ItSMF MN 2018 Panel Discussion Challenges Of Configuration Management


Scott Miller – Evergreen
Jonathan Waldo – Prime Therapeutic
Christine Barry – Medtronic
Jim Federline – Medica
Josh McDonald – Xcel Energy

1. How did you start CMDB?
o Scott – don’t boil the ocean, look at the top 10 services, focus on those CIs and relationships
o Jon – CMDB born out of need to innovate security around HIPAA, quickly expanded to servers and infrastructure
o Christine – wasn’t here when it started, so question was “how do we restart a CMDB?” Developed portfolio management, questions arose how to better manage, security also became a big stakeholder
o Jim – CMDB was a necessity, needed to understand, “what stuff do we have,” discovered lots of duplicity and unretired systems, needed better information to support asset management, continues to evolve
o Josh – started with asset tracking, discovery efforts, branched out to applications and services, needed to mature

2. How did you decide what to include?
o Josh – audit and security
o Jim – high loss assets, software, enterprise contracts, focused now on middleware configuration
o Christine – currently redesigning CMDB, moved from three systems to one, lack of clarity on definitions, reviewing the value and stakeholders of each CI, if it’s sustainable, updateable and has an owner
o Jon – applications, “what is an application” had to be answered, trying to find the right level of granularity, for some things small list/high level, for others larger list/deeper level
o Scott – doing discovery, defining classes for critical business services to establish scope, bringing in service owners to support

3. What were the biggest hurdles?
o Scott – buy-in and support from executive leadership, because so many areas need to be involved, so senior management support helps break through silos, talked with them early on to convey the value proposition, how CMDB is the foundation for so much of Service Management
o Jon – a lot of struggles, always asked to do a lot from stakeholders, don’t always include on-going support and maintenance of data, need a comprehensive plan, that can scale for new types of data; if you don’t identify the strategic ask that will help the company succeed, not going to find the best solution
o Christine – start with security, can’t manage data if we don’t know what’s in our environment, get leader involved; talk about value and benefits, lots of doubt that a complete CMDB could be accomplished, got different groups to see how CMDB addressed their needs; putting data in has to result in information coming out that is usable by stakeholders
o Jim – beat the drum on buy-in, establish trust that you can accomplish it, adding value is key to convincing others to participate; data needs change as organization changes, need to focus on highest-value efforts, bring a vision to the table that applies to specific business cases
o Josh – influx of data from many tools, discovery tools were expected to fill any data holes (unrealistic expectation), struggle to get access to some areas, updates coming from multiple sources, different data definitions, had to get all players to standardize the terminology

4. Who is responsible for configuration management?
o Christine – dedicated team for configuration, and redesign team, involving all ITIL practices, question is always “do we have the right number of people involved?”
o Jon – Configuration management within service management organization, several people hold specific roles
o Scott – normally see starting with stakeholders, sponsor and various owners, security is critical; usually a configuration management process owner and CI class owners – manage a subset of the CMDB for data validation
o Jim – still forming, but not norming yet. Service Management team and performance management team (tools, infrastructure) split responsibilities, customers of each other
o Josh – process owner, CI owners still being identified, 3rd party vendors managing some data, but not well

5. How do you educate users on value of configuration management?
o Jim – every DevOps team has challenges, example: server team wanted to be single-source of all information, but couldn’t maintain it using a spreadsheet, didn’t want to turn it over until team realized how configuration management team could support their efforts, combination of bottom-up and top-down interactions
o Jon – biggest advocates recognized the value within the CMDB, example: customer facing systems had to be available 24/7; having their systems mapped in CMDB helped reduce and eliminate downtime, governance of bringing in new applications has helped sell process by validating new data

6. From the audience: is that sustainable? Does CMDB lose accuracy over time?
o Jon – need to audit and review, find data gaps that impact resolution of outages
o Christine – opportunities around relating it to other processes, but need to mature data first, have to be a trusted partner, listen to stakeholders and understand what problem they are trying to solve, security is definitely a high stakeholder, incident, change, and problem management can all benefit from accurate and complete CMDB
o Scott – show people what a good CMDB looks like, show how it can impact major incidents and how CMDB information can help determine solutions
o Josh – try to sell CMDB as the single-source of accurate data, need to be able to provide what they need; different discovery tools all have scope limitations, show how CMDB brings all the data together

7. What value has been realized by other processes?
o Scott – Incident resolution time; with focus on customer service, keeping systems up or restoring them quickly is critical, CMDB is critical for change management
o Jon – security was initial stakeholder, continue to be highly involved, Security Incident Response and vulnerability management, ability to see everything on the network, certainly change and incident still growing
o Christine – moving to the cloud, but gathering inventory has been difficult, data gets stale, CMDB helps keep it current; patch management can learn what application owners they need to contact to determine risk and impact, operations monitoring want to know how to prevent outages; seeing relationships helps
o Jim – need massive amounts of data, how to determine if change records reflect all change activity? Audit has started asking, need to be able to answer; compliance activities, how to map infrastructure to environments and application stacks, environments constantly changing, so continuous discovery within CMDB is critical, multiple DevOps teams need to be able to quickly undo instances if problems occur

o Jon – within application roles, ID access management can relate to roles and see what roles are accessing what parts of infrastructure
o Josh – unauthorized changes, especially for infrastructure, CMDB used for a lot of things, including request, request catalog based on CMDB, supports automated fulfilment, access management, ability to see what CIs are being changed before it happens drives CAB attendance

