Monday, 6 May 2019

Cyber Defense Clinic for Education

Cisco Certifications, Cisco Learning, Cisco Tutorials and Material, Cisco Guides

And it’s not just America’s problem, it’s the world’s, with an estimated one million cybersecurity positions currently unfilled globally. The lack of personnel with the right digital skills to bridge the cyber-gap is growing so fast that many in the industry are predicting a three-fold plus increase in that number by 2025. That means 3.5 million unfilled cybersecurity jobs are on the horizon. So it’s time the industry gets serious about how we’re going to fill them.

Leaders in cybersecurity must lead in cyber education


As an industry-leader in cybersecurity, Cisco suggests the first step is to attract and train more defenders. That’s why we’re stepping up to do just that through our Cyber Defense Clinic (CDC) for Education program. This program helps students gain experience as both an attacker and defender in various cyber attack scenarios. Our program offers schools across America access to:

◈ Software
◈ Equipment
◈ Preprogrammed labs
◈ Lab guides
◈ And other teaching materials,

all while giving teachers the flexibility they need to use and structure labs creatively to enhance the digital skills of their students.

We must move aggressively to evolve cyber training


As defense strategies evolve, so do those of the hackers. And both are doing so at a rapid pace. In order for students to gain a working knowledge of them, they’ll need to go beyond basic learning to submersive cyber training, where hands-on interaction with the latest cybersecurity tools enable them to hone their expertise in cyber defense.

That’s where our Cyber Defense Clinic for Education comes in, providing students with real-world insight into ransomware, phishing, common hacking tools, breach detection, incident response, and the latest defense technologies.

Advanced tools are now a must-have in cyber education


As an IT industry-leader keeping private and public sector networks secure around the world, Cisco has developed a robust internal tool called D-Cloud, designed with customers, partners, and employees in mind. It has the power to demonstrate solutions and show proof of value to thousands of users every single day.

CDC is one of the most popular tools in D-Cloud, teaching users how technology from Cisco and other companies can be applied in real-world scenarios to defend against cyber threats. As part of our ongoing commitment to training future cyber defenders, we are training educators on this innovative tool – empowering universities, community colleges and advanced high school programs with lab access.

Most importantly, we’re making it easy too. So easy, in fact, that all they need to do is logon from their laptop and they’ll gain immediate access to millions of dollars’ worth of lab solutions, including industry-leading technologies like:

◈ Identity and Access Management (IDAM)
◈ Email Security
◈ DNS Protection
◈ Intrusion Detection (IDS/IPS)
◈ Anomaly Detection
◈ Advanced Malware Detection
◈ and even Security Incident and Event Management (SIEM) from QRadar and Splunk.

Advanced digital skills are critical to a strong cyber defense


Thanks to CDC, schools now have the capability to get creative in their cyber training so students can advance their digital skills. For example, educators can:

◈ Cap off classes with lab experiences
◈ Engage via reinforcement labs throughout the semester
◈ Create staff enrichment events
◈ Develop activities that increase cybersecurity awareness
◈ Deploy half day or full day clinics for students and faculty.

Plus, CDC can be used for community outreach and student recruiting efforts (Cyber/STEM). We’re also committed to providing and maintaining the latest equipment and solutions, and reset labs after each use. Our team is always happy to work hand-in-hand with a school’s IT leaders to ensure the best user experience. By the way, it’s worth noting that by using CDC, which keeps schools separate from labs, the schools can reduce risks from outside cyberthreats.

Our team at Cisco is thrilled to offer our Cyber Defense Clinic (CDC) for Education program to both educators and students. By doing so we can all partner together, as one community, to slow and eventually bridge the growing cybersecurity skills gap.

Saturday, 4 May 2019

Accelerate Your Journey to AWS With a Cisco Cloud Ready Network

Many organizations have already developed cloud migration targets and are looking at how they can accelerate cloud adoption. As organizations increasingly embrace IaaS, PaaS, and SaaS consumption models many have selected AWS as their primary cloud provider.

