Configuration Management for virtual and Cloud Infrastructures

Configuration Management for Virtual and Cloud Infrastructures

The top seven things to consider

May 17, 2013.

By Ronni J. Colville and George Spafford

www.gartner.com

Configuration management is a key process for any IT endeavor — including

legacy IT systems, as well as private and public clouds. Without visibility to the

configuration of the relevant IT service, IT will not be able to manage the

multisourced cloud infrastructure and software.

Organisations adopting virtualisation and cloud delivery services need to review

their configuration management processes to ensure that they are optimised to

support these services.

A review of the configuration management process should focus on, and alter as

required, the process design, including inputs and outputs, workflows, controls,

roles and responsibilities, data models, reporting and opportunities for process

automation.

Through 2015, 80% of outages impacting mission-critical services will be

caused by people and process issues, and more than 50% of those outages will

be caused by change/configuration/release integration and hand-off issues.

As IT adopts technologies such as virtualisation and cloud services, new

dynamics will be introduced (e.g., mobility and offline/online), as well as

opening its doors to external providers (e.g., infrastructure as a service [IaaS]).

This complexity will require IT to add more rigor (not less) to their configuration

management process.

As the number of internal and external service providers increases, the need for

timely, accurate and secure information flows also increases. With any delivery

method, configuration plays a vital role in providing logical views of IT services,

including changes to configurations.

Consider the following questions and responses to rightsise your configuration

management process for virtual and cloud infrastructures:

1. How well are standards defined and followed? Standard implementations

bring predictability and speed in deployment, but the mobility of virtualisation

adds unpredictability in performance, because changes can be done in real time

without an impact assessment. Add a shared infrastructure (e.g., multiple VMs

per host and cluster) and what was standard and predictable for one IT service

will potentially be affected by other IT services. These new dynamics will affect

how standards are assessed and maintained, and will require closer inspection

of how dynamic (versus standard and static) the IT service blueprint should be.

Standards will need to be reassessed on an ongoing basis to ensure scalability

and predictable availability.

2. How well are IT services documented or tracked in systems such as the

configuration management database (CMDB)/configuration management system

(CMS)? The CMDB/CMS will maintain a trusted view using integration and

federation to bring in configuration data from a wide variety of sources. Some

discovery sources can take triggers from virtual infrastructures and become

closer to a "real-time view." This view, coupled with a runtime view for

application performance, will enable better predictive planning. Because having

visibility to public cloud infrastructures can be limited with today's discovery

tools, it is critical for IT organisations to understand the service or application,

and how it is manifested (internally and externally).

3. How well is automation used to discover and execute changes? While IT

resources are often experts, they are still prone to human errors. Using

automation to discover and better target changes will significantly reduce

outages. Automating provisioning without understanding the impact of the

single change to a system or software on the broader IT service or application

may have a negative effect (e.g., outage) systemwide. In addition, with the

frequency of changes to the virtual and cloud infrastructures, coupled with new

agile development and deployment, automation will improve the speed of

changes and reduce the errors to which humans cannot scale, to accommodate

the increase in changes without an increase in errors.

4. How well are audit requirements for contractual and regulatory compliance

addressed? Enterprises can no longer exist without mechanisms that prove

sufficient control is in place. Virtualisation enables the swift and real-time

movement of servers and applications from one place to another. Due to this

type of movement, organisations could fail to comply with restrictions, which

could subject the enterprise to significant consequences. This applies not just to

country- or industry-specific regulations (e.g., payment card industry) or

security-based regulations (e.g., Center for Internet Security[CIS]), but broader

regulations (e.g., the USA Patriot Act) that will impact or support global

enterprises.

5. How well are software licenses tracked and are they accurate? Virtual

infrastructures add mobility and offline dynamics that can present a challenge

for tracking application and software usage. IT organisations will have to be

prepared with documentation and discovery methods that can prove license

instantiation.

6. How well does IT already manage multisourced or multivendor operating

environments? The public cloud is not necessarily new; in many respects, it's

another flavor of outsourcing or software as a service (SaaS). IT organisations

are still responsible for their data, their application availability, etc., but now

there is a middleman. IT organisations that have best practices in place for

multisourced or SaaS infrastructures likely will have less of a challenge adapting

their configuration strategies to the public cloud. IT should seek out lessons

learned from traditional outsourcing vendors and incorporate them for the

broader use cases in the public cloud.

7. What is the degree of business risk that IT organisations will tolerate,

associated with specific types of changes (e.g., to business-critical systems,

preapproved changes, emergency changes, etc.)? Today, changes are controlled

within the IT infrastructure, but cloud infrastructures will take change-impact

assessment beyond the corporate firewall into more "opaque" environments

(public clouds). As the scope of control alters with public cloud scenarios,

business risk factors will need to be re-examined, and existing policies will

need to change to enable a 90% success rate or better.

This report is based on independent technology advisory research from Gartner,

Inc. Gartner delivers the technology-related insight necessary for IT leaders to

make the right decisions every day.