Wow skeptic! This time you hitted hard and it hurts!
You are right in the fact that this is really difficult to get up and running. I think that a medium CMDB is a need and it is quite feasible, but only if you forget the auto-discovery and the manual entries to the database. I always recomend to go straight to the source: ¿Where it all start? In the ordering system. Whenever you buy it, you insert it into the CMDB and by discipline (important thing here!) whenever you throw it, you deactivate it in the CMDB.

It's not an easy thing, but I'm wishing to read on how to govern it without a CMDB.

Regards,
Antonio

It´s right, there is no standard for a CMDB, yet. That might change in the future though, as some vendors (HP, IBM, BMC Software and Fujitsu Limited, as well as CA) seem to work together to get a standard running, see http://www.itsmwatch.com/news/article.php/3608331 for more info.

Whilst I understand that compiling the CMDB is a mammoth task there are two things that this post immediately made me think of:

1. ITIL is IT Infrastructure. One of your examples mentions "(tanks, trucks, warehouses, shops…)". Where does a truck fit into IT as far as the CMDB is concerned?

2. I have only done ITIL Foundation recently (I found out today that I passed the foundation exam). One of the things that the course trainer kept mentioning is that ITIL is not mandatory. It's a set of guidelines that an organisation can "adapt and adopt" to suit their needs.

Last year, over four months or we did a complete audit of every IT asset in our organisation. We captured something like 40,000 assets and recorded all that information in our CMDB and immediately we are seeing benefits with licencing, move management, change management, and problem control to name just a few.

Yes, it took an organisation of 35 people over four sites, four months alongside "business as usual" to complete, but as far as the IT organisation is concerned it was time well spent.

I have had similar concerns and written about these here (http://servicecatalogs.typepad.com/servicecatalogs/2006/04/what_is_the_rel_1.html). It's clear there are pragmatic wins for managing change, but the one ring to rule them all hype gets in the way. Here's post on the relationship between service catalogs (my blog) and the CMDB.

The achilles heel is not just the sheer amount of stuff to be discovered but the fact that some aspect of those relationships are always changing. For example, in the U.S. SOX compliance has required that IT understand and track the relationship between application access, people's roles and financial results in a new way -- none of that is in the CMDB today and nor is it discoverable.

My blog: http://servicecatalogs.typepad.com/servicecatalogs

You know what, Mr. Skeptic? A friend of mine told me some time ago that I am a secondary person. With the term "secondary" he wanted to express that I don't use to follow primary instints and I use to think about what I want to say, so I'm not good for quick discussions.

I've been thinking, and I wanted to express my opinions about your (incomplete) posting (i mean incomplete because I'm waiting for the next one: how to survive without a CMDB) :-)

1.- About the point that it is impossible to track all the CIs: my opinion is that information starts in the beginning with that thing that you call "the asset list", when we place the order the CI appears. Then the configuration management PROCESS starts: as soon as the new object arrives to the company it is processed (and the information is modified), and as soon as the CI is installed we hace 50% chances that it will be detected by our discovery tools and updated (a very common mistake is to let those discovery tools *create* the CI, and it should be allowed for automatic creation of new CIs). This update can be, for example, add the relationships that the tool can discover.

2.- About the number of CIs: yes, we can have tons of Cis. I think that a good and strong Release Management can help us a lot.

3.- About Relationships and its need. I think that all will depend on the maturity level of the company. At least, 90% of companies where I have done ITIL work they were not mature enough to have the imperious need for Impact Analysis derived from CMDB and relations between CIs. May be this is not the final focus. You can a good maintenance contract management, good support, good "going live" preparation, etc. And, of course, you don't have to maintain the same CMDB detail level and relationship level for all the areas in your CMDB. I mean that you can have detailed relationships in those areas where the ROI is better.

4.- And lastly... a company with 100.000 objects in the CMDB is a big company... I bet that they will have 100.000.000 movements in their annual accounting system. And they *can* manage the acounting. How? With something that accountants have, but IT people use to leak: DISCIPLINE. My company is a small one, but I really flip out when I see how the girls at the accounting department work.

Of course, it is a really hard way and many times (if not used properly) it doesn't pay the money. That's why in some cases I agree with you.

Regards,
Antonio

Everything is related to everything, and in this world, made smaller by the Internet this is what you get.

