
Server Automation

5 Posts authored by: Neil Karani Moderator

Closing the SecOps Gap

Posted by Neil Karani Moderator Jan 28, 2015

The whole area of Governance, Risk and Compliance (GRC) is a perfect example of automation failing to live up to its full potential. There are many products automating aspects of the GRC process, but none that look at the whole process from end to end.


The result is what BMC calls the SecOps gap.

The SecOps gap



This is named by analogy with the more famous DevOps gap. In that case, the gap between Developers and Operations results in botched application rollouts and production outages. In the same way, the SecOps gap between Security (GRC) and Operations (ITOM) spans two very different ways of looking at the world. GRC teams focus on working out how things should be in an ideal world, and want to get there as quickly as possible. On the other side, ITOM teams have to deal with the messy real world, and live by the maxim “if it ain’t broke, DON’T TOUCH IT!”.


The conflict between these two different worldviews arises over the issue of change. GRC teams want changes to be made as quickly as possible to reduce vulnerability windows and non-compliance exposure. ITOM teams know that change is dangerous, especially in modern environments with many moving parts and interactions between different teams. Gartner tells us:

Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.

(Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures).

In both cases (SecOps and DevOps) both teams have dedicated tools, and indeed various sub-teams within each area will have their own increasingly specialised tools. While these tools may help with one specific task, none address the overall issue of the entire process.


What BMC does is close that gap, providing a single unified view of how things should be and how they are, and giving options to manage the inevitable differences. BMC plans to provide a SecOps Portal application which leverages the power of a vulnerability scanning tool to identify vulnerabilities and then leverages BladeLogic Automation to automate the triage and remediation of those vulnerabilities, improving the overall security posture of the organization and closing the SecOps gap.


If you are interested in learning more about the SecOps application, would like a demo, or would like to explore the SecOps Portal application, feel free to contact


In the request, please provide your name, the organization you work for and the name of the vulnerability scanning tool used by the organization.


There is also a whitepaper on this topic, which you can download here


It gives BMC immense pleasure to announce the General Availability (GA) of BladeLogic Server Automation (BSA) release version 8.6.00 on December 12, 2014. This release is special for BMC for a variety of reasons, and we hope that you, as esteemed customers of BMC and BladeLogic Server Automation (BSA), find it equally valuable in moving the infrastructure automation initiatives in your organizations to the next level of maturity. BMC cannot wait to hear the good stories you will be sharing once you get going with BSA 8.6.00!



Let me share some of the cool stuff that makes this release very special for BMC; I hope it gives you sound reasons to adopt BSA 8.6.00.


First and foremost, with this release we were able to make measurable inroads toward delivering releases at a much faster pace. In the past, the BMC BSA team required 12-18 months to deliver a product release. We have delivered the BSA 8.6.00 release in a 6-9 month time frame, considering that we delivered BSA 8.5 SP1 in July 2014, earlier this year. The story gets even sweeter as you read about a few other things BMC has done.


We have instituted 100% QA automation as a mandate for all new features we develop. This is on top of the already high level of existing QA automation. BMC does not stop there. BMC has a process in place to put BSA through independent quality certification, including an application security check, which addresses a lot of quality and security issues before the product reaches the hands of our customers.


BMC is delivering the Health and Value Dashboard (HVD) to help our customers ensure that the BSA application is tuned according to BMC best practices, so that it not only functions at optimal performance when automating repetitive server management tasks but also provides time and cost savings through increased use of automation. BMC is taking additional steps around HVD in a future release to provide time series trends for key parameters, further simplifying management of BSA itself.


Many customers have asked for support for popular new platforms and for certain features to manage their current and upgraded server infrastructure optimally. BMC responded by delivering support for Windows 2012, RHEL 7 OS and the HyperV 2012 hypervisor platform. On the patching front, we have enhanced support for AIX patching and added Ubuntu and RHEL 7 patching support. Additionally, customers can now install agents that are behind restricted proxy settings.


We have all witnessed that in 2014 many of the organizations we work with, spanning private, public, and federal and local government, were plagued by security breaches and by vulnerabilities like Heartbleed and Shellshock. The U.S. Postal Service and Sony Pictures Entertainment were the two latest of many affected organizations. BMC BSA responded to this crisis by providing content to detect and remediate the Heartbleed and Shellshock vulnerabilities. With BSA 8.6.00, BMC is providing 21 out-of-the-box compliance templates covering the DISA, CIS and PCI v3 security and regulatory standards. BMC is also delivering revamped compliance capabilities, including simplified rule authoring, so that customers can author custom content for urgent or unique needs.


