Improving Compliance While Managing Increasingly Complex Infrastructure

IT infrastructure is increasingly complex and dynamic. Physical characteristics of networks do not necessarily reflect the logical organization of network as it once did. There was a time when a set of servers would be physically on a subnet and could be managed as a logical unit, often dedicated to a single department. That subnet would house everything a department needed for its operations, from servers and desktops to storage arrays to tape backups. If you understood the physical layout of a network, you understood the logical design as well, which in turn meant you had a pretty good understanding of the business operations.

Network technology has developed to drive more efficiency out of infrastructure. This goal is partly accomplished by improving the speed at which operations happen thanks to advances like 10 gigabit Ethernet (10 GE). It's also the result of the removal of constraints on how we map physical organization to logical organization. For example, a department may be better served by creating a virtual local area network (VLAN) that uses resources located in multiple locations. Another example is virtualization. Both servers and storage can be virtualized to allow for more efficient use of infrastructure. The combination of improved device performance and the elimination of constraints on how we deploy and utilize hardware is fundamental to improvements in IT efficiency. This combination is also the root cause of so many administrative headaches.

When everything is working smoothly, we get the benefits of new‐generation technologies and architectures. We pay a price on the troubleshooting side of operations. When there is a problem, for instance, in an enterprise application, it can be difficult to track down the root cause. For example, if an application's response time slows significantly, it could be caused by any number of conditions:

  • An increase in the number of simultaneous users of that application
  • Changes in software that necessitate changes in configuration settings
  • If the application runs in a virtual environment, the other virtual machines on the shared physical server may be consuming additional resources
  • A patch to an application server may be incompatible with some of the application stack and additional patches are required to bring up software dependencies to avoid a mismatch in the application stack
  • Changes to switch configurations that adversely impact VLAN performance
  • Desktops infected with malware are used to generate spam or perform other malicious activities that consume network resources

Troubleshooting complex applications in complex networks requires multiple supporting tools. Fortunately, tools that help manage increasingly complex networks are also useful for analyzing, remediating, and reporting on compliance.

In this final article in the series, we will consider the need for and the benefits of configuration management tools in today's network environments. In particular, we will examine:

  • Need for situational awareness of network devices
  • Automated configuration management support for compliance management
  • Widespread benefits of automated configuration management

As we will see, configuration management tools lead to both technical and business benefits.

Need for Situational Awareness of Network Devices

When you think of situational awareness of network devices, you might immediately think about the most dynamic metrics typically used in performance management, such as throughput, latency, drop packet rates, and so on. These are certainly important and they help network managers maintain appropriate service levels. They are, however, at just one end of the situational awareness spectrum. It is important to know network performance metrics, but as Figure 1 highlights, these are not the only metrics you need.

Figure 1: The need for metrics about the state of infrastructure ranges from a realtime, short­term requirement about current performance to capacity planning for long­term needs. Between these is the important operational management scale where the ability to track device configurations and assess compliance are of particular interest.

Network managers should have access to information about the state of configuration of all devices for a variety of reasons:

  • A vulnerability may be discovered in a server OS on several devices that needs to be patched as soon as possible
  • A bug in a mission‐critical application associated with device configurations must be corrected
  • Management is reviewing compliance status and needs reports on the current configuration of application servers and end user devices
  • IT management is considering reallocating resources and moving applications off dedicated servers to virtual machines; configuration management reports can provide helpful information about those applications
  • IT management may be negotiating a usage‐based license for software and can use configuration and asset management reports to precisely identify the number of devices capable or running the software

In addition to situational awareness for resource management purposes, configuration management can help with compliance management and reporting.

Automated Configuration Management Supports Compliance Management

Compliance was once the concern of large enterprises or organizations in specialized industries, such as banking and healthcare. With the growing awareness of the need for information security and personal privacy, more and more organizations need to understand and comply with government, industry, or internal governance and compliance requirements. It is often the case that in addition to being in compliance, organizations must be able to demonstrate that they are in compliance. Configuration management tools can help in a couple of ways with these reporting requirements.