Today published article:

http://en.itsmportal.net/news.php?id=2257

:-)

The CMDB is a GIS problem not an RDBMS problem. Mapping the infrastructure, the databases, the applications, the wires, the firewalls, the routers, the switches isn't impossible. We are just forced to use the wrong tools by the vendors that lack vision.

Change mangement is a spatial-temporal problem. Where is the change going to be made? When is the change going to be made?

You would even get further than the current offerings if you used MS Project with it's predecessor-successor mechanism, which just doesn't go nicely into an RDBMS.

I've doen ITIL. Nobody liked it. Nobody noticed that they were not getting called in over the weekend. But, the oncalls were doing less work over the weekends. The changes were made over those weekends. Less outages drove down the oncall impacts. But, nobody liked it.

People would refuse to close their change logs, refuse to take responsibility for process improvement, and tell me how production was more important, which was just a way of saying I'm dealing with reactive situations so much that I'll never get proactive.

ITIL is possible. But, not with the attitudes. Doing it has nothing to do with tools or effort. It has everything to do with people's attitudes towards it. Those attitudes are even manageable, if managment tried.

Skeptic,

I'm new to your site. First, let me say that I was pointed to this post by a colleage who spoke very highly of the content, here. I want to say that after reading many of the posts, myself, I have to agree with much of what you say.

Second, specifically to do with this thread, your post on CMDBs not being achievable (based on the constraints you mentioned) is "very" accurate. It's probably one of the most realistic looks at the implementation of a CMDB that I've seen in a long time. (If you're interested, I have a white paper I wrote last year that breaks down Configuration Management into his most primitive and common requirements, that span all areas of a business. You'll find that it matches your requirements, almost exactly.) I have shared your views on this topic for a number of reasons. I'll get to the details, down below, but first I'll say that my view comes from having managed many different organizations within small, medium, and large IT organizations in many different vertical industries. I believe that I came to the same conclusions you did, even if it was through a different path.

Before I go any further, I want to make it clear that I own and run a company that delivers ITIL related solutions and that we use "your" criteria for a CMDB as the foundation for our offering. I'm not trying to market our solution and I make no claims to our solutions being perfect (although I am biased and I do believe it's a better solution!) We do not believe in building and integrating a separate CMDB. We believe that a CMDB is a "side effect" of properly having all of your data connected, together. I stress the word "properly", as it ties back to your criteria: Reconciliation, Mapping and Visualization, and Synchronization. In short, we view a CMDB to be composed of 3 basic things: 1) An inventory of anything and everything, 2) Relevant descriptive data about each and every entry into each and every inventory, and 3) The ability to truly map and manage the details of each and every relationship. BTW, your description of the complexity of relationships was right on the money.

Anyhow, to support why the ITIL direction for a CMDB is flawed, I'd like to point out some flaws and/or limitations with ITIL, itself, that ultimately cause the definition of a CMDB to be inadequate. In other words, since ITIL has these issues, they trickle into the definition of the CMDB.

First, ITIL is only intended to cover IT Infrastructure "Support". It is weak on all the other areas of IT and general business management. Examples include but are not limited to:

- Up front design and development for Infrastructure
- Up front design and development for Software
- Non-IT Product Management and Development
- Manufacturing
- Business Finance
- Sales
- Marketing
- Etc.

Second, another "critical" flaw, in my opinion, is that ITIL only covers the Production environment and doesn't cover any of the other environments, such as Development, Systems Integration Testing, Performance & Stress Testing, User Acceptance Testing, etc. For example, if you're a QA tester and your test systems go down in your QA environment, to the point where your entire organization is down, you now have a Critical Incident and an Outage in your QA environment. ITIL does not properly address such issues. Any experienced manager will tell you that there is a huge quantity of relevant data/information that is generated and needs to be managed in each and every one of these environments before you can ever even conceive of managing your Production environment, properly. The data/information generated in any one up front environment is, itself, a dependency for the next environment in your product development and management pipeline. A good CMDB will cover each and every environment.

Third, a big issue with ITIL is that it conflicts with other so called best practice specifications, such as RUP, SDLC, AGILE, MSF, MOF, PMI, CobiT, etc. While each tries to cover different areas of IT, you'll see that they bleed across each other, many times in a conflicting manner. If you try to implement ITIL in an organization that already has one or more of these, you will instantly introduce conflict between stakeholders.

