Transforming IT
Showing results for 
Search instead for 
Did you mean: 

CMDB – The Overlooked Security Imperative


CMDB.jpgI have always been amazed at how little attention the security industry has paid to the use of a CMDB to elevate security programs to the next maturity plateau.  This lack of attention is even more concerning when one considers the nascent move toward converged data centers (CDC). 


Before I discuss the importance of the CMDB to security, let me provide the working thesis for my position. I base my position on the fact that the realization of the CDC is achieved through the instantiation of IT assets within a data center where assets are virtualized and delivered as a service. Server, storage and network administration converge into a single administration platform.  Logical and physical asset attributes and their associated qualities are enforced and managed as amalgamated IT services provisioned as abstractions according defined policies and prescribed service levels.  Assets can now automatically react to service disruptions and security events.


The next generation data center will need to converge like assets into like shared virtual pools or fabrics allowing them to be dynamically assembled and allocated at the bequest of an application.  The application would make a service request; assets would be allocated and then returned to their reserve state upon the service request being satisfied.  The application service requests would not only include the compute power, storage and networking requirements but also the required security and system availability by ordering the requisite security and continuity services from the service catalog.


Creating these abstractions require that assets and IT services are uniquely identified and categorized as well as maintained in a central repository. This is accomplished through the use of a (CMDB) that stores all relevant information and detail regarding the CDC’s configuration items (CI). CIs are CDC infrastructure assets, services, documentation or other essential aspects of the data center. The CMDB serves as an authoritative “as built” inventory of the assets within a CDC.  Specifically, the CMDB would contain types of CIs, in particular security CIs. The Security Architecture Type CIs constitute everything that is required to build an Information Security Management System (ISMS) as defined by ISO/IEC 27001.  Correctly aligning the Security Architecture CI Types with CDC assets ensures that abstractions are created with the necessary security and availability controls.


Has the light gone off yet? It should have, as a CMDB is the key to optimizing and dramatically improving the effectiveness of your security program.


Benefits include:


-       Auditing & Compliance of CDC Assets

-       Security & Recovery Services Mapping

-       Breach Detection

-       Policy Enforcement

-       Security Standards Alignment

-       Security Change Management

-       Modeled Security “To Be” States


If you want to learn more, check out HP’s Universal CMDB (uCMDB) resource page. I would like to know how you have leveraged your IT organization’s CMDB to improve your ISMS, drop me a line.

0 Kudos
About the Author


Tari is a Distinguished Technologist with 30 years of IT and cyber security experience. He is dual board certified in information security/business continuity and is responsible for a wide range of management and technology consulting services encompassing information security, disaster recovery, privacy, and risk management. His problem-solving skills, knowledge of various technology platforms, compliance statutes, industries, as well as his experience in deploying defense-in-depth and InfoSec Program solution architectures is commonly applied when advising CIOs/CISOs as well as leveraged in numerous HP client engagements throughout the world. Tari has designed, built, and managed some of the world’s largest InfoSec programs allowing them to defend against even the most aggressive attackers.