastructure repairs in the wake of the biggest data breach in history. [1]
  • Hannaford Bros. supermarket chain in Portland, Maine, reported a security breach that affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products - 4.2 million records were breached. [2]

Managing change to avoid unfortunate circumstances such as those of TJX and Hannaford Bros. takes preparation - only visibility into the continuous state of compliance will be an effective preventative measure. Remember, a device that is compliant at 10 a.m. may not be compliant at 10:15 a.m. Noncompliant devices may lead to gaping holes throughout the network and into consumer data held on servers. Real-time security procedures that create a baseline through auto discovery of the configurations are a must. Only by closely following these procedures can organizations manage the lifecycle of connected devices by monitoring and processing all associated IT events and properly ensuring adherence to industry and government mandates.

  

References:

 

  1. Privacy Rights Clearinghouse. “Chronicle of Data Breaches.” www.PrivacyRights.org, June 10, 2008. http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
  2. Privacy Rights Clearinghouse.
