Configuration Management One Bite At A Time

Transcription

1 Configuration Management One Bite At A Time By Kai Holthaus, ITIL v3 Expert and Director for Third Sky, Inc. Implementing Configuration Management can be a daunting challenge. While the potential payback is big, probably bigger than implementing any other ITIL v3 process, the work and discipline that is required for successful Configuration Management has often been too much for the implementing organization many giving up along the way without the benefits being realized. There is a better way understanding the discipline that s required and carefully planning the implementation, creating value at each step of the journey. The implementing organization needs to balance keeping their eyes on the prize while also making sure that momentum is sustained. That way, the full benefits of Configuration Management can be achieved. ITIL s Perspective Why Implement Configuration Management ITIL v3 defines the Service Asset and Configuration Management (SACM) process in the Service Transition publication. It describes the objective of the SACM process as to define and control the components of services and infrastructure and maintain accurate configuration information on the historical, planned and current state of the services and infrastructure. This is achieved by managing the configuration data in a Configuration Management System, which not only includes data about Configuration Items (CI) and their relationships, but also data relating the CIs to Incidents, Problems, Known Errors, Changes and Releases. Like a number of other ITIL processes, the ultimate goal for the SACM process is to achieve superior decision making abilities. This will show itself in three main areas: Better impact analysis of changes, thus reducing the unexpected outages cause by poorly planned changes. It is well known that most service incidents today are caused by poorly planned changes, which means that a lot of IT organizations today are the cause of their own negative image with customers. Good SACM processes, procedures and data will enable the service provider to correctly identify the impact of changes, not just within the service provider organization itself, but also the impact to the business processes. It will also help to identify the risks associated with a change, as well as assist in creating better remediation procedures, should a change implementation fail. By the same token, good SACM processes and data will enable a service provider to quickly and accurately identify the impact of a service incident. This will enable better communication with Page 1

2 customers about such incidents. Additionally, it will help the service provider to better establish impact and urgency of incidents, and therefore enable the provider to prioritize resolution of incidents better. The same goes for problems the impact of the problems can be more accurately established, which will help to better prioritize problem resolution efforts. Last, but not least, SACM may not be an option for a service provider organization, because of rules and regulations that the organization may need to comply to. In such instances, good SACM practice may be essential to avoid fines or penalties associated with failed audits of data or procedures. Service Asset and Configuration Management Activities In order to manage all this data and achieve the benefits associated with SACM, ITIL defines the following activities for SACM: Management and Planning: Since there is no universal standard for Configuration Management that can be applied to every organization and every environment, each organization needs to set their own standards and policies. This is done in a Configuration Management Plan. The Plan should contain: o Scope o Requirements o Applicable policies and standards o Organizational structure o Applicable tools o Processes and Procedures o CMS Data Dictionary o CMS Population Strategy o Key Performance Indicators Configuration Identification: Once the plan has been created, the next step is to identify the CIs that will go into the Configuration Management System. Tasks include: o Define and document the criteria for selecting CIs and the components that compose them o Select the CIs and the components that compose them based on this documented criteria o Assign unique identifiers to CIs o Specify the relevant attributes of each CI o Specify when each CI is placed under Configuration Management o Identify the owner responsible for each CI o Describe the relationship between the CIs and how it relates to the business services and processes Page 2

