|
|
| Home - Industry Article - Sep 06 Issue |
A New Market Opportunity for IT Policy Control
continued... page 2 |
Centralization
Individual focus on IT policy control deficiencies identified by point solutions limits an organization’s ability to mitigate risk and improve service levels. A centralized approach to policy management provides complete knowledge of IT control violations that are happening throughout the entire IT environment so that staff can easily make decisions about which controls pose the most risk or negatively impact service delivery or support. With this knowledge, users can then set the priorities that will provide the most benefit to the business. Some degree of risk or bottlenecks in service is acceptable because it simply costs more to prevent it than the cost if the bottleneck is removed or if the risk actually happened. Knowledge of the time and frequency of a wide arrange of events will help managers more accurately assess potential costs to determine whether action is warranted.
Point solutions for IT policy control automate detection and reporting for whatever control they are designed to implement. This situation is certainly better than relying completely on manual processes for data collection and review. However, because there is no single authoritative source of record for audit and forensic analysis, users still have to spend time and energy consolidating and aggregating data for enterprise reporting requirements. A centralized system more fully automates these steps, reducing the cost and complexity of policy compliance.
Historical Context
Historical analysis is essential to problem management because it helps to minimize the adverse effect on the business when incidents happen. Often, a series of actions, rather than a single action, is the culprit for an incident. Historical context is therefore useful when root cause analysis requires consideration of events that have occurred over time. The results may reveal that the previous configuration before an incident is not necessarily a good configuration and point to the correct restoration point.
An effective IT organization tries not only to minimize the adverse effects on the business of undesired events once they have happened, but also tries to proactively prevent them from happening in the first place. Without historical context, it’s difficult to spot the trends that will lead to future incidents and to verify if control improvements are really working. Historical trend analysis is essential for determining the likelihood of future incidents and if policy control violations are getting better or worse over time.
Change Validation
The objective of change management is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to minimize the impact of any related incidents upon service. A centralized policy management system identifies the changes that require validation and then validates them against authorizations in a change management system. Discovery of unauthorized changes helps IT organizations ensure that their standardized change management policies are being followed. Change validation also makes it easier to identify the types of changes, namely unauthorized ones, that are the most likely to have caused an incident. This is important because studies have demonstrated that 80% of unplanned downtime is caused by either unauthorized or untested change.
Conclusion
Today, vendors are already making attempts to resolve the issues caused by the lack of centralized policy management. Some technology suppliers are adding to the number IT policy control products in their product portfolios, mostly through acquisitions of smaller vendors. Other vendors are increasing the number of IT policies that their product can support, largely through internal development efforts. But, neither of these tactics will eliminate the need for a centralized policy management system. Single vendor ownership of multiple products does not guarantee policy integration and even if it did, the vendor still would not provide an open repository that supports policy integration across vendors who are typically competitors. Alternatively, a single product that is expanding its IT control capabilities cannot possibly support the policy control requirements for heterogeneous components in the IT infrastructure and the complexity of IT controls that must be applied to them.
In the endeavor to achieve centralized IT policy management, the market will experience many false starts based on force fitting existing technologies to solve a problem they simply were not designed to do. Inevitably, the market will see a new product category devoted exclusively to the needs of a centralized policy management including consolidated policy administration and storage, as well as enterprise policy integration, historical context and analysis and change validation.
Teresa D. Wingfield is Director of Product Marketing at Active Reasoning, where she is responsible for defining new market opportunities for the company’s control automation and validation software. Prior to Active Reasoning, she has held senior-level marketing positions at TIBCO Software, Niku Corporation (acquired by Computer Associates), and Netfish Technologies (acquired by IONA Technologies). Teresa has also been an industry analyst at Current Analysis and Giga Information Group (acquired by Forrester Research). She holds graduate degrees in business from MIT’s Sloan School of Management, and software engineering from Harvard. For article feedback, contact Teresa at teresa.wingfield@activereasoning.com
 
|
|
|