8. From the audience: how do you determine how good your CMDB is? What model or scale do you use to measure? (Scale of 1 – 5 used for discussion)
o Josh – still fairly immature, maybe 2 on our third iteration of configuration management
o Jim – Maybe 1.5
o Christine – at a 2, have policies, not mature or consistent processes, some best practices gaps, use ITIL and ServiceNow, and Gartner measures
o Jon – two-ish, hard to determine how far along you are, use cases are always different, need policies, governance processes, measurements; still have opportunities to improve, using ServiceNow data model and a combination of IT and Business models
o Scott – average is about a two, use ITIL to select a base process and then develop for a specific client

9. From the audience: as CMDB grows, becomes harder to analyze and understand, what success have you had integrating with change to identify downstream impacts?
o Josh – for a subset of applications, list of critical applications, track minutes of downtime was initial scope, need to determine right level of view and who is viewing it
o Jim – standard impact analysis, by application, tiered. Tier 2 seems to drive the most anxiety; for Tier 1, usually know what to do
o Christine – trying to get to better scope, only ½ of Tier 1 applications have relationships in CMDB, sometimes rely on tribal knowledge, one goal is to be able to know the dependencies of CIs, beyond the CI on a particular change
o Jon – still have application mapping gaps, is challenging, how do you measure and report higher-level outages, still organically growing relationships, need to capture tribal knowledge whenever possible, change process can help capture
o Scott – if you have relationships for critical applications, can crawl up and down the relationship tree and include that information in the impacted CI analysis
o Josh – looking to add capabilities to change to show pending changes, and coordinate with monitoring to have awareness of what is and isn’t an actual outage

10. Data in CMDB can be confidential, what security do you have around it?
o Josh – different regulations for different areas of the company, have specific tools that can mask data points based on security rights
o Scott – roles or group definitions control what fields or tabs are visible, attributes should be identified in initial design
o Christine – getting requests to add security access to various products company offers
o Jon – integrity of the data more important than confidentiality, need to control and audit any changes, security control of data at the attribute level allows only the data owners to modify their data
o Josh – having SOX requirements owned and maintained is vital
o Jim – too small to have a lot of exclusions within IT, can be risky; did identify critical CI classes and controlled the security permissions for those classes

11. What discovery tools do you use?
o Jim – using ServiceNow Discovery, back when it wasn’t a good product (got a good deal), has matured over time, now have fallen behind all of the capabilities of the tool, have an advanced application monitoring tool to supplement what SVN tool doesn’t provide
o Scott – Discovery has matured over time, has some mapping based on probe responses, still need to be validated; can’t build business relationships, tools help automate, but can’t do everything, can do database connections to SCCM and other sources
o Christine – Have high expectations for SVN tool, but also need other sources to capture information it can’t
o Josh – several different discovery tools, one specific for critical applications, each have different strengths, can find gaps by seeing how data intersects
o Jon – been using SVN discovery for about 5 years, has improved over time, one challenge is needing to use credentials for every level; hard to maintain, also uses SCCM to push desktop scripts, IP address management system, vulnerability scanner
o Scott – regarding credentials, involve the security team to help overcome those hurdles, so actual discovery can run successfully
o Josh – too much discovery overlap has resulted in outages
o Jim – if remediating gaps, especially in devices, use a trusted source to ensure the devices are live on the network, helps establish credibility

12. From the audience: how do you keep discovery from filling up the CMDB with useful data?
o Christine – try to follow Gartner, need to define every attribute you are going to turn on
o Jon – as someone who didn’t do that, create filters that integrate with the data, for instance, make sure Incident only sees the data that matters to them
o Josh – keep actual state and discovered state separate, so you only push the data that you want to keep
o Scott – if you know what you’re going after, can target specific IP addresses to see if you are getting back the data you expect, then expand
o Jim – most important aspect is “managed class” and “managed attributes,” can reduce and filter the classes as needed, have a data dictionary organized by class and attribute, including relationships

13. How does configuration management and asset management work together, are they different teams?
o Jim – just finished asset project last year, expanding its scope; benefit of separate teams is ability to synchronize CMDB and asset database, but keep them separate because they have different priorities and life-cycles, also helps with contracts to determine accuracy of licensing; automating procurement and receiving makes capturing new assets very efficient
o Scott – have seen that same model, also had a vendor which provided advanced shipping notices before asset arrived, to improve receiving and data capturing; a lot of tie-in between them, but keeping them separate helps differentiate their purposes
o Jon – shared system; asset information is an attribute; does add complexity
o Josh – separate processes, some asset teams split across outside vendors, not going well, not all doing things the same way
o Christine – separate teams, but roll up under same leader; as well as vendor management team; finding use cases to expand use of data, want to see a financial overview of each service
o Scott – outage records tied to CMDB and to assets, can help with vendor negotiations
o Josh – gets complicated to keep vendor names consistent over time, some vendors can provide a pre-feed of data

14. From the audience: Related to classes, how to define Business Services and how to use them for impact analysis?
o SVN London release has a possible solution for this issue
o Jon – need help from business teams; they should define what they do, and how capabilities, processes and services relate. ArchiMate model (from Open Group) has helped us reconsider how we view and organize our data
o Jim – okay to just start with business applications services
o Christine – keeping at a high-level, business services, application services, technology services; decide how you want to define services
o Jim – offers a 3-tier model: Services (what is being provided and consumed), Applications (runs on a system), and Software (something you can put on a disc, or install on different platforms); different levels of detail, serve different purposes, but are related
