Change and configuration management

Touchpaper

Touchpaper considers the recent history and current status of change and configuration management - the terms most often associated with the discovery, monitoring and modelling of IT device and application statuses and interactions. This is an emerging market for vendors since many of the driving factors (particularly regulation) and foundation technologies have only arisen in recent years.

If there is a Holy Grail in IT service management (ITSM), it might well be a situation in which an administrator can obtain any piece of information about any corporate IT device, including its current location, owner, dependencies, usage and history at the touch of a button.

This simple proposition, immensely complex in practice, is fast becoming a reality as a result of pressing management concerns surrounding risk, cost and regulation.

The need to know everything

Consider the following: In a June 2005 convention for chief information security officers, one presenter joked that if you were caught contravening US Sarbanes-Oxley regulations, your best course of action might be to kill the person who had found you out. His jibe was based on the sobering fact that some of the new regulations affecting senior IT personnel in the US carry stronger sentences than murder.

A technician recently brought down all the booking systems in a major UK international airport simply by upgrading a server. Such a major incident could occur in any organization where a significant number of systems are connected together and their precise connections are unknown. Today that means most organizations.

An IDC study[1] of the impact of introducing automated systems to improve service delivery has shown that enterprises using a desktop management system from a supplier such as LANDesk 'saved an average of close to $1.1 million annually over three years, in increased user productivity due to reduced downtime and less time lost on system administration tasks. When normalized for company size, these savings amounted to $22,909 per 100 users'.

These (and many other) lines of evidence all point unequivocally to an increasing need for IT chiefs to know about the systems under their command. And not just in a general way. Many now want (and are to an increasing degree being mandated) to know every detail of every history and interaction of every device and application under their purview.

Theoretically, this should not be a problem. In practice, and particularly given the scant level of complete, consolidated application and infrastructure information available to most IT heads, it is, or at least has been, rather more difficult.

A brief history of change

The need to understand the nature, history and interactions of corporate IT devices, applications and people has arisen from the increasing complexity of technological infrastructure and the growing level to which organizations are dependent upon it.

In recent years this focus has crystallized around two emerging areas of IT service: configuration management, concerned with knowing about the current and past state of a system and its components; and change management, concerned with what happens when the system is altered.

Both configuration management and change management are part of the IT Infrastructure Library (ITIL®)®, a set of international best practices drawn from the public and private sectors that aid the implementation of a customizable framework for IT service management (ITSM) within a specific organization.

According to the itSMF (the international forum for IT Service Management professionals)[2], configuration management is 'the process of identifying and defining configuration items (CIs) in a system, recording and reporting the status of CIs and requests for change, and verifying the completeness and correctness of CIs'.

A CI, a configurable component of an infrastructure such as an item of hardware, is associated with an infrastructure - that is (or is to be) under the control of configuration management.

Change management refers to the process used to control changes to the infrastructure or any related services, enabling approved changes to be handled with minimum disruption.

This could include ensuring that there is a business reason behind each change, identifying the specific CIs and IT services affected by the change then planning and testing the change before implementation.

Although viewed by Gartner[3] as distinct processes that have common points of intersection, from an IT administration perspective, change and configuration management can be seen as two sides of the same coin. One is about discovering what has happened to your systems so far, the other about what will happen from now on.

Change and configuration management has become a hot topic in recent times thanks to a number of factors, principally including:

  • a growing financial pressure on IT departments to become more efficient, coupled with a realization that money is frequently wasted where there is little inventory or version control;
  • disparate systems across organizations creating 'silos' of CI information making it virtually impossible to identify a single, consistent picture of the assets at their disposal;
  • increasing complexity of and interaction between IT systems, along with the amount they are relied upon by business and the consequent risk posed by security threats or human error;
  • the emergence and widespread acceptance of IT best practice frameworks such as the ITIL® and Control Objectives for Information and Related Technology (CobiT);
  • a raft of new regulations, including the US Public Company Accounting Reform and Investor Protection (Sarbanes-Oxley) Act of 2002, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, the Gramm-Leach-Bliley Financial Services Modernization Act of 1999, The UK Financial Services and Markets Act 2000, the New Basel Capital Accord (Basel II), Title 21 Code of Federal Regulations (21 CFR) Part II, the Health Insurance Portability and Accountability Act (HIPAA) and the International Accounting Standards (IAS).

The current situation

Despite these pressures, or more likely because they have arisen relatively recently, the level of knowledge of IT systems and their role in supporting some of the topics listed above is typically very low in the average organization.

Gartner[4] says: 'Given that less than 1 per cent of IT operations groups (ITOGs) perform configuration management beyond simple desktop, server and network configurations, more than 80 per cent of IT groups may be incapable of satisfying many of the laws and regulations, such as HIPAA and 21 CFR Part 11, that require change-related audit trails and accountability over material configuration items.'

Auditing and accountability are made difficult by the fact that many large organizations still do not have robust automated systems for configuration and change management. In a 2004 poll of data centre conference attendees by Gartner[5], only 34 per cent of respondents were found to have an off-the-shelf IT operations management tool.

A further 21 per cent used a homegrown database, a similar proportion just used Excel spreadsheets, 14 per cent relied on Visio or manual diagrams and one in ten admitted they had no configuration repository whatsoever.

Conclusion

Change and configuration management is a logical and necessary requirement of today's complex IT systems but their widespread introduction into a full, process-driven solution based around a CMDB has been hampered by limitations of the available systems.

Organizations should be investigating the new generation of applications. By adopting an appropriate solution they can expect to leverage significant benefits in terms of organizational productivity, corporate governance, statutory compliance and financial return.

With over 20 years' experience across Europe, the US and Asia Pacific, Touchpaper is an international provider of IT business management (ITBM) solutions, encompassing IT service management (ITSM), customer service solutions (CSS) and network and systems management (N&SM).

Touchpaper sells its solutions directly and through an international network of resellers to private and public sector organizations across various vertical markets. For further information please visit www.touchpaper.com Touchpaper is a registered trademark of Touchpaper Software plc in the UK and other countries.

References

1. IDC (October 2004) Quantifying the ROI Benefits of Integrated Systems Management, (IDC#4270).
2. The IT Service Management forum (
www.itsmf.co.uk).
3. Gartner (3 August 2005) Optimize Change and Configuration Management With People, Processes and Tools, Ronni J. Colville, Patricia Adams, Kris Brittain, ID Number G00128133.
4. Gartner (6 July 2005) Effective Regulatory Compliance Requires IT Configuration Management, Daniel Vogel, ID Number G00127752.
5. Gartner (31 March 2005) Organizations Are Paying More Attention to Configuration Management, Ronni J. Colville, ID Number G00126227.

November 2006