3 Configuration Control: Once the CIs have been identified, changes to the CIs need to be controlled. In ITIL v3, Configuration Management is closely integrated with Change Management since all CIs, by definition, are under the control of Change Management. CIs can only be changed by authorization from the Change Management process. In other words, no CI should be added, modified or removed, without the appropriate controlling documentation or procedure being followed. This is the activity where process discipline comes into play: without that discipline, the configuration data will be a mismatch with the real world. Status Accounting and Reporting: Each CI will have a set of discrete states through which it can assume, e.g. Registered Accepted Released Withdrawn. The significance of each state needs to be defined in the Configuration Management policies. Additionally, the way a CI moves from one state to another needs to be defined as well, which includes the type of review and approval necessary to advance to the next state. Configuration status accounting and reporting is concerned with ensuring that all configuration data and documentation is recorded as each asset or CI progresses through its lifecycle. It provides the status of the configuration of a service and its environment as the configuration evolves through the service lifecycle. Verification and Audit: The activities include a series of reviews or audits to: o Ensure there is conformity between the documented baselines (e.g. agreements, interface control documents) and the actual business environment to which they refer o Verify the physical existence of CIs in the organization or in the Definitive Media Library (DML) and spares stores, the functional and operational characteristics of CIs and to check that the records in the CMS match the physical infrastructure o Check that release and configuration documentation is present before making a release. The First Law of Configuration Management As described before, the main goal for Configuration Management is to provide information on the current, historical and future state of services and the infrastructure. In order for that information to be valuable, the First Law of Configuration Management should be applied: The Configuration Management System is an accurate representation of reality at all times. There are three main reasons for why this is so important. What is common to all three reasons is that if the information is not accurate, the three goals cannot be reached, and the CMS is no longer valuable for the people looking to it to provide them with the information they need. Page 3

4 Performing Impact Analysis of Incidents, Problems and Changes Accurate information in the CMS allows a service provider to do an accurate impact analysis for Incidents, Problems and Changes. If the service provider can rely on the accuracy of the CMS, that provider will be able to accurately predict which business processes will be impacted if a certain CI fails. Knowing the impacted business processes will enable the provider to correctly identify the impact and urgency of an incident or problem, and therefore lead to better decision making when it comes to prioritizing the resolution of those incidents or problems, and ultimately, how resources should be allocated for incident or problem resolution or change implementation. Meet Compliance Requirements Accurate configuration information will allow the service provider to fully meet compliance requirements. If the information in the CMS cannot be trusted, because it is not an accurate representation of reality at all times, the data in the CMS cannot be used as the basis for demonstrating compliance to such requirements. Extra effort will be necessary to establish the compliance, in the worst case, re-identifying all CIs and assets, which would negate all the efforts spent on Configuration Management up to that point. Optimize Cost Keeping accurate configuration information will allow a service provider to optimize its spend for hardware, software or other types of CIs. Unused software CIs can be identified and redistributed instead of having to buy more licenses. The CMS will enable better re-use of hardware CIs, because it will be well known which CIs are no longer used by a business process and can be re-deployed elsewhere. Impact of the First Law Accepting the First Law as a basis for Configuration Management has some consequences for day-to-day management of the data in the CMS. First, it has an impact on a common practice regarding Discovery Tools. While such tools are very helpful in populating the CMS for the first time, they should not be used to automatically update configuration data upon subsequent runs. Allowing such automatic updates will remove the control that the Change Management process provides over CIs, and mask break-downs in the process. However, Discovery tools should be used for verification and audit purposes, as they can highlight where the CMS is possibly not an accurate representation of the real world. In other words, they can be a great help in identifying that processes and procedures have not been followed. Second, there should not be any unauthorized changes allowed to CIs. This includes common practices like retro-active approval of emergency changes 1. Retro-active approval is no approval at all, it is 1 Retro-active approvals are different than documenting after the fact. The Service Transition book states that there may be certain situations that warrant documenting after the fact for emergency changes. Page 4

