4 New Principles of Change Management
IT can evolve gradually to cloud-scale patch and update management. You can prepare for the future and still make things better today by applying these four principles.
By Shawn Edmondson, Vice President of Product Strategy, rPath
Like any IT revolution, cloud computing may have started with a combination of both hype and confusion, but it did not take long for this technology to become a gritty reality for IT. Let's look at that reality from a patch and update point of view. How does today's patch methodology fare in a cloud world, and what are the practical snags to watch out for? What's the right architecture for the future -- and can we improve the present in a future-compatible way?
The New Software Landscape
Cloud is here. You can see it in the success of Amazon EC2 and the explosion of investment in enterprise private cloud. Most of the attention is on the cloud infrastructure because it radically changes the cost structure and agility of compute, network, and storage.
What about enterprise software? After all, business outcomes depend on applications, not virtual machines.
Here's a quick primer on what happens when cloud slams into the enterprise application landscape. The most dramatic effects are self-service, multi-tenancy, and new system life expectancy.
Self-service, not infrastructure cost, is what sells lines of business on private cloud. No more filing a ticket and waiting months for your database to go live. Lines of business expect to control their own application deployment life cycle through a self-service portal. That decentralized control gives better business alignment but increased system diversity.
Multi-tenancy shows up at every level of cloud. It's not just shared hardware and disk shelves under your VMs. Cloud enables multi-tenant application components, such as common Web services, databases, and message busses.
Finally, system life expectancy is dramatically different -- and almost always shorter -- in the cloud. Lines of business can spin up application capacity to respond to short-term business demand. Cloud also enables full agile development and continuous delivery, leading to rapid deployment and update cycling in IT.
If you're a line of business, cloud is the central IT you always wanted.
Cloud Impact on Patch and Update
Unfortunately, cloud is a headache for architects and operations managers in charge of compliance, patching, and application updates. Here are just a few of the practical issues that arise when traditional patch/update best practices meet the cloud.
Lines of business take advantage of cloud agility and self-service to better connect with their customers. This translates to more systems on the Internet, which ultimately also means more security exposure. As so many recent enterprise embarrassments have demonstrated, hackers are getting faster and more sophisticated at exploiting these security mistakes.
The torrid pace of application updates poses two problems. Someone has to manage the actual implementation of all those updates. Worse, rapidly changing applications -- and multi-tenant shared application components -- have rapidly changing interactions with OS and middleware patches. It's hard enough to test a proposed patch for application compatibility in a traditional environment – on-demand application life cycle makes it impossible. The inevitable result is patch paralysis, noncompliance, and public consequences.
Last but not least, we have an explosion in system diversity thanks to self-service. IT has been striving for decades to standardize environments, but self-service gives lines of business the personalized control they always wanted over the application deployment lifecycle, making it harder than ever to reduce the number of unique combinations of OS, middleware, and application software.
Even organizations that have already invested in patch and update automation are in for a rude awakening. Traditional, independent OS, middleware, and application teams will find that the change review board is simply incapable of preventing conflict at cloud scale.
Architecting for the Future
IT can evolve gradually to cloud-scale patch and update management because its principles improve productivity and compliance in pre-cloud environments as well. You can prepare for the future and still make things better today.
Principle #1: Take a holistic, application-oriented approach to business service management.
The days of independent teams separately managing OS, middleware, and application layers are over. New security patches must feed into the same test cycle as application updates. New application releases must release on current, secure foundations on Day 1.
Principle #2: Embrace automation.
Cloud forces this choice. The old approach of starting with manual process, then automating the hot spots, doesn't work when anything and everything can be a hot spot. Every layer of a system must be deployable, updatable, and configurable automatically -- otherwise, systems will go unpatched or business demands will go unmet.
Principle #3: Use standardized building blocks.
IT needs standardized building blocks -- modular components, such as operating systems, middleware stacks, patch policies, and applications -- that application teams can assemble into secure, ready-to-deploy systems. A modular software library is the agile way to combine layer-specific expertise from multiple teams.
Principle #4: Keep up to date.
As enterprises embark on designing their next-generation cloud architectures, patch and update must have a first-class seat. It's too easy for infrastructure concerns to take over cloud decision making.
With these principles, you can build an application cloud instead of an infrastructure cloud. If your cloud vision is limited to self-service compute, network, and storage, you are not solving the business problem. Business outcomes depend on applications -- and applications depend on consistent, reliable patches and updates at any scale.
Shawn Edmondson is the vice president of product strategy at rPath, where he is responsible for driving strategic direction for the company's technologies and business objectives. You can contact the author at firstname.lastname@example.org