I can go into much more but these three should be enough to make the point.

As you can see from the above, ITIL's "scope" is only a very small piece of a very big picture. The bigger picture is managing the whole enterprise, itself, not just IT. Most stakeholders, especially in medium to larger companies, can't see the bigger picture unless they've been fortunate enough to move up through the ranks and manage large, multi-purpose, multi-regional organizations. This is why ITIL is instantly appealing to larger organizations than it is to smaller ones. In a small company you have a higher probability of wearing many hats/roles and, therefore, a higher probability of seeing a bigger picture and possible conflicts. Unfortunately, in a small company, you won't have access to "scale" issues that only come with bigger enterprises (Another issue, altogether).

Anyhow, a CMDB is something different to each and every stakeholder that exists in different parts of the enterprise. Think about this, if you ask a Software Engineer or Developer what their view of a CMDB is, it will be very different than the ITIL definition of it. If you ask a PMO resource what their view of a CMDB is, they will throw Project information into it. If you ask a non-IT Product Manager what a CMDB is to him/her, again, you will get a different description. If you ask a competent CIO/CTO what he/she thinks a CMDB is you'll probably get the closest thing to a realistic answer, as they are forced to deal with the bigger picture, each and every day. To these C-Level executives, an Asset is anything and everything they own and/or need to run their business.

The bigger picture issue is probably why your skeptism exists. You see a bigger picture based on experience and common sense. However, you also see the "intent" of ITIL, which is good. Its intent is to improve "IT". Not a bad premise and I think we all agree with this basic principle. But, because of its flaws and limitations, we all have room for skeptism.

Something non-IT infrastructure people should think about: "Assets" mean different things to different people. To a CxO, an Asset is anything and everything he/she owns, within the enterprise. Also an Asset does not have to be infrastructure related. If you're a financial company and you offer Mutual Funds, these are Assets you proactively manage. If you're an insurance company and you offer Term Insurance products, these are Assets you proactively manage. Non-IT Product Managers care about managing their Assests and the details around them just as much as any IT person. Now, to support your statement about large quantities of assets, if you total up anything and everything that you need to "track and manage", within your enterprise, the list is huge and your CMDB will fall short of taking all of this into account.

So, if you want to build a CMDB and you use "ITIL" as a guideline for specifying it, I agree, you will fall very short of where you need to be and do so burning a huge quantity of money, energy, and time. You will have very little to show for your efforts. However, if you use the basic principles of Knowledge Management as the requirements for your CMDB, you will at least be on the right track... until you realize what it costs to do so. These statements go back to your very first line, which states "CMDB can't be done... not with a justifiable return on investment of doing it". I believe it can be done and I'm betting my business on it. I just don't believe it can be done, properly, by an organization whose job it is to focus on a vertical industry that has nothing to do with CMDBs. It's worth my investment because I'm in the business of specializing in it. It's not worth your investment if you're in the business of anything other than providing a CMDB.

I throw this out to your community as food for thought: ITIL, by itself, is a very limited view of what is right or wrong. Its intent is correct but by itself it will conflict with best practices that come from other very solid and proven principles derived from drivers such as SDLC, RUP, MSF, MOF, PMI, CobiT, etc. You need to use your experience and common sense to come up with an answer that combines them all. Your enterprise can't exist with IT Infrastructure, by itself. You need Sales. You need Marketing. You need Development. You need Manufacturing. Etc.

It comes down to common sense, which, if you think about it, will probably tell you that there's good in all of those best practice specifications. The issue now becomes... "Who has the time to read, dissect, and understand all of them?" My poor wife and children had to deal with me taking the time to do so and I'm nowhere near being done!

Anyhow, I hope this information helps. I look forward to more of your posts.

Regards,

Frank Guerino
Chairman & CEO
TraverseIT
Frank.Guerino@TraverseIT.com
http://www.TraverseIT.com

OK so it has been superceded by a new book, and it is only a Complementary guidance, not the core set, but look what I found in the previous ITIL in Small IT Units book:

In many small units, taking the full ITIL approach to configuration management will not be worthwhile – the overheads of establishing and maintaining the configuration links will be too great. However, it is still essential to record assets accurately in some way.
When change requests are received, a small unit may well be able to assess them without using a designated change manager, by setting up and documenting appropriate consultation processes instead.

