Friday 12 February 2021

Cloud-based Solutions can Empower Financial Services Companies to Adapt While Cutting Costs


IT professionals in financial services have been instrumental to ensuring the integrity of global financial markets over the last year. Their hard work has helped keep the world’s largest economies working and financial aid flowing to those who need it most.

For them, few things remain unchanged from the pre-COVID world. Many network engineers had their hands full supporting large scale migrations to remote working. But aside from that, one constant during this time of change is that IT budgets are not increasing. “Do more with less,” “Reduce costs,” and “Extract more value,” are a few common mantras. The message is clear—each dollar spent on IT projects must have a tangible business benefit associated with it. With this increased focus on efficiency and cost, now is the perfect time for financial services companies to consider investing in cloud-based IT.

Benefits of cloud-based IT

Migrating IT infrastructure to a cloud-based platform can help improve efficiency and reduce costs for finserv companies by accelerating business processes, simplifying technology, and boosting operational efficiency. Today’s reality has required businesses to rethink how to help their employees collaborate safely while working from remote locations as they begin the return to work. By leveraging cloud-based solutions, workers and IT support teams are able to troubleshoot issues quicker, reduce downtime, and lower costs both for employees and for the end-customer.  

Supporting rapid change 

Before COVID, financial services companies were embarking on their cloud journey in pockets, with the primary focus on software development environments and on connections that provide staff with secure connectivity. The rapid changes required for companies to function during the early days of the pandemic necessitated quick adoption of cloud-based technologies for enterprise voice, contact centers, remote access, and network security. Projects that would have taken weeks or months were now being done in hours or days, driven by a need to get lines of business operational and keep companies viable. Now that the industry has successfully dealt with the crises of 2020 and has been operating in the new normal for several months, a few trends have emerged that will drive IT decisions going forward, including preparing for a return to work and facilitating future growth.

Preparing for return to work

While bank branches never closed, most campuses and offices did. Optimistic news around vaccine development and distribution has led many companies to prepare for the return to work and reconsider the landscape for the office environment.  

For example, adding cameras could help ensure compliance around masks and social distancing policies. Access sensors could help track room occupancy and ensure timely and consistent sanitation practices. In a traditional environment, implementing such practices could take up to a year. However, by taking advantage of the ability to configure a network and add components to that network without configuration of individual components, we can continue to meet the accelerated timelines required for the return to work.

Scaling for the future

Traditional companies deal with mergers and acquisitions, but for financial services companies, growth is typically purchased. Network teams are not revenue generators, and as a result, mergers have historically been underfunded and understaffed. The inevitable outcome of years or decades of that reality is a patchwork quilt of networks that are all sort-of connected. Each legacy organization retains some idiosyncrasies, issues, and non-standard hardware that require specialized support personnel. That complexity leads to lower velocity than what lines of business have come to expect throughout the pandemic. With everything needed to deploy a branch, campus, or office network, cloud adoption takes advantage of the appetite that company departments have developed for speed. This emphasizes the critical need to scale for the future growth of financial services companies and the need for simplicity.

All in all, the events of 2020 have been a catalyst for change and digital transformation within the financial services sector. Cisco Meraki offers solutions to address the challenges that come with such abrupt changes including facilitating the campus and client network, creating operational efficiencies, and reducing downtime and loss of revenue.

Source: cisco.com

Thursday 11 February 2021

Cisco introduces Fastlane+ with advanced multi user scheduling to revolutionize real-time application experience


Cisco and Apple continue to work together to deliver better experiences for customers through collaboration and co-development. Our latest project, Fastlane+, builds on the popular Fastlane feature by adding Advanced Scheduling Request to take QoS management a step further by scheduling and carving out airtime for voice and video traffic on Wi-Fi 6 capable iPhone and iPad devices. This facilitates a superior experience with latency-sensitive collaboration applications such as WebEx and FaceTime.

What is Fastlane+, and why do we need it?

First and foremost, let’s take a look at the motivation behind Fastlane+. The 802.11ax standard introduced OFDMA and MU-MIMO as uplink transmission modes to allow scheduled access-based uplink transmissions. This allows the access point (AP) to dynamically schedule uplink OFDMA or MU-MIMO based on the client’s uplink traffic type and queue depth. This decision is made on a per Access Category basis and at the start of every Transmit opportunity (TXOP) with OFDMA used for latency centric low bandwidth applications. In contrast, MU-MIMO is used when higher bandwidth is required.

With Fastlane+, the Cisco AP learns the client’s uplink buffer status using a periodic trigger mechanism known as Buffer Status Report Poll (BSRP). Nevertheless, the client devices may not be able to communicate their buffer status to the AP in a timely manner due to MU EDCA channel access restrictions and possible scheduling delays in dense environments. Additionally, the AP may not always be able to allocate adequate resource units that fulfill application requirements. Because of this, a better approximation of uplink buffer status is critical for efficient uplink scheduling.

Next, let’s compare the two 802.11ax standards-based approaches for uplink scheduling: UL OFDMA and Target Wake Time (TWT). As highlighted in the chart below, with UL OFDMA the AP has absolute control over uplink scheduling, while with TWT the client can pre-negotiate TWT service periods. A compromise thus needs to be made between the AP and the client to improve uplink scheduling efficiency in a dense RF environment with latency-sensitive traffic.


Fastlane+ is designed to better approximate the client’s buffer status based on application requirements indicated by the client. This estimation policy significantly reduces BSRP polling overhead compared to the default BSR-based UL OFDMA scheduling. Along with obtaining key parameters for active voice and video sessions to improve uplink scheduling efficiency, Fastlane+ also solicits periodic scheduling feedback from the clients.

In a nutshell, Fastlane+ enhances the user experience for latency-sensitive voice and video applications in a high-density user environment by improving the effectiveness of estimating the uplink buffer status for the supported 802.11ax clients.

Key considerations for Fastlane+

Fastlane+ is initiated for latency-sensitive voice and video applications such as WebEx and FaceTime, whose traffic characteristics can be better approximated. The AP indicates Fastlane+ support in the DEO IE, and the clients supply Advanced Scheduling Request (ASR) specific information, including ASR capability, ASR session parameters, and ASR statistics. This information is sent using Vendor-Specific Action frames that are protected using PMF (protected management frames).

Latency becomes a concern only when there is enough contention in the medium due to high channel utilization. Consequently, Fastlane+ based uplink TXOPs are allocated only when the channel utilization is higher than 50%.
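To make the scheduling rules above concrete, here is a simplified Python model added for this page; it is not Cisco’s or Apple’s implementation. The two rules it encodes come from the text: the AP replaces per-TXOP BSRP polling with an ASR-based buffer estimate only when channel utilization exceeds 50%, and each per-TXOP allocation uses UL OFDMA for small latency-centric bursts and UL MU-MIMO when more bandwidth is needed. The ASR session fields, the OFDMA size cutoff, the feedback period, and the sample clients are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of Fastlane+ uplink scheduling (not Cisco's code).
CU_THRESHOLD = 0.50        # from the text: Fastlane+ TXOPs only above 50% channel utilization
OFDMA_MAX_BYTES = 4000     # assumed cutoff: small latency-centric bursts go to UL OFDMA
FEEDBACK_EVERY = 50        # assumed: every Nth TXOP the AP still polls ASR clients for feedback


@dataclass
class AsrSession:
    """Stand-in for the session parameters a client announces via ASR (fields assumed)."""
    packet_interval_ms: float   # e.g. one voice frame every 20 ms
    packet_bytes: int           # typical uplink frame size for the session


@dataclass
class Client:
    name: str
    access_category: str        # "VO" (voice) or "VI" (video)
    asr: Optional[AsrSession] = None
    polled_bytes: int = 0       # what a BSRP poll would report (ground truth in the model)


def estimate_uplink_bytes(session: AsrSession, elapsed_ms: float) -> int:
    """ASR-based estimate: frames accumulated since the client's last uplink opportunity."""
    return int(elapsed_ms // session.packet_interval_ms) * session.packet_bytes


def pick_mode(bytes_needed: int) -> str:
    """OFDMA for low-bandwidth latency-centric traffic, MU-MIMO when more bandwidth is needed."""
    return "UL-OFDMA" if bytes_needed <= OFDMA_MAX_BYTES else "UL-MU-MIMO"


def schedule_txop(clients: List[Client], channel_utilization: float,
                  elapsed_ms: float, feedback_due: bool = False) -> Tuple[list, int]:
    """Decide one TXOP per client. Returns (allocations, number of BSRP polls sent)."""
    allocations, polls = [], 0
    fastlane_active = channel_utilization > CU_THRESHOLD
    for c in clients:
        if fastlane_active and c.asr is not None and not feedback_due:
            need = estimate_uplink_bytes(c.asr, elapsed_ms)   # no poll needed
        else:
            polls += 1                                         # default BSRP polling path
            need = c.polled_bytes
        if need > 0:
            allocations.append((c.name, c.access_category, need, pick_mode(need)))
    return allocations, polls


def total_polls(clients: List[Client], channel_utilization: float,
                txops: int, txop_interval_ms: float = 20) -> int:
    """Count BSRP polls over a run of TXOPs; compare above and below the CU threshold."""
    polls = 0
    for i in range(txops):
        _, p = schedule_txop(clients, channel_utilization, txop_interval_ms,
                             feedback_due=(i % FEEDBACK_EVERY == 0))
        polls += p
    return polls


# Constructed sample: two ASR-capable voice clients and one legacy video client.
SAMPLE_CLIENTS = [
    Client("iphone-a", "VO", AsrSession(packet_interval_ms=20, packet_bytes=200), polled_bytes=200),
    Client("iphone-b", "VO", AsrSession(packet_interval_ms=20, packet_bytes=200), polled_bytes=200),
    Client("laptop", "VI", None, polled_bytes=12000),
]

if __name__ == "__main__":
    print(schedule_txop(SAMPLE_CLIENTS, 0.70, 20))
    print("polls, busy channel:", total_polls(SAMPLE_CLIENTS, 0.70, 100))
    print("polls, quiet channel:", total_polls(SAMPLE_CLIENTS, 0.30, 100))
```

Running the two `total_polls` calls side by side shows where the polling saving comes from: below the threshold every client is polled every TXOP, while above it only the non-ASR client and the periodic feedback rounds cost a BSRP.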

System overview for Fastlane+


The diagram below shows a bird’s-eye view of an end-to-end system to support Fastlane+. Fastlane+ specific configurations can be managed from the controller’s GUI and CLI. Uplink Latency statistics provided by the clients to the AP are also displayed on the controller. These latency statistics are on a per client basis and triggered with/without an active ASR session.


Fastlane+ benefits:


To better understand the benefits of Fastlane+, let’s first define key performance indicators of a typical voice and video application. Mean opinion score (MOS) is a standard measure for quality of experience for voice applications. It is quantified on a scale of 1 – 5, with 5 being the highest and 1 lowest. To put things in perspective, 3.5 is the minimum requirement for service provider grade quality.

For measuring video quality, we use the Delay factor. This evaluates the size of the jitter buffer to eliminate the video interruptions due to network jitter. The lower the delay factor (in milliseconds), the better the video quality.


Test considerations:

The results below are from a typical collaboration application, with simulation tests performed under high channel utilization in a controlled RF environment. 16 Wi-Fi 6 capable iPhones on an 80 MHz channel were used.


Adios to choppy voice and video calls

With Fastlane+, you get a better Wi-Fi experience when you are collaborating with friends and colleagues. It doesn’t matter if you are in highly congested RF environments such as schools, offices, high-density housing, shopping malls, airports, or stadiums; Fastlane+ has you covered. So, when we’re all ready to come back, the network will be ready and waiting.

Fastlane+ is enabled by default on 802.11ax capable iPhone and iPad devices running iOS 14 or later. On the infrastructure side, it is currently supported on the Cisco Catalyst 9130 access point. On AireOS WLC platforms, the 8.10 MR4 (8.10.142.0) release has CLI-based support for the feature. On Catalyst 9800 Series WLC platforms, the 17.4.1 release has CLI and GUI (client data monitoring) support; a configuration tab in the GUI will follow in later releases. Please note that the Fastlane+ feature is listed as “Advanced Scheduling Request” in the CLI and GUI.

Wednesday 10 February 2021

Visualize, validate policy and increase remote worker telemetry with Network Analytics Release 7.3.1

We have heard it before. Securing your organization isn’t getting any easier. The remote workforce is expanding the attack surface. We need context from users and endpoints to control proper access, and IT teams need to ensure our data stores are resilient and always available to gain the telemetry they need to reduce risk. Yes, zero trust is a great approach, but network segmentation in the workplace is hard, and it can shut down critical business functions if not deployed correctly.

To answer these challenges, we are excited to announce new features in Cisco Secure Network Analytics (formerly Stealthwatch). In 7.3.1, we are introducing TrustSec-based visualizations that allow network operations and security teams to instantly validate the intent of policies. This is a big jump that provides organizations the visibility required to confidently embrace network segmentation, a critical component of the zero-trust workplace.

To answer the remote work challenge, the Cisco Secure Network Analytics team has simplified how customers obtain user and endpoint context from AnyConnect. And to ensure the expanded attack surface doesn’t increase risk, Secure Network Analytics has advanced its integration with Cisco Talos, one of the largest threat intelligence teams in the world. But there is more; read on to learn how we virtualized the Data Store to simplify how organizations big and small ensure resiliency and manage the growing volumes of data required to stay a step ahead in the arms race that is network security.

TrustSec Analytics reports offer new ways to visualize group communications between SGTs

Secure Network Analytics’ TrustSec Analytics reporting capability leverages the Report Builder application and its integration with Cisco Identity Services Engine (ISE) to automatically generate reports that map communications between Security Group Tags (SGTs) to provide users with unprecedented visibility into all communications across different groups within their environment. For security teams that want to adopt a group-based policy management program to build network segmentation but lack the resources to pursue one, TrustSec Analytics reporting lowers the entry point to doing so. Now any Secure Network Analytics user can effortlessly visualize, analyze, drill down into any inter-group communication, adopt the right policies, and adapt them to their environment’s needs.

Figure 1. A TrustSec Analytics report generated in Secure Network Analytics that displays volumetric communications between different SGTs that have been assigned and pulled directly from ISE.

Streamline policy violation investigations with TrustSec Policy Analytics reports


TrustSec Policy Analytics reports can also be generated to assess whether policies are being violated. By clicking on any cell in the report, users can gain insights into the volume of data being sent between any two groups, how that data is being distributed, the protocols being used, what ports they are operating on, and more.

Additionally, when it comes to the typically lengthy processes associated with determining a policy violation’s root cause, the capabilities offered by the TrustSec Policy Analytics report quite literally enable users to find the proverbial ‘offending-flow needles’ in their vast ‘network haystacks’. Rather than performing hours of cumbersome tasks such as conducting manual searches and cross-references across different datasets, users can get granular by drilling down into policy violations to view all associated IPs and related flows, associated endpoints, ISE-registered usernames, and events with timestamps on a single pane. This effectively enables users to streamline their root cause analysis efforts and expedite their ability to diagnose why a policy violation occurred.

Figure 2. A TrustSec Policy Analytics report generated in Secure Network Analytics with intuitive color-coded cells and labels that indicate whether communications between different SGTs are violating a policy and require further investigation.
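The following Python example, added here and not part of Secure Network Analytics or its Report Builder, shows the logic behind the two reports described above on constructed data: a small TrustSec policy matrix and a handful of flow records already tagged with source and destination SGTs and an ISE username. It builds the volumetric SGT-to-SGT matrix, flags cells whose pair the policy denies, and drills one cell down to the ports, endpoints, users and timestamped events an analyst would want. The policy, SGT names, addresses and flows are all sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed TrustSec policy matrix: (source SGT, destination SGT) -> action.
# Pairs not listed fall back to DEFAULT_ACTION (assumed deny-by-default).
POLICY: Dict[Tuple[str, str], str] = {
    ("Employees", "Employees"): "permit",
    ("Employees", "Servers"): "permit",
    ("Guests", "Internet"): "permit",
    ("Guests", "Servers"): "deny",
    ("IoT", "Servers"): "deny",
}
DEFAULT_ACTION = "deny"


@dataclass(frozen=True)
class Flow:
    """One flow record with SGTs and ISE username already attached (constructed)."""
    ts: str
    src_ip: str
    dst_ip: str
    src_sgt: str
    dst_sgt: str
    proto: str
    dst_port: int
    bytes: int
    user: str


# Constructed sample flows; in a deployment these would come from the flow collector.
FLOWS: List[Flow] = [
    Flow("2021-02-10T08:01:00Z", "10.1.1.10", "10.9.0.5", "Employees", "Servers", "tcp", 443, 120_000, "alice"),
    Flow("2021-02-10T08:02:10Z", "10.1.1.11", "10.9.0.5", "Employees", "Servers", "tcp", 22, 4_000, "bob"),
    Flow("2021-02-10T08:03:30Z", "10.5.0.20", "10.9.0.5", "Guests", "Servers", "tcp", 445, 900_000, "guest-7"),
    Flow("2021-02-10T08:04:00Z", "10.5.0.21", "203.0.113.9", "Guests", "Internet", "tcp", 443, 50_000, "guest-8"),
    Flow("2021-02-10T08:05:15Z", "10.7.0.3", "10.9.0.7", "IoT", "Servers", "tcp", 3389, 2_500, "-"),
    Flow("2021-02-10T08:06:40Z", "10.7.0.4", "10.1.1.10", "IoT", "Employees", "tcp", 80, 300, "-"),
]


def policy_action(src_sgt: str, dst_sgt: str) -> str:
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def sgt_matrix(flows: List[Flow]) -> Dict[Tuple[str, str], dict]:
    """Volumetric SGT-to-SGT matrix: one cell per group pair, with the policy verdict."""
    cells: Dict[Tuple[str, str], dict] = defaultdict(lambda: {"bytes": 0, "flows": 0})
    for f in flows:
        cells[(f.src_sgt, f.dst_sgt)]["bytes"] += f.bytes
        cells[(f.src_sgt, f.dst_sgt)]["flows"] += 1
    return {pair: {**cell, "action": policy_action(*pair)} for pair, cell in cells.items()}


def violations(flows: List[Flow]) -> List[Flow]:
    """The 'offending-flow needles': flows whose SGT pair the policy denies."""
    return [f for f in flows if policy_action(f.src_sgt, f.dst_sgt) == "deny"]


def drill_down(flows: List[Flow], src_sgt: str, dst_sgt: str) -> dict:
    """Cell detail: volume per service, endpoints, ISE usernames and timestamped events."""
    cell = [f for f in flows if (f.src_sgt, f.dst_sgt) == (src_sgt, dst_sgt)]
    per_service: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in cell:
        per_service[(f.proto, f.dst_port)] += f.bytes
    return {
        "action": policy_action(src_sgt, dst_sgt),
        "bytes": sum(f.bytes for f in cell),
        "services": dict(per_service),
        "endpoints": sorted({f.src_ip for f in cell} | {f.dst_ip for f in cell}),
        "users": sorted(f.user for f in cell if f.user != "-"),
        "events": [(f.ts, f.src_ip, f.dst_ip, f.proto, f.dst_port, f.bytes) for f in cell],
    }


def render(flows: List[Flow]) -> str:
    """Plain-text version of the color-coded report: one line per SGT pair."""
    lines = []
    for (src, dst), cell in sorted(sgt_matrix(flows).items()):
        flag = "VIOLATION" if cell["action"] == "deny" else "ok"
        lines.append(f"{src:>10} -> {dst:<10} {cell['flows']:>3} flows {cell['bytes']:>9} B  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(FLOWS))
    for v in violations(FLOWS):
        print("offending flow:", v)
```

The deny-by-default fallback is what catches the IoT-to-Employees flow that no policy cell mentions; a report that only colored the cells listed in the matrix would leave that gap unflagged.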

Increased Remote Worker Telemetry


Amidst the recent explosion of people working from home, organizations face new challenges related to monitoring and securing their remote workforces as they connect back to the network from anywhere and on anything.

Secure Network Analytics has made endpoint Network Visibility Module (NVM) data the primary telemetry source to meet these challenges, effectively eliminating the need for NetFlow to gain user and device context. Customers are gaining the following benefits:

◉ Simplified remote worker monitoring with endpoint NVM data becoming a primary telemetry source

◉ More efficient remote worker telemetry monitoring by collecting and storing on-network NVM endpoint records without the need for NetFlow

◉ Increased Endpoint Concentrator ingestion bandwidth to support up to 60K FPS

◉ NVM driven custom alerting and endpoint flow context

Figure 3. Examples of NVM driven custom alerting and endpoint flow context within the Secure Network Analytics Manager.

Introducing the Secure Network Analytics Virtual Data Store!

The Secure Network Analytics Data Store is now supported as a virtual appliance offering. Similar to the Data Store that was introduced in 7.3.0, the virtual Data Store offers a new and improved database architecture design for Secure Network Analytics that enables new ways of storing and interacting with data more efficiently. A virtual Data Store supports a 3-node database cluster with flow ingest from virtual Flow Collectors. This new architecture decouples ingest from data storage to offer the following benefits:

◉ Query and reporting response times improved by a significant (10x faster!) magnitude

◉ Scalable and long-term telemetry storage capabilities with no need for additional Flow Collectors

◉ Enterprise-class data resiliency to allow for seamless data availability during virtual machine failures

◉ Increased data ingest capacity of up to 220K flows per second (FPS)

◉ Flexible deployment options – as a fully virtualized appliance, the Virtual Data Store does not require additional rack space and can be rapidly deployed using your existing infrastructure

Enhanced security analytics


As threats continue to evolve, so do the analytical capabilities of Secure Network Analytics to deliver fast and high-fidelity threat detections. The cloud-based machine learning engine has been updated to include:

◉ System alarms have been ported to appear as notifications in the Web UI

◉ Brand new confirmed threat detections related to ransomware, remote access trojans (RAT) and malware distribution

Figure 4. New confirmed ransomware, remote access trojan (RAT) and malware distribution-related threat detections.

Tuesday 9 February 2021

Explore NSO in the new Always-On DevNet Sandbox


Today’s model-driven programmability makes the network a core foundation for revenue generation. Therefore, companies must implement network orchestration to simplify their entire lifecycle management for services. For virtualized networks, this means transparent orchestration that spans multiple domains in the network, including network functions virtualization (NFV), software-defined networking (SDN), and the traditional physical network with all its components.

This is where Network Service Orchestration, or NSO, steps up. NSO is a model-driven (YANG) platform for automating your network orchestration. It supports multi-vendor networks through a rich variety of Network Element Drivers (NEDs). It supports validating and implementing, as well as abstracting, network configuration and network services, and it supports the entire transformation to intent-based networking.

How does it work?

NSO gathers, parses, and stores the configuration state of the network devices it manages in a configuration database (CDB). Users and other applications can then ask NSO to create, read, update, or delete configurations in a programmatic way either ad hoc or through customizable network services. NSO uses software packages called Network Element Drivers (NEDs) to facilitate telnet, SSH, or API interactions with the devices that it manages. The NED provides an abstraction layer that reads in the device’s running configuration and parses it into a data-model-validated snapshot in the CDB. 


The NEDs also allow for the reverse – i.e., creating network configuration from CDB data inputs and then sending the configurations to the network devices. There are hundreds of NEDs covering all the Cisco platforms (including IOS-XE, IOS-XR, NX-OS, and ASA) and all major non-Cisco platforms. 

Want to get hands-on now? 


You’re in luck! Check out the new DevNet NSO sandbox. You’ll find a production NSO server deployed to manage the multi-platform network within the sandbox environment lab. This network is made up of Cisco NX-OS, IOS, IOS XE, IOS XR, and ASA devices, and includes Linux hosts which can be used as clients for connectivity testing. 


This always-on sandbox lab provides access to everything you need to explore the APIs for NSO, as well as to develop network automation packages and services for use in your networks. If you are just getting started with NSO APIs, check out the updated Postman Collection, which has been revised to work with the new always-on NSO Sandbox.


Now you have everything you need to get started with NSO: import the collection into your Postman client, set the environment for the new Always-On NSO sandbox, and start making API calls today! You can find the new DevNet NSO sandbox here; no reservation is required.
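For readers who would rather script the API calls than click through Postman, here is a small Python client added for this page; it is not DevNet’s or the NSO project’s code. It reads the device list from the CDB over RESTCONF (the same devices-and-NEDs view the “How does it work?” section describes) and runs the per-device check-sync action, which reports whether a device’s live configuration still matches the snapshot NSO holds, a useful check for out-of-band changes. The host and credentials are placeholders to be taken from the sandbox page or the Postman environment, the RESTCONF paths are as I know them from NSO documentation (confirm against your version), and the two sample replies are constructed so the parsers run offline.

```python
import base64
import json
import urllib.request
from typing import Dict, Optional

# Placeholders: take the real host and credentials from the sandbox page / Postman environment.
NSO_HOST = "https://NSO-HOST-PLACEHOLDER"
NSO_USER = "USER-PLACEHOLDER"
NSO_PASS = "PASSWORD-PLACEHOLDER"

# RESTCONF path as documented for NSO 5.x (assumed; confirm on your version).
DEVICES_PATH = "/restconf/data/tailf-ncs:devices/device"


def build_request(path: str, method: str = "GET", body: Optional[dict] = None,
                  host: str = NSO_HOST, user: str = NSO_USER,
                  password: str = NSO_PASS) -> urllib.request.Request:
    """Build an authenticated RESTCONF request with YANG-JSON content negotiation."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/yang-data+json", "Authorization": f"Basic {token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/yang-data+json"
        data = json.dumps(body).encode()
    return urllib.request.Request(host + path, data=data, headers=headers, method=method)


def parse_device_list(payload: bytes) -> Dict[str, dict]:
    """Map device name -> address and NED id from a device-list response."""
    doc = json.loads(payload)
    devices = {}
    for dev in doc.get("tailf-ncs:device", []):
        # device-type is a YANG choice (cli / netconf / generic ...); each branch carries ned-id
        ned_id = None
        for branch in dev.get("device-type", {}).values():
            if isinstance(branch, dict) and "ned-id" in branch:
                ned_id = branch["ned-id"]
        devices[dev["name"]] = {"address": dev.get("address"), "ned_id": ned_id}
    return devices


def parse_check_sync(payload: bytes) -> str:
    """Extract the result string ('in-sync', 'out-of-sync', ...) from a check-sync reply."""
    return json.loads(payload)["tailf-ncs:output"]["result"]


def list_devices() -> Dict[str, dict]:
    """GET the device list (read-only) and parse it."""
    req = build_request(DEVICES_PATH + "?fields=name;address;device-type")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_device_list(resp.read())


def check_sync(device: str) -> str:
    """Run the per-device check-sync action: does the live config still match the CDB?"""
    req = build_request(f"{DEVICES_PATH}={device}/check-sync", method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_check_sync(resp.read())


# Constructed sample replies in the shape NSO returns, so the parsers can be exercised offline.
SAMPLE_DEVICE_LIST = json.dumps({
    "tailf-ncs:device": [
        {"name": "edge-rtr01", "address": "10.10.20.1",
         "device-type": {"cli": {"ned-id": "cisco-ios-cli-6.67:cisco-ios-cli-6.67", "protocol": "ssh"}}},
        {"name": "core-sw01", "address": "10.10.20.2",
         "device-type": {"cli": {"ned-id": "cisco-nx-cli-5.20:cisco-nx-cli-5.20", "protocol": "ssh"}}},
    ]
}).encode()
SAMPLE_CHECK_SYNC = b'{"tailf-ncs:output": {"result": "out-of-sync"}}'

if __name__ == "__main__":
    print(parse_device_list(SAMPLE_DEVICE_LIST))
    print(parse_check_sync(SAMPLE_CHECK_SYNC))
    # Against a live NSO, replace the placeholders above and call:
    # for name in list_devices(): print(name, check_sync(name))
```

Both calls are non-mutating: check-sync only compares, it does not push or pull configuration, so the script is safe to run with a read-only NSO account as a periodic drift check.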


Source: cisco.com

Monday 8 February 2021

SAN Insights Discovery: The Match-maker tool for SAN


From the dictionary of Oxford: match·mak·er  /ˈmaCHˌmākər/  a person who arranges relationships and marriages between others, either informally or, in certain cultural communities as a formal occupation.

But what is the matchmaker doing here?

Well, in the past few years, we have seen new speeds and feeds generating a lot of synergy in the FC storage and FC switching market. It took ~5 years to transition from HDD storage based on spinning magnetic disks to hybrid arrays, followed by all-flash arrays. Now, looking at the new transition to NVMe, it seems that NVMe will be mainstream very soon.

At the same time, SAN switching took ~5-6 years to transition from 16G FC to 32G FC. But it took only 3 years for 64G FC to become a reality.

New things bring fresh challenges, right? The same goes for all SAN switching infrastructure. Whether it is a Cisco or non-Cisco SAN, it requires considerable effort to identify the right platform, technology, and set of required features.

Challenges:

There are tools in the market to help meet these challenges; however, there are also concerns:

1. Future readiness: Is my SAN ready for Nextgen FC features (64G, NVMe, etc.)?

2. Security: Is my data secured, following all security rules and adhering to security policies?

3. Interoperability: Can this tool identify and support multi-vendor switching environments?

4. Multi-platform support: Is it supported across multiple client OS?

The solution:

With Cisco’s recent announcement of the SAN Insights Discovery (SID) tool, all of the above challenges are met, along with some additional benefits:


1. Nextgen Ready SAN: The report will provide component-level details that can help us identify if the SAN is ready for 64G FC speed.

2. Security: It follows the rules set by the customer. Customers decide who they want to share their data with and when. The tool has the option to integrate the Single Sign-On for authentication.

3. Usability: A tiny program that can run on a Windows or Linux workstation. Simply provide the management IP address of any NPIV-enabled switch in the fabric, using read-only account authentication, and the tool will do the rest.

4. Result accuracy: Run this tool for a longer period of time (to capture more performance statistics) and it will prepare a more detailed, accurate picture of your SAN.

5. Migration help: Lastly, it will help you migrate/refresh by converting your existing (Cisco or non-Cisco) switch configs to Cisco MDS based SAN fabric configuration.

There is a common saying that fits this analogy: sometimes, you don’t need to make a mountain out of a molehill. That’s the story of this tool. A small, tiny tool can help you scan, identify, suggest, install, and migrate/refresh to a Cisco MDS based SAN fabric.


Ok, enough talking, what’s in it for you?

For Partners: Engage with your customers, recommend them to run the tool, suggest the right platform, and help them migrate and close business smoothly. More details can be found here (Cisco Partner level access required).

For Customers: Identify the current usage, the future requirements, select the right platform based on actual usage, and deploy without disruption. That’s a huge saving and prevents budget overspending.

That’s like extra icing on the cake, right?

And that’s the story of match-maker in our context: Identify, visualize and suggest Nextgen Cisco MDS SAN switches to our customers.

Saturday 6 February 2021

How Can Webex Control Hub Help You, the IT Admin?


A Day in the Life of the IT Admin

8:50 AM (EST): It’s the start of a typical workday, and you’ve been notified that users are having trouble joining meetings and experiencing poor video quality. You’re an IT admin at an enterprise in the middle of a large product launch, and critical virtual meetings across your leadership teams are reporting technical issues with their meetings.

As IT admins, we’ve all been through periods when the services we provide are experiencing higher than normal workloads — the type of scenario we’ve planned for. But layer on top of that a forced remote work environment brought on by a pandemic and the scenario expands, requiring additional resources, expansion of our collaboration footprint, and additional capacity. We’ve all had to pivot to the new normal.

8:53 AM (EST): You set out to tackle the issue as you normally would, but now, with Webex Control Hub, you have visibility in real-time into what’s happening across your collaboration ecosystem, along with actionable insights as to how to address it.


Digging deeper into Control Hub, you can see the dramatic increase in the total number of meetings — a trend you’ve been watching for the past month as your firm ramped up preparations for the launch.


Dig in further, you can confirm a significant increase in the number of participants. You see poor video quality indications and that colleagues in the London area are having trouble joining meetings. Plus, diving into a specific meeting that ended 20 minutes ago, you can see that your VP of product marketing, based outside London, has significant issues with their device.


Diagnosis? You first discover that their Desk Pro doesn’t have the latest patch installed. Second, after verifying with ThousandEyes that the VP’s internet service provider is having issues, you can confirm the network issue on the provider’s network status pages.

8:57 AM (EST): Armed with this near real-time insight, you can act! You quickly notify the VP of product marketing that your team is remotely installing the latest firmware patch for the Desk Pro. Plus, you communicate that their provider is aware of their network traffic issue and working to resolve it within the hour.

9:37 AM (EST): You receive notification that your VP’s firmware has been updated and that the internet provider has resolved their issue — all in time for a critical meeting marketing has with analysts and media at the top of the hour. You set a Webex Notification in Control Hub to track your VP’s meetings so that you can get an email alert in case your VP has any media quality issues.


Reducing IT’s Response Time While Empowering Long-Term Planning


Webex Control Hub received a significant revamp. With an improved user experience design, faster load times, trending charts with summary statistics, and contextual filtering capabilities, gaining visibility into the performance of your organization’s collaboration has become easier and in near real time. The result is a dramatic decrease in your team’s response time.

At the same time, with Control Hub, the partnership between your team and the business is bolstered by real insights into adoption and performance. As your organization looks to the future and planning for hybrid work environments is being debated, a better understanding of trends becomes a vital tool in planning for success. You’re able to identify gaps and weaknesses, highlight opportunities to improve, and document models that work well.

9:48 AM (EST): You continue with your morning, reviewing incident reports and monitoring systems. All services are stable, the engine is humming, and you’re free to move on to the next part of your day. You spend the following 30 minutes preparing for your meeting with the head of HR, where you’ll be reviewing the latest version of an internal HR monitoring tool. This tool provides a top-level view of the company’s team collaboration and meeting trends, leveraging data from Webex through Control Hub APIs and other data sources.

Webex Control Hub: An Essential IT Admin Tool


At Webex, we’re working to make sure Control Hub increases your ability to monitor and manage your collaboration experiences. We understand the role IT admins play in managing these complex ecosystems and how you participate in the planning for new work models, growth, and employee engagement.

Source: cisco.com

Friday 5 February 2021

A Framework for Continuous Security


Technology is at the core of business today. Maintaining the resiliency of critical data, assets, systems, and the network is mission-critical and crucial to meeting business goals. As a result, development operations (DevOps) professionals must continuously improve the overall resilience, along with the security posture, of workloads, software, and applications (Figure 1). To do this at scale and speed requires the integration of a suite of application security tools in the continuous integration/continuous delivery (CI/CD) pipelines that automate posture assessment and provide visibility to help manage security risks.

At Cisco, we learned early on that application security processes were inhibiting our business agility. We knew we had to embrace an Agile and DevOps culture as early adopters to deliver software products based on business demands rapidly and iteratively. Agile DevOps without application security automation leads to a “hurry up and wait” situation, where some processes move quickly only to be bogged down by others. With evolving technologies such as cloud, Docker, Kubernetes, open-source as well as daily and frequent release cycles, it is hard for application security teams to keep up with the threat landscape. In a typical modern application development and deployment technology stack, 80% of the code base is comprised of third-party software. Only 20% is custom code. Most of the security breaches we have seen in recent years were entirely preventable had there been necessary security measures taken, not only for the custom code but also for the third-party software.

We set out to create a DevSecOps culture that empowers the application teams to continuously build and deploy secure applications instead of being gated by a central security function. To do this, we integrated and orchestrated a suite of application security tools within CI/CD pipelines under a program called Continuous Security Buddy (CSB) for CI/CD pipeline edition. It enables the development teams to ramp up their application security program while making application security transparent and friction-free.

Figure 1: DevSecOps – Security Implementation as Code

We used the following basic principles in the design of the program:

◉ Co-design and co-develop the security automation solution so it can work for the DevOps teams

◉ Integrate the DevSecOps workflow and empower the developers by giving them the flexibility to choose their application security tools

◉ Propagate security compliance requirements and hence eliminate the security friction points between security and development teams that impact development velocity

Co-design and Co-development of the Solution

We initially co-designed and co-developed the reusable automated security capabilities of CSB for CI/CD through joint scrum planning with teams from Cisco Webex. To encourage adoption across development teams, we created an innovative, configurable rollout of the CSB for CI/CD shared libraries to simplify the process.

Shared libraries are collections of pipeline code written for Jenkins that any pipeline can reference in order to reuse available code quickly. With one line of code in a Jenkins pipeline, developers can access all the security scans available in the shared library. The shared library framework simplifies both the code contribution workflow, via the inner-source process, and the reuse of code configuration in the pipeline by any team using Jenkins.

We quickly learned that we also needed a CI-agnostic solution for teams that used other CI tools. We provided one using containers published in a centralized repository, which development teams access via Docker.

Security Scan Flexibility

Users can choose what types of automated security scans they want to configure and run. For example, a production pipeline may consist of a binary image scan, static code analysis scans, and a way to view a consolidated report of the scans. The final step in the automation process is to send the scan results, aligned to the Security Control Framework (SCF), to a centralized security platform to meet compliance requirements. These features are all available as part of the shared library, and the user only needs to add configuration parameters to run them. As part of the CI process, security scans are configured and triggered to run whenever there is a code change. Developers can then continuously monitor the scan results for any new security issues.

Automated Compliance Reporting

Using the CSB for CI/CD shared library, teams can view the reports generated by each security scan on the Jenkins dashboard and identify any failing security checks. Teams can also send the security results data through a centralized interface to Jira to support assessment processes such as reviews by security architects. A consolidated report is generated (as shown in Figure 2) that shows an overall compliance score, which takes into account which scans were enabled in the job (e.g., binary scans, static code analysis, and dynamic scans). Developers can then use this report to find quick fixes that improve the security posture.

Figure 2. CSB for CI/CD Scan Report
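The two ideas in the sections above, scans that a team enables per job and a consolidated report whose compliance score only counts the scans that were enabled, can be illustrated with a small report builder. This is an added example, not code from Cisco's CSB for CI/CD program: the scan names, the control identifiers (placeholders standing in for the SCF controls, which the page does not list), the severity threshold and the sample findings are all constructed. One design point the prose leaves implicit is handled explicitly here: an enabled scan that produced no result is reported as "missing" and counted as a failure, so a stage that silently never ran cannot inflate the score.

```python
"""Consolidated scan report with an enable-aware compliance score.

Added illustration, not Cisco's CSB for CI/CD code. Scan names, control
identifiers and sample findings are constructed placeholders.
"""
from dataclasses import dataclass

# Scan types a pipeline may enable, each mapped to a placeholder control
# identifier (constructed; stands in for the SCF control the scan evidences).
SCAN_CONTROLS = {
    "binary_image": "CTRL-IMAGE-PLACEHOLDER",
    "static_code": "CTRL-SAST-PLACEHOLDER",
    "dynamic": "CTRL-DAST-PLACEHOLDER",
}

# Findings at or above the configured severity fail the scan's control.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    scan: str
    severity: str
    title: str
    fix: str = ""  # remediation hint surfaced in the report as a quick fix


@dataclass(frozen=True)
class ScanResult:
    scan: str
    findings: tuple  # tuple of Finding


def evaluate_scan(result, fail_at="high"):
    """Return (passed, blocking_findings) for a single scan result."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in result.findings if SEVERITY_RANK[f.severity] >= threshold]
    return not blocking, blocking


def consolidate(enabled_scans, results, fail_at="high"):
    """Build the consolidated report for one pipeline run.

    Only scans the job enabled count toward the score, so a team that
    enables a single scan is not penalised for scans it never configured.
    An enabled scan with no result is reported as "missing" and counted
    as a failure: a control without evidence is not a passed control.
    """
    by_scan = {r.scan: r for r in results}
    controls = {}
    quick_fixes = []
    for scan in enabled_scans:
        if scan not in SCAN_CONTROLS:
            raise ValueError(f"unknown scan type: {scan}")
        result = by_scan.get(scan)
        if result is None:
            status, blocking = "missing", []
        else:
            passed, blocking = evaluate_scan(result, fail_at)
            status = "pass" if passed else "fail"
        controls[SCAN_CONTROLS[scan]] = {
            "scan": scan,
            "status": status,
            "blocking_findings": len(blocking),
        }
        quick_fixes.extend(f.fix for f in blocking if f.fix)
    passed_count = sum(1 for c in controls.values() if c["status"] == "pass")
    score = round(100 * passed_count / len(controls)) if controls else 0
    return {"score": score, "controls": controls, "quick_fixes": quick_fixes}


def deploy_allowed(report):
    """Gate for a production pipeline: every enabled control must pass."""
    return all(c["status"] == "pass" for c in report["controls"].values())


# Constructed sample results, shaped like a scanner wrapper's output.
SAMPLE_RESULTS = (
    ScanResult("binary_image", (
        Finding("binary_image", "critical", "Outdated base image with a known vulnerability",
                fix="Rebuild the image on the patched base image tag"),
    )),
    ScanResult("static_code", (
        Finding("static_code", "medium", "Unchecked return value"),
        Finding("static_code", "low", "Unused import"),
    )),
    # no "dynamic" result: the job enabled it but the stage never ran
)


def sample_production_report():
    """Report for a job that enabled all three scans."""
    return consolidate(["binary_image", "static_code", "dynamic"], SAMPLE_RESULTS)


def sample_sast_only_report():
    """Report for a job that enabled only static analysis."""
    return consolidate(["static_code"], SAMPLE_RESULTS)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_production_report(), indent=2))
```

With the sample data the full production job scores 33 (one of three enabled controls passed), the critical image finding's remediation hint is listed as a quick fix, and the gate refuses the deployment; the SAST-only job scores 100 because its only enabled scan has no finding at or above "high". The per-control dictionary keyed by control identifier is the shape a central security platform or a Jira integration would consume.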

Measuring Progress and Success

After initial development with our Webex team, we scaled the CSB CI/CD approach across several business units at Cisco. We measured the agility, reliability, efficiency, quality, and success of the CSB for CI/CD shared library to ensure the system was operating effectively.

With the program now in place for over a year, some of the business value we were able to deliver is captured in Figure 3.

Figure 3. CSB for CI/CD Benefits