Jeff Dufresne, VP, Asset & Configuration Management, Information Technology, CIT Group
Cloud computing, analytics and mobile are garnering headlines these days. However, there is not nearly as much fanfare for IT solutions that govern the IT assets and processes that bind these technologies together. Known as Configuration Management (CM), the discipline of evaluating, coordinating, approving and implementing changes to IT hardware and software traces its roots back to the management of military assets in the 1950s.
" The benefits of CM extend well beyond making IT infrastructure more secure—adopters report significant headway in reducing compliance costs and avoiding system outages"
In recent decades, CM has been adopted by companies in nearly every sector of the U.S. economy, as the discipline has transitioned from traditional holistic approaches to more technical oversight that includes the mapping of applications and dependencies. In large part, this evolution has been driven by the rapid pace of technological change. As companies increasingly move to a virtual IT environment, they need to understand how each IT asset, or Configuration Item (CI), relates to the others and how the assets and the data they are running are being accessed and employed. The benefits of CM extend well beyond making IT infrastructure more secure—adopters report significant headway in reducing compliance costs, boosting the productivity of IT staff, and avoiding system outages.
Yet many companies continue to hold off on adopting CM databases (CMDBs) and other tools. While the evidence continues to point to growth in CM adoption, the value of such tools may not be fully understood. A couple of years ago, CIT began working with a third-party provider to implement a CMDB. We have seen the widespread impact the CMDB has on our organization across four main dimensions: change management, incident management, asset management and request fulfillment.
IT infrastructure is constantly evolving. It might not seem like a major change, but something as simple as swapping out a hard drive or adding memory to a machine can have significant ripple effects on other assets in your system.
If something does happen—say the server malfunctions—you need to be able to understand what other CIs link to that server and are likely going to be impacted. A CMDB puts you in a position to map out these linkages and think about potential workarounds in the event of such an outcome. Using CMDB information, you might even schedule a change to a server outside of critical periods of operation, such as month-end.
This is one area where the real value of CM shines through—the whole notion of automation and discovery is light-years ahead of past manual approaches that took much more time to resolve and were vulnerable to human error and potential IT lapses.
With a lot of IT infrastructure being virtualized, companies still require applications to support key business processes. The key to maintaining operations is knowing where the application is actually hosted. Also, your organization may not even own or operate the infrastructure, which makes managing that information more difficult.
Enter a CMDB. A few years ago, after a series of powerful storms demonstrated the potential impact of disruptions, CIT embarked on a migration of our data centers. When the process is complete in 2016, CIT will call on two co-located data center sites that are more than 250 miles apart and managed by two separate third-party providers. CM is playing a critical role in this by constantly tracking where our applications are stored and when an application switches from being hosted on one server to another. If there is an outage at one of our two data centers, we can easily determine which applications are being hosted there and work to restore them based on the business criticality of each as defined by the business in the CMDB.
Without that capability, it would take us much longer to resolve this type of service outage. As such, the dynamic nature of the CMDB helps ensure that we have access to the information we need to make effective business decisions.
One of the biggest security and compliance risks businesses run into these days is the unauthorized use of devices and software applications. It used to be fairly simple to manage IT assets—after all, they were often all contained in the same room. No longer: assets are spread across facilities and beyond through the use of virtual networks and servers.
When businesses lack a common means for identifying those assets, it can be difficult to harmonize the data. Moreover, the costs of improper use and access of IT assets can be high. Our CMDB enables us to minimize that level of risk and maintain proper controls. At any point in time, we need to be able to show our auditors that we have adequate controls over access to data and what infrastructure we have running in our environments. The CMDB also helps us keep track of our software licenses and automatically alerts us when we’ve exceeded our thresholds.
Of course, plenty of valid requests for access to IT processes and servers come up in the daily course of business in any large corporation. For instance, an employee might need access to a Windows server to pull data. In the old days such requests could be both time-consuming and approved in a vacuum. Requests used to come in by e-mail and then be forwarded on to the data’s actual owners. The process was unwieldy, and it could expose the company to risk—it would not necessarily be immediately apparent if the server contained confidential information or was running a critical process.
Now, at CIT, data and access requests are structured leveraging the data in our CMDB. Requests are automatically routed to managers for their approval and then passed on to the data owner for their approval. All interactions are recorded. At any point in time, we can show who requested access to an application or server, who approved it, and when. In this way, we save time and are much more likely to prevent security lapses and business disruptions.
When I think of life before configuration management, it reminds me of the pre-Internet days. People and businesses were a lot less productive, information was not always at your fingertips, and duplication of effort was common. Today, with solutions such as CMDBs readily available to companies of all sizes, it is tough to imagine going back to the old ways. Especially now, with the pace of technological change moving so fast, it pays to have processes in place to capture and manage that dynamism.