Now the number of managed objects may not increase linearly with increasing company size but it must be close. All you mathematicians out there; how does the number of permutations of those objects (an approximation for the number of multiple relationships between them) increase with increasing number? By a factorial! yes very good. For you poor non-mathematicians, it looks like an exponential i.e. it rockets up.

So if the (old) ITIL guidance acknowledges that a small IT unit will struggle to maintain a CMDB, how the frederick is a big IT unit going to cope??!?!!!?

I wonder if the new book says something similar???

In my experience most organizations are not culturally ready to tackle a CMDB even though it is in my view it is something that is inevitable.

Most IT organizations are at the very early stages of an evolution from technology-focused to service-focused. The challenge before us is how to convince both the IT techies and the business customer that IT does not simply manage hardware and software.

The evolution of a service mentality starts with the awareness that a customer facing service can not be understood to be collections of like technology segregated by domain, platform, or protocol. And that it is the rudimentary responsibility of IT to understand how any given IT component enables or disables a business process. Until this is known it is difficult to claim that IT is aligned to business goals.

The primary reason why an organization has multiple redundant solutions for managing data about their environement is a result of history, internal politics and IT procurement practices focused on the domain an not the enterprise. Based on a traditional technology management view each IT domain is managed as a unique function and procures tools for its own needs. From this perspective each group has separate data sources to manage their own CIs in protective isolation.

However what do you do when you realize that managing each domain in mythical isolation prohibits you from understanding the relationship of dependency between them? It is only when an organization begins to move to service orientation that this question becomes a burning issue.

In many IT organizations maturity around Configuration Management and Processes in general follows a similar pattern.

Level 1 – IT is Project and Portfolio Focused but Operationally Challenged.

Good processes and controls exist to evaluate, control and execute projects in order to ensure on time, on scope and on budget delivery of initiatives. However, once those projects arrive in production the controls evaporate. In this model little to no concern is given to the processes which need to receive and support the project deliverable once it is live. For this organization Configuration Management makes sense while the project is being developed but not a concern once the project is closed since the attention of management is now focused on the next big initiative.

Level 2 – IT Realizes that Availability and Reliability of Technology is Tied to Business Success

At this point focus is shared between project execution and the management of an IT operational environment. IT will begin to fund monitoring tools, develop rudimentary IT Inventory lists of assets and work on basic support processes such as a Service Desk and Change Management.

Level 3 – IT Realizes that Technology Components Don’t Live in Mythical Isolation

It is only when an IT organization realizes that availability and reliability have to be looked at from and end to end solution or in ITIL words a service view that the need for a CMDB begins to become an issue. It is also at this point that the organization is even ready to support the development and implementation of processes that are required to keep a central source of data up to date.

My Thoughts
Troy
http://blogs.pinkelephant.com/troy
Recently Posted a series on the different uses of the term "CMDB Federation"

Your article makes many interesting points. My rule of thumb is that there are no silver bullets and no perfect solutions, hard as we may try. I hate to use the words "Best Practices" because it implies that better practices are not being considered. So I think it is generally good to be skeptical of "conventional wisdom", since it is most often an oxymoron.

The OGC books describe practices that were observed in successful IT organizations. The ITIL documentation reflects the fact that some organizations have been able to manage their configurations successfully with the help of a CMDB.

What an organization will need to invest in a CMDB itself is a given: the increasing need for a successful CMDB is met by the increasing effort to achieve it. The more I need it, the more difficult it becomes.

The return on investment for a CMDB is threefold: (1) as a means for impact assessment for changes and incidents, (2) as a source of lifecycle information for IT resources, and (3) as a common reference point for resources and documentation among various processes.

The situation you describe is typical of many organizations: the IT configuration is unmanageable. A manageable configuration is not achieved by a CMDB in isolation. This means that the first problem is to achieve a manageable configuration, then populate the CMDB with it.

For example, you could be offering desktop users a choice between a "standard configuration" or an "ergonomic configuration", rather than managing individual pointing devices. If a better ergonomic pointing device is found or required, a new version of the ergonomic configuration is created. Release Management rolls out the configuration in phases, or as needed, or only for new deployments.

How would we get to this point? First, the services must be identified that meet the business needs (e.g. standard, ergonomic, high-availability application service, etc.). Then the configurations are planned by the Capacity, Availability and Continuity processes. Then the requests for change are submitted, evaluated and approved. Then the Release is planned, tested and deployed. Then the new configuration and its instances are documented in the CMDB.