While pre-application migration planning and application readiness is a key area of focus, many organizations have also realized that network readiness is also critical in accelerating and ensuring a successful cloud adoption journey. Legacy network architectures lack the simplicity, adaptability, automation and most of all application-awareness needed to deliver the best user experience. A Cloud Ready Network needs to enable a secure and optimized connectivity to cloud services from the branch/remote-offices.

Cisco next-gen SDWAN is one of the pillars of the Cloud Ready Network that can accelerate organizations adoption of cloud.

Cloud Ready WAN


To guarantee optimal end users experience an organization requires seamless connectivity between branch office locations, applications, and workloads hosted in the cloud. Many WAN solutions are ill-equipped for this task because they are generally rigid, complex to configure, and expensive to maintain. IoT adoption, a dramatic increase of the number of network devices, and the sophistication of security threats further compounds this challenge.

Cisco SDWAN on Amazon Web Services (AWS) is an overlay WAN architecture that is designed to address heterogeneous WAN connectivity and distributed users by building a scalable WAN infrastructure that reduces data transport costs and operational expenses. Cisco SDWAN for AWS helps with the following two major use cases:

Cloud Onramp for SaaS – Improving SaaS performance with SDWAN on AWS


Enterprises with the legacy WAN architecture, find it challenging to ensure a quality end user experience with their SaaS adoption. Often times a suboptimal path with increased latency is chosen to connect a user to the SaaS application in the cloud resulting in a degraded end user experience. A cloud ready network via SDWAN solves the problem by creating multiple Internet exit points and dynamically steering around bandwidth and latency issues in real-time, resulting is an optimal SaaS user experience at branches.

To achieve this the SDWAN fabric continuously measures the performance of designated SaaS applications through all permissible paths from a branch including direct internet access. For each path, the fabric computes a quality-of-experience (vQoE) score that gives network administrators visibility into application performance. The fabric also makes real-time decisions to choose the best-performing path per application per VPN between the end users at a remote branch and the cloud SaaS application and automatically fails over in case of performance degradation.

Cisco Certifications, Cisco Study Materials, Cisco Guides, Cisco Cloud

Cloud Onramp for IaaS – Faster and secure connectivity from branches to the AWS cloud

Traditional hub-and-spoke network architectures were designed to support consolidated applications and services hosted at centralized “demilitarized zones” (DMZs) and data centers. This layout forces the backhaul of internet traffic through the DMZ, creating inefficient traffic routes that increase the distance between end user and application. As an alternative, many organizations have opted to implement private circuits or MPLS to create mesh connectivity and satisfy any-to any traffic requirements. This approach can work but is costly and adds operational complexity. There is also a need to handle dynamic traffic patterns driven by seasonality, bursting, or external events.

Cisco SDWAN Cloud onramp for IaaS extends the visibility, reliability, and management of the SDWAN network from branches, remote sites, and campus to AWS. It allows for a transport independent any-to-any connectivity and end-to-end VPN segmentation. Tight integration with Amazon Virtual Private Cloud (VPC) enables organizations to automate network configurations with a consistent policy across branch, DC, and AWS, so that they can deploy and scale workloads on AWS faster. Cisco vEdge routers are deployed in a gateway VPC to connect branches and application VPCs. This enables the administrators to easily scale up the VPC environment by reducing the number of point to point tunnels between organization’s branches to host VPCs resulting in a simplified WAN management, lower transport costs, and faster time to deploy. The gateway VPC also supports workload segmentation especially when an organization deploys application VPCs across multiple AWS regions. The vManage component of the Cisco SDWAN solution, orchestrates the WAN sites and Amazon VPCs to automate connectivity and provides full lifecycle management and network visibility into the entire SDWAN environment.

Cisco Certifications, Cisco Study Materials, Cisco Guides, Cisco Cloud

Friday, 3 May 2019

Optimizing Cloud Resources + Reducing Your Carbon Footprint with TimeBox

At Cisco Engineering, innovation isn’t just something we do; it’s a way of life.

With tens of thousands of developers churning out an equal number of cutting-edge solutions at high velocity, Cisco truly is at the helm of technological innovation.

