The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), IT development and IT operations. A quick visit to the home page of the official ITIL website confirms that “ITIL is the most widely accepted approach to IT service management in the world”.
Now over 20 years old and on its third version, ITIL provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the organisation.
Before we go any further, it’s worth clarifying that ITIL is not a method, tool or standard – it is a cohesive set of best practices, drawn from the public and private sectors internationally.
The evolution of
The UK’s Office of Government Commerce first identified that, by introducing consistent practices for all aspects of a service lifecycle, it was able to create organisational effectiveness and efficiency as well as predictable service levels. ITIL was born.
Many organisations understand that adopting ITIL practices can offer a huge range of benefits that include:
According to the experts, ITIL initiatives often fail because employees and organisational factions try to circumvent newly implemented service management controls. Instead of complying, they continue to make changes to critical IT components and services without the reviews and sign-offs that the ITIL process requires in order to succeed.
A quote that comes to mind is: “What is often overlooked is that if one person can single-handedly save the ship, that one person can probably single-handedly sink the ship, too” – Source unknown.
There are a number of well-known, independent books on the subject, such as “The Visible Ops Handbook”, in which the authors make a strong case that unless you’ve got a way to prevent unauthorised changes to systems and applications, there’s a good chance that your ITIL implementation will fail. Their advice is to use passive monitoring solutions to detect unauthorised changes. The four steps they recommend are to:
Now, while that’s great advice, it can be argued that advancements in technology have provided more compelling options.
Today, more organisations have adopted an active approach to prevent destructive changes instead of simply detecting them.
Rather than respond to each unauthorised change, IT management can now take advantage of software that allows them to determine in advance who can change configuration settings, at what time, with least privileges necessary – while fully documenting the stated purpose of each change. Because this category of software – called Privileged Identity Management (or PIM) – provides an authoritative record of who accessed what system or application, when, and for what purpose, it helps to create a culture of accountability within IT.
Best-of-breed PIM solutions also integrate with SIEM systems to tie individuals to any security events that result from their privileged access. PIM can also make it much easier for management to demonstrate regulatory compliance when it comes to control of the powerful administrative logins used by IT staff.
Critically, PIM software can help to avoid ITIL failure by automating the four steps it takes to secure privileged access to systems, applications, and network hardware:
First, PIM identifies all of the privileged accounts on the network that grant access to change configuration settings or access sensitive data, along with their interdependencies.
Second, it helps you configure and enforce rules to delegate privileged access to every IT resource, so only authorised personnel can access privileged accounts in a timely manner, using the least privilege required, with documented purpose, only during designated times.
Third, PIM software helps you enforce rules for password strength, uniqueness and change frequency, synchronising changes across dependencies – to prevent unauthorised insiders, hackers, and malicious programs from ever gaining access to change configuration settings or view sensitive data.
Fourth, it helps you audit and alert, so that the requester, purpose and requested duration of each access are documented and management is made aware of unusual access and other events.
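As an added illustration (not the author's or Lieberman Software's code), the following Python sketches the four steps above as a minimal policy engine: a constructed inventory of privileged accounts with their dependencies, delegation rules with least-privilege duration and designated time windows, a password-policy and rotation-target check, and an audit log from which unusual (denied) requests can be surfaced. All account names, rules and thresholds are assumptions chosen for the example.

```python
from datetime import datetime

# Step 1: constructed inventory of privileged accounts; each entry lists the
# services that depend on the credential so a rotation can be synchronised.
PRIVILEGED_ACCOUNTS = {
    "root@db01": {"dependencies": ["backup-agent", "monitoring-svc"]},
    "Administrator@fs01": {"dependencies": []},
}

# Step 2: delegation rules, who may check out which account, for how many
# minutes at most, and only inside which window (hours on a 24h clock).
DELEGATION_RULES = {
    "root@db01": {"allowed": {"alice"}, "max_minutes": 60, "window": (8, 18)},
    "Administrator@fs01": {"allowed": {"bob"}, "max_minutes": 30, "window": (0, 24)},
}

AUDIT_LOG = []  # Step 4: every decision, approved or not, is recorded here.

def evaluate_request(requester, account, purpose, minutes, when_iso):
    """Approve or deny a privileged check-out request; returns (approved, reason)."""
    when = datetime.fromisoformat(when_iso)
    rule = DELEGATION_RULES.get(account)
    if account not in PRIVILEGED_ACCOUNTS or rule is None:
        decision = (False, "unknown or undelegated account")
    elif requester not in rule["allowed"]:
        decision = (False, "requester not authorised for this account")
    elif not purpose.strip():
        decision = (False, "purpose must be documented")
    elif minutes > rule["max_minutes"]:
        decision = (False, f"duration exceeds {rule['max_minutes']} minutes")
    elif not (rule["window"][0] <= when.hour < rule["window"][1]):
        decision = (False, "outside designated access window")
    else:
        decision = (True, "approved")
    AUDIT_LOG.append({"requester": requester, "account": account, "purpose": purpose,
                      "minutes": minutes, "at": when.isoformat(),
                      "approved": decision[0], "reason": decision[1]})
    return decision

def password_meets_policy(pw, previous):
    """Step 3: strength (length plus four character classes) and uniqueness against history."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 16 and all(classes) and pw not in previous

def rotation_targets(account):
    """Step 3: the account plus every dependency that must receive the new secret."""
    return [account] + PRIVILEGED_ACCOUNTS[account]["dependencies"]

def unusual_access(log):
    """Step 4: denied requests are the events management should be alerted to."""
    return [entry for entry in log if not entry["approved"]]
```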
Information technology brings innumerable benefits and yet can be dauntingly complex to manage. That is why ITIL came into existence 20 years ago, continues to evolve today, and is heralded as the world's de facto framework for service management. Unarguably, following ITIL guidelines will realise many benefits for the organisation. Nonetheless, not every process or practice will automatically be understood by your end-users.
While it’s human nature for individuals to circumvent what they consider to be a ‘blockage’, especially if they don’t understand the reason for its introduction, it’s also unrealistic for every element of each process to be communicated to everyone. Organisations need a way to ensure that their largest asset, their people, doesn’t become their biggest problem. Using another proverb, businesses need to prevent ‘one bad apple rotting the barrel’.
Philip Lieberman is the CEO and president of Lieberman Software