For a couple of days now I have been a confused internet user. I do not know which of my internet services are affected by Heartbleed, or where I have to change my password. Let me move to a more abstract question: how did we get into this mess? Is it purely the information policy of the companies, which assume that only a small part of their customers is affected? Open information would lead to uncertainty and thus damage their good image, so they decided to stay rather silent. Or do some companies simply not know whether and how they are affected?
Where can IT jump in?
This brings me to the following point: what requirements does an IT organization have to meet in order to respond to such a situation? Internet usage, mobility and cloud computing will bring further catastrophic events like Heartbleed. Vulnerabilities and password theft will become our constant companions. So there is a need to determine the effects quickly and to close the gap.
The following points are, in my opinion, crucial to IT organizations:
- Collaboration between development and operations: An organization must be able to transfer software changes into operations quickly. This usually works only when both sides have practised it together and there is a high degree of automation. This means that Continuous Integration, Delivery and Deployment must belong to the basic principles of the IT organization. Only if the process of deploying to the production environment is practised over and over again will it work under pressure in an emergency. This principle is known as DevOps.
- Change and Release Management: If all this is agreed and practised between development and operations, then the processes of the IT organization must be in place as well. There is a need for lightweight and appropriate processes in change and release management. Change management must provide a path by which a change can be transferred to operations in a very short time. I do not think that bypassing the processes is the proper remedy; an IT organization needs a procedure for "Urgent / Emergency Changes".
- Configuration Management: In order to assess the impact properly even under time pressure, it is crucial to know the relationships and dependencies within the IT landscape. Maintaining the CMDB as an integral part of all processes is the basis for this. Only in this way can IT become independent of the knowledge of individual employees and assess in a very short time what is affected. Whether it is worthwhile to record which version of an individual component is in use (in the Heartbleed case, the OpenSSL library) has to be decided case by case. In any case, a good inventory solution should be in place that can answer this question, and integrating it as a data source for the CMDB would of course be ideal.
- Communication: Clear and binding communication rounds off the behaviour in a crisis. Business leaders and customers depend on it and want to be able to rely on it. It is not only about mastering a crisis quickly; it is important that IT establishes itself as a reliable partner.
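To make the Configuration Management point concrete, here is an added example (my own code, not part of the original post) of the question an inventory solution has to answer for Heartbleed: given the `openssl version` string captured from each host, which hosts fall into the affected range? Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 were affected, 1.0.1g and 1.0.2-beta2 were the fixes. The hostnames, version strings and build dates below are constructed sample data, and the `built_on` field is assumed to be filled in by the inventory agent from `openssl version -b`. The important caveat for practitioners is that distributions backport the fix without changing the version string, so a vulnerable-looking version that was rebuilt on or after the upstream fix date (7 April 2014) is flagged for verification against the package changelog rather than declared vulnerable outright.

```python
"""Added example: triage an OpenSSL inventory for the Heartbleed range.

This is not code from the original post. The inventory records below are
constructed sample data; in practice they would come from the CMDB or an
inventory agent that captures `openssl version` on every host.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f
# and 1.0.2-beta1. Fixed in 1.0.1g and 1.0.2-beta2, released 7 April 2014.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
UPSTREAM_FIX_DATE = date(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


@dataclass
class HostRecord:
    host: str
    version_output: str               # first line of `openssl version`
    built_on: Optional[date] = None   # "built on:" date from `openssl version -b`,
                                      # parsed by the (assumed) inventory agent


def parse_version(output):
    """Return (major, minor, fix, letter, beta) or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, fix, letter, beta)


def upstream_affected(version):
    """True if this upstream release falls in the vulnerable range."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f; 1.0.1g is the fix
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def classify(record):
    """Bucket one host: affected / verify / not_affected / unknown."""
    version = parse_version(record.version_output)
    if version is None:
        return "unknown"
    if not upstream_affected(version):
        return "not_affected"
    # Distributions backport the fix without changing the version string
    # (a patched 1.0.1e still reports "1.0.1e"), so a vulnerable-looking
    # version rebuilt on or after the upstream fix date needs a package
    # changelog check rather than an automatic verdict.
    if record.built_on is not None and record.built_on >= UPSTREAM_FIX_DATE:
        return "verify"
    return "affected"


def triage(inventory):
    """Group hostnames by classification; each bucket sorted for a stable report."""
    report = {"affected": [], "verify": [], "not_affected": [], "unknown": []}
    for record in inventory:
        report[classify(record)].append(record.host)
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample inventory (hostnames, outputs and dates are made up).
SAMPLE_INVENTORY = [
    HostRecord("web01", "OpenSSL 1.0.1e 11 Feb 2013", date(2013, 2, 13)),
    HostRecord("web02", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 8)),
    HostRecord("db01", "OpenSSL 1.0.1e 11 Feb 2013", date(2014, 4, 8)),  # distro rebuild
    HostRecord("lb01", "OpenSSL 1.0.0k 5 Feb 2013"),
    HostRecord("legacy01", "OpenSSL 0.9.8y 5 Feb 2013"),
    HostRecord("appliance01", "ssl library: vendor build 4.2"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:13s} {', '.join(hosts) or '-'}")
```

The "unknown" bucket is as important as the "affected" one: an appliance whose TLS stack the inventory cannot identify is exactly the gap that individual employees' knowledge would otherwise have to fill, which is the point the Configuration Management item makes.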
I think it is worthwhile in any case to consider how your own IT organization would have behaved in such a situation.