For context, Cisco has a vast amount of DevOps activities that are associated with development and these require significant resources for running workloads. The resources encompass storage, compute, memory, and associated ancillary costs such as real estate footprint, electricity, and others. Moving to the cloud does not change the fundamentals of this challenge,  even cloud workloads at the end of the day need to run on compute (and consume electricity). This landscape created the perfect opportunity for Cisco internal engineering to innovate.

Enter TimeBox.


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials
Born out of a Cisco-fueled engineering hackathon and with roots in our Kanata, Ontario, Research & Development Centre, TimeBox is an award-winning made-in-Canada solution. With two filed patents, it is taking cloud resource optimization at Cisco to new heights.

As a data-driven resource optimizer, TimeBox:

1. Understands intent.

2. Provides recommendations.

3. Monitors and heals workloads on auto-pilot.

4. Provides insight into workloads.

5. Is a one-stop-shop to discover your Total Cost of Ownership (TCO) footprint, directly mapping to financial costs.

Here is the recipe:


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials

Through machine learning, TimeBox understands the intent of historic workload computations, then uses those to make recommendations for a better schedule. Once tweaked, this schedule gets re-trained for subsequent, more sophisticated Artificial Intelligence (AI) driven recommendations. It also works as a smart assistant, automatically answering frequently posed questions and challenges encountered by our Cisco engineers. These include:

1. Determining the optimal resources required for a given workload.
2. Autonomous monitoring and healing of aborted workloads.
3. Total Cost of Ownership for a given workload.
4. Preventing accidental hoarding of resources.

In a nutshell:


Cisco Certifications, Cisco Learning, Cisco Study Materials, Cisco Tutorials and Materials

Scheduling and optimizing cloud resources is not a new idea, but using genetic modelling-based AI to solve for it may just be. TimeBox can be pervasive, with applications across any industry where the efficiency of resource allocation is critical. Where there are resources that undergo periodic consumption, there is a need for optimal capacity planning, workloads with large variety, and associated variable characteristics.

Thursday, 2 May 2019

The Future is Now! Presenting the Cisco Catalyst 9100 Wi-Fi 6 Access Points

Cisco Mobility, Cisco Study Materials, Cisco Learning, Cisco Certifications
When I was a kid, the future meant flying cars and everyone wearing the same silver jumpsuits. It’s been a few years since I was a kid and while I may not own a flying car, but I don’t have to wear a jumpsuit and working at Cisco allows me to check out all of new innovations that we bring to the world.

With the launch of our newest Catalyst 9100 Access Points, we’re continuing our journey to bring Intent-based Networking to our customers—we’re bringing the future to now. The Catalyst 9100 Access Points are the new addition to the Catalyst family and they’re also our first access points that adhere to Wi-Fi 6 (802.11ax) standard.

A lot of people have been talking about the future of the network. You may have seen Cisco CEO Chuck Robbins present at this year’s MWC in Barcelona or perhaps you tuned in to our Virtual Event announcing our new Wi-Fi 6 innovations a few days ago.

I know that you’re thinking that this is just another access point that’s meeting another standard, this isn’t flying-car news. And you’re right, it won’t bring you a flying car, but these new devices have greater bandwidth, a more dependable connection to the network and features that will continue to automate your network. These new features are going to allow for a lot of really great uses–and in a lot of ways, that’s better.

How so? How about things such as robots and advanced virtual and augmented reality (VR/AR).

Like some of you, one of my all-time favorite TV shows is the Simpsons. There was a classic episode where Lisa dreamt of the perfect school and in that dream, her teacher told her to put on her virtual reality helmet and travel back in time to days of Genghis Khan. Thanks to the Catalyst 9100 Access Points and the increased bandwidth and strong connection, this won’t be a cartoon fantasy anymore. Students are able to learn by literally immersing themselves in their studies. Whether it’s using AR to go back thousand and reliving a historical battle or delving into a scientific study.

The VR and Wi-Fi 6 partnership isn’t just for pointy haired, second grade geniuses either. Surgeons can employ VR to work on patients at a hospital on the other side of the world. This means that geography and time will no longer be the deciding factors on whether patients get the treatment they need.

