March 1, 2007
» NIST Updates Provide Important Guidance for Email and Wireless Security

The National Institute of Standards and Technology has recently released three new special publications of note.

SP 800-45 covers guidelines for electronic mail security, SP 800-94 focuses on Intrusion Detection and Prevention Systems, while SP 800-97 is on Establishing Wireless Robust Security Networks.

These publications are very thorough and I would particularly recommend taking a close look at SP 800-45. One of the interesting twists the government is imposing on organizations of late is the one-two punch of protecting sensitive information (a la SOX, PCI, GLBA, HIPAA...) while also calling for more and more email records to be retained for potential future litigation (see my post from December 2006). Essentially, organizations must retain more information that they must ensure is secure, all compliments of government legislation.

I would pay particular attention to chapters 5-8. This is the real meat of the publication - covering a logical progression from OS to mail server, to the network, and ending with the mail clients.

In addition, NIST has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs.

Good, practical help that is well worth the time to download.

November 30, 2006
» Greet Change with a Healthy Dose of Skepticism

We've all heard the cliches surrounding change - almost all of them trumpet the need to embrace change as a purely positive part of business growth and development. However, a recent study by the IT Process Institute makes a strong case for tightening the reins on unbridled changes in the IT enterprise.

In a recent issue of CIO, Michael Schrage, co-director of the MIT Media Lab's eMarkets Initiative, points out that change management is really process management and change leadership is really process leadership, whether you're talking about people, systems, or applications.

Schrage points out that, in the IT Process Institute survey, those who took process leadership most seriously didn't just perform a little better than the median - they delivered results seven or eight times better! More projects, more applications and software, more IT services, and more business IT changes - with half the failure rate. So, what was the key difference the survey identified in this elite group of performers?

Foundational controls.

Bottom line - this group of performers rigorously monitors and punishes unauthorized changes. As Schrage states, "What kills us is not our failures of planning, analysis, design, testing and deployment...It's our black market economies of unauthorized changes - no matter how well intentioned or essential."

Gene Kim, one of the lead researchers for the IT Process Institute, expressed that elite IT organizations didn't see the controls in the change management process as a constraint but as a platform for innovation. They found that disciplined design actually proves to be more agile, robust, and maintainable than unauthorized change.

Another benefit? Bigger IT budgets. Kim found that the elite organizations had budgets three times larger than median groups. "High performers have continually earned ever increasing budgets because they deliver ever increasing value to the business," said Kim.

It's time to think carefully about unrestrained change. I think in the back of our minds we all know it, but the never-ending fire drill of change is not terribly productive and really isn't good for the business long-term.

October 5, 2006
» Today’s CMDB Lacks Configuration Depth

The IT departments at top companies around the globe are actively engaged in implementing IT best practices to improve IT services. Fundamental to the success of these efforts is establishing a configuration management database, or CMDB.

Major players like HP, BMC, CA and EMC all tout their version of a CMDB. But, when you really look at the type of configuration items they are populating their CMDBs with, you’ll find they’re woefully ineffective for truly meeting the objectives of IT best practice standards like ITIL and even more importantly they won’t improve security and performance in your IT environment. The reason is simple – the data in today’s CMDBs tends to be too “shallow”. It captures basic assets like computers, applications and some relationships among them, but this kind of a model is not going to help you understand the impact of a change to one or more systems. For example, can this CMDB really tell me how a patch I am about to apply will impact my system and other systems connected to it? I don’t think so.

Can this CMDB tell me if a configuration change I am about to apply will impact performance of some critical application that is involved in a key business process? Again the answer is - you guessed it – not.

Without a comprehensive model that captures all critical components of IT and thousands of interrelated configuration settings that control security, performance and availability of systems, a CMDB is, you guessed it again, a toy.

The problem is exacerbated by the knowledge that adding data to these CMDBs is often a manual process, fraught with the potential for error. In a recent article, Dennis Deane, who is head of program management in Europe for Scottsdale, Ariz.-based delivery company DHL and uses Hewlett-Packard Co.'s OpenView, said "Chances are pretty good that someone somewhere has all the information that is needed to implement a CMDB on an Excel spreadsheet."

Can you imagine populating a CMDB the size of DHL from Excel spreadsheets? It’s almost impossible to believe anyone would have the meticulous attention to detail required to do that successfully. It’s almost harder to believe anyone has the time to collect the data and actually dedicate the time to importing it into the CMDB.

A better option to expedite this process is to federate other databases into the CMDB. This point was reinforced in comments by Richard Ptak, analyst for Ptak and Noel Associates. "If a team enters every CI individually, there is the chance for redundancy. A way to avoid this is to federate databases into the CMDB."

Ptak is not the only one calling for the leading CMDB vendors to improve their ability to federate data. Gartner analysts Ronni Colville and Cameron Haight made similar statements in a recent research paper. “While the good news is that seemingly almost daily a new vendor is claiming to offer a CMDB or CMDB strategy, the bad news is that very few of them offer comprehensive CMDB capability and none have proven multi-vendor federation capability,” write Colville and Haight.

The good news is, while leading CMDB vendors may not have the deep configuration information needed to populate their CMDB, you’re not stuck importing Excel spreadsheets either. There is an automated tool for collecting deep configuration information that is perfectly capable of being federated into today’s leading CMDB products.

Stop wasting valuable staff time or risking manual data entry errors. This solution will accelerate you from a shallow, ineffective CMDB to a truly deep CMDB, full of the configuration detail required to accelerate your IT best practice implementation.