Accurate Configurations -Technology Alone Isn't the Answer
Concerns over bureaucracy and slowing down the rate of changes need to be carefully scrutinized. Organizations that implement appropriately designed change management processes find their availability, integrity, overall security and agility actually improve as plans are scrutinized, errors detected and corrected, improvements factored in, right parties contacted, etc.
Tools Are Just Tools
The automated configuration detection tools are aids to processes, not replacements to processes. If change management is being bypassed then these should be flagged and investigated. The only level of unauthorized change that should be accepted by management is zero.
If something changed and there isnt and approved RFC then corrective and appropriate disciplinary action should be taken. A recent IT Process Institute study on the value of controls identified the two controls present in high-performing IT organizations was the ability to detect unauthorized changes and the willingness to impose disciplinary action when processes were flagrantly disregarded.
In addition, these tools are trying to determine CI attribute details and CI relationships in a complex environment. Some of the assumptions/findings may not always be correct. Just because a change is detected doesnt mean that the system is right.
If an organizations plans to import changes into the CMDB then someone must review the proposed updates first for accuracy to ensure that the CMDBs data integrity is protected. Furthermore, to reinforce what was stated earlier, questions must be asked about why the changes transpired by mapping them back to approved RFCs.
In closing, these automated discovery tools can help organizations collect data but they must support processes designed to meet business needs. This means the goals of the business must be taken into account, then the IT requirements defined and then processes designed with the correct blend of people, process, and technology.
Simply buying the tools and running them is not the solution. Understanding why changes are happening and gaining control over the infrastructure via an effective change management process to better ensure availability, integrity and overall security must be the primary focus.
George Spafford is a Principal Consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.