A Word on Automated Discovery and Security Credentials
The discovery and mapping of IT infrastructure components to a business service is a lot like forensics. The latter is defined as “the application of a broad spectrum of sciences and technologies to investigate and establish facts of interest in relation to criminal or civil law.” As anyone who has watched the umpteen versions of CSI (Crime Scene Investigation) on television knows, forensics plays a critical role in solving crimes. While I am not suggesting that IT executives are criminals, I think there is a valid, and potentially informative, analogy here so let’s explore further. In the case of discovery and mapping of IT infrastructure, we’re applying science and technology to investigate and establish the current factual relationships between business services and IT infrastructure. Let’s take our analogy to the next step. To perform an investigation requires certain access and permissions. Understandably, this can make some people nervous. What are you looking for? Why are you looking there? How do I know you’re not going to break something? The bottom line is, can I trust you enough to permit access to my key possessions? Those questions apply to forensics investigations, as well as IT projects designed to discover and map business services. Sounds pretty similar so far, right? Now, if a ‘bad’ person is trying to hide something, a diligent forensics investigator may seek a search warrant. The concept of a search warrant is older than the Fourth Amendment to the U.S. Constitution, which guards against unreasonable searches. As a result, most searches require a warrant based on probable cause and must be specific as to the object to be searched for and the place to be searched. OK, so this basic legal instruction is interesting, but how does it tie to an IT discovery and business service mapping project? Well, we run into this issue all the time (and Neebula is certainly not alone) because any IT discovery solution requires certain access and permissions, which in our case translates to the term “security credentials.” Most organizations are not keen to provide credentials to their systems. It’s in their DNA. As a former officer in the Army, I can tell you that the question: “do you have a need-to-know?” is the golden rule when it comes to questioning whether to share confidential information. IT executives who have a compelling need to increase service availability or “just” allow their IT managers access to graphical, topologically-accurate maps of their key business services for a host of benefits, including enhanced root-cause analysis, better change control, improved business continuity capabilities, etc., know the answer is affirmatively “Yes!” The fact is, if you can’t live with providing your internal co-workers and the tools they use to secure availability of key services with enough information, it’s game over because automated discovery solutions just won’t work. And that’s a shame because we see time and time again how automated software saves significant time and money, as compared with alternative, manual, labor-intensive, and error-prone approaches which can become Sisyphean-like tasks that never actually produce any value.