Tripwire's new Enterprise 7 configuration audit and control product includes numerous features aimed at ensuring that changes in the data center comply with regulatory, security-related and operational policies. Among the new features are integration with configuration management databases (CMDBs), automated assessments of configurations enterprise-wide, control of change in virtualized environments and configuration rollbacks.
For Solidcore, a sales and marketing deal with Opsware Inc., a provider of software that automates provisioning and change management, holds the promise of enabling customers to control all server-based changes. The partnership aims to combine the strengths of both companies -- Solidcore's ability to automatically prevent unauthorized changes with Opsware's ability to automatically implement only authorized changes -- into a solution that Opsware will resell.
Tripwire's and Solidcore's latest releases aim to tackle a vexing challenge for the data center: controlling change in an increasingly complex and interdependent environment. Enterprise 7 and Solidcore's tool also indicate a larger market shift toward holistic approaches to rather than point solutions for change management. Increasingly software providers are creating tools that work in concert with organizations' policies and environments to manage change enterprise-wide.
Indeed, say experts, the bar has been raised; tools that simply account for and implement change aren't enough. "There are many products that combine strong auditing and good release management capabilities for such things as distributing software and actively making changes," said Dennis Drogseth, vice president of analyst and consulting firm Enterprise Management Associates. "When you are managing change, you are managing a capability that touches every discipline: system performance, system availability, service management, security," he said. "What's needed for really effective change management is an ability to integrate, automate and audit changes across the board in a cohesive fashion."
Now change management tools have to meet a new standard by accounting for policies as well as technology, personnel and the impact of change on an enterprise as a whole.ITIL v3 and the winds of change
Whither this new, more holistic approach among vendors? Part of the answer may lie in the latest release of the IT Infrastructure Library (ITIL), the best-practices framework for IT service management created by the U.K.'s Office of Government Commerce (OGC). In May 2007, the OGC released ITIL v3.
Indeed ITIL v3 may help to challenge and stretch the parameters of existing change management tools, including CMDBs.
As Drogseth sees it, ITIL v3 embodies the concept of a holistic approach to change management, and now vendors are following suit with new tools. "Managing change isn't just about configurations," he said. "Organizations need a cohesive set of policies, otherwise a change that may seem great for a device in isolation may have unintended consequences in the overall environment." Indeed, Drogseth said that the idea of CMDBs in which configuration items and relationships are stored has in ITIL v3 given way to configuration management systems, of which a CMDB may or may not be a component. Further, configuration management is only one component within a change management landscape. Others may include database technologies, workflow, policies and application dependency mapping, Drogseth said.
But according to Tripwire, Enterprise 7 is designed to extend CMDB capabilities. According to Steve Hall, product marketing manager at Tripwire, the Enterprise 7 product can serve as a foundation for implementing CMDBs, because it allows users to define policies and then adhere to them. "We are called the stepping stone for CMDB success," Hall said. "Companies can put the processes in place for change management and release management in order to ensure success of CMDBs."
Drogseth, however, is more circumspect. "Yes, you do need policies and processes to make a CMDB work, but whether you start with a system like Tripwire or Solidcore depends on needs and objectives, which vary from organization to organization," he said.Reining in the change beast
For Solidcore, meanwhile, CMDBs are not necessarily part of the equation, according to vice president of marketing Bob Vieratis. "The three drivers for implementing change control systems are compliance, system availability and ITIL," he said. "Ad hoc changes are responsible for a lot of issues, so our system, along with Opsware, provides the mechanism where you can control change both behaviorally through policies as well as technically through automation." Most customers, he added, don't have CMDBs, but they could certainly implement one once they solidify their change management processes.
One such customer is Web conferencing company WebEx Communications. Chief Security Officer Randy Barr said that in 2004 WebEx implemented Solidcore to address a central priority: system availability. "An individual can't go in at any time of the day and make a change," he said. "With the system, we can enforce a policy that allows changes only at certain times." (For WebEx, that window is between 9 p.m. and midnight.)
With 3,000 devices at 12 locations that are networked together, WebEx wanted to establish centralized change control. Solidcore now enables that capability, so Barr doesn't currently see a need for a CMDB. "System availability is paramount for us," said Barr, "and using Solidcore has enabled us to avoid the kind of ad hoc or unauthorized changes that led to downtime before."
But still, WebEx encountered roadblocks. The biggest challenge was overcoming resistance from system administrators who weren't eager to adopt more formalized processes. For example, in conjunction with ITIL, WebEx established a change management board that must authorize all changes in advance.According to Drogseth, the releases from Tripwire and Solidcore demonstrate the continuing evolution in the change control and configuration software space -- an evolution that is reflected in ITIL v3. Rather than addressing change management from either a systems or networking perspective and leaving policies out of the equation, the market is moving toward providing customers with an integrated solution, Drogseth said. That concept addresses more than just automation or tracking of change; it also incorporates a host of organizational concerns, such as "risk management, compliance and governance."
Let us know what you think about the story; email Megan Santosus, Features Writer.