Cisco Mobility, Cisco Study Materials, Cisco Learning, Cisco Certifications
To make use of this new technology, you’re going to need a reliable, scalable and secure wireless network that can handle the additional number of devices and the data that they’re going to create. That’s where the Cisco Catalyst 9100 Access Points comes in. These access points are your first step to creating that robust network needed to handle the crush of devices and applications connecting to your network.

Here are some things you can expect:

• Enhanced features: Cisco RF ASIC delivers CleanAir, Wireless Intrusion Prevention System (WIPS), Dual Filter DFS in addition to Fast Locate and off-channel RRM, which will be available in future releases. The Cisco Catalyst 9100 access points also support Target Wake Time, which is a new power-saving mode allowing the client to stay asleep and to wake at prescheduled times to exchange data with the access point. The energy savings over 802.11n and 802.11ac is significant, with up to three to four times the older standards. In addition, this improves power and battery efficiency in end devices like smartphones, tablets and IOT devices.

• Addresses the growing IoT explosion: The Cisco Catalyst 9100 access points provide multi-lingual support and application hosting of IoT protocols such as Wi-Fi, BLE and Zigbee. IoT is more than lights, heating and security cameras. From life-saving medical equipment in hospitals to restocking robots—I told you that there would be robots!—in retail to heavy machinery in manufacturing, all of these devices are considered IoT. Everything is connected and since some of these devices are literally the difference between life and death, they must be always-on. Making sure that this equipment doesn’t have downtime is paramount.

• Customizable with a programable RF ASIC: The Catalyst 9120 access point has custom RF ASIC and provides real-time analytics. When combined with Cisco DNA Assurance allows you to gain RF intelligence and visibility that can be analyzed and used to run your network more efficiently. The custom RF ASIC also has a dedicated third radio that is automatically enabled during high density scenarios. This goes along with delivering other features such as RF Interference mitigation and rogue detection.

• Reliability: always-connected, always dependable; a seamless experience. The Catalyst 9100 access points have improved roaming features allowing a better Wi-Fi experience. Add Spectrum Intelligence and Interference and Rogue Detection to the reliability mix and you can be sure that your network is clear of any issues that will hinder a seamless connection.

• Capacity: Thanks to Wi-Fi 6, there is a reduced latency with 100+ devices communicating at the same time. The Catalyst 9100 access points will also provide support in the future for both OFDMA and MU-MIMO to help to dole out application resources. OFDMA is ideal for low-bandwidth applications and increases efficiency while reducing latency. For high-bandwidth applications, MU-MIMO increases capacity resulting in higher speeds per user. Look at MU-MIMO as multiple trucks serving users simultaneously, while OFDMA is one truck serving each user.

The new Catalyst 9100 access points are poised to take your infrastructure to the next level. And with more devices being added to the network every day, this next level is where you’re going to need to be.

The future is much closer than you think. Outfitting your infrastructure is the best way of bringing the future to now.

Wednesday, 1 May 2019

Cisco Trusted Platforms

Service Provider networks serve as critical infrastructure, and the security and trustworthiness of the network infrastructure is essential and the Trusted Infrastructure video from Mobile World Congress. Providers of digital infrastructure must be able to verify whether the hardware and software that comprise their infrastructure are genuine, uncompromised, and operating as intended.  As shown in Figure 1 below, there are security and trust requirements at every layer of the Network Operating System. I will address each of these layers in this and a subsequent blog.

Cisco Trusted Platforms, Cisco Study Materials, Cisco Guides, Cisco Learning

Figure 1: Network Operating System Layers and Security Requirements

Note that not all the features listed here are available on all Service Provider platforms. Please contact the sales team for details.

Foundations of Trust


The ability to verify that a Cisco device is genuine and running uncompromised code depends on Cisco Secure Boot and Trust Anchor module (TAm).  Cisco uses digitally-signed software images, a Secure Unique Device Identifier (SUDI), and a hardware-anchored secure boot process to prevent inauthentic or compromised code from booting on a Cisco platform.