Finally, to help customers adopt BSA 8.6.00 at a faster pace, BMC has simplified install and upgrade to the point where getting to 8.6 literally becomes boringly simple! We are also launching a short-term promotion called the early adopter program, in which BMC will provide R&D SMEs to help assess your BSA implementation and guide you through the process of getting to 8.6, all free of charge! All we ask is that you try BSA 8.6.00; you have nothing to lose, and you can let BMC and fellow customers know how cool BSA 8.6.00 really is.


Need more information? Check out what’s new in BSA 8.6


Contact –



Per Brian Stevens, CTO of Red Hat Inc, Red Hat has slowed the release cycle for its flagship OS distribution to lower operational costs. Users' costs aren't just the OS cost. It's all the costs of configuration, management and provisioning that far outweigh technology replacements.


Many customers plan to skip RHEL 6.5 and upgrade straight from RHEL 6.4 to 7.


Per Red Hat, version 7 garnered its largest beta testing community to date -- 10,000 RHEL users.


Let's talk about a few cool features.


(1) Ksplice - allows administrators to patch the kernel without rebooting servers. This is good for environments that need to run 24/7, since scheduling downtime is no longer needed.


(2) Improvements to SELinux - This version includes security, systems management and ease-of-use improvements to SELinux.


(3) Active Directory interoperability - RHEL 7 provides more compatibility with Windows OS. The question used to be Linux or Windows on servers; now Linux and Windows OSes coexist in the data center. Customers will be able to sync Windows domain controllers with RHEL 7 for easier identity management. Many customer shops use Windows and Linux on a mix of virtualized and physical servers, so this will be good news.


(4) Red Hat Enterprise Linux Atomic Host - lightweight Linux Container host. RHEL 7 can abstract and isolate applications by deploying them in containers with RHEL Atomic Host. It has strong integration with Docker, which allows applications to be packaged in isolated containers. RHEL 7 containers keep applications from fighting over resources, which version of Java to use or other factors. The application takes as much of the OS as it needs to be able to move around and perform equally on bare metal, virtualized servers and private and public cloud infrastructures.


(5) Additional interesting thing - Red Hat also flipped the relationship between the CentOS operating system and RHEL this year. Per the CTO, CentOS is an OS for big data and for software-defined networking, and its end users don't need or want the same kind of support that goes to RHEL users. For the first time, CentOS development goes ahead of RHEL rather than trailing it, giving Red Hat more feedback to parlay into new RHEL editions and increasing the cloud-friendly, OpenStack nature of RHEL over time.


What challenges or problems do server automation tools solve?


Server automation software performs a variety of server management tasks that would otherwise require the direct or manual attention of IT professionals. Some of the repetitive tasks performed include: inventory, configure, compare, provision, snapshot, audit, deploy, break-fix, patch, regulatory standards scan, remediate, update, roll back, reporting, VM sprawl management if necessary, and tracking performance over time.

Why use server automation tools in Datacenters?


From the perspective of the owner of the server automation tools, cost reduction and cost avoidance can be two business reasons for adopting these tools in the datacenter, as they help the organization do more with less.

Below are a few key reasons for using server automation tools:


  • Growing volume of servers to be managed - With increased levels of virtualization adoption, server management demands are overwhelming enterprise datacenter managers, and throwing labor at the issue is not feasible.
  • Time factor - The biggest issue with server management is the time burden. Each aspect of server management demands an IT administrator's time and attention -- and every server multiplies the time required. IT talent is so consumed with performing a host of relatively simple tasks and "fighting fires" that it is not able to focus on strategic projects. Additionally, with increased adoption of agile methodology by many IT organizations, the time available for managing servers is constantly shrinking, putting additional pressure on IT datacenter managers.
  • High chance of human error - It is a fact of life that even an expert IT administrator can make mistakes. For example, a busy administrator might forget a server's configuration -- easy to do with dozens or hundreds of different systems -- and omit an important patch. Human errors cause poor workload performance or compromise security and compliance on servers.
  • Improving consistency is the only way to manage - Server automation software automates highly interdependent, complex tasks which would otherwise take an expert to perform via scripts and which, if passed on to a junior administrator, can result in many variations and inconsistencies. Use of server automation tools increases consistency, eliminates variations between administration styles, and minimizes errors and omissions. Companies can better control provisioning, security and compliance and have a better level of governance if they use server automation tools to perform server management tasks.


Ultimately, use of server automation tools frees valuable IT staff to focus on evaluating new technologies, improving data center architecture and working on projects that add value to the business, and to move from reactive fire-fighting mode to proactive planning and execution mode.


