Approach an off-premises systems management service with caution

With an IT platform spread across on-premises and hosted platforms, operations teams need systems management tools that take hybrid integration -- and data security -- seriously.

An IT administrator needs suitable tooling to monitor, manage and measure the entire platform, no matter where those IT resources reside.

When IT estates were primarily centralized, on premises and physical, admins could install and use traditional systems management tools: IBM Tivoli, HP OpenView, BMC Patrol, CA Unicenter -- many of which have since evolved into other product suites. But the world has changed.

Virtualization requires systems management to look at both the physical and logical worlds; public cloud opens wholly new territory outside of the admin's physical control.

Cloud adopters have created hybrid platforms that mix private workloads alongside public infrastructure (IaaS), platform (PaaS) and software as a service (SaaS).

Even though it is still possible to monitor such a dispersed and disparate IT platform with on-premises tools, many organizations turn to cloud-hosted systems management services, which are not only more cost-effective but also better able to keep pace with changes in standards, best practices and threats to hybrid IT deployments.

Cloud systems management access

Systems management as a service requires a change in mindset -- and an awareness of what a move to cloud-based tooling actually means.

A subscription-based systems management service removes upfront license costs; the on-premises hardware, OS and supporting software needed to host the tool; and the regular patch and update maintenance that goes with them. All of these become the vendor's responsibility: as long as the systems management functionality works, administrators can get on with their core job of ensuring high availability and functionality across the IT platform.

For many organizations, though, there is one major problem: an off-premises systems management setup requires that the IT organization allow the management service through the firewall to gather enough information about operations to rapidly and effectively identify issues and take remedial action.

This collection reaches right into the heart of the IT platform. Much monitoring can be done over Simple Network Management Protocol (SNMP) and similar telemetry that carries little sensitive content, with one caveat: SNMPv1 and v2c send their community strings in clear text, so only SNMPv3 with authentication and privacy should be exposed beyond the perimeter. Log files are a different matter. While scraping logs from individual pieces of equipment, a systems management service can pick up commercially sensitive data, and in some cases device logs and exported configurations contain usernames and passwords in plain text.

A systems management service's remediation capabilities raise the biggest worry of all. An external service, reaching in through the firewall, has permission to change the IT platform remotely: is this a good idea?

Yes, as long as the IT team takes the right steps to mitigate any issues.

Safe and secure as a service

Vet the systems management service provider by asking these questions: What steps does it take to secure customer data end to end? Is it certified to ISO 27001, with controls implemented along the ISO 27002 guidance, and what does the certificate's scope actually cover? How does it archive or destroy the data it receives from a customer's systems, and after how long? Are all customers' data stores combined in one large database, or partitioned per tenant? Will the service provider redact certain information as it is ingested, such as username/password pairs or data that can identify the organization, its employees, suppliers or customers? Get the answers in writing, not just in a sales conversation.

Isolate the problem

ISO 17799 is the precursor to ISO 27002, which guides organizations on planning, implementing and managing information security controls. Certification is against ISO 27001 only; ISO 27002 is the code of practice that describes how to implement the controls ISO 27001 requires, so a vendor that claims to be "ISO 27002 certified" should be questioned. A vendor holding a current, independently audited ISO 27001 certificate whose scope covers the systems management service should present a reduced security risk to its users, but the certificate attests to a management system, not to any particular technical control, so the questions above still need answering.

The IT team controls the service provider's access, so make that access read-only. Give the provider SNMP read-only credentials (an SNMPv3 user with no write view rather than a read-write community string), ship log files through a collector the provider can read but cannot modify, and encrypt everything in transit (TLS) and at rest in the cloud so that a third party cannot intercept potentially sensitive data. Redact credentials and identifying data on the collector before anything leaves the perimeter, rather than relying on the provider to do it.
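The redaction step is the one control that stays entirely in the organization's hands, so it is worth seeing what it looks like in practice. The following is an added example, not code from the original article or from any systems management vendor: a filter assumed to run on the on-premises collector before log lines are shipped. Secrets (passwords, SNMP community strings, HTTP Authorization headers) are dropped outright, while identifiers such as usernames and the organization's own name are replaced with a keyed hash so the provider can still correlate events about the same entity without learning who it is. The sample log lines, hostnames, credentials and the "acme-corp" organization name are constructed for the example; the key would come from an on-premises secret store, not a literal.

```python
import hashlib
import hmac
import re

# Constructed sample: what a collector might scrape from a switch log and an HTTP
# access log. None of these hosts, users or secrets are real.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z core-sw01 login: user=jsmith password=Summer2024! src=10.1.2.3",
    "2024-05-01T10:00:05Z core-sw01 snmp: community=s3cr3tRW set-request from 10.1.2.9",
    "2024-05-01T10:00:07Z app01 https: Authorization: Basic YWRtaW46aHVudGVyMg== GET /api/orders",
    "2024-05-01T10:00:09Z app01 order placed for acme-corp id=44812 amount=1290.00",
    "2024-05-01T10:00:12Z app01 disk /var 91% full",
]

# Secrets are dropped outright: the provider never needs them to spot a full disk.
SECRET_PATTERNS = [
    re.compile(r"(\b(?:password|passwd|pwd|secret|community)=)\S+", re.IGNORECASE),
    re.compile(r"(Authorization:\s*(?:Basic|Bearer)\s+)\S+", re.IGNORECASE),
]

# Identifiers are pseudonymized instead, so the provider can still group events by
# user without learning who the user is.
IDENTIFIER_PATTERNS = [
    re.compile(r"(\b(?:user|username)=)(\S+)", re.IGNORECASE),
]

# Hypothetical: the organization's own name as it appears in logs. In practice this
# list comes from configuration, not a literal.
ORG_NAMES = ["acme-corp"]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier. The key never leaves the collector,
    so the provider cannot reverse the mapping or precompute it from a word list."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ID-" + digest[:12]


def redact_line(line: str, key: bytes) -> str:
    """Remove secrets first, then pseudonymize identifiers, on a single log line."""
    for pat in SECRET_PATTERNS:
        line = pat.sub(r"\g<1>[REDACTED]", line)
    for pat in IDENTIFIER_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + pseudonymize(m.group(2), key), line)
    for name in ORG_NAMES:
        line = line.replace(name, pseudonymize(name, key))
    return line


def redact_lines(lines, key: bytes):
    """Redact a batch; this is the only path by which data reaches the log shipper."""
    return [redact_line(line, key) for line in lines]


def leaks(lines, secrets):
    """Pre-ship check: return any raw secret that is still present in the output."""
    return [s for s in secrets if any(s in line for line in lines)]


if __name__ == "__main__":
    key = b"example-only-key-keep-on-prem"  # constructed; load from a secret store in practice
    out = redact_lines(SAMPLE_LINES, key)
    # Refuse to ship if any known secret survived the filter.
    assert not leaks(out, ["Summer2024!", "s3cr3tRW", "YWRtaW46aHVudGVyMg==", "acme-corp"])
    for line in out:
        print(line)
```

The `leaks` check is deliberately a separate function: the pattern list will never be complete, so the shipper should also be fed the credentials the organization already knows about (from its secret store) and refuse to send a batch in which any of them appear verbatim. Operational lines such as the disk-space warning pass through untouched, which is what the provider actually needs.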

Compare the actions the systems management service could take against your organization's risk profile. Letting the service take every action automatically is not a good idea. Instead, send alerts directly to systems administrators, complete with recommended steps, so that the humans responsible for protecting the organization can review each recommendation and carry out the remediation manually.

Once this works, the cloud systems management tool can integrate directly with the help desk ticketing system so that alerts raise trouble tickets automatically, and policy rules can then be applied to those tickets. Again, start slowly. Require manual signoff on all actions, and require manual approval for any action on business-critical applications and services. As the service proves itself, automate more remediation actions, gaining faster rectification, lower downtime and higher system availability without fear of uncontrolled change.

These rules prevent the management service provider from changing the organization's IT platform directly, which is a necessary precaution. Enabling the ticketing integration does require that the organization allow the service provider some write access through the firewall, but this is manageable if the provider can write only to a single ingest point (the ticket queue, never the managed systems themselves), from which the help desk applies policy rules to decide what happens next.
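To make the "start slowly, automate as the service proves itself" policy concrete, here is an added example of the gate that sits between the ingest point and any change to the platform. It is not code from the original article or from any vendor's product. It assumes the provider can only drop recommendations onto one agreed channel, that a list of business-critical targets exists, and, as a hypothetical ramp, that an action may run unattended only after a configurable number of administrator-approved manual runs on non-critical targets have succeeded. The channel name, hostnames, action names and threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Route(Enum):
    AUTO = "auto"      # applied unattended by the in-house automation runner
    TICKET = "ticket"  # raised in the help desk; an administrator signs off first
    REJECT = "reject"  # malformed, or did not arrive through the agreed ingest point


@dataclass
class Recommendation:
    """One item the management service writes to the single ingest point."""
    source: str    # channel it arrived on; only the agreed ingest point is trusted
    target: str    # host or service the action applies to
    action: str    # e.g. "restart_service", "expand_volume", "reboot_host"
    severity: str  # "low", "medium" or "high"
    detail: str    # recommended steps, passed through into the ticket text


@dataclass
class Policy:
    ingest_channel: str
    critical_targets: set        # always manual, whatever the action's history
    automatable_actions: set     # actions that are ever allowed to run unattended
    approvals_required: int = 5  # hypothetical ramp threshold (assumption, not from the article)
    approvals: dict = field(default_factory=dict)  # action -> approved manual runs so far


def route(rec: Recommendation, policy: Policy) -> Route:
    """Decide how one recommendation is handled. The provider's item is advice; this
    function, running inside the organization, is what decides whether anything changes."""
    if rec.source != policy.ingest_channel or not rec.target or not rec.action:
        return Route.REJECT
    if rec.target in policy.critical_targets:
        return Route.TICKET
    proven = policy.approvals.get(rec.action, 0) >= policy.approvals_required
    if rec.action in policy.automatable_actions and proven:
        return Route.AUTO
    return Route.TICKET


def record_manual_success(policy: Policy, rec: Recommendation) -> None:
    """Called by the help desk workflow after an administrator approved the action and
    it ran cleanly. Runs on critical targets never count towards automating an action."""
    if rec.target not in policy.critical_targets:
        policy.approvals[rec.action] = policy.approvals.get(rec.action, 0) + 1


def raise_ticket(rec: Recommendation) -> dict:
    """Shape of the help desk ticket: recommended steps for a human, not a change order."""
    return {
        "title": f"[{rec.severity}] {rec.action} on {rec.target}",
        "recommended_steps": rec.detail,
        "status": "awaiting_signoff",
    }


def process(recs, policy: Policy):
    """Route a batch from the ingest point; returns (recommendation, route, ticket or None)."""
    results = []
    for rec in recs:
        decision = route(rec, policy)
        ticket = raise_ticket(rec) if decision is Route.TICKET else None
        results.append((rec, decision, ticket))
    return results


def example_policy() -> Policy:
    # Constructed values: names and the threshold are illustrative only.
    return Policy(
        ingest_channel="mgmt-service-queue",
        critical_targets={"db-prod01", "payments-api"},
        automatable_actions={"restart_service", "expand_volume"},
        approvals_required=3,
    )


if __name__ == "__main__":
    policy = example_policy()
    restart = Recommendation("mgmt-service-queue", "app02", "restart_service", "medium",
                             "nginx unresponsive; restart the service")
    print(route(restart, policy))  # TICKET: the action has not proven itself yet
    for _ in range(3):
        record_manual_success(policy, restart)
    print(route(restart, policy))  # AUTO: three approved manual runs on a non-critical host
    print(route(Recommendation("mgmt-service-queue", "db-prod01", "restart_service",
                               "high", "postgres unresponsive"), policy))  # TICKET: critical
    print(route(Recommendation("email", "app02", "restart_service", "low", ""), policy))  # REJECT
```

Two design points matter more than the threshold value. First, the provider's write access ends at the ingest point: nothing in `route` or `process` executes a change, and the actual runner only ever receives items that the organization's own policy marked `AUTO`. Second, critical targets are excluded from the ramp entirely, so a well-behaved action on test hosts can never quietly earn the right to restart the payments database.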

Choosing the wrong service provider can be catastrophic: poor systems availability, damaging data leaks and outages caused by incorrect remedial actions are all possible. Check that the provider has existing customers that are happy with how the systems management service works, and ask whether the vendor has enhanced its service over time to keep up with changes in how hybrid platforms work. For example, a cloud systems management tool should ingest data from third-party IaaS, PaaS and SaaS platforms during root cause analysis and incident remediation.

While it requires new processes and controls, a third-party systems management service frees up IT operations from the task of running a tool on-premises. In addition, as-a-service systems management more easily keeps pace with the rate of change in modern IT.