I would not allow unmanaged or unmanageable configurations in the CMDB, because there would be no benefit. You need a CMDB available for configuration management, but let the configurations be managed as a prerequisite. Otherwise, you're only documenting chaos without yielding sufficient benefit from Service Management in general.

This way, a Configuration Item is an Item in a Configuration. The Configuration itself becomes an organizing principle for disciplined IT practice. Anyone involved in Service Management will need to convince customers, users, and IT staff that such discipline is in their best interest in terms of timeframes, quality, and cost.

To implement Configuration Management this way, Service Level and Release Management need to be brought into the foreground more than one normally hears about. Being skeptical of conventional wisdom myself, I tend to look at Service Level, Release, and Configuration Management as the first processes to implement. Then you want to improve their support with the remaining Service Support processes. Finally, the remaining Service Delivery processes improve the service and configuration planning.

...or I could be completely off base!

Thanks for your article and the thinking it inspires.

Mark

Hi Skeptic,

I read your strong statement against configuration management, whereas I would state that configuration management is the single most important thing that any project needs, and could be almost the only process that a project needs. I have real practical experience with resurrecting huge projects that have failed, so I don't start from an academically clean slate.

I would be interested in investigating whether we actually disagree, or you're using some definition of 'configuration management' from the ITIL standards. I don't know ITIL, nor do I wish to know. I don't know about a lot of other standards too, and I'm very pleased about that. My ignorance would not be noteworthy other than my status as a professional in the field that these standards are supposed to be about.

My definition of configuration management diverges at this point: "What set a CMDB apart from an ordinary asset register are the relationships, or links, that define how each CI is interconnected and interdependent with its neighbours". I would claim that it is versioning and change management of the items in the database.

I also don't care a great deal about pre-loading the database, as it is sufficient to load data in when it is used. If it's not in CM, it can be used but needs to be registered in CM. This: “the relationships, or links, that define how each CI is interconnected and interdependent with its neighbours" is bullshit. All we want is a copy of the data, to have a time and date on it.

For me, configuration management is a capture of data to answer "how, where, what" with documents in CM answering "why". Data could be on the back of an envelope, it could be a PDF of an equipment order to know how to order another one. The intent and purpose of CM is to record how to repeat the project, so that it would be possible to say "do it again".

So if we disagree, I can only offer the reality of actual projects that recovered when all other processes were stripped and CM was applied.

Steve.

Hay Skeptic, may your clouds be long and white and your sheep bleeting.

I have stood up at many industry conferences and said that the general IT community has been fooled by the vendors and industry analysts about the CMDB. The reason I say this is that they have led everyone to believe it is all about a peice of technology. In no other part of ITIL has the race to provide a peice of technology been so bitterly fought by the vendors and ably supported by the analysts.

It is not about the technology it is about the process and most organisations just forcus on the technology, blindly discovering CI's and federating data sources until they have stuck every bit of possible information in a big stinking database and then the wonder what they should do with it.

I also think people forget the purpose of the CMDB (because thats what the vendors and analysts want so they can sell stuff). It should not be there to hold everything so resist the urge to increase its scope when you do not have a handle on the Config process itself.

Oh, and do not get me started on ISO20000 when it comes to being fooled. Ask yourself how you can distil all the requirements around Change Management into little over a page and the certify against that. Well this is what they did for AS8018 and I think it is the same for ISO20000.

Love your work,

ITIL Master
The last lesson of a Master is simplicity

Management of infrastructure can be done without a cmdb. Just refer to the General Motors presentation given at the itSMF USA 06 National Conference. They have:
7000 Servers
20,000 Engineering Workstations
140,000 PCs
2500 WAN Links
12500 LAN Switches
8200 Changes per month
17+ Service Providers
15+ Major HW providers
50+ Major SW Providers
located in a global environment.
They don't have a CMDB.

They manage the environment through various consoles, that provide the visability needed.

Also, I am not one of these people who subscribe to the ITIL text as gospel. ITIL is ment for 'fit for YOUR purpose'. Sometimes all a org needs is incident and change magement to stabilize an environment.
ITIL is a best practice - it is NOT a standard .... and furthermore, standards are still ment to be applied per organization.