[00:00:00] In this lesson, we're going to talk about upgrades and compliance and how we use automation and orchestration to do that. Now, as our networks become increasingly more complex and integral to our organizational operations, the traditional manual methods of maintaining and securing our network infrastructures are simply inadequate. Automation is really what we need to use here as a crucial tool to facilitate efficiency and accuracy inside of our upgrades across large-scale networks. And also we're going to use this to help get stringent adherence to our different compliance standards through automation and orchestration. Both of these things are things we really need to consider in our high-velocity and high-availability environments.

[00:00:36] First, let's take a look at the role of automation inside of our network upgrade process. Now, when we use automation, this is going to play a critical role in the upgrading of our network components by helping us to streamline our processes, reducing the chances of human error, and ensuring consistency across the network. Whether we're trying to install security patches, firmware updates, or new features on our network devices, by using these automated scripts and tools we can schedule and execute the updates during off-peak hours, so they'll minimize downtime and disruption to our otherwise busy business operations.

[00:01:06] Now, another thing that we're going to use automation for is version control and consistency. Especially when we're dealing with large networks, we need to ensure that all of our devices are running the correct software versions, and this can be a really hard thing to do when you have hundreds or thousands or hundreds of thousands of endpoints on your network. So by using automation tools, we can conduct regular scans of the network, verify the software versions against our standard requirements and our baseline, and then for any device that is not at that baseline, we can automatically update those devices to the newer software and remove that older, outdated software for us. And this helps maintain consistency and security across the entire network.

[00:01:43] The third big area for automation is doing automated testing and validation. After you do an upgrade, you want to make sure you test your systems to ensure everything is working properly. Well, instead of me doing a simple ping command to see if the network connectivity is up, I may have a suite of tools, run by an automation script, that does lots of different things, including checking routing tables, making sure our ARP caches are clear, making sure the DNS caches are accurate, and all sorts of other things that we want to do. By using automation, we can perform systematic testing of our network functionalities and our performance after an upgrade to ensure that no issues are left and that we've identified anything that needs to be fixed.

[00:02:20] Now the next thing we need to talk about is the compliance section. Now, when it comes to compliance, what we are doing is trying to make sure that our systems, our networks, and our software are all operating in accordance with the rules, regulations, and laws that we are subject to based on where we live or what contracts we've entered into. Now when it comes to automation, you can use automation to help continuously monitor your network configurations and compare them against your compliance standards. So if you accept credit cards and you're subject to the terms of PCI DSS, you're going to want to make sure your systems are meeting those requirements, and you can do a weekly scan or a quarterly scan to verify that through automation. By doing this, you're going to be able to identify any deviations, and they can be flagged and rectified immediately. And this makes sure you're in compliance and don't run afoul of any regulations or laws, because they can have significant penalties for your organization.

[00:03:11] Another use of automation is in policy enforcement. And policy enforcement goes hand in hand with compliance, because if you have a compliance requirement that says something like you must use 15-character or longer passwords, the way you implement that is through a security policy that's going to be installed all over your systems. Well, using automation, you can write that policy once and apply it to all of your systems at the same time. Another use for this is any time you find a device that tries to connect to your network that's not in compliance with the security policy, you can automatically quarantine it, and then through orchestration you can update that system, and that will minimize the risk that that system poses until it can be patched up and then brought back onto the production network.

[00:03:49] Another great area in terms of compliance that we can use automation in is gathering up all of our logs and all of our evidence, because when we go through a compliance audit, the auditors are going to ask to see your records and your data. By using these automation tools, you can generate and preserve the logs of all your network activities, your upgrades, and your compliance measures, and then you can present all of that during a compliance audit to the auditors to ensure you can pass the audit without any issues.

[00:04:14] So now that we've covered some of the basics of automation and orchestration and their use inside of things like upgrades and compliance, I want to talk a little bit about some real-world use cases that you may apply this stuff to. Now, the first one is automated patch management. If you're dealing with a lot of endpoints on your network, each of those represents a unique vulnerability to your network and its systems. Now, to ensure that you're going to be the most secure you can be, you want to make sure that all these systems are effectively patched and maintained to the appropriate level to make sure there are no known vulnerabilities on your network. For example, I used to run a network that had over 15,000 endpoints across seven countries. That was a really big network, and it was really hard to conduct patch management at that scale. Even with the use of automation, we were still lucky to get up to 99 or 99.9% complete on our patching, 'cause there are always systems that are offline or hard to reach. But by using automation, we could usually get to 95 or 99% patch compliance within about 24 hours. And then we would spend the last week or two trying to get those last handful of machines that we couldn't find, that were not taking the patch for some reason or another. So using automation in terms of patch management is a great thing to do, and it's really going to save you a ton of time and effort.

[00:05:27] Another big use case here is compliance monitoring, and I talked about the fact that you want to do continuous compliance monitoring. And for a person to do that 24 hours a day, 7 days a week is just not realistic. But our tools, when we use orchestration and automation, don't get tired and they don't take vacation. So we can use automation tools like Chef and Puppet and DNA Center to provide continuous monitoring and management of our network configurations, and then enforce any standard configurations that we want and automatically correct any deviations back to the baseline, providing us with real-time compliance reporting and data gathering so we know the status of our networks.

[00:06:03] So remember, when it comes to automation in terms of your network upgrades and compliance, you want to use automation wherever possible because it's efficient, it's accurate, and it's reliable when conducting network management on your behalf. By embracing this world of automation, your organization can save time and money and, even better, have a more secure network that is safe from data breaches because you are patching for all known vulnerabilities. The best use cases for automation are things you're going to do on a daily basis or a weekly basis, and that are repetitive, boring tasks that have to be done at scale. Those are the kind of things where automation is king. For example, if I wanted to patch five computers, I can do that manually, but if I need to patch 5,000 computers, I really have to use automation or I'm never going to get it done.