The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. A quick visit to the home page of the official ITIL website confirms that “ITIL is the most widely accepted approach to IT service management in the world.”
Now over 20 years old and on its third version, ITIL provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the organisation.
Before we go any further, it’s worth clarifying that ITIL is not a method, tool or standard – it is a cohesive set of best practices, drawn from the public and private sectors internationally.
A bit more background
The evolution of computing technology in the 80s moved from mainframe-centric infrastructure and centralized IT organisations to distributed computing and geographically dispersed resources. While the ability to distribute technology introduced flexibility for organisations, unfortunately it had a sting in its tail – often producing inconsistent application processes for technology delivery and support.
The UK’s Office of Government Commerce first identified that, by introducing consistent practices for all aspects of a service lifecycle, it was able to create organisational effectiveness and efficiency as well as predictable service levels. ITIL was born.
Many organisations understand that adopting ITIL practices can offer a huge range of benefits that include:
- improved IT services
- reduced costs
- improved customer satisfaction through a more professional approach to service delivery
- improved productivity
- improved use of skills and experience
- improved delivery of third-party services
Why the ITIL story isn’t all good news
However, according to the experts, ITIL initiatives often fail. This is because employees and organisational factions try to circumvent newly implemented service management controls. Instead, they continue to make changes to critical IT components and services without the reviews and sign-offs that are required for the ITIL process to succeed.
A quote that comes to mind is “What is often overlooked is that if one person can single-handedly save the ship, that one person can probably single-handedly sink the ship, too” – Source unknown.
There are a number of well-known, independent books on the subject, such as “The Visible Ops Handbook”, in which the authors make a strong case that unless you’ve got a way to prevent unauthorized changes to systems and applications, there’s a good chance that your ITIL implementation will fail. Their advice is to use passive monitoring solutions to detect unauthorized changes. The four steps they recommend are to:
- Identify who made the change
- Determine what they changed
- Decide if it needs to be reversed and, if so, how that can be done
- Finally, work out how to prevent it happening again in the future.
Now, while that’s great advice, we’d argue that advancements in technology have provided more compelling options.
An active approach
Today more organisations have adopted an active approach to prevent destructive changes instead of simply detecting them. Rather than respond to each unauthorized change, IT management can now take advantage of software that allows them to determine in advance who can change configuration settings, at what time, with the least privileges necessary – while fully documenting the stated purpose of each change.
Because this category of software – called Privileged Identity Management (or PIM) – provides an authoritative record of who accessed what system or application, when and for what purpose, it helps to create a culture of accountability within IT.
Best-of-breed PIM solutions also integrate with SIEM systems to tie individuals to any security events that may result from their privileged access. And PIM can make it much easier for management to demonstrate regulatory compliance when it comes to control of the powerful administrative logins used by IT staff.
The four steps
Critically, PIM software can help to avoid ITIL failure by automating the four steps it takes to secure privileged access to systems, applications, and network hardware:
1. PIM identifies all of the privileged accounts on the network that grant access to change configuration settings or access sensitive data, along with their interdependencies.
2. It helps you configure and enforce rules to delegate privileged access to every IT resource, so that only authorized personnel can access privileged accounts in a timely manner, using the least privilege required, with documented purpose, only during designated times.
3. PIM software helps you enforce rules for password strength, uniqueness and change frequency, synchronizing changes across dependencies – to prevent unauthorized insiders, hackers, and malicious programs from ever gaining access to change configuration settings or view sensitive data.
4. It helps you audit and alert so that the requesters, purpose and requested duration of each access are documented and management is made aware of unusual access and other events.
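Steps 2 and 4 can be pictured as a default-deny policy check followed by an audit record for every request. The sketch below is an added example, not code from any PIM product; the rule format, account names, change-ticket numbers and the repeated-denial alert threshold are all constructed for illustration.

```python
from collections import Counter, namedtuple
from datetime import datetime, time, timedelta

# Constructed rule and request formats (assumptions, not any product's schema).
Rule = namedtuple("Rule", "role account start end max_minutes")
Request = namedtuple("Request", "user role account purpose when minutes")

RULES = [
    Rule("dba", "db01:sa", time(8), time(18), 60),
    Rule("netops", "core-sw1:enable", time(22), time(4), 120),  # wraps midnight
]
DAY = datetime(2024, 3, 4)
SAMPLE = [  # constructed requests
    Request("alice", "dba", "db01:sa", "CHG-1001 index rebuild", DAY.replace(hour=10), 30),
    Request("bob", "dba", "db01:sa", "", DAY.replace(hour=10), 30),
    Request("bob", "dba", "db01:sa", "CHG-1002 patch", DAY.replace(hour=23), 30),
    Request("carol", "netops", "core-sw1:enable", "CHG-1003 firmware", DAY.replace(hour=1), 90),
    Request("dave", "helpdesk", "db01:sa", "routine check", DAY.replace(hour=11), 10),
]

def in_window(t, start, end):
    """True if t is in [start, end); a window like 22:00-04:00 wraps midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def decide(req, rules=RULES):
    """Default deny: return (granted, reason, expiry)."""
    if not req.purpose.strip():
        return False, "no documented purpose", None
    for r in rules:
        if (r.role, r.account) != (req.role, req.account):
            continue
        if not in_window(req.when.time(), r.start, r.end):
            return False, "outside designated time", None
        if req.minutes > r.max_minutes:
            return False, "duration exceeds limit", None
        return True, "granted", req.when + timedelta(minutes=req.minutes)
    return False, "account not delegated to role", None

def audit(requests, rules=RULES):
    log = []
    for q in requests:
        ok, reason, expires = decide(q, rules)
        log.append({**q._asdict(), "granted": ok, "reason": reason, "expires": expires})
    return log

def alerts(log, threshold=2):
    """Users with repeated denials: unusual access for management to review."""
    denied = Counter(e["user"] for e in log if not e["granted"])
    return sorted(u for u, n in denied.items() if n >= threshold)
```

Denied requests are logged alongside granted ones, so the audit trail records attempts as well as successful access.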
Information technology brings innumerable benefits and yet can be dauntingly complex to manage. That is why ITIL came into existence 20 years ago, continues to evolve today, and is heralded as the world’s de facto framework for service management. Unarguably, following ITIL guidelines will realize many benefits for the organisation. Nonetheless, not every process or practice will automatically be understood by your end-users.
While it’s human nature for individuals to circumvent what they consider to be a ‘blockage’, especially if they don’t understand the reason for its introduction, it’s also unrealistic for every element of each process to be communicated to everyone. Organisations need a way to ensure their largest asset – their people – don’t become their biggest problem. Using another proverb, businesses need to prevent ‘one bad apple rotting the barrel’.