If you are running a sizable infrastructure automation initiative to manage your Data Center server assets, then having visibility into, and the ability to track, the progress of your infrastructure automation journey is critical for overall success. An organization should have milestones which help it track operational efficiency gains and the use of the automation tool in meeting the organization's security and regulatory compliance needs.

Tracking the progress of an infrastructure automation initiative is not only critical for determining the current level of ROI but also helps identify areas of operations where automation tools can add value and make the organization more agile and aligned with business priorities. Let’s discuss a few KPI measures that the owner of an infrastructure automation initiative should leverage on the infrastructure automation journey.




  • Tracking servers in the Data Center – This KPI tracks the scope of the automation initiative. Tracking overall server numbers, including growing vs. shrinking stats, helps the owner focus on what matters and identify whether there is a need to extend automation to cover most if not all server assets.
  • Tracking composition of physical vs. virtual servers by OS and OS version – This KPI helps understand strategic OS vendors, the versions being used, standardization opportunities across business units, and whether there are any OS vendor contractual arrangements that would better serve the organization.
  • Virtualization genealogy - Tracking virtualization genealogy information is critical to control virtualization sprawl.
  • Hypervisors used - Tracking hypervisor platforms and their inventory helps with standardization and with understanding usage patterns across business units.
  • Identification of EOL OS and app versions - Tracking inventory details for your servers and apps is a typical starting point for robust asset management. Tracking the inventory of server OS and app versions helps identify OSs and commercial/open source app versions which are currently EOL. This information helps identify lack of vendor support and security risk exposures to the organization.
  • IT team needs quantification - An IT team that is using infrastructure automation tools wants to track which bare metal and virtual machine provisioning activities have been carried out and how long they took, to see whether it is benefiting from the use of automation tools. It should see improvement to the tune of activities taking minutes and hours vs. days and weeks.
  • Capturing server configuration details - Leveraging automation tools to capture every server's configuration information across the server landscape for Disaster Recovery purposes helps the organization prepare for an adverse event.
  • Track infrastructure operational tasks performed by automation tools - Understanding the operational tasks done using automation tools helps the organization identify areas which are well suited for such tools and where to focus limited resources. Initial and ongoing successes achieved through focused effort help the organization mature and better ingrain automation tools into its operational processes.
  • Server to admin ratio - The ability to track server-to-admin ratios over time helps determine whether the automation tool is helping do more with fewer or less skilled resources. It is the key measure of ROI.
  • Determining access level - Having details of each infrastructure user's access, including access to server assets and the permissions granted, provides the organization with a view of who has access and at what level. It is also critical for the organization to understand the roles used and the permissions available at the role level. This information provides a centralized view of access control across the Data Center and identifies weak spots or potential security weaknesses.
  • Maturity of automation - Use of automation tools in the Data Center needs to be policy driven to exercise the right level of governance. Understanding the number of patch, security and regulatory compliance, and audit policies that are used to manage the infrastructure showcases the organization's intent to enforce internal and external policies and how mature/serious the organization is about the use of infrastructure automation tools.
  • Level of effort spent vs. success achieved using automation tools - Job-level visibility detailing the different types of job runs, how long they took and the overall status of those jobs allows administrators to determine the effectiveness of automation tools for infrastructure management.
  • Meeting organization security considerations - The organization’s security team cares about full visibility into how often the operations team is running patch scans. The security team wants periodic feeds showing the per-server status of missing and installed patches, the compliance achieved against regulations, and known exceptions. Auditors need details and historical reporting for certain automation activities to track SOX and other forms of operational compliance.
  • Patching level visibility - Having visibility into the latest server status across all applicable patch catalogs and the trend of patch compliance % over time, and correlating peaks and valleys with when the OS patch vendor releases patches and when the security team has agreed to push patches to servers in the Data Center, showcases the time lag between availability and application of the patches.
  • Commands executed - Having visibility into which commands have been run on the servers helps the security team detect abnormal activities.
  • Compliance details over time - The security team periodically wants the IT team to generate a compliance details report showing the per-rule status of the compliance scan and the remediation done, and wants to continuously monitor the operational environment for any lapses so that corrective action can be taken.



There are many more KPI metrics beyond those covered above which are needed to run an effective infrastructure automation initiative and see its value in action. The good news is that the reporting engine for BladeLogic Server Automation is designed from the ground up to provide such KPI metrics, easing the burden on the IT system administrators and Data Center IT managers responsible for infrastructure management.