Hardware Root of Trust


A trusted element in the scope of system software is a piece of code that is known to be authentic.  A trusted element must either be immutable (stored in such a way as to prevent modification) or authenticated through validation mechanisms. Cisco anchors the root of trust, which initiates the boot process, in tamper-resistant hardware.  The hardware-anchored root of trust protects the first code running on a system from compromise and becomes the root of trust for the system.

Trust Anchor module


The Trust Anchor Module (TAm) is a proprietary, tamper-resistant chip that features non-volatile secure storage, Secure Unique Device Identifier (SUDI), and crypto services including random number generation (RNG).  See below for additional information on SUDI.

Image signing


Image signing is a two-step process that creates a unique digital signature for a given block of code. First, a hashing algorithm, similar to a checksum, is used to compute a hash value of the block of code. The hash is then encrypted with a Cisco private key, resulting in a digital signature that is attached to and delivered with the image. Signed images can be checked at runtime to verify that the software has not been modified.

Chain of Trust


A chain of trust exists when the integrity of each element of code on a system is validated before that piece of code is allowed to run. A chain of trust starts with a root of trust element. The root of trust validates the next element in the chain (usually firmware) before it is allowed to start, and so on. Through the use of image signing and trusted elements, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.

Secure Boot


Cisco Secure Boot helps ensure that the code that executes on Cisco hardware platforms is genuine and untampered. A typical UEFI-based boot process starts at the UEFI firmware and works up to the boot loader and the operating system. A tampered UEFI firmware can result in the entire boot process being compromised.

Using a hardware-anchored root of trust, digitally-signed software images, and a unique device identity, Cisco hardware-anchored secure boot establishes a chain of trust which boots the system securely and validates the integrity of the software.  The root of trust (aka. microloader), which is protected by tamper-resistant hardware, first performs a self-check and then verifies the UEFI firmware, and thus kicks off the chain of trust leading up to the integrity verification of the entire IOS XR operating system.

Cisco Trusted Platforms, Cisco Study Materials, Cisco Guides, Cisco Learning

Secure Unique Device Identifier (SUDI)


The SUDI is an X.509v3 certificate and an associated key-pair which are protected in hardware in the Trust Anchor module (TAm).  The SUDI certificate contains the product identifier and serial number and is rooted in Cisco Public Key Infrastructure. This identity can be either RSA or ECDSA based. The key pair and the SUDI certificate are inserted into the Trust Anchor module during manufacturing, and the private key can never be exported. The SUDI provides an immutable identity for the router that is used to verify that the device is a genuine Cisco product, and to ensure that the router is well-known to the customer’s inventory system.

The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). A backend system can issue a challenge to the router to validate its identity and the router will respond to the challenge using its SUDI based identity. This allows the backend system to not only verify against its inventory that the right router is in the right location but also provide encrypted configuration that can only be opened by the specific router, thereby ensuring confidentiality in transit.

Secure Storage


Cisco’s Trust Anchor technology provides a mechanism to securely store secrets on the router. The encryption of the storage space is tied to the hardware root of trust, and data cannot be decrypted without the specific hardware that was used to encrypt it. The secrets that can be stored include user passwords, customer credentials for authentication protocols such as RADIUS or TACACS, customer certificates, and any type of keys.

The combination of SUDI-based ZTP and secure storage provide very strong protection of customer configuration and secrets.

Hardware Fingerprint


Tampered hardware, particularly in transit, is a clear vector of attack. This is especially a concern when the hardware is in transit from Cisco to our customers and partners; or when a Service Provider ships their router from a holding center to the deployment center. A malicious agent can intercept the hardware in transit and tamper the hardware in a non-detectable manner.

Cisco’s Hardware Fingerprinting technology provides the ability to detect tampered hardware using the Trust Anchor. Cisco fingerprints the critical hardware elements of a router, such as CPUs and ASICs, during manufacturing and stores the fingerprint in the tamper resistant Trust Anchor. This fingerprint is not only immutable once it is inserted into the Trust Anchor but it also cannot be read back from the Trust Anchor.