Reporting on Device‐Level Compliance

Regulations can specify that devices used for sensitive operations—such as collecting personal financial information, credit card data, or personal healthcare information—meet a minimal level of security. This requirement might mean that a workstation must be running antivirus and personal firewall applications and that be configured to automatically update when new malware signatures are available or patches are made for the software.

In addition to reporting at the device level, configuration management tools can help generate reports at aggregate levels. For example, an IT auditor might want details of a finance department's VLAN configuration to ensure only legitimate finance devices are on the logical network. By generating an inventory of the devices on the VLAN and producing a software inventory of each device, the auditors and IT managers can save time and reduce the chance of human error with automated configuration management tools.

Report on Remediation Operations

With the rate of change realized in some business networks, it is not surprising that on some occasions some device or software will not be properly configured from a compliance perspective. When a problem is found, the first task is to correct it. Remediation measures can include shutting down the non‐compliant device, applying a patch to a vulnerable application, or updating the configuration of the device. Whatever remediation steps are required, it is better to automate them in a script than to run them manually for several reasons:

  • The fix is applied consistently to all devices
  • The script can generate a log file that documents the details of any problems that may have been encountered
  • Scripts can be scheduled to run at times that minimize disruptions to operations with virtually no additional costs
  • Vendors may provide template scripts or tools for creating scripts that can help improve the pace and quality of script development
  • Scripts become repositories of institutional knowledge that might otherwise not be captured; IT departments do not lose all their configuration knowledge when the top Linux systems administrator or the Windows Exchange manager leaves the company

Scripts, logs, and reports document what remediation was performed and how the device responded. With reports about the before and after state of configuration operations, staff may be able to identify common patterns in failures and modify scripts or remediation steps to avoid those problems in the future.

Widespread Benefits of Automated Configuration Management

Throughout, this series has examined the need for configuration management from both technical and business perspectives, such as the ability to consistently and rapidly change configurations and the cost efficiencies of automating routine configuration tasks. At the conclusion, it is important to summarize the technical and business benefits of automated configuration management.

Technical Benefits of Automated Configuration Management

The technical benefits of automated configuration management are immediately recognized by IT professionals. Benefits such as a reduction in the time required to discover assets, reduced effort to meet management reporting requirements, and the ability to script configuration changes all help to reduce some of the less interesting and more tedious parts of IT jobs. A secondary benefit for IT professionals is that automated configuration management can leave more time for more important and more interesting tasks. Let's face it, who wouldn't rather work on deploying a new technology or team up with network architects to redesign a network segment than repetitively check desktops for a particular version of software, copy a patch if needed, and log the details about the patch operation. Knowledgeable IT professionals are valuable assets and can effectively solve problems that cannot be automated, but not if they are stuck with repetitive, automatable work.

Business Benefits of Automated Configuration Management

Although IT professionals might appreciate the benefits of automated configuration management because it leaves them more time for interesting and challenging work, those on the management side of the business might appreciate the cost savings even more. A quick review of IT professional salary surveys and some basic ROI calculations about the cost of configuration management software versus the cost of experienced systems administrators can show how significant those savings can be. Cost is not the only business benefit, though.

Automated configuration management can allow for more timely reporting and more effective compliance. The discovery process is a low‐cost operation with an automated system, so it can be run more frequently than if it was a manual task. With more frequent data gathering, there is an improved chance of catching problems earlier. This, in turn, leads to faster remediation, which can help to improve the security of the devices. In addition, more timely and comprehensive reporting can help with compliance. Of course, the less time spent on compliance is more time for focusing on delivering other values to the business.

Summary

This series has outlined the key challenges IT professionals face in managing the configuration of complex and dynamic IT infrastructures. One way to help manage such environments is with automated configuration management tools. These solutions provide support for key services, such as automated discovery, scripting, and reporting. With this combination of tools, both IT professionals and business managers will realize benefits over manual configuration management.