Intellyx BrainBlog by Jason English for Evolven
Why do IT governance and configuration management processes fail to catch these unauthorized changes?
Everything’s locked down to get ready to stream the major media charity event. Environments are monitored. Releases, updates and patches are well-governed with an approval chain. Development and IT Ops teams are fully trained on configuration management, change control, and infrastructure release processes.
A network administrator makes a small change to a setting on one load balancer, without requesting authorization, confident that his change has nothing to do with the live stream.
The web broadcast starts, people and donations start streaming in, and … it crashes.
It takes half an hour to recover to a backup channel, but the show has been interrupted the whole time, and most viewers leave. It takes another day to figure out what actually happened.
The best laid plans of our configuration management processes still go awry so frequently. If we can tightly define all elements of an IT environment from software to system-level configuration, and specify which components can be changed, when, and by whom — then how come we still can’t stop these unauthorized changes from happening?
To keep up with compliance requirements, enterprises invested heavily in IT governance processes and tools, from ITIL practices to today’s highly automated approaches to configuration management with more rigorous environment reproduction and testing.
Just like any fabled deal with the devil, the devil is in the details.
How could unauthorized changes still happen in today’s compliance-driven IT environment?
There is a Faustian bargain going on here, wherein IT leaders may believe their spending and effort has acquired them complete knowledge, visibility and process control over their world — but once the letter of the law is executed, they eventually realize they missed an important detail in the contract.
They are left high and dry.
I’m not saying there’s some horned Mephistopheles involved in this plot. Aside from malware authors and malicious hackers who actually enjoy making unwelcome changes, most IT leaders and professionals are good actors who, in general, try to follow change protocols.
People still make unauthorized changes because they think “oh, this little change won’t affect anything” or “I’m in a hurry and willing to make an exception to policy just this once.” And administrators will still inevitably fail to notice many of these unauthorized changes.