When the router boots up, UEFI firmware fingerprints the hardware elements of the router at boot and creates a fingerprint of the hardware elements. This fingerprint is sent to the Trust Anchor hardware, which will compare it against the master fingerprint stored inside the hardware. UEFI firmware will only boot the router if the Trust Anchor hardware can successfully verify the observed fingerprint at bootup against the master fingerprint.

As threats evolve, Cisco continues to enhance the security and resilience of our solutions.  While no vendor can guarantee security, we are committed to transparency and accountability and to acting as a trusted partner to our customers to address today’s, and tomorrow’s, security challenges.

Tuesday, 30 April 2019

TLS Fingerprinting in the Real World

To protect your data, you must understand the traffic on your network.  This task has become even more challenging with widespread use of the Transport Layer Security (TLS) protocol, which inhibits traditional network security monitoring techniques.  The good news is that TLS fingerprinting can help you understand your traffic without interfering with any of the security benefits TLS brings to applications and complements current solutions like Encrypted Traffic Analytics.   To help our customers better understand the benefits of the approach, and to help drive the development and adoption of defensive uses of traffic analysis, the Advanced Security Research team of Cisco’s Security and Trust Organization has published a large set of fingerprints with the support of the Cisco Technology Fund.

Cisco Tutorials and Materials, Cisco Learning, Cisco Certifications, Cisco Guides

Transport Layer Security (TLS) fingerprinting is a technique that associates an application and/or TLS library with parameters extracted from a TLS ClientHello by using a database of curated fingerprints, and it can be used to identify malware and vulnerable applications and for general network visibility. These techniques gained attention in 2009 with mod_sslhaf, in 2012 with SSL fingerprinting for p0f, in 2015 with FingerprinTLS, and most recently with JA3.  We have been using this approach at Cisco since 2016.  The attention given to TLS fingerprinting has been warranted because it is a proven method that provides network administrators with valuable intelligence to protect their networks. And while more of the TLS handshake goes dark with TLS 1.3, client fingerprinting still provides a reliable way to identify the TLS client. In fact, TLS 1.3 has increased the parameter space of TLS fingerprinting due to the added data features in the ClientHello. While there are currently only five cipher suites defined for TLS 1.3, most TLS clients released in the foreseeable future will be backwards compatible with TLS 1.2 and will therefore offer many “legacy” cipher suites. In addition to the five TLS 1.3-specific cipher suites, there are several new extensions, such as supported versions, that allows us to differentiate between clients that supported earlier draft implementations of TLS 1.3.

Why is our approach different?


But here’s the catch: the visibility gained by TLS fingerprinting is only as good as the underlying fingerprint database, and until now, generating this database was a manual process that was slow to update and was not reflective of real-world TLS usage. Building on work we first publicly released in January 2016, we solved this problem by creating a continuous process that fuses network telemetry with endpoint telemetry to build fingerprint databases automatically. This allows us to leverage data from managed endpoints to generate TLS fingerprints that give us visibility into the (much larger) set of unmanaged endpoints and do so in a way that can quickly incorporate information about newly released applications. By automatically fusing process and OS data gathered by Cisco® AnyConnect® Network Visibility Module (NVM) with network data gathered by Joy, our system generates fingerprint databases that are representative of how a diverse set of real-world applications and operating systems use network protocols such as TLS. We also apply this process to data generated from Cisco Threat Grid, an automated malware analysis sandbox, to ensure that our system captures the most recent trends in malware. With ground truth from multiple sources like real-world networks and malware sandboxes, we can more easily differentiate fingerprints that are uniquely associated with malware versus fingerprints that need additional context for a confident conviction.

Our internal database has process and operating system attribution information for more than 4,000 TLS fingerprints (and counting) obtained from real-world networks (NVM) and a malware analysis sandbox (Threat Grid). The database also has observational information such as counts, destinations, and dates observed for more than 12,000 TLS fingerprints from a set of enterprise networks. We have open sourced a subset of this database that, at more than 1,900 fingerprints (and counting), is the largest and most informative fingerprint database released to the open-source community.   This database contains information about benign processes only; we are not able to publish fingerprints for malware at this time.

