Wow! A configuration management program that worked the first time!
Stuart Smith | Transurban
5 minutes Intro
5 minutes Why Bother
5 minutes What were the challenges and how were these overcome
10 minutes Leveraging existing tools (Technical section)
15 minutes Benefits
5 minutes What does the CMDB look like today and what are the next steps
5 minutes Questions
Agenda
Configuration Management 2
Incumbent tool was due for upgrade
Undertook a review of tools looking for a best-of-breed SaaS solution
Tool must support the organisation’s fast-paced growth and align to corporate strategy
– Position for the future
– Get faster
– Deliver increasing value
Incumbent system did not have an integrated CMDB
One of the key deliverables was a fully functioning, largely auto populated CMDB
Introduction
Applications and Infrastructure
– Projects asking how many servers, applications, databases or details about these
– Senior Management don’t understand why you are so busy
– Complex and time consuming to understand life-cycle replacements
– Unable to explain everything you are managing and how it is interconnected
– Receive requests which do not have all the correct details
– Outages caused by expiration of digital certificates
Why Bother?
Infrastructure
– Not knowing who owns an application or who should approve a change
– Unable to get outage times and approvals
– Unsure of what groups of Servers to Patch and when
– Get flooded by alerts
Service Management
– Have multiple regions you want to report by
– Inconsistent and poor details provided in service requests
Security
– Find it complex to manage your Payment Card Industry (PCI) compliance
Create a High-Level Model
Data Model: Determine level of depth you want to manage and what can reasonably be discovered automatically.
What tools are available and hence, what integrations are required
What fields are required to meet the objectives
How to automate the creation of most (if not all) CIs and relationships
Technical considerations (eg. Integration method)
Leverage Existing Tools
[Diagram labels: Discovery, CMDB]
Tools and Integrations
Integrations: Determine the integrations required to capture the source data
– Servers – SCOM
– Network – Solarwinds
– Database – Oracle Enterprise Manager (OEM)
– Desk/Laptops – SCCM
– Windows server – SCCM
– Applications – Manually created
– Mobile devices – AirWatch (post go-live)
– VMs – vCentre (post go-live)
[Diagram labels: SCOM, SCCM, Solarwinds, OEM, Thawte, Internal CAMID, ServiceNow; flows labelled Discovered Assets and Discovered CIs; integration references IN17 and IN2,4,16]
Integration Method
Method – Determine Target Tables, create integration specification and the integration method
– Webservice
– JDBC
– Email etc.
Reconciliation Identifiers – used to determine the order in which we try to match on keys (e.g. try to match on SCOM ID, then FQDN, then Name)
Copy Empty Fields – If set to YES and the discovery source has a NULL field, the CMDB is overwritten with blanks.
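The matching order and the Copy Empty Fields setting described above, modelled in plain JavaScript as an added example (not ServiceNow's engine and not the presenter's configuration). The field names scom_id, fqdn, name, owner and os, the hostnames and the function names are assumptions made for illustration.

```javascript
// Added illustration: a simplified in-memory model, not ServiceNow's import engine.
// Field names (scom_id, fqdn, name, owner, os) are assumed for the example.
const IDENTIFIER_ORDER = ["scom_id", "fqdn", "name"]; // order from the slide

const isEmpty = (v) => v === null || v === undefined || v === "";
const norm = (v) => String(v).trim().toLowerCase();

// Try each identifier in order; the first one that finds exactly one CI wins.
function findCi(cmdb, record, exceptions) {
  for (const key of IDENTIFIER_ORDER) {
    if (isEmpty(record[key])) continue; // source did not supply this key
    const hits = cmdb.filter((ci) => !isEmpty(ci[key]) && norm(ci[key]) === norm(record[key]));
    if (hits.length === 1) return { ci: hits[0], matchedOn: key };
    // Ambiguous key: report it rather than guess, then fall through to the next key.
    if (hits.length > 1) exceptions.push({ record, reason: `duplicate ${key}` });
  }
  return { ci: null, matchedOn: null };
}

// Merge one discovered record into the cmdb array (mutated in place).
function reconcile(cmdb, record, { copyEmptyFields = false, exceptions = [] } = {}) {
  const { ci, matchedOn } = findCi(cmdb, record, exceptions);
  if (!ci) {
    cmdb.push({ ...record });
    return { action: "created", matchedOn: null };
  }
  for (const [field, value] of Object.entries(record)) {
    // With copyEmptyFields off, a NULL from the source never blanks a populated field.
    if (isEmpty(value) && !copyEmptyFields) continue;
    ci[field] = value;
  }
  return { action: "updated", matchedOn };
}

// Constructed sample: SCOM ID is missing at the source, so the match falls to FQDN.
function demo(copyEmptyFields) {
  const cmdb = [{ scom_id: "S-100", fqdn: "app01.example.test", name: "APP01", owner: "Team A" }];
  const discovered = { scom_id: null, fqdn: "APP01.example.test", name: "app01", owner: null, os: "Windows" };
  const result = reconcile(cmdb, discovered, { copyEmptyFields });
  return { result, ci: cmdb[0], count: cmdb.length };
}

console.log(demo(false).ci); // owner and scom_id kept
console.log(demo(true).ci);  // owner and scom_id blanked
```

With Copy Empty Fields on, the NULL SCOM ID from the source also blanks the CI's first reconciliation identifier, so later loads can no longer match on it.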
Met with each CI Class owner (eg. Server, Network Device etc.)
Included any additional fields required to meet the overall objectives
Mapping Fields
Choice Action:
“create” enables the creation of new reference values (eg. create a new Make/Model in the CMDB, if one does not exist for this make/model)
Mapped fields from the source system to the CMDB
Determined if some values could be used to auto update reference data (eg. Make/Model)
Determined what fields they required
Based on data sources, determine what fields can be used to build relationships
Using discovery precedence, load relationships between CIs (typically using the same source)
Log exception report where correlation failed
Tune engine to improve matches, or manually deal with exceptions
Auto Create Relationships
Source | Target | Coalesce | Choice action
source.u_network | child | TRUE | REJECT
source.u_server | parent | TRUE | REJECT
"CONNECTED BY::CONNECTS" | type | TRUE | REJECT
Data from Solarwinds provides:
• The key/unique id from a network device u_network
• The key/unique id from a server device u_server
• We then create a parent to child relationship with the terms Connected By and Connects
Don’t create a new relationship if one exists
Don’t create a new CI
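An added example (not from the original slides or from ServiceNow) of the relationship load above: coalescing on parent, child and type so an existing relationship is not duplicated, and rejecting rows whose CI is unknown into an exception report instead of creating a CI. The in-memory ciIndex, the record ids and the function names are hypothetical.

```javascript
// Added illustration: in-memory stand-ins for the CMDB tables, not ServiceNow code.
const REL_TYPE = "CONNECTED BY::CONNECTS"; // type value from the mapping table

// Load Solarwinds rows as relationships. Mirrors the mapping: Coalesce TRUE on
// parent, child and type; Choice action REJECT for CIs that do not exist yet.
function loadRelationships(rows, ciIndex, relationships) {
  const seen = new Set(relationships.map((r) => `${r.parent}|${r.child}|${r.type}`));
  const report = { created: 0, skipped: 0, exceptions: [] };
  for (const row of rows) {
    const parent = ciIndex.servers.get(row.u_server);   // u_server -> parent
    const child = ciIndex.network.get(row.u_network);   // u_network -> child
    if (!parent || !child) {
      // REJECT: never create a CI from the relationship feed; log it for tuning.
      const reason = !parent ? "unknown server" : "unknown network device";
      report.exceptions.push({ row, reason });
      continue;
    }
    const key = `${parent}|${child}|${REL_TYPE}`;
    if (seen.has(key)) { report.skipped++; continue; } // coalesce: already exists
    seen.add(key);
    relationships.push({ parent, child, type: REL_TYPE });
    report.created++;
  }
  return report;
}

// Constructed sample data: source keys mapped to hypothetical CMDB record ids.
function demoRelationships() {
  const ciIndex = {
    servers: new Map([["srv-1", "ci-server-1"], ["srv-2", "ci-server-2"]]),
    network: new Map([["net-1", "ci-switch-1"]]),
  };
  const relationships = [{ parent: "ci-server-1", child: "ci-switch-1", type: REL_TYPE }];
  const rows = [
    { u_server: "srv-1", u_network: "net-1" }, // already related
    { u_server: "srv-2", u_network: "net-1" }, // new relationship
    { u_server: "srv-2", u_network: "net-1" }, // duplicate row in the same load
    { u_server: "srv-9", u_network: "net-1" }, // server not in the CMDB
  ];
  return { report: loadRelationships(rows, ciIndex, relationships), relationships };
}

console.log(demoRelationships().report);
```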
Technical considerations
Alerting for failed discovery and transformation tasks
Connection method (eg. Web Service, email etc. )
Never perform creates on the same Class from multiple sources
– Discover from primary source and then update additional data from secondary source(s)
Challenges
Challenge: Getting time and commitment of Subject Matter Experts from each CI owner group
Overcome by:
– Strong sponsorship from senior management (CIO / GGM)
– Regular steering committee meeting where issues were flagged
– Ensure we built a CMDB that provided benefits to the team (explained in more detail in upcoming slides)
Challenge: Loading data/mapping fields and mapping relationships
Overcome by:
– Need a resource with in-depth understanding of configuration management
Challenge: Auto-populating data versus manual updates. Everyone wants everything auto-populated
Overcome by:
– Explaining cost benefit to SMEs
– Escalating to the steering committee if the SMEs could not be convinced
Challenge: Ongoing population of the CMDB
Overcome by:
– Ensured managers bought into the value
– All staff were put through training sessions
– Configuration Manager to drive/uplift compliance
– Compliance reports provided to GM and above
Tips
Tip: Configuration Management is a journey
Explanation:
– Ensure stakeholders expectations are met
– Expect 1 to 2 years to reach end state
Tip: Don’t under-estimate the effort
Explanation: Ensure adequate resourcing, such as:
– A Configuration Manager
– Technical expert to create the CMDB
– Technical staff to provide the details and help with mapping
Tip: Ensure stakeholders understand the difference between Configuration and Asset Management
Explanation: Avoid confusion regarding the end state deliverable
Tip: Understand the benefits
Explanation: To sell why you are implementing Configuration Management
End of Technical section
Questions?
Benefits / Savings
Want to ensure there are real savings / benefits?
Activity | Saving | Comment
Change Manager effort | 25% | Easier to see impacts, add approvers
Change creation | 62.5% quicker |
Reducing alert spamming | 150 hours/month | SCOM put into maintenance mode
Self Service Portal (SSP) Requests | Days quicker | Improvement based on empirical data. Previously there was no SSP. Average SSP provisioning is 4 hours
Server patching | 13 hours/month | Based on 2 patching cycles (Dev then Prod)
Easier Life-cycle management | Several months | Previous project ran for over 12 months
Providing Projects with accurate CI data | Days/request | Often requests took days, can now provide info in minutes
Network firewall burns | 30% | Absorbed 30% growth with no FTE increase
PCI Compliance | N/A | Improved compliance/governance
Reduced SD call volume | 30% | SSP tasks are sent directly to the resolver group
Benefits
Location Data and Data Classifications
User Locations: Locations that the services / application is provisioned. Staff understand which regions they need to take into consideration, different financial reporting, different public holidays etc.
Info Classification: Is data highly confidential (eg. HR data)
PCI Compliance: Is the data within scope of PCI compliance, what additional checks/approvals need to be undertaken to ensure PCI rules are met
Privacy Compliance: What privacy rules must be met or considered
TISA compliance: TU has third party agreements with the roadside, this requires certain rules, such as outage lead times and communications
Business Criticality
Business Criticality: Used to define the SLAs for the service/application. This is used for reporting and can be used for managing the overall end-to-end service (where the underlying Infrastructure is not built to the same level of criticality).
– Transurban use Gold / Silver / Bronze
Life-Cycle Management
Support End date: Dates can be used to pull reports for life-cycle replacement
Potential Saving:
Last time LCM was a project that ran for over 12 months (just to collect and validate data)
Assignment and Approvers
Assignment: Incidents and requests are directly assigned from the self-service portal to teams based on populated assignment groups, thus skipping the IT Service Desk
Approval: Approvers of a Change are driven from approval groups on the configuration item and a secondary approval group can be added, for instance to ensure that a Change is approved for both the Aus. and USA regions
Effort Saved:
Minor Change review is 50% quicker, saving 25% of total Change Manager effort
Dependency Mapping
Dependency Maps: Can be used to understand the impact a server, database or Network component can have on applications and services
Improvement:
Helped to halve the amount of time spent reviewing changes
Patching Cycles - Security
Patching Group: Can be driven by adding CIs to a patching group and patching can be automated off this
Patching Exemptions: Servers can be omitted from patching if there are risks associated with performing the patch (eg. Applications running on the server are not supported on the patch level)
Patching Instructions: Special instructions can be added eg. Check alerting is re-enabled
Effort Saved: 7 hours/patching cycle (Windows Fleet - 570 Production and 154 Dev/Test servers)
SCOM Alerts – Put into Maintenance Mode
SCOM Alerts: By integrating SNOW and SCOM and loading the CIs, when a Change is raised and outage records created, the SCOM servers are placed into maintenance mode, thus preventing spamming of alerts during a valid outage
Effort saved:
150 hours/month
Upstream Applications
Upstream Applications: Users can add upstream applications etc. to an Infrastructure change which will then show any impacted upstream components, reducing the likelihood of an application/service outage
PCI Compliance
PCI Compliance: When Changes are approved by a peer and moved from Peer Review to Tech & Change Review the Dependency map is checked to see if the application is within PCI scope and an additional approver can be added. Weekly reports are also produced detailing if PCI configuration items have been changed.
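An added example, not taken from the presentation, of the PCI check described above: walk the dependency map upstream from the changed CI and add a second approval group when anything impacted is in PCI scope. The CI names, the pciScope and approvalGroup fields and the "PCI Approvers" group are assumptions.

```javascript
// Added illustration: constructed CIs, not the presenter's CMDB. The pciScope and
// approvalGroup fields and the "PCI Approvers" group name are assumptions.
// dependsOn[x] lists the CIs that x runs on.
function upstreamOf(ciId, dependsOn) {
  const usedBy = new Map(); // inverted edges: CI -> CIs that depend on it
  for (const [ci, deps] of Object.entries(dependsOn)) {
    for (const dep of deps) {
      if (!usedBy.has(dep)) usedBy.set(dep, []);
      usedBy.get(dep).push(ci);
    }
  }
  const impacted = new Set();
  const queue = [ciId];
  while (queue.length > 0) {
    for (const parent of usedBy.get(queue.shift()) || []) {
      if (parent === ciId || impacted.has(parent)) continue; // cycle guard
      impacted.add(parent);
      queue.push(parent);
    }
  }
  return [...impacted].sort();
}

// Approval groups for a change on ciId: the CI's own group, plus the PCI group
// when the CI or anything upstream of it is flagged as in PCI scope.
function approversFor(ciId, cis, dependsOn, pciGroup = "PCI Approvers") {
  const impacted = upstreamOf(ciId, dependsOn);
  const pciHits = [ciId, ...impacted].filter((id) => cis[id] && cis[id].pciScope);
  const approvers = [cis[ciId].approvalGroup];
  if (pciHits.length > 0) approvers.push(pciGroup);
  return { impacted, pciHits, approvers };
}

// Constructed sample data.
const cis = {
  "db01": { approvalGroup: "DBA", pciScope: false },
  "app-billing": { approvalGroup: "Apps", pciScope: false },
  "svc-payments": { approvalGroup: "Payments", pciScope: true },
  "app-intranet": { approvalGroup: "Apps", pciScope: false },
  "web01": { approvalGroup: "Wintel", pciScope: false },
};
const dependsOn = {
  "app-billing": ["db01"],
  "svc-payments": ["app-billing"],
  "app-intranet": ["web01"],
};

console.log(approversFor("db01", cis, dependsOn));  // PCI approver added
console.log(approversFor("web01", cis, dependsOn)); // own group only
```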
Certificate Expiration
Digital Certificates: Are managed across the enterprise to ensure certificates are upgraded before they expire. Since go-live we have seen no incidents resulting from expired certificates.
Value:
Reduces the risk of an outage caused by expired certificates
Portal Home Page
Sample Service Requests
Self Service Request – Driven from CMDB
Improved self-service: As a number of requests can be driven off the CMDB. For example, a system to system firewall rule can have the source/destination firewalls populated, ensuring appropriate approval and that the right information is provided in the request.
Effort saved:
30% increase in volume, with no increase in people
Improved Self Service
Improved self-service: If the relevant Configuration Item is selected, then the request is immediately assigned to the correct team.
Savings:
Together with knowledge articles, and self-service forms, this has reduced help desk call volume by ~50%.
Auto Create new CIs
Improve CI Creation: New Application CIs are QA’d and created through a new form.
Savings:
5% Configuration Manager saving
End of Benefits section
Questions?
Current Dashboard vs Improved Dashboard
Loading vCentre data automatically – Expected a saving: 4-weeks/annum
Creating services and mapping to applications
Loading mobile billing data
Current CMDB and looking into the future
Current Dashboard
Improved reporting: Ability to monitor exceptions in the CMDB, such as stale, duplicate and orphaned CIs
CMDB – Completeness / Compliance / Correctness
Improved Dashboard
Contact Details
Email: [email protected]
LinkedIn: https://au.linkedin.com/in/stuart-smith-43b4923
End Presentation
Questions?