Accurate Configurations – Why Technology Alone Isn’t the Answer

By: George Spafford

January 19, 2007

The idea behind ITIL’s Configuration Management process is to have a logical view of the world that IT supports. This means understanding the hardware, software, documentation, people, services, facilities and how they relate to one another. The desire is for an IT person with appropriate authority to be able to access the data and understand, for example, what hardware and software make up a given server? What component configuration items (CIs) make up a service and how they relate to one another.

Having an accurate and timely understanding of what is in production is vital to everyone in IT. So much so that many groups are rushing to implement automatic tools that promise to discover new and changed systems on the network. Like any tool, these automated systems have a time and a place but groups must understand the causality of their Configuration Management concerns before simply buying one of these tools and putting it into production.

In principle, these automated tools scan the network and/or monitor network traffic on a defined interval and can then load their findings directly into the Configuration Management Database (CMDB). The premise behind these tools is that Configuration Management takes a lot of work so why not implement systems to do the data collection work faster and more accurately because the tasks are so mundane. The siren song is that by implementing these tools the vital Configuration Management data will finally be accurate and current for everyone to benefit from.

The issue to consider is why isn’t the configuration data accurate today? Is it due to data entry error or because people aren’t recording the changes to the infrastructure to begin with? In some cases there are errors with the recording but the bigger problem relates most likely to uncontrolled changes in the form of new systems and changes to existing systems not being recorded into the CMDB.

Fundamentally, what groups don’t realize is that their challenge isn’t with Configuration Management. It is with Change Management. Change Management is the process by which an organization implements the necessary procedures to control changes to production and thus manage risk. It is very important to understand that Change Management governs Configuration Management – nothing should change in production, or the CMDB, without an approved Request for Change (RFC). If production is changing and nobody knows about it then this is a Change Management failure – not a Configuration Management failure.

Systems don’t magically change overnight on their own. Somebody changed them for some reason. If a service is important for an organization to need to know the configuration at a moment’s notice, then it is important enough to be governed by Change Management so the question “What changed?” can always be answered. Groups that fail to have proper Change Management fail to properly manage their organization’s risks. An automated configuration scanner that is implemented instead of Change Management, or instead of fixing what ails Change Management, is an incomplete band aid fix that fails to address the true problem and simply masks the true nature of the problem.

Concerns over bureaucracy and slowing down the rate of changes need to be carefully scrutinized. Organizations that implement appropriately designed Change Management processes find that their availability, integrity, overall security and agility actually improve as plans are scrutinized, errors detected and corrected, improvements factored in, right parties contacted, etc. The objective is to design a controlled Change Management process that balances risk with agility and the ability to support attainment of organizational goals.

The automated configuration detection tools are aids to processes – not replacements to processes. If Change Management is being bypassed then these should be flagged and investigated. The only level of unauthorized change that should be accepted by management is zero. If something changed and there isn’t and approved RFC then corrective and appropriate disciplinary action taken. A recent IT Process Institute study on the value of controls identified the two controls present in high performing IT organizations was the ability to detect unauthorized changes and disciplinary actions when processes were flagrantly disregarded.

In addition, these tools are trying to determine CI attribute details and CI relationships in a complex environment. Some of the assumptions/findings may not always be correct. Just because a change is detected doesn’t mean that the system is right. If an organizations plans to import changes into the CMDB then someone must review the proposed updates first for accuracy to ensure that the CMDB’s data integrity is protected. Furthermore, to reinforce what was stated earlier, questions must be asked about why the changes transpired by mapping them back to approved RFCs.

In closing, these automated discovery tools can help organizations collect data but they must support processes designed to meet business needs. This means that the goals of the business must be taken into account, then the IT requirements defined and then processes designed with the correct blend of people, process, and technology. Simply buying the tools and running them is not the solution. Understanding why changes are happening and gaining control over the infrastructure via an effective Change Management process to better ensure availability, integrity and overall security must be the primary focus.