Cisco Tutorials and Materials, Cisco Learning, Cisco Certifications, Cisco Guides

Given the records generated from the data fusion process, we report all processes and operating systems that use a TLS fingerprint, providing a count of the number of times we observed each process or operating system using the TLS fingerprint in real-world network traffic. This schema gives a more realistic picture of TLS fingerprint usage (in other words, many processes can map to a single fingerprint with some more likely than others).

Another advantage of our database is that it provides as much relevant contextual data per fingerprint as possible. The primary key into our database is a string that describes the TLS parameters that you would observe on the wire, which allows a system generating these keys to provide valuable information even in the case of no database matches. We associate each TLS parameter in the ClientHello with the RFC that first defined that parameter and use this information to report maximum and minimum implementation dates. These dates provide useful context on the age of the cryptographic parameters in the ClientHello and are not dependent on a database match.

Monday, 29 April 2019

Keys to a Successful Automation Project

We just finished working with the analyst firm Analysys Mason on a white paper exploring the factors behind successful automation projects. They talked to a number of tier 1 operators to capture lessons learned from the rollouts of their respective automation projects.  The white paper is more focused on process than technology and I think it’s a worthwhile read for anyone embarking on any automation project.

Automation projects tend to inspire an equal mix of excitement and fear and folks often come to us for advice on what to do.  Unfortunately, there is no one right answer to this; however, as the white paper establishes, there are a few guiding principles to keep in mind:

◈ Automation is not a “Big Bang” endeavor.  Successful companies view their automation initiatives as a series of discrete steps.  Like a staircase, each step builds upon the ones before it to increase scope and capabilties of the whole over time.

◈ Each step should have its own payoff, be it cost savings, increased efficiency or something else.  Having a backloaded payoff after several years of effort is seldom a great idea for a few reasons: 1) at some point, your leadership is going to wonder why they are spending money on a project with no apparent payoff, 2) your team will get tired of the churn, also with no apparent payoff, and 3) the needs of the organization will inevitably evolve and change and your initial plan will likely be dated in under a year. Instead, view your overall automation objective as a series of individual steps and make sure each step has tangible, measurable outcomes.  At the completion of each step, use what you learned along the way to re-asses the whole project.  By doing this, you gain credibility by showing the project is doing what you said it would do, your leadership is happy that they are seeing a return on their spend, your teams’ lives are getting better in measurable ways and they feel like their value to the company in growing, and you can be sure you are never too far out of sync with the business strategy.

◈ Of the three components of the infamous people, process, technology triangle,  “technology” is probably the most straightforward. A successful project is also going to entail investing in your teams’ skills. It’s critical to remember this is a non-compressible process: while you can install new tools in a matter of hours, your team can only absorb and operationalize new technologies at a given rate and you need to take that into account in your plans. In addition, you need processes that can be automated: spaghetti logic, gappy processes and disparate ways of doing the same task are all going to create friction in your quest to automate.  The good news is that an automation initiative is an excellent excuse to clean these all up as they are currently hurting your business whether you automate or not.  Again, allow time to do this: if you get three engineers in a room, you will have four opinions on how a task should be accomplished.

◈ Recognize that there is no one true path to automation.  Look at the image below. Some folks will follow the green line and focus on automating technical domains (i.e. data center networking, firewall policy) and then eventually stitch them all together.  Others will focus on automating specific business processes (i.e. auto-scaling video delivery, new employee on-boarding) and plan to eventually cover all the company’s activities.  Both approaches offer immediate benefits and both have longer-term implications.  Neither is right nor wrong, it’s simply which a matter of which approach best matches the needs of the company at the time.

Finally, and perhaps most importantly, it’s OK to try things and it’s OK if every step is not a complete success—it’s how you are going to learn. Internalize this but also set the expectation with your team and your leadership. Learn things and adapt. Expect to change tack–while the green and blue lines are nice and neat and look good on slides, reality more likely looks like the grey line going down the middle!

Cisco Tutorials and Materials, Cisco Guides, Cisco Learning, Cisco Certifications