Incident Management Made Easy: The New OpenSSL Vulnerability

OpenSSL hit the news again today with a new vulnerability. With this coming on the heels of April’s revelatory discovery of the Heartbleed vulnerability, incident management is at the forefront of business managers’ and executives’ minds. And Incident Management is one of the many reasons why a CMS, made possible with the Effectual PIE Framework, is indispensable.

As a change management professional, how can you be certain that your change requests are actually solving the problem? How confident are you that everything that needed to get done actually got done? How do you know for sure that the right change was made? Technology should not be a matter of faith, but a matter of fact.

This is why automation is so essential. Manual reporting methods can be incomplete; there is always a risk of human error. If even one of your servers remains insecure, then your whole enterprise could be at risk.

The new vulnerability gave us the opportunity to help our customers understand the scope of risk and cost impact associated with the new announcement. There was never any confusion around which server belonged to which services, and which services were related to which budget lines and cost centers. That same important information was available when opening, reviewing and approving a request for change.

In the image below, the OpenSSL issue is qualified against a customer CMS. We immediately knew scope and costs. We knew who was responsible for the change and the right parties were notified. In the context of an HPE CMS for SACM, this is what a real customer environment looks like (although the names are removed from the objects).

[Image: CCS Injection business impact]

The numbers at the top of the image will increase as the numbers at the bottom decrease. The data values at the top are from Asset and Service Manager. The information on the bottom shows service maps tied to the catalog, and the affected servers (ordered by the service catalog business applications).

The business applications below are tied to location, persons, responsible organizations, assets in an infrastructure context, cost center and budget line items. As the IT Process Records mature and Tasks are completed, the number of impacted servers in each of the Business Applications below shrinks, while the number of Tasks and the Costs increase.

This picture shows the current Incident exposure and the cost of the work spent resolving the Incident itself. As the Incident is escalated, the affected CIs and the related IT Process Records for Change are automatically linked. All costs, time, effort, and change are related to one set of good data operating in UCMDB.

Problems of this magnitude don’t happen every day, but operational gaffes do. A service request may be opened in one system, but the effects of the change may be visible in another system. The two systems may have mismatched details, or errors of their own. If you don’t have visibility and basic accountability to a configuration management lifecycle for a change, you’re at best increasing work overhead. At worst, you’re making bold and risky assumptions about the outcome.

But the ability to connect the dots between facts about your infrastructure, services, and the impact of changes to them is not as far away as you might believe. Process maturity and advanced use cases related to change management, like CLIP and CCRM, become much less difficult to achieve when tools and data are easy to understand, when they integrate automatically, and when they simply work well.

HPE Software provides incredible features and capabilities. Effectual focuses on simplifying and automating the complex parts of the process. Combine the two, and you get results that are feature-rich and reliable, allowing you and your team to keep your focus where it should be: on reducing costs, increasing efficiency, and properly mitigating risk.