This article is part of our ongoing How-to series that focuses on ways to keep your environment ready and yourself sane in real-world scenarios.
Ensuring software standardization across an environment helps to avoid version conflicts, obsolete application buildup and knowledge siloing, problems every IT professional has faced at some point in their career. Three things can make standardizing software workable: visibility, notifications, integration and the wholehearted support of upper management. Okay, that’s four things, but the first three can make the fourth possible, believe it or not. This week, we’ll take a look at some examples of wrangling software standardization across a group of servers and what the benefits are of doing so.
You’ve been tasked with standardizing software in your data center. You need to make sure the applications you want are installed and on the correct version on all systems and that unwanted or problematic applications are not installed. This standardization needs to be maintained moving forward and you should be able to produce reports on demand for management on the data center’s compliance with the company’s software standards.
Kudos if you already have one, but the first thing you’ll need is a clear list of what software is required, at which version, and what software (or version of an application), if any, is banned. This documentation should be available and kept up to date, with a clear sign-off on the policy from executive management. This can also be a good opportunity to make sure you actually need all of the software you have running. If your data center has grown organically over the years, chances are systems have built up a store of applications that are either no longer in use, or should be replaced or consolidated into other tools. It can be difficult to fit what seems like housecleaning into day-to-day work, but it has a major payoff in the long run, saving both time and money.
Once you’ve made your list, you will need an accurate and up-to-date inventory of all the software, including version, installed on all the systems that must meet the standard. Much easier said than done. This is where visibility, the first key to effective standardization, comes in. To control what software exists in an environment, you have to be able to see what software is in that environment. It sounds obvious, but in traditional environments, that kind of visibility sometimes lives only in the heads of a few employees, or sometimes nowhere at all, lost over time through personnel turnover or other external factors. In other cases, the visibility exists, but the data is overwhelming or disorganized, and no one can or is willing to sort through it to make it useful. Visibility means both having the information and being able to use that information effectively.
The next step is to compare the inventory to the policy. There are a number of ways you can accomplish this, some technical, some manual. But when you begin comparing, you might be surprised at some of the results. A package installed years ago during an emergency that now has a critical vulnerability. Inconsistent versions of software like Java, PHP, Flash and other applications that affect the environment for other programs. A program someone else installed without the knowledge or approval of IT ops that might conflict with an important production application. These discoveries are extremely common for shops that haven’t already standardized their software.
It does little good to compare the inventory to the policy for a single instant, because over time both the inventory and the policy will change. The method by which the comparison takes place should be easily repeatable, regularly scheduled, and provide a history of previous inventories and policies for auditing or troubleshooting. This ties into the second key to effective standardization: notifications.
Only by having an up-to-date inventory regularly compared against an up-to-date policy can you be notified in real time when something changes. Change-driven notifications ensure that once the inventory has been brought in line with the policy, it won’t get out of line again without someone knowing about it. This makes for a more realistic process by which changes are made and verified. Unscheduled changes no longer fly under the radar and if the company software standard changes, the policy can be modified and systems can be monitored as they are brought in line with it.
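The comparison and change-driven notification described above can be shown in a few lines of Python. This is an added example, not part of the original article and not UpGuard's code; the host names, package versions and the exact-match version rule are constructed assumptions.

```python
# Constructed policy: required packages pinned to an exact version, plus banned
# ones. A banned value of None bans every version; a string bans only that one.
POLICY = {
    "required": {"openssl": "3.0.13", "openjdk": "17.0.10"},
    "banned": {"telnetd": None, "php": "5.6.40"},
}

# Constructed inventories from two scheduled runs: {host: {package: version}}.
RUN_1 = {
    "web01": {"openssl": "3.0.13", "openjdk": "17.0.10"},
    "web02": {"openssl": "1.1.1w", "openjdk": "17.0.10", "telnetd": "0.17"},
}
RUN_2 = {
    "web01": {"openssl": "3.0.13", "openjdk": "17.0.10", "php": "5.6.40"},
    "web02": {"openssl": "3.0.13", "openjdk": "17.0.10", "telnetd": "0.17"},
}


def audit(policy, inventory):
    """Return the set of (host, kind, package, found_version) violations."""
    findings = set()
    for host, installed in inventory.items():
        for pkg, wanted in policy["required"].items():
            have = installed.get(pkg)
            if have is None:
                findings.add((host, "missing", pkg, None))
            elif have != wanted:
                findings.add((host, "wrong_version", pkg, have))
        for pkg, banned_version in policy["banned"].items():
            have = installed.get(pkg)
            if have is not None and banned_version in (None, have):
                findings.add((host, "banned", pkg, have))
    return findings


def drift(previous, current):
    """Change-driven view: what appeared and what was fixed since the last run."""
    return {"new": sorted(current - previous), "resolved": sorted(previous - current)}


def compliance(policy, inventory):
    """Fraction of hosts with no violations, for the management report."""
    bad_hosts = {finding[0] for finding in audit(policy, inventory)}
    return (len(inventory) - len(bad_hosts)) / len(inventory)


if __name__ == "__main__":
    print(drift(audit(POLICY, RUN_1), audit(POLICY, RUN_2)))
    print(f"compliant hosts: {compliance(POLICY, RUN_2):.0%}")
```

Storing each run's findings gives the audit history, and alerting only on the "new" list keeps a long-standing violation from drowning out an unscheduled change.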
The third key to effective standardization, integration, requires that your standardization solution tie into all applicable systems, be robust enough to scale with your business and be extensible enough to meet future technological needs. Most shops run a multi-platform data center along with one or more flavors of network equipment. To truly standardize across the board, you need visibility into all of these systems and the ability to easily track variance in them over time.
If we go back to the idea of earning the (perhaps not wholehearted) support of management by implementing this process, it should be clear how having this inventory and policy data ready at hand, with histories of those inventories and policies, would serve as powerful business metrics. Executive reports and other summaries would give management the visibility and objective measurements they need to make informed decisions.
Usually everyone wants to accomplish the same business goals, and software standardization provides several benefits along the way. For IT teams, it increases resiliency and reliability while reducing troubleshooting time: you know what is where and maybe more importantly, what shouldn’t be there. Software on which other applications depend will be the right version. No legacy artifacts or unapproved installations are creating vulnerabilities. For management, it means a window into the software profile of the data center as well as metrics on policy changes such as version upgrades, making it easier to align IT process with business goals.