Configuration Management & Configuration Items (CI) Explained

Every organization grapples with two dueling concerns: introducing better features while enhancing resilience. As IT teams struggle to meet these competing demands, the complexity within their technology environments balloons exponentially.

This is as the result of trying to support legacy infrastructure, cloud environments, remote working, device sprawl, cybersecurity controls, and numerous integrations, among other concerns. And with this complexity comes additional issues such as:

• Poorly executed changes
• Long times to incident resolution

Why all the issues? Because IT staff have inaccurate information on the current state of IT services and their underlying components. Configuration management can serve as a solution to this conundrum, by providing the mechanisms by which an organization can track the significant components that are used to deliver IT services.

Let’s take a look.

What is configuration management?

Let’s start with a definition.

This practice is based on systems thinking, where an IT service can be considered a whole system that is the product of the interactions by its constituent elements — that is, configuration items (CI).

In configuration management the primary objective is to efficiently provide useful information to key stakeholders that can support the enhancement and performance of IT services.

The role of configuration information

At the heart of configuration management is trustworthy data — accurate, reliable, and updated information concerning configuration items that is of value during service design, deployment, and support activities.

Configuration items (CIs) are the elements that need to be controlled to deliver services. CIs exist at various levels depending on:

• The service type
• Criticality
• Level of control required

Examples of CI types include hardware, software, OS, databases, cloud systems, facilities, and IT services.

For each configuration item, certain configuration attributes should be captured to support this practice. Some examples according to the ISO 20000 standard guidance for service management include:

• Unique identifier of the CI
• Type of CI
• Description of the CI
• Criticality of the CI
• Relationships with other CIs
• Status of the CI e.g. as active, standby, decommissioned.

To ensure that configuration information is fit for purpose, organizations carry out continual verification activities to identify and correct gaps and deviations between configuration records and the actual/approved IT environment configurations. This can be either:

• Regularly scheduled audits
• Automated checks that validate completeness, correctness, and compliance

Investigations into failed changes or incidents that took long to resolve are additional triggers towards improving configuration information accuracy.

Configuration modeling

Whenever relationships between configuration items are identified and documented, the result is usually known as service configuration models. These relationships indicate how CIs interact with each other and include interconnections and dependencies, the latter being associations between CIs that require both to work together correctly for an IT service to function effectively.

For example, a license or software version can impact how a piece of hardware or an application works, or a database locks impacting applications querying information. If an upgrade is done on one CI but not on a dependent one, this might result in performance issues.

According to ITIL® 4 guidance, configuration models can be focused on various aspects of the service architecture. These models represent various levels of abstraction — from high-level to detailed mapping of the interconnections and relationships between CIs.

In service management, configuration models serve as useful references for certain key activities including:

• Impact analysis: Assessment of effects of incidents, errors, planned and ongoing changes, events, disasters, and attacks on IT services and their components.
• Cause and effect analysis: Localization of problematic CIs that result in service outages, failed changes, and vulnerabilities within the IT environment.
• Risk analysis: Assessment of potential uncertainties or threats as a result of service errors, monitoring alerts, planned changes, security attacks, or developing incidents.
• Cost allocation: Allocation of costs related to supporting customers, planned changes, enhanced availability, or security controls.
• Availability analysis and planning: Assessment of impacts of planned changes, service errors, workarounds, continuity measures, and security controls on IT services.

Visualization of configuration models can provide useful insights to IT teams during solution design, change planning, or troubleshooting investigations.

Configuration management systems

For any medium to large-sized organization, configuration management involves a significant amount of data from various sources, including but certainly not limited to on-premises data centers and cloud environments. Managing such configuration records manually via spreadsheets or standalone databases is neither efficient nor effective — you’ll never be able to keep up with the fast- and ever-evolving IT setup.

Instead, use specialized configuration management systems (CMS) to aid in the collection, integration, processing, and presentation of configuration records in a reliable and cost-efficient manner. These systems are usually complex, combining one or more specialized solutions and integrations with configuration data sources. Examples include:

• Configuration management databases (CMDB)
• Monitoring systems
• Asset management tools
• Service management systems

CMS solutions come as a standalone solution or a module within an observability or IT service management solution.

How to track CIs

Tracking of configuration item relationships is usually the main differentiator between configuration management systems and other inventory tools. For instance:

• Asset management tools are more concerned with financial, regulatory, and contractual management of assets.
• Specifically-built CMS solutions focus on supporting operational excellence by narrowing in on how the assets support existing or soon-to-be-deployed IT services.

Key functionalities of CMS solutions include automation of discovery, updating, modelling, impact assessment, data health checks and verification, and open APIs to support integration with a variety of external data sources.

In DevOps, configuration management tools are used for storing and deploying actual configuration data, and come with features such as version control, dependency management, task automation, and orchestration.

One of the main capabilities of configuration management systems is the visualization of configuration models, which can provide useful insights to IT teams when:

• Designing solutions
• Planning change
• Troubleshooting investigations

Example of a Configuration Model visualized as a mind map

Metrics for configuration management

Effective configuration management is characterized by the capture and provision of relevant, accurate, and timely configuration records when required by stakeholders involved in the service lifecycle.

The actual value is realized when this information is used to better maintain and enhance IT services, such as:

• More successful change enablement
• Faster incident resolution

So, selecting the right metrics for this practice comes down to the quality of configuration information provided, and the stakeholders’ satisfaction in fulfilling their objectives using it.

Example metrics suggested by the COBIT 2019 IT governance framework include:

• Percentage accuracy of relationships of configuration items
• Percentage accuracy of status changes of CIs against the baseline
• Number of identified discrepancies related to incomplete or missing configuration information
• Number of identified unauthorized changes

Configuration management tips & best practices

Configuration management is often referred to as the unicorn of service management, due to the few real-world examples of organizations that have complete and comprehensive coverage of all their configuration items.

The danger of capturing and verifying all available IT environment data in a CMDB introduces complexity and requires significant deployment of resources toward this effort. Importantly, the return for such an investment may not be substantive.

Yet, on the flip side, lack of or ineffective configuration management is a pointer to an immature service management practice that will hamper efforts toward IT operational excellence.

Scoping CIs. Scoping of CIs becomes the most important focus, since configuration management is only as valuable as the information it provides — accurate, updated, reliable, understandable, easy to use, and relevant. Successful configuration management is heavily restricted in scope to support the design and management of a limited set of critical business services in production and focused on achieving a specific set of outcomes and benefits related to these services.

Robust processes, tools, and personnel. This is supported by a robust process, quality tools, and dedicated roles in managing the selected CI scope. Choosing the right CMS solution should be informed by this scope and outcomes to prevent wasting resources on bureaucratic control systems, but rather ensuring that the selected tools facilitate efficient and effective configuration record management.

Configuration management should be spearheaded by a dedicated team but supported by the entire cross-section of IT systems administrators who feed into and extract information from the CMS.