Posts filed under 'Change Control'
Tripwire announced today that AirTran uses them for PCI. Here is a link to the article: AirTran Airways Selects Tripwire Enterprise for Continuous Data Center Compliance. The press release title is just marketing fluff; if you jump into the article it says they bought it for PCI. It is also interesting that ArcSight announced AirTran as a PCI customer as well, using their system. Why would a customer buy both if Tripwire met all the requirements?
Solidcore's PCI customers, like Convergys, don't need to use anything else across network, databases and servers for the PCI requirements.
October 2nd, 2007
Here is the response from Tripwire's SVP of Marketing to the Solidcore Blog (http://blog.solidcore.com). Our response: let the technology speak for itself … the customers will decide. Marketing folks can call even batch processing real time, huh?!
From: DJS
Sent: Friday, September 21, 2007 9:52 PM
To: Erin Swanson
Subject: Our realtime
Nice blog Erin… Just want to inform you that Tripwire has complete real time support. Feel free to keep saying that we don’t as it gives us a great opportunity to discredit you when you try to compete.
DJ Schoenbaum
Tripwire, inc.
Sent via BlackBerry from T-Mobile
September 24th, 2007
We at Solidcore are engaged in a market share battle with Tripwire. Tripwire is about 10 years old; their biggest asset is that they are bigger and have a more widely known brand name than we do. Their weakness is that their technology is the same as it was 10 years ago.
We (Solidcore) are smaller, younger and have state of the art technology. Our biggest challenge is how to get our brand name out so that we are invited to all the deals where Tripwire is being considered. Once we are in, we tend to win 80% of the deals we compete in.
This is a classic battle studied in almost every MBA class: David versus Goliath.
One of the reasons we won deals against Tripwire was that they are not real-time. They have a scan and diff approach, while Solidcore is real time. Recently Tripwire began telling customers that they have a real time version of the product. It works on only two versions of Windows and no versions of Unix. This was a big victory for us: basically the market has spoken that real-time tracking of change is a critical requirement for PCI, SOX and ITIL deals, and Tripwire was forced to accept it and come onto Solidcore turf, where they are newbies with little experience.
September 22nd, 2007
This week Tripwire announced their release 6.0 and they have adopted (blatantly copied) the Solidcore message of Visibility, Accountability and Control. Why would they do that?
- is the market adopting this message?
- is it really what the customers need?
It is also interesting to see how they are positioning their product capabilities:
1. Solidcore: Real Time Change tracking
Tripwire: Continuous Scanning with Real Time Alerting
2. Solidcore: Pro-active Enforcement
Tripwire: Detection & Rollback (using 3rd party tools)
Of course my views are biased. Should I feel happy that it is recognition of thought leadership from Solidcore, or feel enraged? What do you think?
February 13th, 2007
“Behind The Firewall: The next time the sales rep from your anti-virus provider drops by, shake his hand, thank him and wish him luck in his future endeavors. You won’t be needing his services much longer, because the age of viruses and worms is over.”
– Dennis Fisher. Link to article.
For enterprises, Change Control is a much better alternative than using A/V or other traditional security products. For consumers or home users A/V may still be ok. But for organizations that care about and control which programs can access resources on their corporate network … A/V will be a thing of the past.
February 4th, 2007
The Symantec–Altiris deal is the first recognition of the fact that traditional anti-virus, anti-phishing etc. is a dying market. And this is not because Microsoft (MSFT) has decided to put some of the features in its newly launched Vista release.
Many corporations have realized that traditional anti-***** products stop the "known bad" stuff from entering their infrastructure. But it is much easier to keep track of "known good" stuff, which provisioning systems like Altiris do. They make sure that only "known good" software, where good is defined by corporate policy (or by Dell, for consumers), is kept on the machines.
Solidcore Systems is another example of this, where enterprise change control policy is used to ensure the known good state of the machine. If it came in via enterprise change control it is good, otherwise it is not.
If you can ensure that only known good stuff is on the machine, traditional anti-virus, anti-spam etc is dead.
January 30th, 2007
Peter Armstrong, Corporate Strategist at BMC Software, talks about IT horror stories in IT World.
Here is Peter’s podcast.
January 21st, 2007
… based on a true story at a Fortune 1000 company
From Wikipedia:
… a tax shelter is any organized program in which many individuals, rich or poor, participate to reduce their taxes due. However, a few individuals stretch the limits of legal interpretation of the income tax laws. While these actions may be within the boundary of legally accepted practice in physical form, these actions could be deemed to be conducted in bad faith. Tax shelters were intended to induce good behaviors from the masses, but at the same time caused a handful to act in the opposite manner. Tax shelters have therefore often shared an unsavory association with fraud.
In most organizations when you want to make a change you need to fill out a change request form. The change request form states what needs to be accomplished, but does not concern itself with how the change is to be carried out. It usually contains when the change should be made and to which machines in the infrastructure. The change requests then go to the change
Again from Wikipedia:
Change requests typically originate from one of five sources: (i) problem reports that identify bugs that must be fixed, which forms the most common source, (ii) system enhancement requests from users, (iii) events in the development of other systems, (iv) changes in underlying structure and or standards (e.g. in software development this could be a new operating system) and (v) demands from senior management
Almost every IT administrator I have met hates to fill out requests for change. Several of them see this as a TAX that they have to pay in addition to working 24×7 to get the work done. Now most administrators are smart people, and they either created or found their own tax shelter: the Emergency Change.
When a change is labeled as an emergency change, most organizations allow all the procedures of filling out a change request and getting approval to be bypassed, hence avoiding the change management tax. Just like IRS tax shelters, some of which are perfectly legal and have legitimate uses, the emergency change is required for the proper functioning of the infrastructure; but like several illegal tax shelters it can be used and abused.
Recently a large retail company had outsourced their e-commerce website to a managed service provider (like IBM SO, EDS, Verizon etc.). The outsourced service provider had a very strict change management procedure, which they had developed over the past several years to ensure the highest availability and uptime on the revenue generating sites. But of course there was the change management tax shelter: the emergency change. About a year after signing the contract, one of the outsourcer's executives reviewing the retailer's account found that 70-80% of all changes presented by the team at the retailer were emergency changes with no documentation or approvals. This was clearly an abuse of the tax shelter.
He called up his counterpart at the retailer and explained his analysis and why their performance fell short of the SLA. The VP of e-commerce operations was a reasonable person and admitted that he was between a rock and a hard place. His development team had revolted, saying that if they had to follow the process and pay the change management tax they would not have enough time or resources to get the site up before the Christmas season, so he had let his operations team use this tax shelter in the contract.
What should we do? They could not come up with a solution at that very moment. Now the person at the outsourcer wanted to help his customer, the VP at the retailer. So he got his team together and said: we have got to figure out a way to solve this problem, because we look bad in front of the customer by not meeting our SLA and we are losing money on the account as well.
His team worked hard and came up with requirements. What they really wanted was something that could let the customer just do the change and then pick up all the information for the change and create the necessary documentation. Thus from the customer's perspective they got rid of the tax, but from the outsourcer's perspective they still got the documentation needed, and if there were exceptions those would be flagged. If someone could figure out a way of doing that with the IRS we would all save tax and the government wouldn't go into deficit.
Once they knew what they wanted they began looking into the market for solutions. The first one they encountered was from Mercury (Kintana), now part of HP. This solution would fit well with the development system that the developers were using. But it only took care of changes from the development system; if someone used some other system it would not work.
Next they looked at BladeLogic and Opsware, both tools used for pushing out changes. Now these tools could detect whether a server had been changed and what the changes were, but they had no idea who made the emergency change, when it was made or how it was made. The integration with their change management system was also not easy. Both these systems could provide some of the documentation required for the process, but not all of it. Then they came across Tripwire. Tripwire could also be run periodically and it would detect what had changed, but it could not provide who made the emergency change (which was a problem, because it was important to show that the change had been made by the retailer); also there was no SLA on when the change was made and when the documentation would be complete. The other problem they found with the above systems was that when they created tickets from changes, the volume of change was so high that the tickets created were meaningless.
Finally they looked at Solidcore. Solidcore could tell them what changes had been made, who (which user) made them, what application was used to make the change, and when the change was made. It could also connect back to the change ticketing system. Before the changes were put into the ticketing system, Solidcore clustered them to find units of change. This dramatically reduced the number of tickets created, and there was also more meaning to each ticket.
The next morning the VP at the retailer received an email: "we have discovered a legal tax shelter for you, Solidcore, and would like to discuss and mutually agree to discontinue the use of the illegal tax shelter: the emergency change."
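The reconciliation the outsourcer's team asked for (what changed, who did it, with which application, when, clustered into units of change and matched back to approved tickets) can be sketched as follows. This is an added example in Python, not Solidcore's code; the audit records, hostnames, users and the ticket id CR-1042 are constructed, and the clustering rule (same host, user and process with no pause longer than ten minutes) is an assumption.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One record of the kind a real-time agent captures: when, where, who and with what.
Change = namedtuple("Change", "when host user process path")
# An approved change request: host, requester and the approved time window.
Ticket = namedtuple("Ticket", "ticket_id host user start end")

def cluster_units(changes, gap=timedelta(minutes=10)):
    """Group raw changes into units: same host/user/process with no pause longer than `gap`."""
    by_key = {}
    for c in sorted(changes, key=lambda c: c.when):
        units = by_key.setdefault((c.host, c.user, c.process), [])
        if units and c.when - units[-1]["end"] <= gap:
            units[-1]["end"] = c.when  # extend the open unit
            units[-1]["paths"].append(c.path)
        else:  # start a new unit
            units.append({"host": c.host, "user": c.user, "process": c.process,
                          "start": c.when, "end": c.when, "paths": [c.path]})
    return [u for us in by_key.values() for u in us]

def reconcile(units, tickets):
    """Attach the ticket whose host, user and window cover a unit; None marks an undocumented one."""
    for u in units:
        u["ticket"] = next((t.ticket_id for t in tickets if t.host == u["host"] and t.user == u["user"]
                            and t.start <= u["start"] and u["end"] <= t.end), None)
    return units

def emergency_share(units):
    """Fraction of units that carry no approval: the figure the outsourcer's executive reviewed."""
    return sum(u["ticket"] is None for u in units) / len(units)

def demo():
    """Constructed sample: one approved deployment plus three changes nobody filed a request for."""
    t0 = datetime(2007, 1, 15, 22, 0)
    m = lambda mins: t0 + timedelta(minutes=mins)
    changes = [Change(m(0), "web01", "bob", "rsync", "/var/www/app/index.jsp"),
               Change(m(3), "web01", "bob", "rsync", "/var/www/app/checkout.jsp"),
               Change(m(6), "web01", "bob", "rsync", "/var/www/app/cart.jsp"),
               Change(m(4), "web01", "alice", "vi", "/etc/httpd/conf/httpd.conf"),
               Change(m(90), "web02", "bob", "rsync", "/var/www/app/index.jsp"),
               Change(m(105), "web01", "bob", "rsync", "/var/www/app/index.jsp")]
    tickets = [Ticket("CR-1042", "web01", "bob", m(-30), m(60))]  # approved 21:30-23:00 on web01
    units = reconcile(cluster_units(changes), tickets)
    return units, emergency_share(units)

if __name__ == "__main__":
    units, share = demo()
    print(f"{len(units)} units of change, {share:.0%} without an approved ticket")
```

Six raw changes collapse into four units, and three of them (alice's config edit, bob's work on web02 and bob's late redeploy after the window closed) carry no ticket, which is the kind of ratio the review in the story turned up.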
January 18th, 2007
Is there a simple ITIL philosophy that can be used as the guiding light for implementing ITIL? The general consensus about six-sigma was that if the top leaders in the organization understood that six-sigma was about "removing variability from a repeatable process", and then empowered their people to go achieve this, the implementations were enormously successful. This was because the statement was actionable for people, it tied very closely to some metric they were evaluated on, and it made intuitive sense. In organizations that created a group (internal staff or consultants) to come up with the six-sigma plan, the effort almost always resulted in failure.
Now as IT organizations look at ITIL, how could we describe it in a simple phrase like "removing variability from repeatable processes"? What is the equivalent statement describing the ITIL philosophy?
When I searched on the web, here are some interesting possibilities:
- separate administrative tasks and technical tasks
- develop a common-lingo for communication about process and solutions
- automate repeatable process
- get budget from the CFO, wait for the next wave
- provide a service (like a restaurant), not technology (cooked food).
What do you think?
January 17th, 2007
It's that time of the year again. The Super Bowl is a few weeks away. The playoffs are well underway, and people are arguing about the Patriots, Chargers, Colts … winning it all. GoDaddy's co-founder has been talking about how his ads were rejected by the ABC censorship committee. People almost expect something dramatic after the Janet Jackson wardrobe malfunction shocked the country in 2004. That it was broadcast to millions of homes in the US was a big "control" failure.
One of the important things about controls is whether they are pro-active or reactive. Reactive means doing something after it happens: MTV and CBS apologized for Janet's failure. Pro-active is what is done before … a system which would not have aired the snafu. The Janet Jackson control failure highlights that in some cases having reactive controls is just not good enough. The damage has been done.
Yet if we look at the IT world, most of the processes inside organizations to control change are reactive. They do stuff after the change has happened, not before it. Are they waiting for a Janet Jackson control failure?
Should you control change pro-actively on some of your infrastructure?
January 14th, 2007