
The Role Of ITSM In The Cloud, DevSecOps, And Container Era

Published 12/09/2022


Written by Sandeep Shilawat, Cloud and IT Modernization Strategist, ManTech.

Originally published by Forbes.

Over the last two decades, ITIL has become the de-facto industry standard for managing IT services. IT service management tools and processes were developed and implemented to execute ITIL standards. This gave rise to the IT-as-a-service (ITaaS) model and helped promote utility-based consumption of IT services.

With the advent of cloud and DevSecOps, the information technology service management (ITSM) model drew significant scrutiny due to differences between the fundamental principles on which ITSM tools are built and the expected behaviors of assets in new technologies.

The assumptions about centrally stored configuration items and age attributes of assets in configuration management databases (CMDBs) have made it harder for the existing portfolio of ITSM tools to meet the demands of cloud computing technologies and DevSecOps processes. This issue is significantly complicated by the advent of container-based technologies.

Cloud Computing And ITSM

The evolving computing environment is far too complex to be stored in a single CMDB, the typical ITSM standard under the ITIL model.

On average, every enterprise has at least five different cloud vendors, which means hybrid clouds and multicloud environments are today’s reality. Thus, a CMDB must cater to five asset sources to track the configuration items. These assets are not easily accessible and are highly volatile due to their elastic nature. In many cases, the cloud service provider cannot provide details of assets with the fidelity required by the CMDB due to a shared responsibility model. Further, some assets might exist only for a few seconds to improve capacity before they disappear.

Then there is an entirely new class of virtual assets that depend on a different management philosophy than the traditional configuration items (CIs) the CMDB tracks. The dependencies among these assets are highly complex and graph-like in nature. No CMDB is graph-based, so each requires complex data structures to store this information. Cloud service providers offer key performance indicators (KPIs) only for services, not underlying components, which makes it harder to model these new systems through traditional ITSM models.

The federated and composite nature of the services shared among multiple clouds and on-prem environments means that concepts like recovery time objectives (RTO) and recovery point objectives (RPO) must be revisited. Traditional ITSM tools, designed to reduce downtime through accurate reporting of asset dependencies, are inadequate due to the distributed nature of data in different cloud environments.

Containers, Microservices And ITSM

Container technologies are fast becoming the tool of choice for application processing in cloud computing environments. They provide consistency, letting developers work seamlessly among cloud vendors, on-prem and virtual environments. Descriptive files define these containers, which run under the control planes of orchestration tools and on container runtime engines. These orchestration platforms further encapsulate the containers in clusters and pods and provide self-healing capabilities. The nature of these assets makes it difficult for ITSM tools to track them as assets and CIs in the CMDB.

Finally, microservices, atomic and self-sufficient units of code that provide business services, also create asset tracking challenges. Cloud services providers administer microservices as a managed service with just resource numbers and DNS names as identifiers. They run unique processing techniques in shared computing environments, the details of which are hard to trace. These units can also be very hard to track in a traditional CMDB.

DevSecOps And ITSM

A DevSecOps framework can help manage application development, migration and operations supply chains. Based on agile thinking, these processes aim to quickly deliver business benefits to customers while minimizing failure risks. DevSecOps enables fully automated production delivery using automated security and functional testing.

ITSM processes, on the other hand, use change advisory boards to review all changes and go to production using quality gate-based processes. On this point, ITSM processes very often collide with DevSecOps processes during change management. The formation of quality gates and the application of DevSecOps processes only in lower environments lead to a reduction in delivery speed and fewer consumer benefits.

On the other hand, many IT enterprises were restructured during 2010 on an ITIL/ITSM model and do not cater to DevSecOps models. Many commercial and public sector organizations that operate in highly regulated environments still struggle with concepts of multiple deliveries of code daily using DevSecOps.

How Do We Leverage ITSM As Technology Evolves?

The CMDB sits at the heart of ITSM processes under the ITIL model. In a diverse and composite environment, however, the current design of the CMDB is simply insufficient. The CMDB must be federated among multiple sources, delegating the systems of record. This will lead to a control plane managing CIs and assets among different systems and a data plane that will facilitate data flows among different CMDBs. This will also potentially lead to different dashboards for viewing CMDB data because having a single-pane-of-glass view in real time may not be economical. CMDB database structures need to track dependencies, which will cross network boundaries among different providers and must also be joined with on-prem environments.

To succeed, ITSM processes must look beyond demand and capacity management in terms of compute, storage and networks. Hyperscale cloud service providers promise infinite capacity for any set of demands, reducing the importance of these processes in terms of physical infrastructure. The ITSM processes stay important, but primarily in the context of service performance indicators and in their economic context. Most importantly, ITSM processes should consider shared responsibility models for different types of cloud services such as IaaS, PaaS, and SaaS and provide rules for differentiated handling.

Finally, ITSM models must focus on business-based KPIs such as IT business management, using outputs as indicators of IT performance where cloud service providers completely manage services.

ITIL responded to technology trends by shifting from an IT process focus to a value streaming one. ITIL version 4.0 focuses on iterative development and IT velocity, thereby incorporating DevSecOps. However, ITIL’s framework and related tool set have a long way to go to meet the demands of modern technology platforms. CIOs and other IT managers should recognize the limitations of these tools and processes.