5 asking for forgiveness. By definition, every CI is under the control of Change Management, and that control must be enforced, if accurate information is the goal. Unauthorized changes invite people to make changes to CIs without following standard procedures, which eventually will lead to inaccurate data in the CMS. Finally, updating the CMS must happen during the release of a change. The principle needs to be that documentation leads, and implementation follows. A well-managed CMS will have information on future changes happening to CIs and therefore will keep information on the new state of the real-world as part of the release. By linking CIs with Change and Release records, as discussed in ITIL v3, accurate information will be available at all times. How to Set Yourself Up for Success Since Configuration Management can be such a daunting task, how would a service provider organization get started? Here are four recommendations: Implement Change Management Since Configuration Management is tightly integrated with Change Management, a working Change Management process is a basic requirement. Often, Change Management is not being attempted under the guise of it slows us down. While that may sometimes be true, Change Management provides control, like brakes in a car. Brakes slow us down, too but nobody would propose taking them out. Configuration Management relies on a working Change Management process to provide the authorization to change CI information. It controls the integrity and accuracy of the Configuration Management data, and ensures that the data is accurate. Implementing a good Change Management process also involves organizational change techniques, to change people s behavior. Be prepared to reward good behavior and call out the bad. Do not tolerate changes without an approved change request. Make sure you train your employees on the new processes and policies. A good Change Management process will not only enable Configuration Management. Change Management provides control over more than just your Configuration data. It allows you to effectively control all aspects of your business, from policies, to processes and procedures, your services themselves, your Service Portfolio and your Service Catalog. In other words, implementing Change Management is an exercise well worth undertaking, as it will enable a lot of other things beside Configuration Management. Limit the Configuration Management Scope As said before, Configuration Management can be quite overwhelming. This means that your scope needs to be limited by making a rather conservative estimate on the level of depth and detail that would provide value to the organization versus the amount of work it takes to identify and manage the resulting data. Start small, show the success, and then expand. Page 5

6 Starting small has multiple benefits: It will be easier to identify the Configuration Items and populate the CMS without changes in the environment that make the data inaccurate before the CMS is even in use. IT is a dynamic environment. If there are changes in that environment while the first batch of CIs is being identified, the data is already wrong before it will be managed. Limiting scope will allow a service provider to manage this on-going change, or even fully prohibiting it for the time it takes you to populate the CMS. Results can be shown faster. Limiting scope will allow an organization to manage the configuration of a part of the environment quicker, and it can report on the successes quicker, showing management the benefits of doing Configuration Management. Once benefits are established, it will be easier to get commitment for expanding the scope of Configuration Management. How to limit the scope? There are several ideas here for example, scope could be limited by service, only managing the CIs that are linked to , for instance. Another way of limiting scope is to limit it by type of CI for example, starting with physical servers and network subnets only. The correct answer depends on a service provider s particular environment and the objectives that have been identified for the organization. Stick to the First Law As discussed before, the First Law is important. Additions, modifications, replacements or removals of CIs should not be allowed without the appropriate control by Change Management. Each such activity needs to be linked to an approved change request, and will be governed by the appropriate procedure ensuring consistency of approach and therefore accurate information and traceability. This means that there need to be Process and Procedure documents for the following (not an exhaustive list): Access control who can access and modify CI information? Build control and installation who is allowed to do builds and deployments? And what is the process that should be followed when doing builds and deployments? Taking a Configuration Baseline baselines should be taken to provide a basis for planning and so there is something to compare to. They can provide great help for change remediation, as a configuration that worked and that can be fallen back on, should a change fail. Policies and procedures should be developed to determine how to do this correctly consistently. Use Technology Lastly, the amount of data to be managed in Configuration Management cannot be managed in an Excel spreadsheet, unless we re talking about an organization of less than five people. Technology needs to be Page 6

7 used to enable the processes and procedures that were defined and documented. There are several systems and tools on the market today that will enable good Configuration Management practices. Summary While Configuration Management can be overwhelming, there are ways to achieve success without being tempted to give up along the way. A good Change Management process and limiting CI scope will go a long way to creating benefits in a shorter period of time, paving the way for expansion of the scope later on. Starting small and showing successes along the journey will create more enthusiasm and willingness to provide more resources to fully reap the benefits of a well-managed Configuration Management practice. About Third Sky Third Sky specializes in the assessment, planning, and adoption of ITIL / ITSM solutions that enable IT organizations to deliver higher levels of service while maintaining or reducing Total Cost of Operations (TCO). Third Sky provides a comprehensive set of IT Service Management solutions addressing people, process, and technology initiatives for medium to large enterprises. Third Sky can facilitate a 2-day Configuration Management Workshop to accelerate your organization s definition and adoption of the process, establishes consensus on a common Logical Configuration Model, and ensures all participants understand the purpose and benefit of a good Configuration Management process. The workshop can also be used to create a solid foundation of requirements for the implementation of a CMDB or CMS (Configuration Management Database or Configuration Management System). Page 7