Continuous compliance for networks use cases
This topic describes a set of use cases demonstrating how network changes are tracked and approved whether the changes are initiated by a TrueSight Network Automation network engineer (that is, Operations) or by a staff member at the BMC Remedy Service Desk.
Network change actions can include all of the following:
- Provisioning a golden template on a new device
- Updating configuration attributes across one or more devices
- Enforcing configuration policies on one or more devices
- Executing custom actions on one or more devices
- Performing a non-disruptive configuration rollback
- Deploying a software image to one or more devices
The following groups of use cases apply to the Continuous Compliance for Network Automation solution:
- Enforcing continuous compliance to Change Management processes
- BMC Remedy Incident Management integration
- BMC Atrium CMDB integration
Enforcing continuous compliance to Change Management processes
The use cases that follow deal with the enforcement of continuous compliance to Change Management processes.
Use case 1: Operator initiated changes
When network configuration changes are implemented, network engineers are required to document these changes in BMC Remedy Change Management.
To automate the change tracking and documentation process, a Network Change request is automatically created in BMC Remedy Change Management when a network user submits a Job that requires BMC Remedy approval. After the change request is approved at Remedy, the change is scheduled for execution in TrueSight Network Automation.
When the Job completes, the BMC Remedy Change ticket is closed. The BMC Remedy Service Desk user can now launch the Job Details report from the BMC Remedy Change Task to verify the change actions. In addition, from the BMC Atrium CMDB CI Relationship Viewer the BMC Remedy user can launch a Change Summary Report to view change history for a network device.
The main benefit of this solution is to enforce continuous compliance to the change process without requiring network engineers to manually create BMC Remedy Change tickets. The solution reduces the risk of unauthorized and unplanned changes through enforced change tracking and automated documentation of all changes.
Both BMC Remedy and TrueSight Network Automation users can view the Job Details report detailing the actual changes made.
Use case 2: BMC Remedy Service Desk initiated changes
In the IT environment of most large enterprises, general change requests like provisioning a new server are often initiated by the BMC Remedy Service Desk. The network group is required to make a network change to provision the server onto the network.
When the Service Desk user submits a Network Change request through Remedy, it appears in the TrueSight Network Automation Remedy Inbox where the network engineer can create a job to service the request. The job will contain the actions required to support the change request – for example, provisioning the switch port for the server.
After the job completes, the BMC Remedy Change Task is closed. The BMC Remedy Service Desk user can launch the Job Details report from the Network Task to verify the change actions. From the BMC Atrium CMDB CI Relationship Viewer, the BMC Remedy Service Desk user can also view the Change Summary report by CI to show that a switch port was configured.
The main benefit of this solution is to enforce continuous compliance and to reduce the risk of unauthorized and unplanned changes through documented and enforced change tracking.
Use case 3: Reconciling network changes made without prior approval to the BMC Remedy Change Management system
Network engineers occasionally make one-off changes without requiring any prior approvals. Reconciling jobs is a capability that ensures all changes on the network that occur without prior approval can be tracked in the Change Management system.
These changes can be made in any of the following ways:
- External to TrueSight Network Automation but detected after the TrueSight Network Automation system does a snapshot of the device
- Using the TrueSight Network Automation SSH Proxy
- Using a TrueSight Network Automation job that makes changes to network devices (that is, Deploy to Active, Custom Action, etc.)
To reconcile these jobs, a Reconcile wizard similar to the Jobs filter is available (Network > Actions > Jobs > Reconcile). For more information, see Reconciling-jobs in the TrueSight Network Automation documentation.
BMC Remedy Incident Management integration
The use case that follows applies to the integration of TrueSight Network Automation with BMC Remedy Incident Management. This integration provides the ability to automatically open network Incidents in BMC Remedy Incident Management when TrueSight Network Automation detects service-impacting events (for example, device unreachable), configuration compliance violations, or baseline discrepancies.
Use case 4: Enforcing continuous compliance to network configuration policies
TrueSight Network Automation performs network compliance audits based on security, operational, and regulatory configuration standards.
When a compliance violation is detected, TrueSight Network Automation can automatically open a Network Incident in BMC Remedy Incident Management and optionally relate a Network Change request within BMC Remedy Change Management to begin the remediation and tracking process.
The BMC Remedy Service Desk staff can view the Compliance Summary Report from the federated link on the Atrium CMDB CI Relationship Viewer, allowing users to view the details of each violation.
The BMC Remedy Change request is displayed on the TrueSight Network Automation console for resolution. The network engineer submits a job to remediate the compliance violations using the SmartMerge auto-scripting capability. After the compliance violations have been fixed, the BMC Remedy Change ticket is closed.
The main benefit of this solution is to improve compliance to security, operational, and regulatory standards through automated compliance monitoring, auditing, remediation and reporting.
BMC Atrium CMDB integration
The use cases that follow apply to the integration of TrueSight Network Automation with BMC Atrium CMDB.
Use case 5: Performing network change and configuration tasks with business service context
TrueSight Network Automation imports network CI business service relationships from BMC Atrium CMDB through the Web Services API. The business services are stored in the device inventory field called Business Services.
The TrueSight Network Automation system auto-groups network devices by Business Services so network engineers can perform network change and configuration management tasks with business relevance, such as the following:
- Display the Dashboard by groups to audit change discrepancies and compliance violations by business service. Initiate a single command from the Dashboard to remediate all violations on network devices supporting a specific business service.
- Implement jobs by business service. This enables network engineers to assess business service impact when planning configuration changes.
- Generate and schedule inventory, change history, compliance, regulatory and change discrepancy reports by business service.
- Configure policies by business service. For example, open a Remedy Incident when a high severity compliance violation is detected on any device supporting critical business services.
The following example shows how network engineering can view a Compliance Summary report for all network devices that support the Email business service.
Use case 6: Launching network reports from the BMC Atrium Explorer
TrueSight Network Automation discovers and stores configuration and change information for network CIs. You can view a variety of TrueSight Network Automation reports for a network CI from BMC Atrium Explorer. (In BMC Atrium 7.6, BMC Atrium Explorer replaces the interface known as the CI Relationship Viewer in earlier versions.)
While the integration supports orchestrating changes and incidents with one or more TrueSight Network Automation servers, CMDB Federated links should be used only when a single TrueSight Network Automation server is deployed.
The following figure shows the menu that TrueSight Network Automation adds to BMC Atrium Explorer:
The set of network reports includes:
- View Change History: View detailed configuration change history (who/what/where/when) for a network CI for planning, auditing and remediation purposes.
- View Compliancy History: Shows whether a network CI is compliant with or has drifted from configuration policies. Users can enforce any policy deviations using BMC Remedy Change Management.
- View Device Inventory Report: View detailed configuration attributes, change history, and compliance status for a network CI.
- View Device Discrepancy Report: Shows configuration discrepancies on a network CI such as differences between the Running and Startup configuration and differences between the current Running and Trusted Running (that is, the desired state). Users can synchronize the device’s Running and Startup configurations and roll back to any prior configuration by using BMC Remedy Change Management.
- View Detailed Configuration: Examine the network CI configuration archive to compare any configuration to any other configuration.
Use case 7: Launching into the BMC Atrium Explorer from device info popup windows
TrueSight Network Automation enables an administrator to create external links enabling users to launch external applications. This use case describes the case where an administrator sets up an external link for the BMC Atrium Explorer.
Using this integration, a network engineer can launch into the Atrium Explorer from an external link displayed in device info popup windows that can be accessed from the TrueSight Network Automation dashboard and device list page.
An engineer staging a change in TrueSight Network Automation can do the following:
- Check dependencies of the network devices being changed with business services, clients, and servers that depend on them.
- (From the dashboard): Quickly evaluate the impact that discrepancies and compliance violations can cause.
- (From the device list page): Quickly check these dependencies for reference purposes.
The steps for performing this integration are described in Configuring TrueSight Network Automation to launch directly into a CI.