
Early Release Version

BMC Automation Passport
2nd Edition
Maximizing the Business Value of IT Automation

Executive Summary
The Automation Passport Framework
Using the Automation Passport
Automation Strategy
The Automation Value Model
  Applying the Automation Value Model
Begin with a Baseline: Automation Level Assessment
Automation Value Measurement
Maximizing Value at Each Level
Automating the Process: Automation Value Stages
Automation Organization & Roles
Expanding the Technology Footprint: Automation Reference Architecture
Case Study: IT Automation Value Realized at Large Financial Institution
Provisioning & Configuration
Automated Provisioning & Configuration Roadmap
  Provisioning & Configuration Tools Level: PROVISION
  Provisioning & Configuration Process Level: CONFIGURE
  Provisioning & Configuration Standardized Level: COORDINATE
  Provisioning & Configuration Advanced Level: ON DEMAND
Patching & Compliance
Automated Patching & Compliance Roadmap
  Patching & Compliance Tools Level: PATCH
  Patching & Compliance Process Level: ASSESS
  Patching & Compliance Standardized Level: COMPLY
  Patching & Compliance Advanced Level: INTELLIGENT
Cloud Services
  Managing Multi-Cloud Environments
  Managing Services Hosted in a Public Cloud
  Managing Services in a Private Cloud
  IT as Digital Services Broker
Automated Cloud Services Roadmap
  Cloud Services Tools Level: IMAGE
  Cloud Services Process Level: MANAGE
  Cloud Services Standardized Level: GOVERN
  Cloud Services Advanced Level: OPTIMIZE
Appendix A: Automation Specialist Roles
  Automation Strategist
  IT Personnel Who Can Transition to an Automation Strategist
  Automation Engineer
Appendix B: Provisioning & Configuration Value Metrics Formulas
  Provision
  Configure
  Coordinate
  On Demand
Appendix C: Patching & Compliance Value Metrics Formulas
  Patch
  Assess
  Comply
  Intelligent
Appendix D: Cloud Value Attributes
  Cloud Characteristics
  Cloud Drivers
  Cloud Management Capabilities
  Value Attributes Aligned to Automation Levels
  Cloud Characteristics Aligned to Automation Levels
  Cloud Drivers Aligned to Automation Levels
  Cloud Management Capabilities Aligned to Automation Levels
  Cloud Management Capabilities Relationships
Appendix E: Supporting Cloud Management Functions
  Supporting Functions: Visibility into the Cloud
  Capacity Management
  Performance Monitoring
  Availability Monitoring
Glossary

Executive Summary

IT must deliver new digital services cost-effectively while minimizing risk, yet at the speed that business demands. In the age of the cloud, IT has many viable environments to choose from for hosting basic services to achieve these goals, but limited choices for production enterprise services unless its data centers are fully automated.

Automation is one of the few IT initiatives that can immediately pay for itself with hard-dollar savings in operational costs, but even this is an unambitious view. When implemented strategically, automation can deliver far greater business value by dramatically improving time to market and quality of service, increasing a company's ability to respond quickly to changing business requirements, and radically reducing security and compliance risks.

The benefits of automation are well documented, not the least of which is to provide the foundation for cloud services. However, treating automation as a core IT competency with the same focus required for any foundational activity provides benefits that outweigh the sum of improvements from individual automation projects. Yet only a very small subset of IT organizations has been able to maximize the full business value of automation. Part of the reason may be that until now there has not been a comprehensive guide for fully implementing the primary automation solution areas in a systematic and structured way. Organizations have not had access to a roadmap that considers strategic needs, technology, and organizational maturity. In response to this void, BMC Software has created an Automation Passport: a best-practices approach to achieving outsized automation value.

"IT operations leaders should avoid ad hoc, opportunistic automation implementations that introduce risk and result in expensive mistakes. Instead, follow a systematic approach that maximizes automation's benefits of agility and reducing cost."
Gartner, Best Practices for Implementing Automation in Data Centers With Cloud and Virtualized Environments, August 2013
Analysts: Ronni Colville and Milind Govekar

The approach begins with formulating an automation strategy based on business needs and then assessing and balancing the organization's maturity in people, process, and technology. The Passport introduces the Automation Value Model (AVM), which organizes automation into multiple solution areas that demonstrate increasing business value over multiple automation levels.

Examples include:

Provisioning and configuration
Patching and compliance
Cloud services automation

This phased approach enables organizations to deploy automation across an organization in a systematic way and ensures that each individual automation project can be used to justify the next one.

The Automation Passport outlines three ways to maximize value at each automation level before progressing to the next stage:

1. Automate entire processes by including both pre- and post-execution tasks, not just the procedure that does the work.
2. Develop specialized roles to embrace and drive automation.
3. Expand the technology footprint to include different platforms and components, using the Automation Reference Architecture. Orchestration software eases high-level process design and improves the ability to link disparate automation projects to achieve greater business value.

The BMC automation approach results in multiple innovations. One important example is that an organization can continually measure and report on the value that each automation project provides, so they may monitor and optimize the benefits achieved. These innovations are built on a foundation of metrics that measures business value and guides each project's choice and purpose.

Companies that do not take a strategic approach to automation risk being outperformed by more advanced competitors. BMC Software provides the best-practices guidance, products, and services that you need to achieve a lasting competitive advantage through automation.

The Automation Passport Framework


CIOs have more choices today for where to host applications and infrastructure than ever before. Meanwhile, corporate IT has
been under siege, simultaneously fielding demands to deliver digital services faster and outsource services to reduce costs.
Their challenge comes down to a few key questions:

How can I radically reduce IT costs while increasing responsiveness to the business?

How can I shift my limited internal resources to the highest-value activities while also taking advantage of external
resources for flexibility?

How do I achieve these goals without exposing the company to the risks inherent in changing a complex IT environment?

Some analysts predict a massive shift away from central IT, as functional departments take advantage of new cloud-based
services that promise to replace internally developed applications, faster, better, and cheaper. Pundits theorize that shadow
IT will overshadow corporate IT as public clouds bloom, and IT decentralizes and is subsumed into business units.

IT as Digital Services Broker


To paraphrase Mark Twain, "Reports of corporate IT's death have been greatly exaggerated."
In fact, BMC has a starkly different vision for the evolution of corporate IT. While switching to third-party software-as-a-service
(SaaS) applications may make sense for simple, commoditized services, we do not believe this migration will extend to the
mission-critical and mostly custom applications that give our customers a competitive edge. At the same time, IT executives will
assume responsibility not only for modernizing and improving the efficiency of the data centers that host these legacy
applications, but also for providing access to a plethora of new services. The latter includes hosted infrastructure that may be
more readily available and more cost-effective, yet must conform to corporate security or compliance requirements.
Rather than diminishing, corporate IT's role will become a more strategic one that brokers IT services, objectively evaluating
both internal and external services that best allow business units to push out production applications to customers quickly at
the lowest cost, without crashing servers or introducing vulnerabilities in the corporate network. With many more viable public
cloud options in the market, CIOs must source solutions shrewdly. At the same time, they must calculate the true cost to the
company of certain alternatives, which may be masked by lower upfront costs that escalate rapidly with higher usage or add
development expense to customize or bring generic services into compliance.
Meanwhile, certain workloads will always remain behind the firewall no matter what the cost because they represent the
company's crown jewels. Further, the relative attractiveness of hosting workloads internally or through a third party may
change with usage patterns, market conditions, or other factors over time.

Automation is the Answer


Holistic automation is the only way to both transform existing data centers and attain visibility and control over private and
public cloud choices, but it's difficult to achieve. Most companies struggle to implement automation effectively and
comprehensively to maximize its total potential for business value.
In an environment where IT is pressured to achieve more while resources are cut to the bone, it is tempting to simply adopt
free, vendor-specific or open-source tools. Many corporate IT teams have independently, and often in parallel, tried to script
their way to automation. Because automation is often invisible, it can be difficult to justify the cost of more comprehensive
tool suites. Yet an ad hoc approach to automation in complex IT environments results in haphazard, incremental improvement
that masks the hidden costs of vendor-specific tool proliferation, specialized support staff, or maintaining and troubleshooting
custom scripts without audit trails.

Automation Passport Provides the Roadmap


BMC has compiled the lessons learned from hard-earned
experience with over a thousand customers to create this
Automation Passport, a best-practices automation approach for
production enterprise environments. Based on the wisdom of
trailblazing CIOs, this guide will help your organization drive
production data center performance for mission-critical services,
spanning physical, virtual, and cloud infrastructure. The result:
outsized business value, lower cost, and higher security through
strategic automation. Any company committed to maximizing
value from automation can use this roadmap to formulate a
successful automation strategy adapted to its business needs and
achieve value similar to that of the most successful BMC
automation customers.

A leading market research company raised service levels and IT agility by reducing provisioning time from 3 months to 2 days and increasing server administration ratio from 60:1 to 120:1.

A US bank scaled operations with the same team, avoiding 600 new IT hires by saving over 2.5 million hours of manual activity in the last 3 years.

A global leader in multimedia reduced audit risk by decreasing configuration compliance audit cycle time from 2 months to 5 days.

Importantly, the roadmap factors in the changes in people (skills, roles, and organization) and processes (business and
technical) required to fully capture the benefits of automation technology, matching organizational readiness with increasing
technology sophistication.
The Automation Passport explains the three critical solution areas for high-value automation:

Provisioning and configuration

Patching and compliance

Cloud services

Each solution area level can be mapped to the Automation Value Model described within this text to gain greater clarity on the
potential automation value at each level and the organizational readiness required to achieve it. This measured approach is
the way to maximize automation value.

BMC delivers market-leading products across a broad range of established and emerging automation needs, including configuration management for application infrastructure, workload automation, and cloud management. But first, BMC rigorously tests its automation portfolio internally. Every year, companies from around the world visit the BMC Executive Briefing Center in Houston to learn how the BMC IT operations organization dramatically reduced its costs while increasing agility and improving service delivery. BMC IT has established an Automation Center of Excellence (CoE) with results that include:

600:1 server-to-admin ratio
20-minute server provisioning
100% compliance for networks, servers, and databases

Using the Automation Passport


The Automation Passport is divided into several sections for IT executives and managers responsible for leading automation
strategy and implementing automation initiatives. While the document may be read in a sequential, front-to-back order, it is
designed in a modular way so the reader can identify relevant areas of interest and focus on specific content to assess current
automation state and plot an actionable strategic path to achieve greater automation value.
Following are BMC's solution area recommendations for key stakeholders:

IT executives looking to understand the Automation Passport:
  o The Passport Framework
  o Automation Strategy

IT executives and strategists responsible for IT automation:
  o The Automation Value Model
  o Begin with a Baseline: Automation Level Assessment
  o Automation Value Measurement
  o Maximizing Value at Each Level
  o Automating the Process: Automation Value Stages
  o Automation Organization & Roles
  o Expanding the Technology Footprint: Automation Reference Architecture
  o Case Study: IT Automation Value Realized at Large Financial Institution

Implementation leads for data center automation:
  o Provisioning & Configuration
  o Patching & Compliance

Implementation leads for cloud:
  o Cloud Services
  o Automated Cloud Services Roadmap

The appendices should be read by IT professionals responsible for understanding automation value or architecting and
delivering an IT organization's automation strategy. This material augments the core content, expanding on specific areas (e.g.,
Appendix B: Provisioning & Configuration Value Metrics Formulas) and providing information that supports the overall content
(e.g., Appendix A: Automation Specialist Roles).

Automation Strategy
IT is accountable for delivering business value. Automation enables IT to optimize resources and increase efficiencies,
lowering costs and improving quality of service. This translates to business value by accelerating the delivery of services to
customers or internal groups, decreasing the cost to provide those services, and reducing risk. The challenge is in developing
an automation strategy and the discipline to measure value, so that you can systematically achieve all the benefits that
automation can provide across your IT organization.
Automation typically starts with an IT team that uses a familiar tool to solve a specific need. Because of this, automation
efforts are typically uncoordinated across an organization, employ many different tools, and lack any mechanism to measure
the comprehensive value they create.
As a company grows, automation procedures often remain ad hoc. The basics of automating manual IT activities seem easy,
yet when IT attempts to scale automation across a complex environment, results can fall short of expectations. Tactical,
short-term automation decisions can either become a long-term automation enabler or an expensive inhibitor. Piecemeal
initiatives using simple, makeshift tools can create bottlenecks elsewhere or management headaches that negate the return
on investment. When it works, automation is often ignored; when it fails, it can be catastrophic.
Because new automation is typically integrated and used to augment existing automation, building an automation
environment with weak underpinnings can result in serious reliability and support issues. Modern organizations have large,
complex cloud infrastructure and constant pressure to control costs, increase quality of service, and meet compliance
requirements. In these environments, an ad hoc approach is likely to lead to unacceptable outcomes. It is important to
approach your automation strategy in a holistic way to maximize total business value.

The Automation Value Model


BMC has developed the Automation Value Model illustrated below to guide IT departments to greater automation
value and success. The model provides an automation path that maximizes value by matching the organization's
business drivers, technology sophistication, and organizational readiness.

Figure 1: Automation Value Model

Figure 1 shows how the three critical solution areas for production data centers (provisioning and configuration; patching
and compliance; and cloud services) fit in the model, which illustrates the increasing levels of automation and business
value. The model starts where most companies begin, with tactical, ad hoc automation, and plots paths to advanced, on-demand IT services. Each level of automation improves quality of service and reduces cost, which in turn justifies and funds
further automation.

Applying the Automation Value Model


Apply the Automation Value Model to develop an automation strategy
customized for your business drivers. Use the needs and growth goals for the
company or business unit to determine which solution area(s) will drive the
greatest value. For example, with recent high-profile data breaches in the
retail and financial services industries, patching and compliance might be a
strategic focus.

Understand and measure the contribution automation plays by establishing value-based measurement.

After identifying the key solution area(s), baseline your company's automation level and maximize value at that level
before progressing to the next one. By measuring and documenting the value realized along the way, each
automation project can justify investment for the next one, creating a virtuous cycle of business value. While it is not
necessary to complete the value path for one solution area before tackling another, the highest automation levels
cannot be easily achieved without attaining at least the related solution areas' process levels.
The remaining sections in Part I elaborate on how to assess your level and maximize value, including a customer case
study. Part II explores detailed best practices and lessons learned by solution area level.

Figure 2: Automation Value Cycle


Begin with a Baseline: Automation Level Assessment


To begin the automation journey, IT organizations must first baseline their current automation levels or states.
Automation value is best realized when measured against an organization's strategic automation objectives, identified
in conjunction with business stakeholders. BMC's assessment framework provides a brief description of the
organization, process, and technology associated with each automation level. The assessment of the IT organization's
automation level should be aligned with the business's strategic drivers, so that specific automation projects can be
prioritized to drive the greatest value inside and outside IT.
As shown, the automation levels start with Ad Hoc and move to Tools, Process, Standardized, and, lastly, Advanced.
This framework can be used to set expectations and evaluate automation readiness. Automation success is best
achieved when people, process, and technology are coordinated. As automation sophistication grows, so does the need
for process maturity and increased collaboration to match more advanced tools.

Figure 3: Automation Levels

Automation processes are initially focused on tactical operations and development needs (the Ad Hoc level). Examples include
server and application startup procedures, file movement, and procedures to test application software. As automation
sophistication increases, the need to plan, document, design, develop, and support automation dictates greater controls,
broader IT infrastructure coverage, increased organizational collaboration, and roles specifically aimed at delivering
automation and cloud services.
Successful BMC customers have achieved automation value by balancing technology adoption with organizational readiness
and process maturity. A short-term tactical decision made with medium-to-long term objectives in mind ensures automation
adopted today does not inhibit strategic automation objectives.
IT organizations that make tactical automation decisions for both technology and process without a strategy often fail to move
beyond their current automation states or incur significantly higher costs. The costs include ongoing development and support
of procedures, the re-evaluation of automation tools, the move to new tools, the training and re-training of staff, skills
retention, and the risks and impact of automation procedures unable to keep up with changes in IT and the business.
Use this framework to assess your overall automation level. Different IT teams may be at different levels. However, to ascend
to higher levels as a company, these teams must eventually be normalized and integrated. Also, value may not be maximized
within a level due to discrepancies between the adopted technology and the various teams' organizational readiness.


Automation Value Measurement


Automation value is rarely measured once the initial return on investment or expectation has been achieved. This
makes the job of justifying further automation investment a difficult and, sometimes, labor-intensive task.
However, if automation activity is not measured, reported, and logged, its value is not understood and is therefore
diminished.
We have found a need for relevant and consistent measurements that can be used to prove value irrespective of
the procedures being automated. In working with customers, the most common automation value measurements
are speed, cost, and risk. Efficiency and agility are also measurements; however, in most cases, these are a result of
increasing speed, lowering cost, and reducing risk. In addition, efficiency is hard to benchmark, as it demands an
understanding of inefficiency, a measurement many IT organizations are unable to articulate.
Using speed, cost, and risk factors, the Automation Passport provides guidelines on how automation is evaluated
against IT goals and its business value is measured against specific automation IT objectives.
For each Automation level, the Automation Passport suggests numerous calculations, such as those shown in the
table below. These hard numbers can then be translated into business value, such as accelerating business
services, reducing downtime, increasing resilience, and reducing business risk.

Value: Speed
  IT Objectives: Increase responsiveness by removing manual activity
  Metrics: Manual process time(s) - Automation time(s) = Time saved
  Business Value Realization: Improved IT responsiveness to business needs

Value: Cost
  IT Objectives: Manual labor cost savings
  Metrics: Time saved x hourly labor cost x automation executions = incremental cost savings tracked over time
  Business Value Realization: Reduced operating expense

Value: Risk
  Reduction in configuration-related outages impacting the business
  IT service availability numbers compared over time
  Increased IT service availability
  Increased customer satisfaction
  Customer satisfaction
  Compliance adherence
  Regulatory audit reporting improvement to avoid financial penalties
  Routine audit and compliance reports (and time to run audit and meet compliance)
  Security flaws avoided to increase IT infrastructure resilience, measured against historical occurrences
  Business reputation
  Customer trust

Figure 4: Measuring and Capturing Value

Using the automation value measurement, IT organizations are able to understand current automation value,
identify areas requiring further improvement, and plan and justify new investments. Note that it's important to
collect current data for existing manual or semi-automated processes to get an accurate picture of the "before"
state prior to implementing the new automation project in order to capture the incremental value.


Maximizing Value at Each Level


Once you have assessed your baseline automation level, your goal is to extract maximum value at each level before
progressing to the next level. Unsurprisingly, the three sources of greatest automation value correspond to how you
automate a process, adapt your people, and implement the technology to fully capture the value of automation. Key
concepts that underpin every automation strategy include:
1. Automating the process: automation value stages
2. Automation organization and roles
3. Expanding the technology footprint: the Automation Reference Architecture

Figure 5: People, Process, and Technology

Each level balances increasingly sophisticated people, process, and technology and often leverages orchestration technology
for integration.


Automating the Process: Automation Value Stages


Automation value typically focuses on task execution, the part of a procedure that does the work. However, as
automation sophistication grows, the activities required before and after the task execution will become part of the overall
automation procedure. This results in an automation procedure spread across three stages: pre-execution, execution, and
post-execution.
What occurs at each automation stage varies among procedures, with some requiring a significant amount of activity at the
pre-execution stage and others requiring very little. This means that focusing on automating one part of a procedure may
not demonstrate business value. Automating the execution stage (e.g., configure, install, patch, provision, and update) can
show significant savings in time, cost, and effort for IT operations. However, the value may not be realized or noticed by the
business unless the pre-execution (e.g., justification, approvals, custom requests, and scheduling) and post-execution (e.g.,
reporting, signoff, and verification) stages are also automated.
For example, if the business demands a 50% time reduction to provision a new IT service, it will only be achieved by
automating the entire process, not just the execution stage.

Figure 6: End-to-End Automation Value Realizations

Automating just the execution stage is easier, and many IT departments stop there. It does not require a collaborative
organization or integration between tools and automation workflows. However, effective IT transformation must accelerate
services to the business, not just reduce IT workload. This requires more sophisticated automation with pre- and post-execution stages. Higher levels of organizational collaboration, automation roles, and tools/procedure integration, including
orchestration, are necessary to achieve on-demand and self-service goals.
The Automation Passport explains how to deliver the execution stage and enhance it through functionality and integrations
that deliver greater business value by incorporating pre-execution and post-execution automation.
Lessons learned: Automation value is diminished and unappreciated if the time- and effort-consuming parts of a procedure
are not automated, reducing overall benefits to the business.
Recommendations: When automating a complex and labor-intensive procedure, automation should consider all the tasks,
including those required before and after the execution stage to fully automate the process.


Automation Organization & Roles


At the initial level, IT operations and development personnel develop and deliver the
automation activity to address ad hoc tactical requirements. There are no dedicated
automation specialists or formal processes to design, develop, and manage this
automation activity. As an IT organization's automation needs increase, so does the
focus required from IT personnel. New tasks will emerge, with a corresponding need
for new skill development and even new roles within IT.

Establish roles that can design, architect, and select automation technology while understanding the role automation plays today and into the future.

Emerging automation tasks include automation workflow design, development and testing, deployment, monitoring, and
support. Each company may have different job titles and descriptions (e.g., automation specialist, automation architect or
cloud architect) assigned to the tasks, but the automation objectives will be the same. However, to be successful, automation
roles must also include the ability to work closely with different organizations, promoting teamwork and collaboration to
support overall automation objectives.

Figure 7: Automation-Focused Roles Increase Value

Roles focused on automation must be both hired externally and nurtured from within. It is important to provide career
ladders for traditional IT professionals who can transition to new automation roles.
The people required to fulfill new automation roles will emerge from across the IT organization, including development, IT
operations, and IT service management. The skills necessary to fulfill these roles include project management, process
design, process management, workflow development, scripting, IT tools integration, and knowledge management.
Three types of roles with typical titles are specified at each automation level for each key solution area:

An automation enabler supports key automation activities (e.g., cloud service justification, design, release, service
support, automated task authorization, and activity surrounding security and compliance)

An automation operator executes the automation activities and process (e.g., providing step authorization,
deployment monitoring, or capacity optimization)

An automation stakeholder may be a user or approver and is involved in the automation design, delivery, and
usage

As automation sophistication and importance increases, not only do new roles emerge, but existing responsibilities can
change, which results in a shift in the number of personnel involved with automation. For example, the advent of widely
available public cloud options collapses many roles into one (e.g., software development).


Essentially anyone can be the user, justifier, designer, release manager, and IT manager. With the availability of free public
cloud provider tools, the need to get cheap resources fast may meet a tactical need. But it may create longer-term IT
management challenges if the build-up, tear-down use case evolves to a production cloud service that must be integrated
with existing IT governance and compliance processes (and touched by more roles).
Once automation is an established IT practice, the number of people involved in automation increases, while other roles
previously concerned with manual processes disappear. At the lower automation levels, processes are likely to be
fragmented and owned by a number of different people and teams. As automation maturity increases, the automation
processes consolidate, expand, and start to cross organizational silos. When this occurs, new automation roles and
responsibilities emerge to take ownership of the process as it crosses organizational boundaries. This allows IT to scale its
services as access to automation increases.
Because automation increases productivity by removing the need for manual interaction, it is often justified by a reduction
in staff. But few IT professionals willingly participate in initiatives designed to eliminate aspects of their jobs. An automation
strategy must align incentives by including career paths for key personnel who have the right skills to transition. As
automation sophistication increases, the contributions of existing roles can change, with new roles emerging to drive
automation initiatives.
Lessons learned: Successful automation transformations consider personnel aspects as much as tools and other aspects.
Automation strategies that don't consider future roles for IT staff may face resistance or even sabotage.
Recommendations: It is important to establish cross-functional automation specialist roles (including automation and cloud
architects) early to ensure short-term, tactical automation decisions and activities support a longer-term automation
strategy. The people required for the new roles typically emerge from IT administration and service management, bringing
with them the skills for process management, workflow management, and tools integration.

BMC Automation Center of Excellence (CoE): A Culture of Embracing Automation


The BMC IT organization incorporates automation principles and methodologies (practices) into its
working culture.

Everyone is encouraged to identify opportunities for automation

Automation must demonstrate clear proof of value

The BMC IT organization also has new career paths for automation specialists and engineers,
drawing from the existing IT team. Their role is to design, support, and deliver automation
solution areas and to ensure that they are enterprise-ready. They create dashboards to
calculate real-time automation value from time, effort, and cost savings.
This has fostered over 50 end-to-end automation use cases that automatically run when
required. This approach has enabled the BMC IT organization to show value to the business
and justify further investment in automation.


Expanding the Technology Footprint: Automation Reference Architecture


Automation value increases when including technology that covers more IT components and platforms across more teams.
For example, it is common to start with server automation and then realize more value in automating the entire application
infrastructure, including networks, databases, and middleware. Likewise, an automation initiative might begin with the
Microsoft Windows platform and then extend to Linux and various flavors of Unix.
A key challenge is managing automation tool proliferation. As part of the automation strategy, IT teams should use tools that
integrate with other technology and support multiple platforms. This will help prevent automation silos that can cause
functional and organizational barriers when trying to achieve higher-value automation objectives. This is particularly
problematic with cloud services, where each public and private cloud becomes a management silo. It will also ensure that
early investment in automation is protected and augmented.
As automation sophistication grows, process integration becomes increasingly important. This requires that other tools,
automation actions, and IT components are included in the automated process.
Orchestration is a key enabling technology that becomes a significant factor at the Process level. The business can use it to
pass data between tools, binding together disparate automation tools, systems, and people into holistic processes. While
most automation tools have some built-in workflow capability, they also have limited integrations with other tools,
particularly those from different vendors. As such, an automation strategy for complex IT environments should incorporate
orchestration technology to optimize business value.

Figure 8: The Automation Reference Architecture

Automation is, in essence, a number of actions run on the infrastructure and applications executed in a specific order to
support an IT process. For example, automation can start with discovering infrastructure, then assessing the discovered
infrastructure, making changes to any irregularities, and then reporting results.
Example Automation Actions: Discover, Create, Inspect, Provision, Monitor, Deploy, Revert, Track, Install, Move, Configure, Report, Image, Patch, Snapshot

Figure 9: Example Automation Actions that Support a Process


Orchestration acts as an abstraction layer that simplifies workflow design at the higher levels of automation by sequencing
and integrating actions that run across a broad range of infrastructure and applications. This allows companies to break
free of domain, hardware, or software-specific automation and deliver end-to-end IT automation services.
Orchestration provides two automation functions:

Task or machine orchestration: Creates well-defined automation workflow that extracts data from systems and
triggers execution of several different tools or scripts as part of a single procedure.

Process orchestration: Handles dynamic workflows that often require human judgment and intervention. This type
of orchestration is most appropriate for processes that require exception handling or where workflows are
dependent on multiple variables.

Orchestration software helps organizations leverage previous investments and tie different systems together to maximize
value as the automation technology footprint expands across a complex IT environment.
Lessons learned: Automation tools and procedures will emerge from different IT teams to solve specific challenges and
increase overall automation value. However, with short-term value realized, the different teams will be required to
consolidate and rationalize automation tools and procedures in support of more advanced requirements and value. Longer-term IT automation objectives will be difficult to achieve if the short-term tool decisions are not aligned across the IT
organization. The detrimental impacts of bringing together established but disparate automation initiatives include the
time, effort, and costs associated with automation consolidation, rationalization, and integration of competing toolsets.
Recommendations: Systematically expand the technology footprint to include major IT components and platforms,
factoring in the integration required between tools to support automation initiatives as they grow in sophistication.
Consider using orchestration technology both for the greater control and visibility it provides over the process and for the
integration it provides between different IT management tools and procedures.


Case Study: IT Automation Value Realized at Large Financial Institution


One of the world's largest financial organizations embarked on an automation journey with BMC to lower costs, save
time, increase efficiencies, and improve quality of service. Over a three-year period, this resulted in savings of over 2.5
million labor hours. If the company reverted to manual activity, it would have required hiring 600 IT professionals.
Instead, automation has allowed them to scale the business with roughly the same number of IT support staff.
To achieve these results, the company did several things:

Communicated an overall vision for automation's strategic role in transforming IT and creating
business value throughout IT.

Implemented automation one step at a time, each focusing on a specific objective.

Continually measured the outcome of each automation project to prove the value and help justify
further investment.

The company's automation environment consists of over 100,000 servers on different platforms, including Linux, Microsoft
Windows, IBM AIX, HP-UX, and Sun Solaris, supporting 12 lines of business (LOB) across 2 continents. The automation
includes provisioning, software deployment, change discovery, and audit and compliance for servers, networks, databases,
and middleware.
The company's approach ensures the investment in automation is tracked, proven, and then used to justify further
investment.

Figure 10: Company Automation Strategy Cycle

To measure value, automation activity is continually captured and logged. The activity is broken down by automation
activity, automation execution, time taken, and the savings attributed to the execution. It is critical to understand what is
run, when it is run, and how long it took. With this data, the company associates automation activity with time and cost
savings. Over a 12-month period, this customer recorded a total of over 6 million end-user automation jobs.


Figure 11: Number of End-User (LOB) Jobs Run over a 12-Month Period

Understanding how long a manual activity took before being automated has allowed the company to show how many hours
are saved each month with automation. This data is then broken down by automation process.

Figure 12. Time Savings (Hours) over a 12-Month Period

Not surprisingly, the most significant savings are in complex operations, such as change discovery and compliance and audit,
which involve time-intensive troubleshooting and cross-functional coordination if executed manually.

Figure 13: Time Savings by Automation Process over a 12-Month Period


The company achieved automation benefits over time using a strategy aligned with an automation readiness state. An
automation focus area was chosen, value was associated with the automation, and value was proven and used to justify
investment in new automation projects, part of the company's path toward IT transformation.
For a case study on the Bank of New York Mellon, please see a recent Forbes article, Cloud Computing Gets Real for the
Enterprise.

Provisioning & Configuration


Automated provisioning and configuration are critical for IT organizations that strive to be responsive to ever-increasing
business demands. Automating the addition, updating, and removal of IT resources ensures executives are able to provide IT
value, while increasing customer satisfaction and minimizing costs. Without automation, the cost, time, and risks associated
with manual activity will become a business inhibitor.
Provisioning and configuring servers, networks, databases, middleware, and applications includes discovering devices and
changes; creating and organizing an inventory; and provisioning, customizing, deploying, and reporting configurations.

Figure 14: Provisioning & Configuration Core Capabilities

For automated provisioning and configuration management, IT organizations should start with a specific solution area and then
expand it once they have realized its initial value. This ensures the IT organization is ready and the technology is aligned and
able to serve as the foundation for the next automation value level. Otherwise, process and technology choices made
expediently in the short-term may not advance the longer-term objectives.


Automated Provisioning & Configuration Roadmap


Automated provisioning and configuration excellence is achieved with a roadmap that plots a path to greater value. The further
along the roadmap, the more sophisticated the automation. The more sophisticated the automation, the greater the value.
For most organizations, the desired automation end state is to provide IT services on demand. For many, this objective is a long
way from where they are today. To address this challenge, BMC has developed a Provisioning & Configuration roadmap with
four incremental value levels that correspond to the Tools, Process, Standardized, and Advanced levels in the Automation Value
Model. Each level aligns technology with organizational readiness.
Companies can be at any level depending on current automation maturity and can achieve significant value by advancing
through the levels.

Figure 15: Automated Provisioning & Configuration Value Path

Each level has a set of attributes associated with it, including:

Primary objective (e.g., provision)

Automation capabilities required to meet the primary objective (e.g., the ability to automatically deploy)

The Provisioning & Configuration roadmap also provides detail on what each level should deliver and what is required to
ensure successful delivery. This includes:

An overview of the level objectives

The justification for the primary objective and the benefits expected

The value required and the way the value is realized

A typical process diagram

The IT personnel required to support the objective

The technology required to meet the objective


Provisioning & Configuration Tools Level: PROVISION


Automated provisioning allows IT organizations to rapidly add and remove IT infrastructure components. This can be loading an
operating system, hypervisor, or a full-stack (a golden image clone) deployment that includes all relevant software and
databases.
Typically, IT starts with provisioning compute capacity, operating systems, and networks, and then adds depth with databases
and middleware. The automation Provision level is focused on creating an image or package; configuring it to adhere to policy
and requested requirements; deploying the image or package; and installing it. The addition of capacity management allows
better decision-making about what is actually available for use.

Provisioning starts with choosing the IT configuration ingredients needed for the image (the completed image is typically
referred to as a baseline or golden image). Components can be added to the image to meet a requester's specific needs. If the
image is to be loaded into an existing environment, available capacity must be checked and allocated. The image will be
installed and verified to ensure it was a success.

Provision Objectives
Create images or commands for installation.
Configure them for deployment.
Deploy them to the targeted environments.
Install them, verify installation success, and load additional software.
Lessons learned: There are many options for provisioning data center
and cloud environments, resulting in different teams choosing multiple
technologies to solve specific needs. This may satisfy short-term
requirements, but it creates longer-term issues associated with having
disparate, non-integrated technologies, increasingly higher automation
development costs, and an inability for the automation to keep up with
changes to the IT infrastructure and the company's service demands.

North American Bank


This BMC customer reduced provisioning time
for new servers from 6 weeks to hours.

Recommendations: Assume the IT environment will evolve, requiring increasingly sophisticated automation to keep up with
change, increase efficiencies, and drive down costs. Choose automated provisioning technology that can provide the following
capabilities:
1. Automate provisioning irrespective of the different types of data center or cloud platforms.
2. Work as an abstraction layer, allowing the business to choose different hardware, software, and services without
incurring costs or having to retool and retrain.
3. Provision and de-provision infrastructure elements (virtual and physical, on-premises, or cloud-based) no matter
what elements are chosen.
4. Unify and bring control to existing automation provisioning tools and procedures (e.g., scripts, open source, and
server/OS provided).

Provision Justification and Benefits

Reduce manual provisioning cost, effort, and risk.

Expedite deployment and decommissioning of infrastructure capacity.

Reduce operational expense.


Value Factor | IT Objectives | *Metrics | Business Value Realization
Speed | Accelerate provisioning of IT infrastructure resources | Compare before vs. after time taken to provision | Improved response time to business requirements; Agile IT services provided when needed
Cost | Reduce the costs devoted solely to provisioning | Compare related labor costs of provisioning before vs. after automation | Lower IT operations expense due to provisioning and rework costs; Release IT personnel for more strategic work
Risk | Reduce errors and incidents due to manual provisioning activity | Compare service delivery targets and quality before vs. after automated provisioning | Increased service delivery consistency and quality

*Detailed value metrics formulas for the Provision level can be found in Appendix B.

Provision Process

Figure 16: Provision Process Overview


Provision Roles
IT administrators deliver automated provisioning across specific IT component silos, decreasing manual support and
workflow creation (scripting) activity required at the Ad Hoc level. Capacity managers can be involved in the process to
ensure reliable provisioning.

Figure 17: Provision Roles

Provision Technology

Figure 18: Provision Technologies


Technology | Automation Activity Description | BMC Technology Alignment
Provisioning | Automates deployment and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation
Capacity Management | Capacity evaluation and confirmation | BMC TrueSight Capacity Optimization


Provisioning & Configuration Process Level: CONFIGURE


Combining provisioning with configuration management provides the capabilities required for on-demand provisioning by
adding on-going configuration management after an image is installed. Configuration management is the process of
continually updating hardware and software settings to ensure optimal service delivery. This step delivers greater value for
provisioning and configuration, as well as the foundational capabilities required for patching and compliance.

The initial value of configuration management is realized by focusing on specific IT components (e.g., servers, networks, and
databases). As in the Provision level, the addition of capacity management allows better decision-making with respect to
what is actually available for use. Configuration management is added to collect and group configuration data; monitor for
configuration change; and install and update configurations and software.
The process for configuration management entails automatically collecting configuration attributes across all IT components.
This includes all types of servers, networks, and databases irrespective of platform or vendor, which results in a consolidated
set of configuration data that can then be logically grouped (e.g., by device type or location). Managing configuration
holistically allows companies to attain the standardization needed to reduce the complexities associated with making changes
to the IT infrastructure. All server, network, and database types will be configured and managed consistently. Changes made
to configurations are captured and reported.

Vehicle Market Research Company

This BMC customer improved service levels for 17 million unique online visitors every month by reducing downtime caused by
configuration issues and compressing server provisioning time by over 90 days, doubling staff efficiency.

Configure Objectives
Inventory IT infrastructure configurations.
Capture configuration changes for all IT infrastructure components.
Change configuration settings on all IT infrastructure components.
Install and configure software.
Update software.
Lessons learned: An objective of configuration management is to create an ideal state by making changes to the existing IT
infrastructure. A common approach is to develop a configuration model, which is then used to make the changes. The
problem with this approach is that a new model will change both working and nonworking configurations, which can create
new problems when used in production. This often results in ongoing model changes and constant reconfigurations.
Recommendations: Automated configuration tools must assess what is working and what must change in production without
making widespread alterations that can create problems and break working configurations. Automation should apply
configuration changes surgically only to IT components with configuration issues.
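
The contrast drawn above between pushing a whole configuration model and changing only what is broken, as an added Python example (not BMC code and not part of the original document). Host names, setting keys, the policy, and the model are all constructed for illustration.

```python
import copy
from typing import NamedTuple, Optional


class Change(NamedTuple):
    host: str
    key: str
    old: Optional[str]  # value seen at assessment time (None = setting missing)
    new: str


# Constructed inventory: configuration attributes collected per host.
INVENTORY = {
    "web01": {"ssh.PermitRootLogin": "no", "tls.min_version": "1.2",
              "ntp.server": "ntp2.example.internal", "app.heap_mb": "4096"},
    "web02": {"ssh.PermitRootLogin": "yes", "tls.min_version": "1.0",
              "ntp.server": "ntp1.example.internal", "app.heap_mb": "2048"},
    "db01": {"ssh.PermitRootLogin": "no", "tls.min_version": "1.3",
             "ntp.server": "ntp1.example.internal", "app.heap_mb": "8192"},
}

# Constructed single-valued "ideal state" model, as in the model-push approach.
MODEL = {"ssh.PermitRootLogin": "no", "tls.min_version": "1.2",
         "ntp.server": "ntp1.example.internal", "app.heap_mb": "2048"}

# Constructed policy: key -> (set of acceptable values, value to apply on violation).
# Settings the policy does not mention (app.heap_mb) are left to their owners.
POLICY = {
    "ssh.PermitRootLogin": ({"no"}, "no"),
    "tls.min_version": ({"1.2", "1.3"}, "1.2"),
    "ntp.server": ({"ntp1.example.internal", "ntp2.example.internal"},
                   "ntp1.example.internal"),
}


def violations(inventory, policy):
    """Assess: one Change per setting that breaks policy (missing counts as broken)."""
    found = []
    for host, settings in sorted(inventory.items()):
        for key, (allowed, fix) in sorted(policy.items()):
            current = settings.get(key)
            if current not in allowed:
                found.append(Change(host, key, current, fix))
    return found


def model_push_plan(inventory, model):
    """Model push: rewrite every setting that differs from the model, working or not."""
    plan = []
    for host, settings in sorted(inventory.items()):
        for key, wanted in sorted(model.items()):
            if settings.get(key) != wanted:
                plan.append(Change(host, key, settings.get(key), wanted))
    return plan


def surgical_plan(inventory, policy):
    """Surgical: change only the settings that are actually in violation."""
    return violations(inventory, policy)


def collateral(plan, broken):
    """Changes in a plan that touch settings which were not in violation."""
    broken_keys = {(c.host, c.key) for c in broken}
    return [c for c in plan if (c.host, c.key) not in broken_keys]


def apply_plan(inventory, plan):
    """Apply to a copy. Skip a change if the live value moved since assessment."""
    result = copy.deepcopy(inventory)
    applied, skipped = [], []
    for ch in plan:
        if result[ch.host].get(ch.key) != ch.old:
            skipped.append(ch)
            continue
        result[ch.host][ch.key] = ch.new
        applied.append(ch)
    return result, applied, skipped


if __name__ == "__main__":
    broken = violations(INVENTORY, POLICY)
    push = model_push_plan(INVENTORY, MODEL)
    print(f"model push: {len(push)} changes, "
          f"{len(collateral(push, broken))} of them to working settings")
    after, applied, skipped = apply_plan(INVENTORY, surgical_plan(INVENTORY, POLICY))
    for ch in applied:
        print(f"surgical: {ch.host} {ch.key}: {ch.old!r} -> {ch.new!r}")
    print("remaining violations:", violations(after, POLICY))
```

In the constructed data the model push would also lower `tls.min_version` on db01 from 1.3 to 1.2 and reset tuned heap sizes, which is the kind of change to working configurations the lesson warns about.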


Configure Justification and Benefits


Reduce manual configuration cost, effort, and risk
Provisioning and configuration change consistency to increase control
Configuration information to support key initiatives, including IT planning, capacity planning, patch and compliance
management, audit reporting, and fault management

Value Factor | IT Objectives | *Metrics | Business Value Realization
Speed | Increase change capacity | Compare manual vs. automated time taken to run audit and configuration procedures | Greater agility to deliver new or updated products/services
Cost | Optimize IT resources and reduce costs associated with IT audit and configuration changes | Compare the configuration audit and deployment costs before vs. after automation | Lower IT operations expenses related to auditing and configuration change management; Release IT personnel for more strategic work
Risk | Reduce risk associated with change | Compare change capacity and success before vs. after automated auditing and configuration management | Fewer IT-related business outages due to failed changes

*Detailed value metrics formulas for the Configure level can be found in Appendix B.

Configure Process
The Configure automation procedure for provisioning with configuration management collects and organizes configuration
data to provide a detailed IT inventory that can then be grouped. The groupings allow an IT organization to better understand
how the IT environment is configured and enable changes to be made with greater logic (e.g., by location or device type). The
automation tools also monitor the IT environment for configuration updates and report changes that occur without
authorization or conflict with configuration policy.
Capacity management technology can be used at this level to ensure that provisioning or configuration changes are made
successfully with available resources.

Figure 19: Configure Process Overview


Configure Roles
IT administrators continue to be automation operators, enablers, and users/stakeholders with significantly reduced manual
effort. Automation specialists emerge with responsibility for supporting and driving automation across the IT infrastructure.
Configuration managers add automation that shows how configurations across elements support applications and services.
Capacity managers can be involved in the process to ensure reliable provisioning.

Figure 20: Configure Roles

Configure Technology

Figure 21: Configure Technology

Technology | Automation Activity Description | BMC Technology Alignment
Provisioning & Configuration Automation | Automates configuration change, software deployment, and installation | BladeLogic Network Automation, BladeLogic Server Automation, BladeLogic Database Automation, BladeLogic Middleware Automation
Capacity Management | Capacity evaluation and confirmation | BMC TrueSight Capacity Optimization


Provisioning & Configuration Standardized Level: COORDINATE


At the Standardized level, Coordinate, the value is enhanced through sharing and enriching data, introducing greater
control, integrating different products, and orchestrating multiple automation workflows.

Interdependencies between IT components are important to understand, as configuration settings on different components
may be needed to support a shared IT purpose. Making changes without this knowledge will cause issues. Discovery and
configuration management technology provides visibility into component relationships, preventing misconfigurations.
Company policy may not permit unauthorized additions or changes to the IT infrastructure. However, the discovery
technology will capture all new devices. Configuration agents are loaded on servers with network devices and software is
added into the configuration model.
Including change management allows better planning and control, ensuring all changes are authorized, verified, and
recorded. This is typically accomplished with orchestration technology, which provides overall automation delivery through
integration and automated process visualization. Capacity management enables better decision-making by verifying what is
available or utilized.

Coordinate Objectives

Discover new IT components, their configurations, and interdependences/relationships.

Request software and changes through the use of standard interfaces.

Integrate the technology required to support the automation process.

Orchestrate the technology to automate the process.

Verify the health and success of the automated process.

Lessons learned: Automation value increases when IT tools and data
sources are integrated. Combining different technologies allows
automation to execute smarter, broader, faster, and with greater
accountability. These objectives are difficult to achieve when there are
too many integration points and no orchestration between different
procedures and workflows.

Global Leader in Multimedia


This BMC customer accelerated the
deployment of web services by 80%,
down to only 6 minutes.

Recommendations: Using technology that combines orchestration and integration allows greater control, visibility, and
reporting over the entire automated process, with management through a single interface and unified integration for all
workflows and data sources.

Coordinate Justification and Benefits

Increase real-time visibility into IT infrastructure state

Increase IT service quality and availability with configuration change planning

Increase automation execution efficiency

Reduce change impact on IT customers and the business

Optimize IT resources more effectively


| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Accelerate service request execution time | Compare average service request fulfillment time before vs. after automation | Faster IT services with greater control and repeatability |
| Cost | Reduce cost associated with manual discovery, capacity, and orchestration activities | Compare total cost of request fulfillment before and after automation | Reduce the cost of service delivery |
| Risk | Manage IT infrastructure change control | Configuration change reports demonstrating few or no failures for request fulfillment | Reduce the prevalence of shadow IT that may not conform to corporate policies |

*Detailed value metrics formulas for the Coordinate level can be found in Appendix B.

Coordinate Process
The automated process supports some basic steps. A service request is made, evaluated against available capacity, and
then approved. The requested service items (e.g., server, middleware, and database) are then packaged for
deployment, targeted, and installed. Upon completion, the installation is checked and, if successful, updates are made
to the configuration management model and the service request is updated and closed.
The automated process requires the technology to deliver and integrate specific capabilities to ensure the automation
executes seamlessly, without manual intervention. This level includes the technology that addresses all three process
automation stages: pre-execution, execution, and post-execution.

Figure 22: Coordinate Process Overview

Automation Pre-Execution
The service desk triggers the automation to provision a new service, while the tools that discover, configure, and
organize IT configurations enable the automation. The first part of the automation also runs the pre-deployment
checks, including confirming that the request is valid and that the required capacity is available on all required IT
components.


Automation Execution
Once the pre-execution automation completes, the provisioning and configuration execution are orchestrated,
ensuring changes are made in the right order.

Automation Post-Execution
The post-execution automation includes verifying successful installation and closing the service request.

Coordinate Roles
This level requires a high degree of organizational collaboration, with roles aligned specifically to drive automation. Job titles
may differ depending on organizational design, and several roles may be combined into a single position. IT administration
resources continue to be optimized. Additional automation specialists form a competency team focused on using automation
to increase IT efficiencies and reduce complexity. Change managers coordinate change automation with auditors and IT
executives who are new stakeholders of automation deliverables. Capacity managers are mandatory at this level to ensure
reliable provisioning.

Figure 23: Coordinate Roles

Coordinate Technology
The tools used at the Coordinate level are augmented with products that enhance automation capabilities in the execution
stage, while introducing automation in the pre-execution and post-execution stages.

Figure 24: Coordinate Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Provisioning & Configuration Automation | Automates configuration change, software deployment and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation |
| Discovery | Discovers new components | BMC Application Discovery and Dependency Mapping |
| Orchestration | Orchestrates overall process, manages the product-to-product handoffs, coordinates the different configuration tools, and integrates the tools for data passing and activity activation | BMC Atrium Orchestrator |
| Capacity Management | Capacity evaluation and confirmation | BMC TrueSight Capacity Optimization |
| Change Management | Changes to the automated process are formally approved | BMC Change Management |


Provisioning & Configuration Advanced Level: ON DEMAND


At this level, the IT environment is managed as a whole and not as many parts. Provisioning is completed for entire IT
services, which consist of all the components needed to support a request for capacity, an application, or test
environment. Service requests are made through the service managers or through an on-demand self-service portal. Each
request is verified against agreed-upon organizational approval policies and service levels, and it is submitted with required
options and customization. Options can include where the service is delivered (e.g., in the data center or at a cloud service
provider) or device preference (e.g., physical or virtual). Note that this level focuses on full-stack services offered on
dedicated infrastructure in a data center. For more details on provisioning and managing public or private cloud-based
services, see the Cloud Services solution area.

To accelerate the process, the automation workflow has pre-authorized and agreed-upon reserved capacity to ensure
requests are delivered when required. Service requesters are kept up-to-date via the service portal or alerts are sent to their
preferred devices.

On-Demand Objectives

Enable on-demand self-service requests through common portals with options delivered from a service catalog.

Pre-approve service requests and/or automation step authorization to expedite automation process.

Package the software to meet a stacked/layered software deployment request.

Place the software to meet capacity/performance, service, or cost requirements.

Lessons learned: IT organizations have difficulty moving from the automated provisioning of IT components (e.g., servers
and storage) to provisioning multiple components in support of a broader IT business service. The challenge is due to both
organizational barriers and an inability to associate multiple different components with business services. Companies are
often stuck with automation that can only provision siloed IT components, leaving the requester to bring it all together.
This decreases agility and increases risk.

A North American Bank
This BMC customer reduced full-stack deployment from 3 weeks to 2 hours.

Recommendations: Success with on-demand IT service provisioning requires the following:

1. Service-to-component alignment using a catalog supported by a configuration database

2. Collaboration to ensure the process is supported across different IT teams

3. Orchestration tools to coordinate the provisioning of components across multiple automation technologies


On-Demand Justification and Benefits

Automate the provisioning and decommissioning of packaged IT services.

Offer a broad range of IT services for data center and cloud.

Increase business agility.

Fully automate IT services with user self-service.

Maximize IT resources and cost.

Once justified, the high-level value achieved must be recorded and reported. The following chart shows how value is realized
for on-demand service provisioning.

| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Accelerate the end-to-end IT services delivery time from request to completion | Compare end-to-end service fulfillment and component decommission time before vs. after automation | IT services on demand |
| Cost | Remove costs from the end-to-end service fulfillment process | Compare lifecycle management costs of on-demand services before vs. after automation | More IT services for lower IT cost; competitive advantage from faster, more cost-effective IT services |
| Risk | On-demand IT services with controls and reporting | Compare before vs. after services delivered within defined service level agreements (SLAs) | IT is transparent to the business |

*Detailed value metrics formulas for the On-Demand level can be found in Appendix B.


On-Demand Process
The automated process supports several basic steps. The business chooses a service from a menu and requests any
customization. The request is approved and the automated provisioning process commences. With the IT environment
targeted, the required capacity is checked. The automation tools install the IT environment or make changes to an
existing environment. During the post-automation stage, updates are made to the configuration management model
and the service request is updated and closed.
The automated process requires the technology to deliver and integrate specific capabilities to ensure the automation
executes seamlessly without needing manual intervention. This includes the technology that addresses all three
process automation stages: pre-execution, execution, and post-execution.

Figure 25: On-Demand Process Overview

Automation Pre-Execution

A new service is triggered by the service request or through the self-service portal. This is enabled by the tools that
discover, configure, and organize the automation to provision.

Services are offered from the service catalog.

The orchestration product manages the overall automation procedure. The first part of the automation runs the
pre-deployment checks, including taking the request and ensuring it is approved (change management), associating the
request with a service level (service level management), and confirming the required capacity is available for all
required IT components (capacity management).

Automation Execution

Once the pre-execution automation completes, the automation tools (server, network, database, and middleware
automation) deploy and install all the required IT components.

Automation Post-Execution

The post-execution automation includes verifying successful installation, closing the service request, and
creating/publishing the service report.


On-Demand Roles
This level requires a high degree of organizational collaboration, with roles aligned specifically to drive automation. Job titles
may differ depending on organizational design, and several roles may be combined into a single position. IT administrators
and change managers are now primarily initiating automation activities, with automation specialists, configuration managers,
and capacity managers taking over automation design and delivery. The line-of-business (LOB) managers become key
automation users/stakeholders, as automation is integral to digital service delivery.

Figure 26: On-Demand Roles

On-Demand Technology
At this level:

Configuration management is required to unify the configuration components and their relationships.

Service level management is used to associate priority and ensure service delivery meets business expectations.

A service request is needed to process the required service.

The service catalog is required to manage the services offered to the business.

Figure 27: On-Demand Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Service Orchestration | Orchestrates adding, managing, and removing the service and supporting infrastructure | Cloud Lifecycle Manager |
| Provisioning & Configuration Automation | Automates change, software deployment, and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation |
| Discovery | Discovers new components and application dependencies | BMC Application Discovery and Dependency Mapping |
| Orchestration | Orchestrates overall process, manages the product-to-product handoffs, coordinates the different configuration tools, and integrates the tools for data passing and activity activation | BMC Atrium Orchestrator |
| Capacity Management | Capacity evaluation and confirmation | BMC TrueSight Capacity Optimization |
| Change Management | Changes to the automated process are formally approved and escalated | BMC Change Management |
| Configuration Management | Configuration relationships are updated once the package environment is deployed | BMC Atrium Configuration Management Database (CMDB) |
| Service Level Management | Agreed-upon automation service delivery metrics | BMC Atrium Service Level Management |
| Service Request Management | Self-service portal providing access to key automation services | BMC Service Request Management |
| Service Catalog | Provides a view of automation IT services available to the business | BMC Remedy IT Service Catalog |


Provisioning & Configuration Automation Business Value


The following diagram shows the automation value path for provisioning and configuration. The lower levels of automation
provide basic capabilities and produce corresponding basic levels of value. As the organization progresses through the path, the
complexity of the solution and the value to the business both increase.

Figure 28: Provisioning & Configuration Levels Mapped against the Automation Value Model

Each automation level along the path builds on the value from the previous one. However, as the automation increases in
sophistication, the requirement for IT organizational readiness increases too. Whereas provisioning may reside entirely in
one IT operations team, service provisioning may require the involvement of development, all flavors of IT administration
(e.g., server, network, database, storage, and application), service managers, change managers, application release
managers, and representatives from the lines of business. The diagram above matches the Provisioning & Configuration
levels against the five levels from the Automation Value Model.


Patching & Compliance


Patching and compliance management can be complex and confusing. The need to adhere to internal operational policies,
secure IT infrastructure, and comply with external regulations is a basic business requirement, and one with potentially
severe penalties if not met. Unfortunately, many organizations achieve compliance through heroic, last-minute activity to
generate proof of controls for auditors. This approach is expensive, prone to failure, and provides little protection from
ongoing IT security threats.
What's worse, the dynamism of virtualized environments and the public cloud makes it even more difficult to actively
discover newly added assets and maintain compliance with important policies and regulations. The ability to comply and
automate the remediation of non-compliance is critical for organizations wishing to reduce risk, increase quality of service,
and improve control over their IT environment.
When compliance must be demonstrated, many organizations still rely on a combination of different configuration tools,
spreadsheets, and manual effort to provide the answer. As most compliance regulations are not written with IT components
in mind, this scattered approach often results in IT audit reports that are inconsistent with how auditors need to see them.
This can cause delays in the auditing process, significant time and effort, and a high level of frustration and conflict between
the team discovering vulnerabilities and the IT team trying to fix them.
The objective of automated patching and compliance management is to simplify the process of adhering to corporate policy
and compliance regulations, making it as non-intrusive as possible. Documented compliance controls are meaningless if they
are not implemented or functioning properly. The role of automated compliance management is to ensure compliance
adherence across the IT infrastructure. For IT, the ability to understand the compliance state and adhere to compliance
regulations should be simple in a strategically automated environment.

Figure 29: Patching & Compliance Core Capabilities

The core capabilities for delivering automated configuration compliance and patching are:

1. Discover new and existing device configurations

2. Define the relevant company policies and compliance to which each component should be compared for adherence

3. Audit all configurations against the specified policies and standards to reveal unauthorized changes to
hardware/software configuration, configuration drift, and configuration change anomalies

4. Remediate by addressing the policy or compliance violation, either through corrective action or by tagging it as
an authorized exception

The entire process should be governed with integrated change management for a truly seamless effort.
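One way to express the discover, define, audit, and remediate capabilities in code, as an added example that is not BMC's tooling or part of the original document. Host names, settings, policy values, and the change ticket ID are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# 1. Discover: constructed inventory standing in for discovery-tool output.
DISCOVERED = {
    "web01": {"group": "web", "ssh_root_login": "no",  "tls_min": "1.2", "ntp": "10.0.0.5"},
    "web02": {"group": "web", "ssh_root_login": "yes", "tls_min": "1.2", "ntp": "10.0.0.5"},
    "db01":  {"group": "db",  "ssh_root_login": "no",  "tls_min": "1.0", "ntp": "10.0.0.9"},
    "app07": {"group": "web", "ssh_root_login": "no",  "tls_min": "1.2", "ntp": "10.0.0.5"},
}
# Last approved configuration per host (constructed). app07 has no record yet.
BASELINE = {
    "web01": {"group": "web", "ssh_root_login": "no", "tls_min": "1.2", "ntp": "10.0.0.5"},
    "web02": {"group": "web", "ssh_root_login": "no", "tls_min": "1.2", "ntp": "10.0.0.5"},
    "db01":  {"group": "db",  "ssh_root_login": "no", "tls_min": "1.0", "ntp": "10.0.0.5"},
}
# 2. Define: required settings per component group (illustrative values).
POLICY = {
    "web": {"ssh_root_login": "no", "tls_min": "1.2"},
    "db":  {"ssh_root_login": "no", "tls_min": "1.2"},
}

@dataclass(frozen=True)
class Waiver:
    """An authorized exception, tied to a change ticket and an expiry date."""
    host: str
    setting: str
    ticket: str
    expires: date

WAIVERS = [Waiver("db01", "tls_min", "CHG-PLACEHOLDER-1", date(2030, 1, 1))]

@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    kind: str                  # "violation", "drift" or "new-component"
    actual: Optional[str]
    expected: Optional[str]
    disposition: str           # "remediate", "review" or "exception:<ticket>"

def active_waiver(waivers, host, setting, today):
    """Return the unexpired waiver covering (host, setting), if any."""
    for w in waivers:
        if (w.host, w.setting) == (host, setting) and today <= w.expires:
            return w
    return None

def audit(discovered, baseline, policy, waivers, today):
    """3. Audit: compare each host to policy, then to its approved baseline."""
    findings = []
    for host in sorted(discovered):
        cfg = discovered[host]
        rules = policy.get(cfg["group"], {})
        approved = baseline.get(host)
        if approved is None:   # discovered but never recorded as approved
            findings.append(Finding(host, "*", "new-component", None, None, "review"))
        for setting, required in rules.items():
            if cfg.get(setting) != required:
                w = active_waiver(waivers, host, setting, today)
                disp = f"exception:{w.ticket}" if w else "remediate"
                findings.append(Finding(host, setting, "violation",
                                        cfg.get(setting), required, disp))
        if approved is not None:
            for setting in sorted(set(cfg) | set(approved)):
                if setting in rules:
                    continue   # already judged against policy above
                if cfg.get(setting) != approved.get(setting):
                    findings.append(Finding(host, setting, "drift", cfg.get(setting),
                                            approved.get(setting), "remediate"))
    return findings

def remediation_plan(findings):
    """4. Remediate: corrective changes only; exceptions and reviews are skipped."""
    return [(f.host, f.setting, f.expected)
            for f in findings if f.disposition == "remediate"]

def apply_plan(discovered, plan):
    """Return a corrected copy of the inventory; the input is not modified."""
    fixed = {host: dict(cfg) for host, cfg in discovered.items()}
    for host, setting, value in plan:
        if value is None:      # setting absent from the approved baseline
            fixed[host].pop(setting, None)
        else:
            fixed[host][setting] = value
    return fixed

if __name__ == "__main__":
    today = date(2025, 1, 1)
    findings = audit(DISCOVERED, BASELINE, POLICY, WAIVERS, today)
    for f in findings:
        print(f)
    # Verify: re-audit after remediation; only the waiver and the new host remain.
    fixed = apply_plan(DISCOVERED, remediation_plan(findings))
    print(audit(fixed, BASELINE, POLICY, WAIVERS, today))
```

Once the waiver's expiry date passes, the same `tls_min` finding on `db01` comes back as `remediate`, which keeps authorized exceptions from becoming permanent.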


There is a broad range of technologies that provide some compliance auditing functions. However, most focus on a specific
software or element type (e.g., Windows servers), creating a fragmented, non-integrated view of the IT environment's true
compliance state. Worse, most tools stop short of the real challenge, which is to remediate non-compliant IT components as
quickly as possible.

Automated Patching & Compliance Roadmap


As with provisioning and configuration management, each patching and compliance level is a path to maturity and value
realization. Proactively ensuring IT does not violate compliance is the ultimate objective. The Patching & Compliance value
path has four incremental levels that correspond to the Tools, Process, Standardized, and Advanced levels in the Automation
Value Model. Each level aligns technology with organizational readiness.
Companies can be at any level depending on current automation maturity, and can achieve significant value by advancing
through the levels.

Figure 30: Automated Patching & Compliance Value Path

Each level has a set of attributes associated with it. The attributes include:

Primary objective (e.g., comply)

Automation capabilities required to meet the primary objective (e.g., the ability to manage)

The Patching & Compliance roadmap also provides detail on what each level should deliver and what is required to ensure
delivery. This includes:

An overview of the level objectives

The justification for the primary objective and the benefits expected

The value required and the way the value is realized

A typical process diagram

The IT personnel required to support the objective

The technology required to meet the objective


Patching & Compliance Tools Level: PATCH


Patch management is the process of determining which patches should be applied to which systems at specified times.
Patches are designed to fix security vulnerabilities, address software issues, and improve usability and performance.
Patches can be released frequently; many associated with security vulnerabilities arrive with little warning and a high
degree of urgency. Automation is used to manage the deployment and installation process, which must be accomplished
without disrupting the business.

While patch management is mandatory, it is accomplished with different levels of efficiency by different organizations. The
objective is not simply to do it, but to do it better. Effective patch management should ensure that the IT infrastructure is
secure and policy-compliant, while delivered quickly and cost-effectively.
Lessons learned: Based on industry data verified by BMC customers, it costs thousands of man-hours per month for the
average 10,000-server organization to keep up with patching its environment. Even in small 30-50 IT server environments, it
can take 120 hours a month to patch, which is significant when there are only a few people supporting the servers. Costs
rapidly escalate with manual patching, easily running into the hundreds of thousands of dollars for patching each month.
Additionally, a realistic assumption that approximately 5% of the patches will fail adds additional recovery time and cost.
Recovering from a failed installation can be twice as long as the original failure time.

IT Services Company
This BMC customer realized ROI goals within 6 months by implementing a single solution for auditing system status,
generating alerts for unpatched servers, and assuring consistent patch levels. This automation value was achieved with no
increase in staff.

Patch Objectives

Library and reference all available patches.

Target the IT infrastructure components to be patched.

Install patches.

Verify patch installation success/status.

Recommendations: An automated patching process is a basic requirement to address security vulnerabilities and
performance issues speedily and cost-effectively. The most efficient processes include technology that seamlessly recovers
from failed patch applications.


Patch Justification and Benefits

Eliminate the risk from patches that are inconsistently applied.

Achieve rapid patch deployment.

Reduce time to restore to a secure state.

Improve usability and performance.

Attain control over the patch deployment process.

| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Accelerate patching of IT infrastructure | Compare before vs. after time taken to patch | Software security and quality improvements |
| Cost | Reduce the costs devoted solely to patching | Compare related labor costs of patching before vs. after automation | Increased IT service reliability and productivity of L2/L3 IT staff; optimize labor costs to patch due to infrastructure or business growth |
| Risk | Reduce risk of errors from manual patching and downtime from unpatched infrastructure | Compare patching compliance across the IT infrastructure before vs. after automation | Minimize or eliminate risk of business interruption or compromise due to known application vulnerabilities |

*Detailed value metrics formulas for the Patch level can be found in Appendix C.


Patch Process Overview


Effective patch management requires the ability to apply patches as soon as they are available and as fast as company policy
allows. (For example, the policy could include patch testing before distributing it across the entire IT environment.) The patch
library holds or points to the patch location. The patches are automatically deployed and installed, and success is verified.
Patches can arrive in waves, so it is critical for the automated patch technology to track each patch release and provide a
real-time understanding of current IT infrastructure patch compliance.
Patch release success requires an IT infrastructure readiness state. Configuration grouping allows patches to be released to
specific IT components at the appropriate time. This reduces the risk of patch installation failure (e.g., ensuring patches are
scheduled by location at 2 a.m. local time). This capability ensures patches are released when the IT infrastructure is ready to
receive the patch.

Figure 31: Patch Process Overview


Patch Roles
IT administrators deliver automated patching by IT component type and gain efficiencies through less manual support and
workflow creation (scripting) activity. Patches are delivered faster and with lower risk than at the Ad Hoc level. Security
officers receive patch reports and request patching activity.

Figure 32: Patch Roles

Patch Technology
Automation patch management tools need to be deployed across the IT infrastructure for the greatest value. However,
most IT organizations start with network and server patching automation.

Figure 33: Patch Technology

| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Patch automation | Automates patch deployment, installation, and reporting | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Middleware Automation; BladeLogic Database Automation |


Patching & Compliance Process Level: ASSESS


Augmenting the capabilities provided by patching, the Assess level collects and groups configuration data, updates
configurations, monitors for change, and installs software, providing the foundational capabilities required for effective
patching and compliance. The value is realized from IT infrastructure element and change discovery, inventory, grouping,
change management, and reporting.

Automatically collecting configuration attributes across all IT components, including all types of servers, networks,
databases, and middleware, ensures configuration policy information is consistent to realize time and cost savings across
the entire IT infrastructure. Configuration managed holistically delivers a higher level of cross-platform standardization,
which reduces the complexities associated with making changes to the IT infrastructure.

Assess Objectives
Inventory IT components.
Group IT components into logical groupings (e.g. type, location, and service).
Capture and evaluate change against policy.
Report changes and policy adherence.

Lessons learned: An audit can trigger a significant amount of work to discover and log the configurations of all managed IT
components (e.g., servers, networks, etc.). This often results in many disparate reports that then need to be consolidated
for evaluation. This work takes time and effort, and it can cause unnecessary disruption to the IT organization.

Global Leader in Multimedia
This BMC customer reduced the audit cycle time from 2 months to 5 days due to server configuration compliance.

Recommendations: Use technology that runs automatically and routinely discovers, consolidates, and
reports IT configurations for all managed components to allow IT organizations to understand their
configuration state in an unobtrusive, ongoing way. This information can be used to satisfy an audit
without any additional cost, effort, or disruption to IT operations.

Assess Justification and Benefits

Reduce risk associated with manual activity.

Consolidate patch and configuration status information.

Report configuration compliance easily.

Increase control with consistent patch and configuration management.


| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Accelerate time to assess IT components and produce audit reports | Compare before vs. after time to assess configuration state against policy | On-demand configuration compliance status reports |
| Cost | Optimize IT resources and reduce costs of compliance assessment and reporting | Compare the compliance assessment time before vs. after automation | Reduced audit costs and effort; lower IT operations expense |
| Risk | Reduce risk of undiscovered configuration issues | Compare audit costs before vs. after automated configuration management | Ongoing audit reporting proving IT configuration compliance |

*Detailed value metrics formulas for the Assess level can be found in Appendix C.

Assess Process
The automation procedure for patching and compliance collects and organizes configuration data to provide a detailed IT
inventory that can then be grouped. The groupings allow an IT organization to better understand how the IT environment
is configured and enable patch and configuration changes to be made with greater logic (e.g., by location or device type).
The automation tools also monitor the IT environment for patch and configuration updates and report changes that are
done without authorization or that are in conflict with company compliance policy.

Figure 34: Process to Assess Compliance


Assess Roles
IT administrators continue to deliver patches and make changes to IT configurations with fewer resources. Supported by
tools, configuration managers consolidate IT infrastructure configuration compliance. Automation specialists emerge to
coordinate and manage the automated patch and configuration processes across the IT infrastructure. Auditors can easily
use consolidated patching and configuration reports.

Figure 35: Compliance Roles Involvement

Assess Technology

Figure 36: Assess Level Technology

| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Provisioning & Configuration Automation | Automates configuration change, software deployment, and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation |


Patching & Compliance Standardized Level: COMPLY


To understand IT adherence to policies and regulations, IT infrastructure configurations are grouped and measured
against policy and compliance rules. Any variance from policies is either remediated or logged as an exception.

To achieve policy or regulatory compliance, IT needs to discover and update all key components, including servers,
networks, databases, and middleware. To gain the most value from automation, it is important to gather configuration
data irrespective of platform or software and apply updates using tools that provide remediation capabilities for these
components. If data is collected in disparate ways using multiple approaches and technology, the costs and effort saved in
collection are lost when consolidating the output to demonstrate overall IT compliance. Bringing components into
compliance automatically eliminates a series of time-consuming, manual steps.

Comply Objectives
Discover new IT components.
Apply regulatory and corporate policy to IT infrastructure components.
Monitor for changes and policy adherence.
Remediate non-compliant components to conform with regulatory and corporate policy.

Lessons learned: IT configuration change remains a challenge for IT organizations, not only because it is a primary
contributor to performance and downtime issues, but also because it can take a company out of compliance.

Global Financial Exchange
This customer relies on BMC for full Sarbanes-Oxley Act (SOX) compliance while serving >$1 quadrillion annually in trades.

Recommendations: Changes to the IT environment demand a best practice for tracking and verification. Using configuration
automation tools to make changes ensures configurations are valid and adhere to policies and regulations. Integration with
change management ensures that changes are tracked, authorized, and reported. Seek tools that not only reveal compliance
violations, but also provide automated remediation capabilities.

Comply Justification and Benefits

Enforce regulatory and policy compliance across IT infrastructure.

Achieve regulatory and policy compliance violation reporting on demand.

Discover and bring newly added IT components into compliance.

Avoid fines and penalties for non-compliance.


| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Respond rapidly to compliance violation issues | Compare compliance audit, remediation, and validation time required to bring non-compliant components into compliance with policy, before vs. after | Improved coverage of compliance with policies across business applications |
| Cost | Reduce costs for maintaining compliance including fines for audit failures | Compare compliance costs before vs. after automated remediation | Minimize cost of operations or cost to compete |
| Risk | Reduce risk of failing internal/external audits | Compare compliance reporting and remediation before vs. after automation | Reduced business and legal compliance exposure |

*Detailed value metrics formulas for the Comply level can be found in Appendix C.


Comply Process
The compliance report includes detail on how required software, patches, and configurations adhere to company policy
and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card
Industry-Data Security Standards (PCI-DSS), the Sarbanes-Oxley Act (SOX), and the Federal Information Security
Management Act (FISMA).

Figure 37: Compliance Process Overview

Comply Roles
At the Comply level, IT administration resources continue to be optimized. The automation specialist role assumes
responsibility for patching and compliance automation, and additional automation specialists form a competency team to
deliver increased efficiency. Security officers can now automatically initiate patching. Capacity managers provide additional
understanding of added/new or removed IT capacity. Change managers can initiate configuration management requests. IT
executives receive consolidated IT infrastructure patching and configuration status and compliance reporting.


Figure 38: Compliance Roles

Comply Technology

Figure 39: Comply Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Provisioning & Configuration Automation | Automates configuration change, software deployment, and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation |
| Discovery | Discovery of new components and relationships/application dependencies | BMC Application Discovery and Dependency Mapping |
| Orchestration | Orchestrates overall process, manages the product-to-product handoffs, and coordinates and integrates tools activity for data passing and activation | BMC Atrium Orchestrator |
| Service Desk | Manages the reporting of new compliance issues and the escalation and outage of the remediation process | BMC Remedy Incident Management |
| Change Management | Ensures the automated process is managed with required approvals and escalations | BMC Change Manager |


Patching & Compliance Advanced Level: INTELLIGENT


At this level, we begin to measure configuration compliance at a business service level or against a measured or monitored
key performance indicator (KPI). New IT components are automatically discovered and mapped against the services they
support. Components that change are automatically assessed for compliance against business impact. That is, IT compliance
can now be viewed against business prioritization or the importance that one IT element has over others. This knowledge
hardens IT infrastructure in line with both compliance adherence and business value. Compliance violations are addressed
with minimal human intervention, enabling automatic remediation of pre-approved changes.

This capability requires a high degree of infrastructure standardization and an organization willing to pre-approve key
configuration remediation changes (e.g., reversal of the last known change or a restore to a steady state). Integration with
change management, the service desk, the configuration database, application discovery, and dependency mapping are
added at this level. Each is required to contribute to automating the decision-making process.
Change management is enforced at this level. Intelligent compliance controls what, how, who, and when changes can be
made on parts of or to the entire IT infrastructure. Granular permissions control what is changed and by whom on specific
components. Each component is aligned with its contribution to applications and other components. The more critical the
component, the greater the enforcement needs to be.

Intelligent Objectives
Align with business priorities by mapping IT component configurations to IT services.
Assure compliance through ongoing, controlled, automated change and remediation.
Prevent non-compliant changes through standardized interfaces and controlled change management.
Pre-approve changes to allow automatic remediation on non-compliant components.


Lessons learned: No matter how much rigor is put into IT change control,
assumptions should not be made about the IT infrastructure's state of
configuration compliance. This is particularly true since IT experiences constant
change and is spread across different organizations, locations, and
environments (e.g., data center and cloud). Assuming 100% compliance across
the entire IT infrastructure without making frequent checks on configuration
state will likely result in ongoing availability issues and discrepancies when
audited.

Major Insurance Company: This BMC customer has maintained 100% regulatory compliance
continuously for the last 7 years for over 6000 servers with integrated change management.

Recommendations: Assume that there will be configuration issues and plan accordingly. Building on the best practice
outlined in the previous Comply level, the Intelligent level brings additional IT configuration compliance hardening
capabilities.
1. Make automated changes to ensure changes are valid and in compliance.
2. Ensure changes are captured, reported, and, where required, authorized.
3. Establish ongoing discovery of configuration changes for all IT components and report compliance adherence.
4. Measure and track regulatory compliance adherence to identify areas of improvement.
5. Automatically remediate and/or report out-of-policy configurations.

Intelligent Justification and Benefits

Measure compliance against the business (lines of business and applications).

Align component relationships with compliance management.

Align responses to compliance violations with impact on business.

Remediate compliance violations faster.

| Value Factor | IT Objectives | *Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Achieve ongoing compliance discovery, monitoring, remediation, and change management | Compare end-to-end process time before vs. after governed, automated compliance monitoring and remediation | Highly available and compliant business services |
| Cost | Reduce or eliminate cycle time costs for compliance processes | Compare end-to-end process costs before vs. after governed, automated compliance monitoring, and remediation | Lower- to no-cost audit cycles from ongoing compliance; Avoided penalties for noncompliance |
| Risk | Ongoing security, operational, and regulatory configuration compliance with controls and reporting | Compare before vs. after compliance by compliance policy and/or business service | Ongoing compliance risk visibility |

*Detailed value metrics formulas for the Intelligent level can be found in Appendix C.


Intelligent Process
At this level, the automation has three fully automated activities:
1. The discovery of new and changed components
2. The continual collection and evaluation of configurations against compliance
3. Pre-approved compliance remediation (with manual approval where appropriate)

This level provides the ability to automate and fully track the compliance process from discovery to compliance remediation.
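
The three activities above, together with the rule that more critical components need greater enforcement, can be sketched as one tracked cycle. This is an added example, not BMC product code: the policy settings, the pre-approval catalogue, the criticality tiers (1 = low, 3 = high), and all component names are constructed assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed compliance policy: required value per configuration setting.
POLICY = {
    "ssh_root_login": "no",
    "password_min_length": 14,
    "audit_logging": "enabled",
}

# Constructed pre-approval catalogue: settings that change management has
# pre-approved for automatic remediation, mapped to the highest business
# criticality tier at which the fix may run without human sign-off.
PRE_APPROVED = {
    "ssh_root_login": 3,
    "audit_logging": 2,
}


@dataclass
class Component:
    name: str
    service: str        # business service the component supports
    criticality: int    # tier inherited from the service mapping
    config: dict


@dataclass
class Outcome:
    remediated: list = field(default_factory=list)       # (component, setting)
    change_requests: list = field(default_factory=list)  # (component, setting)
    audit_trail: list = field(default_factory=list)


def discover(inventory, known_state):
    """Activity 1: return components that are new or whose config changed."""
    return [c for c in inventory if known_state.get(c.name) != c.config]


def evaluate(component, policy=POLICY):
    """Activity 2: list (setting, actual, required) for each deviation."""
    return [(setting, component.config.get(setting), required)
            for setting, required in policy.items()
            if component.config.get(setting) != required]


def remediate(component, violations, outcome, pre_approved=PRE_APPROVED):
    """Activity 3: auto-fix pre-approved deviations, route the rest to approval."""
    for setting, actual, required in violations:
        limit = pre_approved.get(setting)
        if limit is not None and component.criticality <= limit:
            component.config[setting] = required
            outcome.remediated.append((component.name, setting))
            action = "auto-remediated"
        else:
            # Not pre-approved, or the component is too critical for an
            # unattended change: manual approval is required.
            outcome.change_requests.append((component.name, setting))
            action = "change request raised"
        outcome.audit_trail.append(
            f"{component.name} [{component.service}, tier {component.criticality}] "
            f"{setting}: {actual!r} -> {required!r}: {action}")


def run_cycle(inventory, known_state):
    """One discovery-to-remediation pass; known_state persists between passes."""
    outcome = Outcome()
    for component in discover(inventory, known_state):
        remediate(component, evaluate(component), outcome)
        known_state[component.name] = deepcopy(component.config)
    return outcome


def sample_inventory():
    """Constructed inventory, already mapped to business services."""
    return [
        Component("web-01", "online-banking", 3,
                  {"ssh_root_login": "yes", "password_min_length": 14,
                   "audit_logging": "disabled"}),
        Component("build-07", "internal-ci", 1,
                  {"ssh_root_login": "no", "password_min_length": 8,
                   "audit_logging": "disabled"}),
        Component("db-02", "online-banking", 3, dict(POLICY)),
    ]


if __name__ == "__main__":
    state = {}
    result = run_cycle(sample_inventory(), state)
    print("\n".join(result.audit_trail))
```

The same setting is handled differently depending on the tier of the service behind it: `audit_logging` is fixed automatically on the low-tier build host but raises a change request on the tier-3 web server.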

Figure 40: Process of Intelligent Discovery to Intelligent Remediation

Figure 41: Intelligent Automation Process


Intelligent Roles
This level requires a high degree of organizational collaboration, with roles aligned specifically to service automation. Job
titles may differ depending on organizational design. IT administrators and change managers are now primarily only
initiating automation activities, with automation specialists, configuration managers, and capacity managers taking over
automation design and delivery. Line-of-business (LOB) managers are updated on compliance reporting as it pertains to
their business systems.

Figure 42: Intelligent Roles Diagram

Intelligent Technology

Figure 43: Intelligent Technology Use Diagram


| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Provisioning & Configuration Automation | Automates configuration change, software deployment, and installation | BladeLogic Network Automation; BladeLogic Server Automation; BladeLogic Database Automation; BladeLogic Middleware Automation |
| Application Discovery | Discovers all IT infrastructure components and establishes their relationships in support of the business applications. This information is used by configuration and compliance to set priorities and controls. Configuration management consumes the data. | BMC Application Discovery and Dependency Mapping |
| Configuration Management | Provides the centralized collection of all configuration data, organized as the business requires (e.g., by relationship, application, location, and owner) | BMC Atrium CMDB |
| Orchestration | Automates process required to automatically bring an IT component back into compliance | BMC Atrium Orchestrator |
| Change Management | Supports the automated compliance process, providing the pre-approvals required for automatic remediation | BMC Change Manager |


Patching & Compliance Automation Business Value


As with the Provisioning & Configuration value path, each level along the Patching & Compliance path builds on the
value achieved from the previous one. In fact, software patching can start at a basic level and increase in
sophistication and value in parallel with the compliance processes, leading ultimately to continuous policy, security,
and regulatory compliance through highly automated processes.

Figure 44: Patching & Compliance Mapped Against Automation Value Model


Cloud Services
Whether motivated by the promise of faster service delivery with self-service, the cost savings from paying for
infrastructure only when needed, or the risk mitigation from high availability, enterprises have many reasons to embrace
the cloud. But almost 10 years into the cloud revolution, companies are still struggling to find the optimal strategy for
harnessing the cloud and realizing its potential for increased speed, lower cost, and reduced risk.
Experienced companies have moved beyond proof-of-concept pilots and are tackling the challenge of offering and
managing more complex, production cloud services. In the process, they've discovered that just like ad hoc data center
automation projects, poorly planned cloud implementations can dramatically increase the management costs and risks,
ultimately obviating the speed benefits.

Managing Multi-Cloud Environments


Most large organizations have at least two cloud environments, typically a private cloud and one or more public clouds
(with or without IT's blessing).
While popularly called the hybrid cloud, most enterprises are actually multi-cloud environments that each host entirely
independent applications. This is in contrast to a truly advanced hybrid cloud that shares application components and
enables application mobility among public and private clouds. Managing services in a private cloud differs from working
with public clouds, since a multi-cloud environment usually consists of cloud silos. Typically, each comes with its own
management tools and provisioning portals. In addition, each public cloud provider has different APIs and tools.


Figure 45: Cloud Types

Automation Management Consistency


Over time, organizations will have a mix of different cloud environments, each chosen to meet business requirements using
different application approaches. The challenge is in managing across them in a consistent way to ensure migrated and native cloud
IT services are delivered and managed quickly and cost-effectively within corporate policy and regulatory compliance guidelines. In
addition, a consistent management process is essential in order to offer true hybrid cloud services that integrate and optimize
applications across two or more cloud environments. Attaining these objectives requires technology that can automate cloud
service management processes while abstracting the underlying applications' architectural designs.

The Cloud Management Ecosystem


To appreciate the cloud services management challenge, one must first understand the key components of the cloud management
ecosystem. Each cloud service has three sets of functions that must be managed:
1. User Services: This consists of all the ways a cloud service may be requested, such as a self-service portal, via email, or through a mobile app.
2. Core Functions: These include all the functions required to provision and deploy a cloud service,
which can be provided by a cloud management platform (CMP), independent APIs, or tools.
3. Supporting Functions: These include additional functions called by a cloud management platform
to manage and monitor a deployed cloud service.

The cloud delivery process figure below illustrates how a cloud service request is actually executed in this ecosystem. A user
requests a cloud service from a catalog presented through a service portal or other user interface. The core functions first assemble
the service, e.g., the appropriate cloud infrastructure components (which can be a cloud platform or cloud stack), options, and
revisions. Then, they deploy it in the correct order based on the service model. A cloud governor (i.e., a function that makes
decisions based on request and cloud preparedness) makes the placement decisions, verifies the readiness of the environment, and
initiates the automation process.


For clouds that span different providers and environments, the decisions for placement and optimized management require greater
visibility into the cloud infrastructure configurations, available capacity, and the levels of service required. In short, companies with
multi-cloud or hybrid-cloud environments require access to more sophisticated core and supporting functions. Appendix D
explores how and where a cloud derives its value and delves into the management capabilities required. Cloud management tools
aimed at providing support for a single cloud, environment, instance, or type are unlikely to scale to meet the needs of a multi-cloud
environment. Appendix E provides detail on critical supporting functions and how they must scale with cloud sophistication.

Figure 46: Example Cloud Services Delivery Process

Managing Services Hosted in a Public Cloud


Many enterprises start their cloud journey in a public cloud. Managing a digital service in a public cloud is a seemingly attractive
option, but it requires varying levels of effort, skill, and technology investment depending on the complexity of the service. That's
because public cloud providers offer lowest-common-denominator options through APIs that may work fine for spinning up a basic
development/test environment, but may not fit that well with a business's needs for more complex services.
While public cloud environments generally come with free or low-cost management tools (e.g., cloud monitoring), these will differ
by provider. The tools are likely to have gaps and functionality shortfalls that a user must compensate for through tools
development or with other technology in order to customize the environment appropriately, as shown in Figure 47 below.

Figure 47: Public Cloud Management Service Disparities


The following is an example of the capabilities a large user needed to configure and manage their production service in a public
cloud environment.
User Services:
Cloud Service Requests: The mechanism to interact with the cloud infrastructure and request cloud services (portal,
API call, script, third-party catalog)
Core Functions:
Loading the Application: Getting the business applications in the cloud run-time environment (e.g., install, deploy,
etc.)
Integration & Connectivity: Connecting the company cloud components together (e.g., via an abstraction layer,
orchestration template, or script). Enabling components in a multi-tier application to communicate and be
accessible from outside the cloud (e.g., public IP address)
Supporting Functions:
Configuration: Configuring the business's cloud applications and components

Capacity: Determining the capacity needed to run the applications. Decisions on compute, memory, storage,
network, ancillary services, etc.

Performance Management: Ensuring performance visibility and determining if additional performance is needed
(e.g., caching, load balancing, content delivery network)

Security: Security and compliance of cloud components (e.g., hardened Linux, firewall configurations)

IT Operations: Ongoing management of the business cloud components (e.g., starting/stopping servers, provisioning
new servers, defining scale-out rules, taking snapshots, ensuring leases are persistent, etc.)
o Cloud environment health and availability monitoring
o Applications monitoring (end-to-end transaction and response times)
o Problem management (including integration to automate problem outage and escalation)
o Patching, upgrading, and changing the cloud application with multiple options,
including: creating a new image and deploying it over existing software, creating a
new image and deploying it on a new infrastructure and fail forward, patching the
installed software directly, etc.
o Debugging problems and root-cause analysis (application and/or infrastructure)

To address the gaps and create a manageable public cloud environment, the user had to employ many IT operations tools. This
particular company required 40 additional tools and functional enhancements, which were all integrated with the cloud
environment using the provider's APIs to cover key areas, including:
Usage monitoring (e.g., cost, usage, and trends)

A web interface for managing requests

Automation workflows integrated with the service provider's workflow

Monitoring to measure remote access latency

There is a clear division of labor between the cloud service provider and the cloud user. Public cloud providers refer to this
as shared responsibility. The division of labor must be clearly understood, as it determines the effort, skills, and costs
required to augment the services and tools available from the cloud service provider. It also helps to determine potential
privacy, policy, and security challenges using a public cloud for sensitive company applications and services.


Figure 48: A CMP Addressing Cloud Management Shared Responsibilities

A cloud management platform addresses cloud provider management tools disparity (see Figure 48) and should provide the
following capabilities:
Provide consistent cloud management capabilities, filling gaps (e.g., tools functionality/missing tools) left by the
public cloud service providers.
Enable unified cloud automation that executes in a uniform, standard way irrespective of the underlying cloud
environment.
Integrate cloud management activity, allowing seamless process automation.
Enable an organization to establish itself as a digital services broker where services are offered, provisioned, and
managed irrespective of the cloud or data center environment chosen to meet the service need.
Leverage existing/provided cloud silo management technology to optimize management capabilities and realize
value that may be unique to different cloud environments.
Reduce complexity by providing an abstraction layer that normalizes management across different cloud
management tools.
Reduce risks associated with cloud silos by using common change management processes and uniform compliance
management.
Without a flexible cloud management platform, using more than one public cloud provider multiplies the management
effort, which can defeat the advantages of multi-sourcing.

Managing Services in a Private Cloud


A private cloud requires the development or purchase of all technology required for providing cloud services, but allows for full
customization and control. For example, a service could include the option to use existing hardware or operating systems, which
would not be an option otherwise. Security, compliance, and control are common reasons companies choose to act as an internal
service provider. Yet, many struggle to emulate the public cloud providers' simplicity and speed, especially when it comes to cloud
service request and delivery.
Initial private cloud decisions include what services to offer, which data center facilities to host the cloud infrastructure (on-premise, off-premise), the run-time environment (e.g., images, stacks, operating systems, etc.), and the most appropriate
physical infrastructure and software to use to divide the single-tenant and multi-tenant shared infrastructure (e.g.,
hypervisors, clustering, resource pooling, abstraction layers, container support, etc.)
A key difference is how a private cloud is managed. A public cloud provider uses tools to address core cloud capabilities (e.g.,
capacity optimization, workload movement, and high-availability and failover). They will also provide the user with a disparate
toolkit of management technology to deal with basic requirements such as monitoring. These tools are provided without things like
integration, common repositories, or consolidated reporting (i.e., shared responsibility). The assumption is if this is needed, the
cloud user will address it with APIs and skilled resources. A private cloud may offer the users access to monitoring and reporting, but
the underlying management environment will be the responsibility of the IT organization.
Managing a private cloud will also include all aspects of user services, core functions, and supporting functions.


User Services:
Cloud Service Requests: The mechanism to interact with the cloud infrastructure and request cloud services (e.g.,
portal, API call, script, and third-party catalog)
Core Functions:
Loading the Application: Getting the business applications in the cloud run-time environment (e.g., install, deploy,
etc.)
Integration & Connectivity: Connecting the cloud components together (e.g., via an abstraction layer,
orchestration template, or script)
Supporting Functions:
Configuration: Configuring the business's cloud applications and components

Capacity: Determining the capacity needed to run the applications, including decisions on compute, memory,
storage, network, ancillary services, etc.

Performance Management: Ensuring performance visibility and determining if additional performance is needed
(e.g., caching, load balancing, and content delivery network)

Security: Security and compliance of cloud components (e.g., hardened Linux and firewall configurations)

IT Operations: Ongoing management of the business cloud components (e.g., starting/stopping servers, provisioning
new servers, defining scale-out rules, taking snapshots, ensuring leases are persistent, etc.)

IT as Digital Services Broker


The cloud has created opportunities for companies to re-evaluate how they provide IT services and how they choose and
develop applications. Business users have found they now have choices. If the corporate IT organization cannot provide IT
services, there might be more flexible, cloud-based alternatives available elsewhere. Visionary IT organizations are offering
cloud services of their own and brokering cloud services from external providers.
A cloud service brokerage objective assumes that an organization, internal or external, will offer a broad range of cloud
services, off-the-shelf and custom, from both private and public sources. According to analyst Gartner, "A cloud services
brokerage (CSB) plays an intermediary role in cloud computing. CSBs make it easier for organizations to consume and
maintain cloud services, particularly when they span multiple providers."
From a business perspective, it makes sense for a company to have a CSB, as it allows control over multiple cloud IT services
and ensures that cost and risk are managed. However, a CSB should not become a barrier or the judge of what services a
business requires. The objective of a CSB is to offer and facilitate the delivery and on-going management of a requested
cloud service, ensure the cloud user gets the value they expect, and that all services comply with company and regulatory
policy.
Key CSB objectives and deliverables include:

Cloud Service Options: Provide more IT cloud services to the business, not less.
Ongoing Evaluation: Constantly evaluate cloud service options and offer new ones.
o New options could include better costs, support, infrastructure options, etc.
Business Alignment: Understand the way the business uses cloud services, measure and monitor user experience,
and seek continual improvement.
Performance: Ensure cloud service performance meets business expectations and/or service level agreements.
Guidance: Make recommendations on cloud service options based on business needs, expectations, and
corporate policy.
Education: Educate the IT users of cloud services to help them make the best cloud decisions for their business
units.
Simplification: Allow focus on the business service requirements, while masking the details of which underlying
cloud service is used to support it.

Cloud Management Responsibilities


A public cloud service provider delivers management capabilities through refactoring, wrapping, or most commonly through
integration with the tools' APIs. A company using services from different cloud sources will find that each public cloud has
different levels of management capabilities, requiring different skills and resources. This situation can create disparate
cloud management silos, each using different tools with varied levels of integration (see Figure 49).

Figure 49: Cloud Management Silos

As cloud sophistication increases (e.g., mixed/multiple cloud service environments, hybrid clouds) and maturity grows,
companies look for ways to provide greater management control over multiple cloud environments. This is typically
addressed using a cloud management platform (CMP), which acts as a resource abstraction layer that provides cloud
orchestration across different cloud environments. Large organizations may require their CMP to manage the services their
corporate data center provides. This ensures the IT services utilize as many common skills and resources as possible,
providing a level of user consistency while optimizing complexity and cost.
The CMP provides the integration with management tools, automation products, workflows, and scripts to deliver
automation and management activities while masking the underlying tools' complexities (see Figure 50). Using a CMP also
consolidates different tools' functions, allowing IT organizations to create a standard method for delivering cloud
automation even if the underlying cloud environment changes.

Figure 50: CMP Serving Digital Services Brokerage

A CMP enables the automation of cloud activity across a shared infrastructure (e.g., compute, memory, storage, network,
and ancillary services). This allows a company to manage the cloud as a set of building blocks that create the company's
base services. Even though infrastructure as a service (IaaS) and platform as a service (PaaS) can be described as units of
cloud, a CMP manages beyond the units and across different units, and integrates with a broader set of management
technology to deliver greater cloud automation value (e.g., change management, problem management, end-user
performance monitoring, and tools that enable cloud brokering). As cloud needs evolve, IT organizations may seek to
automate the movement of workloads across different clouds (e.g., for cost or performance reasons). That automation will
require CMP management technology capable of orchestrating the process and interoperating with a broad range of cloud
service provider management tools.


Automated Cloud Services Roadmap


As with the patching and compliance solution area, each cloud services level is a path to maturity and value realization. The
objective is to seamlessly offer a range of on-demand cloud services to users while optimizing speed, cost, and risk through
consistent, automated management across cloud environments. The cloud services roadmap has four incremental value levels that
correspond to the Tools, Process, Standardized, and Advanced levels in the Automation Value Model. Each level aligns the
technology with organizational readiness.
Companies can be at any level depending on current automation maturity and can achieve significant value by advancing through
the levels.

Figure 51: Cloud Services Value Path

Each level has a set of attributes associated with it. The attributes include:
Primary objective (e.g., provision)
Automation capabilities required to meet the primary objective (e.g., the ability to automatically deploy)

The cloud services roadmap also provides detail on what each level should deliver and what is required to ensure successful
delivery. This includes:
An overview of the level objectives
Lessons learned and recommendations
The justification for the primary objective and the benefits expected
The value required and the way the value is realized
A typical process diagram
The IT personnel required to support the objective
The technology required to meet the objective


Cloud Services Tools Level: IMAGE


At this level, the cloud is used to provide a core set of capabilities that include the creation, configuration, packaging, deployment,
and installation of virtual capacity, an IT infrastructure environment, software, or full application. This can include the loading of an
operating system, hypervisor, or a full-stack such as a golden image clone that includes all relevant software and databases to a
specific set of configurations.

Image Objectives

Create cloud images
o Offer cloud services via a portal/menu
o Support private and/or public cloud environments
o Provide options (e.g., cloud environment, OS/hypervisors, storage devices, networks, and capacity)
Configure services to meet requester's specific needs
Package cloud services
o Provide managed capacity allocation/placement
Deploy packages
Install packages and activate service

Lessons learned: For some, this level has meant virtualization plus automation; however, this overly simplistic view does not provide
a path beyond server provisioning. Cloud deployment and service model choices will determine the options for cloud provisioning.
This will result in different teams using multiple technologies (e.g., provided with OS/hypervisor, cloud service, in-house
development, or purchased from a software vendor) to solve a common task of adding and removing IT resources. This may satisfy
short-term requirements but creates longer-term issues due to inconsistent processes and disparate, non-integrated provisioning
technology.
Recommendations: Assume the cloud environment will evolve, requiring increasingly sophisticated automation to keep up with
change, increase efficiencies and drive down costs. Choose automated technology that can provide the following capabilities:
1. Automate cloud service delivery irrespective of the different cloud models.
2. Treat cloud provisioning as an abstraction layer allowing the business to choose different hardware, software, and
services without incurring costs or having to re-tool and re-train.
3. Unify and bring control to existing cloud services provisioning tools and procedures (e.g., scripts, open source, public
cloud tool APIs, and server/OS provided).

Image Justification and Benefits

Expedite the delivery of IT services to the business.
Remove manual work and process lag through process automation.
Reduce the cost, effort, and risk associated with manual activity.
Reduce complexities for cloud management.
Reduce the risk of cloud silos emerging.
Expedite deployment and decommissioning of infrastructure capacity.
Reduce operational expense.
Automate the provisioning of cloud IT services.


| Value Factor | IT Objectives | Metrics | Business Value Realization |
|---|---|---|---|
| Speed | Reduce time to deliver cloud services; Install cloud images on demand; Enable changes to cloud environment quickly | Compare before vs. after automated service provisioning, measured from service request notification to successful deployment; Track number of times cloud services are delivered over a set period | Improved service response time to business; Cloud service performance and quality improvements |
| Cost | Increase IT administrator-to-cloud component ratio; Decrease cloud management manual activity; Decrease time to provide business IT services | Compare cost reductions for multiple organizations managing cloud vs. optimized cloud management function; Compare the IT staff-to-cloud component ratio before vs. after automation; Time and effort saved by the number of IT staff no longer needed to provision cloud services manually; Costs associated with business service request before cloud automation vs. after | Cloud services on demand; Increased IT responsiveness to cloud service requests, reducing a financial impact to the business; Increased cloud service reliability; Increase productivity of cloud support staff; Lower IT operations expense |
| Risk | Reduce risk of issues associated with manual cloud service delivery activity; Reduce risks associated with multiple organizations delivering cloud services | Compare errors made before vs. after the unification of cloud processes and policy across disparate cloud environments and activities; Compare number of problems caused before vs. after the adoption of unified cloud automation | Increased IT user satisfaction; Increased control of cloud service delivery |


Image Process
At the Image level, the cloud service begins with the service request and extends to service activation. The service can be the
loading of software, the creation and deployment of an image, the allocation of infrastructure resources, or the loading of an entire
application stack. The following process is an example of an automated cloud service process.

Figure 52: Cloud Image Process Overview

Automation Pre-Execution
The cloud service image is created and packaged
The cloud service image is loaded into an image library
Cloud services are offered through a portal/menu (cloud services can be requested through other methods, e.g., via
email)
Cloud service requests are configured and patched
The request is approved (if not already pre-approved)
Cloud resources are checked (e.g., available capacity)
The network address is applied with the appropriate network access
Automation Execution
The packaged image is distributed to the cloud and installed
Upon completion, the installation is checked and verified
The cloud service is activated
Post-Execution Tasks Automation
Product licenses are assigned


Image Roles
At the Image level, multiple teams may be involved in cloud deployments and usage. Internal IT may provide a private cloud
environment, while software development and application testing teams may use public cloud services. The challenge is to manage
the cloud environment in a consistent and controlled manner to ensure costs are in line and skills are applied when and where it makes
the most sense from a company perspective.

Figure 53: Cloud Image Roles

Image Technology

Figure 54: Cloud Image Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
| --- | --- | --- |
| Network Automation, Server Automation, Database Automation, Middleware Automation, Cloud Provisioning | Automates cloud infrastructure provisioning and change | BladeLogic Automation Suite |
| Orchestration | Workflow for delivering cloud services. Typically provided with cloud automation tool(s) | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Cloud Service Portal | Cloud service menu (e.g., application store, custom request, guided options, and identity mgmt.) for mobile & desktop | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Image Library | A library of pre-built cloud images | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Service Catalog | Provides a view of automation IT services available to the business | BMC Remedy IT Service Catalog |
| Capacity Management | Used/available cloud capacity that provides the optimization of dedicated/shared resources across different cloud environments | BMC TrueSight Capacity Optimization |


Cloud Services Process Level: MANAGE


At the Manage level, cloud management consolidation enhances value by providing the ability to manage across different cloud
services and deployment models in a coherent, consistent manner.

The Manage level includes pre-packaged cloud services delivered by orchestrated workflows that describe components, capacity
required, and deployment order. Integrated with a catalog of services, the cloud package includes the service parameters (e.g.,
requester, entitlements, and costs). This allows increased control over the environment and further expedites the release
management process.
The services are submitted with the configurations and parameters applied and authorized against agreed priorities and service
level. At this level, the requested service can be aligned against a type of cloud environment (e.g., a service for application testing
can be provisioned in a public, low-cost cloud).
Services are provisioned with capacity automatically verified to ensure that the cloud environment is able to support the service
request. The requested service is delivered in-line with internal policy and external compliance regulations.
This process supports both cloud service delivery models (i.e., native and migrant cloud environments), allowing change to occur
prior to release or once the environment is established.

Manage Objectives

Consolidate cloud option menus for consistency.
Catalog services to ensure managed cloud deliverables.
Orchestrate workflows to aid provisioning speed, efficiency, and accuracy.
Manage change to ensure requests are tracked, reported, and processed.
Verify sufficient resources are available to support service requests.
Integrate with service management to manage issues efficiently.
Monitor to agreed service levels and reporting.

Lessons learned: Cloud choices made at this level can create significant management challenges, especially when the requirement
is to apply common processes across clouds and enforce company policy and regulatory compliance. The challenges are caused by
treating every cloud or cloud service as a unique instance, with each requiring different levels of infrastructure control, different
tools for management, and different levels of infrastructure visibility. This scenario contributes to increased organizational
complexity (i.e., cloud-specific management silos) and increased business risk through the inability to consistently manage
regulatory compliance for all parts of the IT infrastructure that supports the business applications.
Recommendations: Control of a company's cloud environment should factor in both current cloud usage as well as new use cases
and cloud options likely to appear in the future. For example, as companies move from private and/or public to multi-cloud
environments, from software as a service (SaaS) to PaaS, and from migrated cloud applications to native cloud applications, the
management technology must be able to adapt and encompass the cloud flavors to maintain control and IT resilience while
providing the cloud service options the business needs to prosper.
This implies the following requirements:
1. Cloud management technology that allows holistic and consistent cloud control for all business cloud services choices
2. A cloud management strategy that factors in the key integrations required to support the automation of processes
across different cloud service and delivery options
3. The adoption of a cloud services tools strategy that integrates and orchestrates all required cloud management
components, including public cloud tool APIs, for service options, packaging and delivery, cloud monitoring, change
management, and service management


Manage Justification and Benefits

Provide the business with cloud service options while masking underlying cloud complexity.
Accelerate automation execution through consistent management tools and architecture.
Reduce business risk through consistent IT compliance management across cloud services.
Increase business efficiencies by providing cloud service options without sacrificing control and IT visibility.
Optimize IT resources through the abstraction of cloud service diversity, the removal of repetitive manual activity and the
elimination of cloud management silos.

Value Factor
Speed
Cost
Risk

IT Objectives
Cloud environments managed in a consistent way
Issues managed through an integrated service management process
Cloud monitored against availability policies
Managed cloud infrastructure change control
Cloud monitored against availability policies
Consistent cloud orchestration
Issues managed through an integrated service management process
Reduce request execution time
Service requests delivered against agreed service levels
Standard/common services with options

Metrics
Compare execution time before vs. after the menu (cloud service) consolidation.
Compare the time taken to create and request cloud services before vs. after the implementation of standard/common service options
Time and effort saved
The number of IT staff no longer needed to manage every cloud type
Compare downtime cost before vs. after the automation of the cloud service mgmt. process
Change managed and measured against historic regulatory configuration compliance reports
Compare cloud downtime statistic before vs. after the implementation of service management process integration
Visibility into cloud service irrespective of type or location

Business Value Realization
Standard choices requiring less time to choose an option
Faster IT cloud services with greater control and visibility
Cloud services delivered to an agreed timeframe based on agreed service levels
Increased application availability
Operational expenses reduced through the optimization of human resources
Trusted IT cloud service resilience and reliability
Lower risk of compliance issues due to poor change management practices
IT service problems are managed in-line with agreed business service levels


Manage Process
At the Manage level, the automated activities expand to include resource checking, service levels, network connectivity, and final
deployment packaging and verification procedures. Steps noted in italics below are incremental to the previous level.

Figure 55: Cloud Manage Process Overview

Automation Pre-Execution
The cloud service image is created and packaged
The cloud service image is loaded into an image library
The catalog of services provides the applications and required resources
The service deployment is delivered via the service orchestration
Cloud services are offered through a portal/menu (cloud services can be requested through other methods, e.g., via
email)
Cloud service requests are configured and patched
The request is approved (if not already pre-approved)
Automation Execution
Cloud resources are checked (e.g., available capacity)
Service levels (e.g., entitlement, performance measurement, and service termination agreement) are associated with the
requester and the service requested
The network address is applied with the appropriate network access
Package configurations and policies are applied to the cloud service
The packaged image is distributed to the cloud and installed
Upon completion, the installation is checked and verified
The cloud service is activated
Cloud configuration is updated as part of a new image (ongoing activity)
Patches are applied to the cloud service as part of a new image (ongoing activity)
Post-Execution Tasks Automation
Product licenses are assigned
Service request is closed (part of the change management process)
Problems are managed through the service desk
Cloud infrastructure component issues are monitored
Cloud infrastructure application transaction performance monitored


Manage Roles
The Manage level starts to include different IT professionals, teams, and members of the user community. Multiple teams can be
involved in cloud deployments and usage. Internal IT may be providing private cloud environments while software development
and application testing teams may be using public cloud services. Capacity management may be involved in the planning for the
cloud, with the security officers and auditors involved in identifying risks and compliance irregularities.

Figure 56: Cloud Manage Roles

Manage Technology

Figure 57: Cloud Manage Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
| --- | --- | --- |
| Network Automation, Server Automation, Database Automation, Middleware Automation, Cloud Provisioning | Automates cloud infrastructure provisioning and change | BladeLogic Automation Suite |
| Orchestration | Workflow for delivering cloud services, typically provided with cloud automation tool(s) | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Cloud Service Portal | Cloud service menu (e.g., application store, custom request, guided options, and identity mgmt.) for mobile & desktop | Provided with BladeLogic Automation Suite & CLM |
| Image Library | A library of pre-built cloud images | Provided with BladeLogic Automation Suite & CLM |
| Service Catalog | Provides a view of automation IT services available to the business | BMC Remedy IT Service Catalog |
| Capacity Management | Used/available cloud capacity that provides the optimization of dedicated/shared resources across different cloud environments | BMC TrueSight Capacity Optimization |
| Availability Monitoring | Performance and availability monitoring of the cloud IT infrastructure | BMC TrueSight Operations Management |
| Service Level Mgmt. | Associates priority and ensures service delivery meets agreed business expectations | BMC Remedy Incident Management |
| Component Container | Associates disparate IT components into logical groups to support cloud service delivery, which can be an attribute of configuration mgmt. | CLM |
| Change Management | Provides the ability to manage, approve, track, and report changes occurring in the cloud environment | BMC Change Management |
| Service Management | Manages the reporting, escalation, and outage of cloud service issues | BMC Remedy Incident Management |
| Applications Performance Management | The monitoring of performance and availability of application software from back-end cloud infrastructure transactions to end-user response times | BMC TrueSight Operations Management |


Cloud Services Standardized Level: GOVERN


At the Govern level, the introduction of a service model allows delivery of cloud services on demand, with the ability to make
changes to the cloud services offerings. The combination of the service model and the service governor enables cloud services to be
updated, provisioned, and managed across different cloud environments in-line with business policy and requirements.
The ability to govern cloud (e.g., workload placement decisions, deployment execution verification) is enhanced when combined
with technology that provides greater visibility into how the existing cloud infrastructure is configured, used, and performing across
all cloud environments. This requires integration and orchestration with a number of supporting technology areas, including
configuration, capacity, and performance management.

After cloud services have been delivered, IT user performance and IT infrastructure health are monitored, measured, and reported.
This information is used to ensure service levels are maintained. The impact of change is understood. Service usage is metered and
costs are recognized and used to justify further investment.

Govern Objectives
Provide intelligent service placement, resource availability, and automation execution.
  Analyze user behaviors to identify usage patterns and deliver better cloud services.
Define service levels to deliver and measure cloud services.
  Increase cloud infrastructure resilience in-line with agreed service levels.
Recognize cloud service value and aid investment decisions through cost-aware (show-back) services.
Monitor user experience against cloud infrastructure performance.
Lessons learned: As different cloud service models are adopted to meet the needs of the business, the costs associated with
customization and managing the increasing complexity grow rapidly. In addition, deploying cloud services without measuring
performance blinds IT organizations to the impact of change and the value being provided to the business.
Recommendations: Using cloud service automation technology, such as a service governor supported by a service catalog and
configuration management, allows intelligent placement of cloud services aligned with the appropriate delivery model and cloud
service usage requirement without the need for manual intervention or an increase in costs and effort. We have found that a cloud
strategy that includes monitoring the cloud service from both the IT infrastructure and the end-user perspective ensures the
supporting IT infrastructure is configured and performing within policy and to expectations, and that end users have a positive
experience.

Govern Justification and Benefits

Respond faster to cloud service change with smarter placement and resource utilization.
Reduce cloud service down time while increasing end-user satisfaction.
Understand cloud service user experience.
Demonstrate cloud service costs and value.
Compare cloud service value and costs across company cloud environment.
Automate the provisioning and decommissioning of cloud services.
Fully automated IT cloud services available through multiple self-service options.


Value Factor / IT Objectives

Speed
Reduce time to deliver cloud services from request to delivery
Identify and respond faster to service issues

Cost
Understand and measure the cost of cloud services

Risk
Safe and secure on-demand IT cloud services
Increased cloud infrastructure resilience

Metrics
Service delivery times monitored and measured through change management process reporting
Compare before vs. after service request time
Costs metered and reported
Compare costs between different cloud environments in an ongoing fashion
Measured IT user and business satisfaction
Service-aware monitoring

Business Value Realization
IT cloud services on demand
Increased cloud service availability
Minimal business impact
Increased user satisfaction
More IT cloud services for lower cost
Cloud services delivered faster and cost effectively
Private cloud service value recognition
Minimal IT disruption to the business

Govern Process
At the Govern level, the automated execution activities expand to include configuration management and cloud governance,
making placement decisions, cloud service verification, and automation execution initiation. End-user monitoring, usage metering,
and the process for service retirement are now embraced to support post-execution activities. Steps noted in italics below are
incremental to the previous level.

Figure 58: Cloud Govern Process Overview

Automation Pre-Execution
The cloud service image is created and packaged
The cloud service image is loaded into an image library
The catalog of services provides the applications and required resources
The service deployment is delivered via the service orchestration
Cloud services are offered through a portal/menu (cloud services can be requested through other methods, e.g., via
email)
Cloud service requests are configured and patched
The request is approved (if not already pre-approved)


Automation Execution
Cloud resources are checked (e.g., available capacity)
Service levels (e.g., entitlement, performance measurement, and service termination agreement) are associated with the
requester and the service requested
Configuration management stores cloud component configurations and component cloud service relationships, aiding
cloud governance decisions and the service management process
Cloud governance makes placement decisions and cloud service verification, and initiates automation execution
The network address is applied with the appropriate network access
Package configurations and policies are applied to the cloud service
The packaged image is distributed to the cloud and installed
Upon completion, the installation is checked and verified
The cloud service is activated
Product licenses are assigned
Cloud configuration is updated as part of a new image (ongoing activity)
Patches are applied to the cloud service as part of a new image (ongoing activity)
Post-Execution Tasks Automation
Service request is closed (part of the change management process)
Problems are managed through the service desk
Cloud infrastructure component health monitored
Cloud infrastructure services health monitored (service-grouped cloud components)
Cloud infrastructure application transaction performance monitored
End-user performance monitored and experience captured
Cloud service usage tracked and evaluated against costs for investment justification and showback purposes
Cloud services are retired in-line with SLAs, usage, and activity

Govern Roles
At the Govern level, cloud roles start to change. With effective and flexible cloud service offerings, application developers and
testers can leave the job of managing cloud resources and focus on using cloud resources. With better-managed, more cost-effective cloud options, line-of-business managers will find more reasons to use the services offered.

Figure 59: Cloud Govern Roles


Govern Technology

Figure 60: Cloud Govern Technology


| Technology | Automation Activity Description | BMC Technology Alignment |
| --- | --- | --- |
| Network Automation, Server Automation, Database Automation, Middleware Automation, Cloud Provisioning | Automates cloud infrastructure provisioning and change | BladeLogic Automation Suite |
| Orchestration | Workflow for delivering cloud services, typically provided with cloud automation tool(s) | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Cloud Service Portal | Cloud service menu (e.g., application store, custom request, guided options, and identity mgmt.) for mobile & desktop. | Provided with BladeLogic Automation Suite & CLM |
| Image Library | A library of pre-built cloud images | Provided with BladeLogic Automation Suite & CLM |
| Service Catalog | Provides a view of automation IT services available to the business | BMC Remedy IT Service Catalog |
| Capacity Management | Used/available cloud capacity that provides the optimization of dedicated/shared resources across different cloud environments | BMC TrueSight Capacity Optimization |
| Availability Monitoring | Performance and availability monitoring of the cloud IT infrastructure | BMC TrueSight Operations Management |
| Service Level Mgmt. | Associates priority and ensures service delivery meets agreed business expectations | BMC Remedy Incident Management |
| Component Container | Associates disparate IT components into logical groups to support cloud service delivery, which can be an attribute of configuration mgmt. | CLM |
| Change Management | Provides the ability to manage, approve, track, and report changes occurring in the cloud environment | BMC Change Management |
| Service Management | Manages the reporting, escalation, and outage of cloud service issues | BMC Remedy Incident Management |
| Applications Performance Management | The monitoring of performance and availability of application software from back-end cloud infrastructure transactions to end-user response times | BMC TrueSight Operations Management |
| Cloud Governance | Software responsible for workload placement and movement decisions, deployment execution decisions, and resource availability confirmation | CLM |
| Cost Recognition | A method used to allocate and show IT costs to internal businesses based on their use of IT cloud services at rates based on levels of consumption, commonly referred to as show-back | CLM and BMC TrueSight Capacity Optimization |
| End-User Monitoring | Monitors application performance from the end-user perspective, providing visibility into cloud-user activity irrespective of the application source | BMC TrueSight Operations Management |
| Configuration Mgmt. | Consolidated cross-component, cross-cloud configuration and relationship management | BMC Remedy Configuration Management Database (CMDB) |


Cloud Services Advanced Level: OPTIMIZE


At the Optimize level, cloud services are brokered offering the user a choice of cloud service provider. The cloud management
software guides the cloud user through available options and provides recommendations on cloud service configuration and
capacity.

Optimizing cloud usage requires a holistic and vendor-neutral view across an organization's IT environment. Optimization
should allow comparison of both internal and external cloud service alternatives.

Optimize Objectives

Analyze cloud services and dynamically adjust resources to optimize performance and usage (e.g., bursting to available or cost-effective cloud environments).
Reclaim inactive or underutilized virtual resources to reduce costs associated with software licensing and
management effort.
Optimize virtual resource costs by enforcing expiration dates for virtual machine reclamation (e.g., through SLAs
and workload types).
Implement process to automatically retire temporary, underutilized, or abandoned cloud resources.
Analytics provide workflow data patterns, enabling decision-making and optimizing process execution (e.g., higher
performing workflow paths that cross networks and servers).
Broker cloud services with user guidance.
Align costs by charging for cloud service usage to appropriate units managed to SLAs.

Lessons learned: Cloud service usage and activity that is not monitored has caused companies to experience increased costs, effort,
and risk. IT resources that are not used, misconfigured, or underutilized will continue to incur costs to the business (e.g., license and
management). An inability to aid cloud users on the resources required to fulfill their service requirement creates waste and
additional costs, as many will choose to over-provision if they are not guided.
Recommendations: IT organizations wishing to drive down cloud service costs and increase business satisfaction should monitor
how cloud services are being used and ensure optimal resources are chosen by guiding users on the appropriate resources required
to fulfill their cloud need while leveraging, where possible, existing IT resources.

Optimize Justification and Benefits

Reduce new cloud service costs by leveraging existing IT resources.
Reduce costs and effort of existing cloud services by optimizing cloud service resources.
Optimize virtual resources to drive down costs associated with licensing and management.
Increase efficiencies by guiding users on the right cloud service type and configuration.
Understand user experience, using the data to tune current cloud service usage.
Establish cloud costing and chargeback to the business for cloud services based on cloud service type, configuration, and
usage.

Cloud services are continually monitored to ensure resources are optimized to maximize performance and reduce unused capacity,
including cloud bursting to available or more cost-effective cloud resources when necessary. Resources that are not used or are
underutilized are reclaimed to reduce costs. Service costs based on usage by options chosen are attributed, tracked, and charged.
The ability to optimize the cloud requires the orchestration of tools that provide the information required to make these
decisions, such as understanding capacity, cloud infrastructure component utilization, performance bottlenecks, usage
patterns, services cost profiles, and user experience.
Guiding business units on the most appropriate cloud service options for their needs, moving workloads (on an interim or
temporary basis), removing redundancy (e.g., underutilized cloud infrastructure), analyzing usage patterns (e.g., high/low
performance/usage peaks), and continually evaluating cloud options allows cloud service costs and resources to be
optimized. To achieve this objective, the tools that enable cloud optimization need to be applied differently and, in some
cases, enhanced. See Appendix D for further detail on the evolution of supporting functions at the Optimize level.

Figure 61: Dynamic Workload Balancing

Value Factor / IT Objectives

Speed
Deliver services faster by providing guided cloud service options
Changes to optimize cloud resources made more frequently and with greater accuracy

Cost
Deliver services with greater accuracy through guided cloud service options
Reduce cloud costs by dynamically optimizing resources and removing infrastructure wastage
Implement cloud cost management to understand and plan cloud expenditures
Implement cloud cost management to charge for cloud services

Risk
Reduce configuration compliance risk through better cloud service delivery and optimizing existing resources
Cloud infrastructure change made with greater accuracy

Metrics
Compare time to assess, choose, and configure cloud service before vs. after automated, guided assessment and options
Compare time to monitor, analyze, and make changes before vs. after automation of the cloud optimization process
Compare ongoing operating expenses (opex) costs before vs. after optimized cloud infrastructure resources by cloud service
Compare cloud infrastructure license costs before vs. after optimization
3rd-party cloud service costs managed with greater accuracy and accountability to the business, measured over time
Cloud services charges managed more effectively, measured over time
Risk reduced by compliance factored in to the cloud service delivery options and managing compliance on optimized resources, over time. Compare the number of resources used before vs. after optimization
Reduction in cloud service issues due to errors made when making changes to the cloud infrastructure, measured over time

Business Value Realization
Guided IT services on demand
Less effort to get cloud services
Better quality cloud services
Managed and transparent cloud costs
Accurate budget planning, with cloud charges aligned with cloud service costs
Internal IT organization services become a profit center
Increased business effectiveness from using compliant cloud services
Increased cloud service reliability to the business


Optimize Process
At the Optimize level, automated execution activities expand to include greater visibility into how cloud resources are being used,
allowing the cloud governance to make recommendations on capacity, infrastructure allocation, and workload distribution. The
post-execution activities now include full cost management. When tied to a company's financial applications, this view will provide
cloud expense management and chargeback. Steps noted in italics below are incremental to the previous level.

Figure 62: Cloud Optimize Process Overview

Automation Pre-Execution
The cloud service image is created and packaged
The cloud service image is loaded into an image library
The catalog of services provides the applications and required resources
The service deployment is delivered via the service orchestration
Cloud services are offered through a portal/menu (cloud services can be requested through other methods, e.g., via
email)
Cloud service requests are configured and patched
The request is approved (if not already pre-approved)
Automation Execution
Cloud resources are checked (e.g., available capacity)
Service levels (e.g., entitlement, performance measurement, and service termination agreement) are associated with the
requester and the service requested
Configuration management stores cloud component configurations and component cloud service relationships, aiding
cloud governance decisions and the service management process
Cloud governance makes placement decisions and cloud service verification, and initiates automation execution
Cloud usage and capacity are analyzed, with the data provided to cloud governance to make change recommendations on
workload movement and capacity allocation
The network address is applied with the appropriate network access
Package configurations and policies are applied to the cloud service
The packaged image is distributed to the cloud and installed
Upon completion, the installation is checked and verified
The cloud service is activated
Product licenses are assigned
Cloud configuration is updated as part of a new image (ongoing activity)
Patches are applied to the cloud service as part of a new image (ongoing activity)


Post-Execution Tasks Automation
Service request is closed (part of the change management process)
Problems are managed through the service desk
Cloud infrastructure component health monitored
Cloud infrastructure services health monitored (service-grouped cloud components)
Cloud infrastructure application transaction performance monitored
End-user performance monitored and experience captured
Cloud service usage tracked and evaluated against costs for investment justification and showback purposes
Cloud service billing is implemented, tied with company financial applications for cloud expense management and
chargeback
Cloud services are retired in-line with SLAs, usage, and activity

Optimize Roles
At the Optimize level, more roles become stakeholders as the cloud environment increases in stability and service breadth. An
internal IT cloud organization focused on brokering cloud services, both internal and external, provides the business with greater
options at a known cost and value.

Figure 63: Cloud Optimize Roles

Optimize Technology

Figure 64: Cloud Optimize Technology

| Technology | Automation Activity Description | BMC Technology Alignment |
|---|---|---|
| Network Automation; Server Automation; Database Automation; Middleware Automation | Automates cloud infrastructure provisioning and change | BladeLogic Automation Suite |
| Cloud Provisioning Orchestration | Workflow for delivering cloud services, typically provided with cloud automation tool(s) | Provided with BladeLogic Automation Suite & Cloud Lifecycle Management (CLM) |
| Cloud Service Portal | Cloud service menu (e.g., application store, custom request, guided options, and identity mgmt.) for mobile & desktop | Provided with BladeLogic Automation Suite & CLM |
| Image Library | A library of pre-built cloud images | Provided with BladeLogic Automation Suite & CLM |
| Service Catalog | Provides a view of automation IT services available to the business | BMC Remedy IT Service Catalog |
| Capacity Management | Used/available cloud capacity that provides the optimization of dedicated/shared resources across different cloud environments | BMC TrueSight Capacity Optimization |
| Availability Monitoring | Performance and availability monitoring of the cloud IT infrastructure | BMC TrueSight Operations Management |
| Service Level Mgmt. | Associates priority and ensures service delivery meets agreed business expectations | BMC Remedy Incident Management |
| Component Container | Associates disparate IT components into logical groups to support cloud service delivery, which can be an attribute of configuration mgmt. | CLM |
| Change Management | Provides the ability to manage, approve, track, and report changes occurring in the cloud environment | BMC Change Management |
| Service Management | Manages the reporting, escalation, and outage of cloud service issues | BMC Remedy Incident Management |
| Applications Performance Management | The monitoring of performance and availability of application software from back-end cloud infrastructure transactions to end-user response times | BMC TrueSight Operations Management |
| Cloud Governance | Software responsible for workload placement and movement decisions, deployment execution decisions, and resource availability confirmation | CLM |
| Cost Recognition | A method used to allocate and show IT costs to internal businesses based on their use of IT cloud services at rates based on levels of consumption, commonly referred to as showback | CLM and BMC TrueSight Capacity Optimization |
| Configuration Mgmt. | Consolidated cross-component, cross-cloud configuration, and relationship management | BMC Remedy Configuration Management Database (CMDB) |
| Cost Management | Cloud cost usage metrics, predictions, and charging. Visibility into cloud service consumption and utilization. Typically integrated with the public cloud providers and internal financial systems for cost management and planning | CLM and BMC TrueSight Capacity Optimization |
| End-User Monitoring | Monitors application performance from the end-user perspective, providing visibility into cloud user activity irrespective of the application source | BMC TrueSight Operations Management |

Cloud Services Automation Business Value


The following diagram shows the automation value path for Cloud Services Automation. The lower levels of automation provide
basic capabilities and produce corresponding basic levels of value. As the organization progresses through the path, the complexity
of the solution and the value to the business both increase.

Figure 65: Cloud Service Automation Levels Mapped against the Automation Value Model

Each automation level along the path builds on the value from the previous one; however, as the automation increases in
sophistication, the requirement for IT organization readiness increases. Whereas provisioning may reside entirely in one IT
operations team, service provisioning may require the involvement of development, all flavors of IT administration (e.g., server,
network, database, storage, and application), service managers, change managers, application release managers, and
representatives from the lines of business. The diagram above matches the Cloud Services Automation levels against the five levels
from the Automation Value Model.

Appendix A: Automation Specialist Roles


IT professionals from different backgrounds can fulfill the role of an automation specialist; however, they will be required to
broaden their skills. Only the most competent automation specialists with the broadest understanding will deliver a
successful automation strategy that addresses process, people, and technology, from applications development to business
service management.

Automation Strategist
An automation strategist may be responsible for the development of IT automation strategy and/or automation processes
and solutions to implement strategy. Actual job titles may vary by organization and depth of responsibility, such as
automation strategy architect, automation architect, automation specialist, or automation evangelist.
The automation strategist is a relatively new position reporting to the director of operations or, in IT organizations where
automation is a competency, the automation director. Automation strategists in large organizations often act as the bridge
between enterprise (solutions) architects, application architects, and cloud architects.
The automation strategist is a highly seasoned IT professional who has successfully led projects in either software
development, IT operations, or IT service management, ideally in a variety of roles. The automation strategist is primarily
focused on strategic design considerations of the automation environment and is instrumental in the design of tactical
decisions such as the development of automation processes. As such, the automation strategist must be able to share and
communicate ideas clearly, both orally and in writing, to executive staff, business sponsors, and technical resources in
concise language that is the parlance of each group. Accordingly, the automation strategist role is not designed to deal with
day-to-day operational issues, but to help business units leverage automation for the greatest value.
The automation strategist has skills spanning process, people, and technology. These include:

Designing, planning, and documenting process workflows

Working with different teams to ensure the automation is embraced and supported across the organization

Identifying and selecting the right technology to enable automated processes with all the required integrations and
controls

IT organizations will need to prioritize the hiring of automation strategists based on primary automation objectives.
Companies that need to build automation around a specific IT domain area will recruit from personnel with domain-specific
technical background, whereas companies requiring the development of cross-domain automation processes will need to
look to personnel from service management.
Key Responsibilities:

Define and document the automation processes, best practices, standards, automation frameworks, and
implementation strategy.

Communicate the business case for automation initiatives to executive and business sponsors.

Analyze current state of IT processes and prioritize automation projects according to business value.

Evaluate, select, and formulate best usage of automation tools.

Maintain, improve, and implement an automation framework across the IT organization, including clear value
metrics.

Collaborate with project teams to strategize and align long-term solutions for automation including roadmap, tools,
framework, and approach.

Create white papers and technical documentation, and communicate automation processes to project teams and
testers.

Provide leadership, guidance, training, and mentoring to project teams and automation engineers for the
implementation of automation processes and best practices.

Desired Experience:

IT automation knowledge, including familiarity with a range of automation technology (e.g., workload brokers,
orchestration tools, and script toolkits) and how each is used to support an automated process

Experience working with product development teams to ensure future versions of specific products have the
functionality required to support strategic automation objectives

Research, test, and recommend new and/or complementary technologies offered by various vendors that can
contribute to automation initiatives

Establishment of best-practice frameworks to automate specific tasks, procedures, and activities that are optimally
suited to automation products

Experience and comfort with complex heterogeneous IT infrastructure, including existing IT platforms, as well as a
variety of operating systems, middleware, and applications

Familiarity with how IT automation is used to support development, IT operations, and IT service management

Strong understanding of compliance/regulatory issues and broad understanding of application security

IT Personnel Who Can Transition to an Automation Strategist


The role and strengths required by an automation strategist can differ by company. The key is to identify an automation
strategist who is process aware first.

Organizations planning to redesign IT service processes to better serve the business should consider experienced
personnel in the IT service management organization.

Organizations planning to automate IT infrastructure activities should consider experienced, proven personnel in the
IT operations team with expertise and knowledge of scripting, management tools, integration methods, and
practices.

Organizations planning to automate processes for application development, testing, and deployment should
consider experienced personnel in software engineering.

Basic Qualifications and Requirements

Bachelor of science degree in computer science or equivalent


Expert in adopting and using leading automation methods and tools
7 or more years in information technology, focusing on automated applications test and deployment, IT
operations (workflow design/management), or IT service management (process design/management)
5 or more years of experience in designing and developing automation frameworks and strategies
Expert knowledge in one or more scripting languages and/or programming languages is a plus
Responds appropriately and competently to the demands of work challenges when confronted with changes,
ambiguity, adversity, and other pressures
Excellent analytical and problem-solving skills
Effective written and verbal communication skills
Good team and interpersonal skills

Then build out your automation competency team with subject-matter expert (SME) specialists who have the experience to
add value for critical solution areas.

Automation Engineer
The purpose of this position is to implement, operate, and improve the automation infrastructure and processes. Actual job
titles may vary by organization and depth of responsibility, such as automation architect, automation specialist, automation
administrator, or automation lead.
This position is responsible for the day-to-day operations involving the automated deployment of software and
configuration packages. This position will identify repetitive tasks and activities that may be performed more efficiently
through automation. He/she will also identify critical workflows, such as system failover and fallback during disaster
recovery operations, which could be performed in a more reliable/predictable fashion through automation.
The automation engineer plays a pivotal role in achieving quantifiable operational benefits through the implementation of
automation best practices. The position automates repetitive/critical workflows within IT operations and collaborates with
operations managers and staff in replacing those processes with automated practices. The ongoing objectives of the
automation engineer position are to facilitate the migration of operational work to progressively lower tiers of the support
organization enabled by automation, the wholesale elimination of existing work practices, and the reduction of operational
risks that could potentially impact business operations.
Key Responsibilities:

Identify existing operational tasks, procedures, and activities that could benefit from automation.
Collaborate with key members of IT, specifically those individuals responsible for incident, problem, and change
management, to identify chronic operational issues that require extensive staff time to remediate. The problem
and change managers will assist in identifying historical situations where human error triggered or prolonged
operational outages.
Assist in the creation of business cases for automating specific processes that clearly delineate prospective
benefits in terms of labor savings, incident reduction, risk reduction, etc.
Install and configure specific automation solutions.
Drive adoption of automation solutions throughout IT and mentor staff members in using specific automation
tools.
Monitor the efficiency and effectiveness of automation practices post implementation, and validate achievement
of business case benefits.
Desired General Experience:

IT automation knowledge and skills, both broad and deep, including familiarity with a range of automation
technology (e.g., workload brokers, orchestration tools, and script toolkits) and how each is used to support an
automated process
Experience and comfort with complex heterogeneous IT infrastructure, including existing IT platforms, as well as a
variety of operating systems, middleware, and applications
Familiarity with how IT automation is used to support development, IT operations, and IT service management
Desired SME Experience:
Depth with specific IT components and related tools is required to ease implementation. The following describes several
specific SME roles to fill out the automation competency team.
Provisioning & Configuration
General systems knowledge and experience, including:
UNIX and Windows knowledge: Application server administration
Network knowledge: The ability to log into network devices to troubleshoot connection and command actions
Must understand the different kinds of devices within their own environments
Specific systems knowledge and experience, including:

Platform-specific network installs: Oracle Solaris Jumpstart, AIX network installation manager (NIM), HP-UX
Ignite/UX
Multi-tier application design and support: For server automation for initial deployment and then ongoing support

Patching & Compliance


General systems knowledge and experience, including:

Networking knowledge: To support remote agent connection problems and more importantly network boot
protocols (PXE)
Patching specialist: Patches from vendors for server operating systems and applications
Specific systems knowledge and experience, including:
Windows specialist: To create patching update packages, jobs, and other content in server automation
UNIX specialist: To create patch update packages, jobs, and other content in server automation
Orchestration
Patching and compliance as well as provisioning and configuration solution areas require specific orchestration knowledge
and experience, including:

Ability to understand and work with various APIs

Scripting languages: ability to leverage existing scripts and also to create new ones

Integration specialist: understanding of how various products/applications interact

General programming skills: PHP, Java, Python, Ruby, etc.

Work with adapters: SMTP, SQL, SSH, SNMP, HTTP, etc.

Windows specialist: To create packages, jobs, and other content in server automation

UNIX specialist: To create packages, jobs, and other content in server automation

Networking knowledge: To support remote agent connection


Cloud Services

Ability to understand and work with various APIs


Scripting languages and the ability to leverage existing scripts
Microsoft AD, LDAP, DNS, and TCP/IP
Integration specialist: understand how various products/applications interact
General programming skills: PHP, Java, Python, Ruby, etc.
Work with adapters: SMTP, SQL, SSH, SNMP, HTTP, etc.
Windows specialist: To create packages, jobs, and other content in server automation
UNIX specialist: To create packages, jobs, and other content in server automation
Networking engineering experience: To build virtual data centers and configure the various network devices (e.g.,
switches, load balancers, and firewalls) to work with newly provisioned virtual machines (VMs)
VMware specialist: To define, provision, manage, and delete VMs, and troubleshoot the same
Specialist in Amazon Web Services (AWS), Microsoft Azure, or whatever other cloud computing platforms may
be in use: To define, provision, manage, and delete VMs, and troubleshoot the same
General knowledge of storage used in conjunction with applicable cloud computing platforms: To manage the
cloud storage resources
Solid understanding of XML: To build and modify network pod and container blueprints of virtual data centers
Experience configuring database platforms, such as SQL and Oracle, and middleware platforms such as WISA,
J2EE, WAS, and WBL

Basic Qualifications and Requirements

Expert in adopting and using leading automation methods and tools


5 or more years in information technology, focusing on automated deployment, IT operations (workflow
design/management), or IT service management (process design/management)
General knowledge in one or more scripting languages and/or programming languages is a plus
Responds appropriately and competently to the demands of work challenges when confronted with changes,
ambiguity, adversity, and other pressures
Excellent analytical and problem-solving skills
Effective written and verbal communication skills
Good team and interpersonal skills

Recommended Professional Education:


Course topics that may help to train IT personnel transitioning to automation engineers include:
Basic Orchestration: Introduces students to the potential power of automating business processes with orchestration. The
primary focus of the course is to provide students with a basic foundation of the architecture, concepts, and terminology of
orchestration.
Advanced Orchestration: Advanced topics and features of orchestration software should introduce students to core web
services standards such as SOAP, WSDL, and HTTP communication. Students should be taught auditing and metrics
collection facilities and how to instrument individual workflows with metrics activities. The course should teach integration
with server automation to conduct data center-wide audit, compliance, and software deployments across multiple
operating systems and servers.
Basic Network Automation:
Recommended prerequisites: Students should have network engineering and/or operations experience, including:

Managing and configuring IP-based networks


Configuring network devices, from one or more vendors, deployed in the production network
Operating network applications installed on Linux, Solaris, or Microsoft Windows platforms
Administering third-party network management systems
Maintaining integrations with other network enablement tools

A basic network automation course presents information on how to use network automation to administer networks on a
day-to-day basis. This course provides extensive hands-on exercises with the software user interface and covers all major
aspects of using the software. It familiarizes the student with different troubleshooting techniques and effective
administration techniques. Students should receive in-depth presentations and demonstrations by expert instructors.
Hands-on lab exercises in a virtual environment provide the opportunity for practical application of the presented concepts,
methods, and procedures.
Basic Server Automation: This course should introduce students to the core components that comprise the server
automation environment and the user interface used to provide end-user functionality. Through examples, students learn
about key benefits and features of the software. Students will also learn about the architecture of the server automation
solution, and concepts and terminology related to product functionality.
Advanced Server Automation: This course is designed for administrators responsible for administering and maintaining the
server automation environment. Students should learn how to plan and scale the server automation environment using
best practice techniques; plan and apply best practice techniques to security and access management; perform application
release management; configure a PXE-based provisioning solution, NSH scripts, and the command line interface (CLI).

Appendix B: Provisioning & Configuration Value Metrics Formulas


This appendix includes detailed formulas and examples for calculating the speed, cost, and risk value metrics at each level
for the Provisioning & Configuration roadmap. The suggested formulas and key performance indicators (KPIs) are intended
to be a guide to develop typical quantitative metrics and may not be comprehensive for every complex IT environment. In
addition, these can form the basis for business value realization calculations that may combine a number of elements
beyond IT.
Since a complex IT environment includes multiple platforms (e.g., Windows, Linux, Android, etc.), component types (e.g.,
networks, servers, etc.), and different IT roles (e.g., server admin, capacity manager, etc.), formulas must account for these
in order to tabulate the total value across the environment. In most cases, formulas can be applied to before and after
states, allowing one to measure the incremental value as the organization progresses from one level to the next. However,
the nature of risk mitigation is such that we recommend monitoring at more frequent intervals to identify trends, as data
from arbitrary points in time may be inaccurate or misleading. Note that some baseline data must be collected to perform
these calculations (much of which may not be currently measured), and there must be a management discipline to gather
this data in order to demonstrate value.

Provision
The table below summarizes the key calculations required to quantify the metrics for the Provision level.

| Value Factor | Measurement Objectives | Metrics Factors | Data/Formulas |
|---|---|---|---|
| Speed | Calculate total time to provision environment | IT component build process steps; IT component build process step time; Number of annual IT component builds | Component Provision Process Time: See example below for Red Hat build*; Annual Component Provision Time: Provision time per component x # of annual builds; Total Annual Provision Time: (Annual component provision time)₁ + (Annual component provision time)₂ + (...)₃ |
| Cost | Calculate the cost to provision environment | Annual provisioning time; Labor rate; Percentage of labor time provisioning; Work hours/year | Annual Component Provision Cost (simple): Annual Component Provision Time x Labor rate; Annual Component Provision Cost: Work hours/year x % of time provisioning x Labor rate; Total Annual Provision Cost: (Annual Component Provision Cost)₁ + (Annual Component Provision Cost)₂ + (...)₃ |
| Risk | Determine provisioning quality/consistency risks | Number of provisioning errors found during validation check; Total number of provision configuration changes; Number of provisioning-related incidents; Total number of production incidents | Provisioning Error Rate: (# of errors / total # of changes) x 100; Provisioning Incident Rate: (# of provisioning-related incidents / total # of production incidents) x 100 |

Figure 66: Provision Summary Metrics Formulas

| *Red Hat Build Process Step | Time |
|---|---|
| OS Build Using Kickstart | 45 minutes |
| Update Packages | 30 minutes |
| Patch to Current | 30 minutes |
| Apply Custom Configurations | 25 minutes |
| Total Provisioning Time | 4 hours |

Figure 67: Component Provision Process Time Example

Provision Speed KPIs

Provision time per platform

Number of provisioning requests

Successful provisioning request turnaround time

Provision Speed Sample Calculations


Provision Speed (Before)
Component Provision Process Time: 7 hours
Annual Component Provision Time: 7 hours x 35 annual builds = 245 hours
Total Annual Provision Time: (245)₁ + (450)₂ + (135)₃ = 830 hours

Provision Speed (After)
Component Provision Process Time: 1.5 hours
Annual Component Provision Time: 1.5 hours x 35 annual builds = 52.5 hours
Total Annual Provision Time: (52.5 hrs)₁ + (90 hrs)₂ + (27 hrs)₃ = 169.5 hours

Provision Speed Savings
Before - After Component Time: 7 - 1.5 = 5.5 hours
Before - After Annual Component Time: 245 - 52.5 = 192.5 hours
Before - After Total Annual Time: 830 - 169.5 = 660.5 hours

Figure 68: Provision Speed Metrics Example
Not calculated. Placeholder number for illustration.

Provision Cost KPIs

Labor cost to provision components

Number of provisioning roles

Provision Cost Sample Calculations


Provision Cost (Before)
Annual Component Provision Cost (simple): 460 hours x $70/hr = $32,200
OR
Annual Component Provision Cost: 2000 hrs x 0.25 x $70/hr = $35,000
Total Annual Provision Cost: ($32,200)₁ + ($45,000)₂ + ($52,000)₃ = $129,200

Provision Cost (After)
Annual Component Provision Cost (simple): 52 hours x $70/hr = $3,640
OR
Annual Component Provision Cost: 2000 hrs x 0.03 x $70/hr = $4,200
Total Annual Provision Cost: ($3,640)₁ + ($7,900)₂ + ($4,500)₃ = $16,040

Provision Cost Savings
Before - After Annual Component Cost (simple): $32,200 - $3,640 = $28,560
Before - After Annual Component Cost: $35,000 - $4,200 = $30,800
Before - After Total Annual Cost: $129,200 - $16,040 = $113,160

Figure 69: Provision Cost Metrics Example
Not calculated. Placeholder number for illustration.

Provision Risk KPIs

SLAs breached from provisioning delays

Number of provisioning rework requests

Number of incidents resulting from incorrectly configured new environments

Tribal knowledge vs. documented provisioning procedures

Cost/benefit of provisioning technology in use

Provision Risk Sample Calculations


Provision Risk
Provisioning Error Rate: (8 errors/250 changes) x 100 = 3.2%
Provisioning Incident Rate: (3 provisioning incidents/83 total incidents) x 100 = 3.6%
Figure 70: Provision Risk Metrics Example
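
The introduction to this appendix recommends tracking risk metrics at frequent intervals, because a single point in time can mislead. The Python sketch below is an added example, not part of the original document: it applies the two Provision risk formulas from Figure 66 month by month and flags the months that stand out against the annual rate. The record layout, function names, flagging factor, and monthly figures are constructed; only the annual totals (8 errors in 250 changes, 3 provisioning incidents in 83 incidents) are taken from Figure 70.

```python
from collections import namedtuple

# Constructed record layout: one row of baseline data per month.
MonthRecord = namedtuple(
    "MonthRecord",
    "month errors changes prov_incidents total_incidents",
)


def pct(part, whole):
    """(part / whole) x 100, or None when there was nothing to measure."""
    if whole == 0:
        return None
    return part / whole * 100


def error_rate(records):
    """Provisioning Error Rate: (# of errors / total # of changes) x 100."""
    return pct(sum(r.errors for r in records),
               sum(r.changes for r in records))


def incident_rate(records):
    """Provisioning Incident Rate:
    (# of provisioning-related incidents / total # of production incidents) x 100."""
    return pct(sum(r.prov_incidents for r in records),
               sum(r.total_incidents for r in records))


def monthly_error_rates(records):
    """Error rate per month, keyed by month name."""
    return {r.month: error_rate([r]) for r in records}


def months_to_investigate(records, factor=2.0):
    """Months whose error rate is at least `factor` times the rate for the
    whole period. The factor is an assumption; tune it to your environment."""
    baseline = error_rate(records)
    if not baseline:          # no changes recorded, or no errors at all
        return []
    flagged = []
    for r in records:
        monthly = error_rate([r])
        if monthly is not None and monthly >= factor * baseline:
            flagged.append(r.month)
    return flagged


# Constructed monthly split. Columns: month, errors, changes,
# provisioning incidents, total production incidents.
_ROWS = [
    ("Jan", 0, 20, 0, 7), ("Feb", 0, 22, 0, 6), ("Mar", 1, 18, 0, 8),
    ("Apr", 0, 25, 0, 7), ("May", 0, 21, 0, 6), ("Jun", 0, 19, 0, 7),
    ("Jul", 5, 23, 2, 9), ("Aug", 1, 20, 1, 7), ("Sep", 0, 22, 0, 6),
    ("Oct", 0, 18, 0, 7), ("Nov", 1, 21, 0, 6), ("Dec", 0, 21, 0, 7),
]
SAMPLE_YEAR = [MonthRecord(*row) for row in _ROWS]


if __name__ == "__main__":
    print("Annual error rate:    %.1f%%" % error_rate(SAMPLE_YEAR))
    print("Annual incident rate: %.1f%%" % incident_rate(SAMPLE_YEAR))
    for month, value in monthly_error_rates(SAMPLE_YEAR).items():
        shown = "n/a" if value is None else "%.1f%%" % value
        print("  %s error rate: %s" % (month, shown))
    print("Investigate:", months_to_investigate(SAMPLE_YEAR))
```

The annual figures hide the fact that more than half of the year's errors fall in one month, which is the kind of trend a point-in-time sample in a quiet month would miss entirely.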

Configure
The table below summarizes the key calculations required to quantify the metrics for the Configure level. The examples
below introduce the concept of component groups: logical groupings of IT infrastructure that share a similar operating
system, service/function, configuration, location, support team, etc. There are many ways within IT to logically group
infrastructure. We have left this exercise to the reader, as you will know how to best apply the following calculations, based
on your unique logical groupings. What you must understand is all of the groups, and the components within each group,
that fall under IT operations management.

| Value Factor | Measurement Objectives | Metrics Factors | Data/Formulas |
|---|---|---|---|
| Speed | Calculate total time to audit & configure environment | Number of IT components; Number of audit cycles/year; Time to audit configuration state per component; Number of package deployments/year; Time to install & verify package | Annual Component Group Audit Time: Components x audit time x cycles; Total Annual Audit Time: (Annual Component Group Audit Time)₁ + (Annual Component Group Audit Time)₂ + (...)₃; Total Annual Package Deploy Time: Package deployments x install and verify time |
| Cost | Calculate the cost to audit & configure environment | Annual Component Audit Time; Annual Component Groups Audit Time; Annual Package Deploy Time; Labor rate | Annual Component Group Audit Cost: Annual Component Group Audit Time x Labor rate; Total Annual Audit Cost: Total Annual Audit Time x Labor rate; Annual Deployment Cost: Annual Package Deploy Time x Labor rate |
| Risk | Determine change risks | Number of incidents resulting from change; Total number of production incidents; Total number of changes; Number of changes rolled back due to failure | Change Incident Rate: (# of change-related incidents / total # of production incidents) x 100; Failure Rate: (# of rollbacks / total # of changes) x 100 |

Figure 71: Configure Summary Metrics Formulas

Configure Speed KPIs

Configuration state assessment time

Number of configuration changes possible within maintenance window

Percentage of successful configuration changes per maintenance window

Configure Speed Sample Calculations


Configure Speed (Before)
Annual Component Group Audit Time: 150 components x 60 minutes x 4 cycles = 600 hours
Total Annual Audit Time: (600 hours)₁ + (1200 hours)₂ + (800 hours)₃ = 2,600 hours
Annual Package Deploy Time: 35 deployments x 1 hour/ea = 35 hours

Configure Speed (After)
Annual Component Group Audit Time: 150 components x <1 minute x 4 cycles = 10 hours
Total Annual Audit Time: (10 hours)₁ + (20 hours)₂ + (13 hours)₃ = 43 hours
Annual Package Deploy Time: 35 deployments x <1 min = 0.5 hours

Configure Speed Savings
Before - After Annual Component Group Audit Time: 600 - 10 = 590 hours
Before - After Total Annual Audit Time: 2,600 - 43 = 2,557 hours
Before - After Annual Package Deploy Time: 35 - 0.5 = 34.5 hours

Figure 72: Configure Speed Metrics Example
Not calculated. Placeholder number for illustration.

Configure Cost KPIs

Number of configure roles

Number of people performing change

Number of people required during change

Configure Cost Sample Calculations


Configure Cost (Before)
Annual Component Group Audit Cost: 600 hours x $40/hr = $24,000
Total Annual Audit Cost: 2,600 hours x $40/hr = $104,000
Annual Deployment Cost: 35 hours x $70/hr = $2,450
Configure Cost (After)
Annual Component Group Audit Cost: 2.5 hours x $40/hr = $100
Total Annual Audit Cost: 11 hours x $40/hr = $440
Annual Deployment Cost: 0.5 x $70 = $35
Configure Cost Savings

Before - After Annual Component Group Audit Cost: $24,000 - $100 = $23,900
Before - After Total Annual Audit Cost: $104,000 - $440 = $103,560
Before - After Annual Deployment Cost: $2,450 - $35 = $2,415
Figure 73: Configure Cost Metrics Example

Configure Risk KPIs

Time between application service mapping refresh

Percentage or number of unauthorized configuration changes

Number of failed configuration changes

Number of incidents resulting from unintended change

Formal change approval process

Auditability of changes

Lost revenue due to change/capacity-related outages

Configure Risk Sample Calculations


Configure Risk

Change Incident Rate: (24 change-related incidents/ 83 total incidents) x 100 = 29%
Failure Rate: (11 changes rolled back / 230 total changes) x 100 = 4.7%
Figure 74: Configure Risk Metrics Example

Coordinate
The table below summarizes the key calculations required to quantify the metrics for the Coordinate level.

| Value Factor | Measurement Objectives | Metrics Factors | Data/Formulas |
|---|---|---|---|
| Speed | Calculate time to increase integration across request process | Number of IT components; Time to audit component configuration; Number of component audit cycles/year; Number of manual pre-execution steps; Time per pre-execution step; Time to perform ad hoc capacity analysis; Number of ad hoc capacity analyses required per year | Annual Configuration Discovery Time: Components x Audit time x Audit cycles; Total Pre-Execution Time: Step time₁ + Step time₂ + Step time₃ + ...; Annual Ad Hoc Capacity Evaluation Time: Analysis time x analysis frequency |
| Cost | Calculate the cost of request fulfillment | Annual Configuration Discovery Time; Total Pre-Execution Time; Annual Ad Hoc Capacity Evaluation Time; Labor rate | Annual Configuration Discovery Cost: Annual Configuration Discovery Time x Labor rate; Pre-Execution Cost: Total Pre-Execution Time x Labor rate; Annual Capacity Evaluation Cost: Annual Ad Hoc Capacity Evaluation Time x Labor rate |
| Risk | Reduce error rate in request fulfillment | Number of failed requests; Total number of requests | Request Failure Rate: (# of failed requests / total # of requests) x 100 |

Figure 75: Coordinate Summary Metrics Formulas

Coordinate Speed KPIs

End-to-end request fulfillment time

Change impact analysis time

Number of manual hand-offs to complete request


Coordinate Speed Sample Calculations


Coordinate Speed (Before)
Annual Configuration Discovery Time: 60 minutes x 20 components x 4 cycles = 80 hours
Total Pre-Execution Time: 45 minutes + 2 hours + 6 hours = 8.75 hours
Annual Ad Hoc Capacity Evaluation Time: 3.5 hours x 12 = 42 hours
Coordinate Speed (After)
Annual Configuration Discovery Time: <1 minute x 20 components x 4 cycles = 40 minutes
Total Pre-Execution Time: <1 min + 30 minutes + 1 hour = 1.5 hours
Annual Ad Hoc Capacity Evaluation Time: <1 min x 12 = 6 minutes
Coordinate Speed Savings

Before - After Annual Configuration Discovery Time: 80 hours - 40 minutes = 79+ hours
Before - After Total Pre-Execution Time: 8.75 - 1.5 = 7+ hours
Before - After Annual Ad Hoc Capacity Evaluation Time: 42 hours - 6 minutes = 41+ hours
Figure 76: Coordinate Speed Metrics Example

Not calculated. Placeholder number for illustration.

Coordinate Cost KPIs

Yearly software license, maintenance spend

Yearly compute/network/storage spend

Frequency of capacity-related purchases (interval vs. just-in-time)

Percentage of utilized compute/network/storage capacity

Spend on overlapping capability technology not strategic to automation strategy

Coordinate Cost Sample Calculations


Coordinate Cost (Before)
Annual Configuration Discovery Cost: 80 hours x $50/hr = $4,000
Pre-Execution Cost: 8.75 hours x $70/hr = $613
Annual Capacity Evaluation Cost: 42 hours x $70/hr = $2,940
Coordinate Cost (After)
Annual Configuration Discovery Cost: <1 min x $50/hr = $50
Pre-Execution Cost: 1.5 hours x $50 = $75
Annual Capacity Evaluation Cost: 6 min x $50 = $5
Provision Cost Savings

Before - After Annual Configuration Discovery Cost: $4,000 - $50 = $3,950
Before - After Pre-Execution Cost: $613 - $75 = $538
Before - After Annual Capacity Evaluation Cost: $2,940 - $5 = $2,935
Figure 77: Coordinate Cost Metrics Example

Coordinate Risk KPIs

Number of manual service delivery steps

Estimated revenue loss caused from service request delays

Spend on unapproved external IT services (Shadow IT)


Coordinate Risk Sample Calculations


Coordinate Risk
Request Failure Rate: (20 failed requests/ 315 total requests) x 100 = 6%
Figure 78: Coordinate Risk Metrics Example

On Demand
The table below summarizes the key calculations required to quantify the metrics for the On-Demand level. Note that at
this level, the company must evaluate more than just the direct labor costs associated with offering the service. Other
direct/indirect costs must be included to accurately reflect the full cost of providing the service. Direct service costs include
support, problem, change, and release activities. Indirect costs include other supporting functions for the service such as
shared infrastructure and LAN; job scheduling; monitoring; and discovery and configuration management activities. It may
be easier to evaluate these costs on a monthly basis or other budget interval.

Value Factor: Speed
Measurement Objectives: Calculate total time for request fulfillment
Metrics Factors:
Approval time for IT components provisioning
Request review & capacity confirmation time
Time to package configurations per request
Number of decommission requests per year
Time to decommission IT components
Number of IT component refresh requests
Time to refresh IT component
Data/Formulas:
Pre-Execution Task Time: Approval time + Request review time + Configuration packaging time
IT Component Reclamation Time: Time to decommission x # of decommission requests
IT Refresh Time: Time to refresh IT component x # of component refresh requests

Value Factor: Cost
Measurement Objectives: Calculate the cost to provide on-demand services
Metrics Factors:
Monthly support cost per service
Monthly problem cost per service
Monthly changes cost per service
Monthly releases cost per service
Service infrastructure/LAN/job/monitoring cost per service
Monthly discovery & configuration cost per service
Data/Formulas:
Monthly Service Effort Cost: Support cost + Problem cost + Changes cost + Releases cost
Monthly Supporting Services Cost: (Infrastructure cost + LAN cost + Job Scheduling cost + Monitoring cost) / 12 months
Monthly Total Service Cost: Monthly Service Effort Cost + Monthly Supporting Services Cost + Monthly discovery & configuration cost

Value Factor: Risk
Measurement Objectives: Determine efficacy of on-demand capabilities
Metrics Factors:
Number of requests delivered within SLA
Total number of requests made with defined SLAs
Data/Formulas:
% Service Delivery Within SLA: (Requests within SLA / total SLA requests) x 100

Figure 79: On-Demand Summary Metrics Formulas


On-Demand Speed KPIs

End-to-end request fulfillment time

Number of requests met within SLA, OLA

Number of new automation processes defined

On-Demand Speed Sample Calculations


On-Demand Speed (Before)
Pre-Execution Task Time: 12 hours + 6 hours + 36 hours = 54 hours
IT Component Reclamation Time: 1.5 hours x 60 requests = 90 hours
IT Refresh Time: 2.5 hours x 200 requests = 500 hours
On-Demand Speed (After)
Pre-Execution Task Time: <1 minute + <1 minute + 0.15 hours = 12 minutes
IT Component Reclamation Time: 2 minutes x 60 requests = 2 hours
IT Refresh Time: 0.45 hours x 200 requests = 90 hours
On-Demand Speed Savings

Before - After Pre-Execution Task Time: 54 hours - 12 minutes = 53+ hours
Before - After IT Component Reclamation Time: 90 - 2 = 88 hours
Before - After IT Refresh Time: 500 - 90 = 410 hours
Figure 80: On-Demand Speed Metrics Example

Not calculated. Placeholder number for illustration.

On-Demand Cost KPIs

Percentage of services delivered on demand

IT spend as percentage of revenue, and operating expenses

Staffing distribution percentage: in house, contractor, offshore

Lights-on expense percentage

Number of new automation roles created


On-Demand Cost Sample Calculations


On-Demand Cost (Before)
Monthly Service Effort Cost: $8,710 + $360 + $2,900 + $4,140 = $16,110
Monthly Supporting Services Cost: ($116,400 + $2,760 + $4,680 + $6,480) / 12 = $10,860
Monthly Total Service Cost: $16,110 + $10,860 + $5,340 = $32,310
On-Demand Cost (After)
Monthly Service Effort Cost: $6,097 + $252 + $2,030 + $1,656 = $10,035
Monthly Supporting Services Cost: ($81,480 + $2,208 + $1,170 + $4,536) / 12 = $7,450
Monthly Total Service Cost: $10,035 + $7,450 + $2,136 = $19,621
On-Demand Cost Savings

Before - After Monthly Service Effort: $16,110 - $10,035 = $6,075
Before - After Monthly Supporting Services: $10,860 - $7,450 = $3,410
Before - After Monthly Total Service: $32,310 - $19,621 = $12,689
Figure 81: On-Demand Cost Metrics Example

Not calculated. Placeholder number for illustration.

On-Demand Risk KPIs

Time spent reviewing existing processes for continual improvement, changing business needs

Flexibility/sustainability of external service provider(s)

Service level actuals vs. targets per service

Business, customer satisfaction scores

On-Demand Risk Sample Calculation


On-Demand Risk
% Service Delivery within SLA: (240 Requests within SLA / 265 total SLA requests) x 100 = 90.5%
Figure 82: On-Demand Risk Metrics Example


Appendix C: Patching & Compliance Value Metrics Formulas


This appendix includes detailed formulas and examples for calculating the speed, cost, and risk value metrics at each level
for the Patching & Compliance roadmap. The suggested formulas and key performance indicators (KPIs) are intended to be
a guide to develop typical quantitative metrics and may not be comprehensive for every complex IT environment. In
addition, these can form the basis for business value realization calculations that may combine a number of elements
beyond IT.
Since a complex IT environment includes multiple platforms (e.g., Windows, Linux, Android, etc.) and component types
(e.g., networks, servers, etc.), and different IT roles (e.g., server admin, capacity manager, etc.), formulas must account for
these in order to tabulate the total value across the environment. In most cases, formulas can be applied to before and
after states, allowing one to measure the incremental value as the organization progresses from one level to the next.
However, the nature of risk mitigation is such that we recommend monitoring at more frequent intervals to identify trends,
as data from arbitrary points in time may be inaccurate or misleading. Note that some baseline data must be collected to
perform these calculations, much of which may not be currently measured, and there must be a management discipline
to gather this data in order to demonstrate value.

Patch
The table below summarizes the key calculations required to quantify the metrics for the Patch level.

Value Factor: Speed
Measurement Objectives: Calculate total time to patch environment
Metrics Factors:
Average patch management time per component
Number of IT components
Number of annual patch cycles
Data/Formulas:
Component Patch Time: See example below for Windows server*
Component Group Patch Time: Component Patch Time x # of components
Total Annual Patch Time: (Component Group Patch Time x patch cycles)_1 + (Component Group Patch Time x patch cycles)_2 + (...)_3

Value Factor: Cost
Measurement Objectives: Calculate the cost to patch environment
Metrics Factors:
Component Group Patch Time
Work hours/year
Percentage of labor time patching
Number of annual patch cycles
Labor rate
Data/Formulas:
Annual Component Group Patch Cost (simple): Component Group Patch Time x Labor rate x patch cycles
Annual Component Group Patch Cost: Work hours/year x % of time patching x Labor rate
Total Annual Patch Cost: (Annual Component Group Patch Cost)_1 + (Annual Component Group Patch Cost)_2 + (...)_3

Value Factor: Risk
Measurement Objectives: Determine patching compliance
Metrics Factors:
# of elements currently meeting the policy (in compliance)
# of elements that require compliance
Data/Formulas:
Component Patch Risk Assessment: (# in compliance / Total # requiring compliance) x 100

Figure 83: Patching Summary Metrics Formulas


*Windows Server Patch Step: Time
Run Windows Update: 5 minutes
Select/Download Updates: 10 minutes
Install Patches: 10 minutes
(Reboot) Validate Success: 15 minutes
Total Patching Time: 40 minutes

Figure 84: Component Patch Time Example

Patch Speed KPIs

Number of servers behind on patches

Number of SLA violations

Frequency of maintenance window overrun

Patch Speed Sample Calculations


Patch Speed (Before)
Component Patch Time: 40 minutes
Component Group Patch Time: 40 minutes x 350 components = 233 hours
Total Annual Patch Time: (233 hours x 3 cycles) + (200 hours x 2 cycles) + (1000 hours x 1 cycle) = 2100 hours
Patch Speed (After)
Component Patch Time: <1 minute
Component Group Patch Time: <1 minute x 350 components = <5.8 hours
Total Annual Patch Time: (<5.8 hours x 3 cycles) + (<6.7 hours x 2 cycles) + (<7 hours x 1) = <17.5 + 13.4 + 7 = <37.9 hours
Patch Speed Savings

Before - After Component Patch Time: 40 - <1 = >39 minutes
Before - After Component Group Patch Time: 233 - <5.8 = >227 hours
Before - After Annual Total Patch Time: 2100 - <37.9 = >2062 hours
Figure 85: Patch Speed Calculation Example

Patch Cost KPIs

Cost of unplanned downtime due to patching incidents

Monthly/annual SLA violation charges

Annual labor cost to patch components, groups


Patch Cost Sample Calculations


Patch Cost (Before)
Annual Component Group Patch Cost (simple): 233 hours x $70/hr x 3 cycles = $48,930
OR
Annual Component Group Patch Cost: 2000 hours x 0.25 x $70/hr = $35,000
Total Annual Patch Cost: ($35,000)_1 + ($46,000)_2 + ($48,000)_3 = $129,000
Patch Cost (After)
Annual Component Group Patch Cost (simple): 2.5 hours x $70/hr x 3 cycles = $525
OR
Annual Component Group Patch Cost: 2000 hours x 0.05 x $70/hr = $7,000
Total Annual Patch Cost: ($7,000)_1 + ($9,600)_2 + ($9,800)_3 = $26,400
Patch Cost Savings

Before - After Annual Component Group Patch Cost (simple): $48,930 - $525 = $48,405
Before - After Annual Component Group Patch Cost: $35,000 - $7,000 = $28,000
Before - After Total Annual Patch Cost: $129,000 - $26,400 = $102,600
Figure 86: Patch Cost Metrics Example

Not calculated. Placeholder number for illustration.

Patch Risk KPIs

Patch compliance state

Failure rate for patch installation

Percentage of environment being patched

Compliance program effectiveness surveys

Number of outages due to missing patches

Patch Risk Sample Calculations


Patch Risk
Component Patch Risk Assessment: (1400 components in compliance / 2000 components requiring compliance) x 100 = 70% Patched

Figure 87: Patch Risk Metrics Example


Assess
The table below summarizes the key calculations required to quantify the metrics for the Assess level. Assessment can be
performed against a policy on a component, on a group of components, and across the entire enterprise. The examples
below demonstrate assessment performed against components and component groups. To understand the speed, cost, and
risk across the enterprise, perform the example calculations below for each applicable policy and to all applicable
component groups, and then add the times and/or costs for each group together to solve for the entire environment. Risk
should be evaluated not across the enterprise as a whole, but in chunks no larger than component policy groups. This is so
proper risk assessment and, later, remediation can be planned to address the highest/higher risk areas first.

Value Factor: Speed
Measurement Objectives: Calculate total time to audit environment
Metrics Factors:
Number of IT components
Number of policy configurations per component
Average audit time for each configuration
Number of audit cycles
Data/Formulas:
Component Policy Audit Time: # of policy configurations x audit time
Component Policy Group Audit Time: Component Policy Audit Time x # of components
Total Annual Policy Audit Time: (Component Policy Group Audit Time x cycles)_1 + (Component Policy Group Audit Time x cycles)_2 + (...)_3

Value Factor: Cost
Measurement Objectives: Calculate the cost to audit the IT environment
Metrics Factors:
Component Policy Audit Time
Component Policy Group Audit Time
Labor rate
Number of audit cycles
Data/Formulas:
Component Policy Audit Cost: Component Policy Audit Time x Labor rate
Component Policy Group Audit Cost: Component Policy Group Audit Time x Labor rate
Total Annual Policy Audit Cost: (Component Policy Group Audit Cost x cycles)_1 + (Component Policy Group Audit Cost x cycles)_2 + (...)_3

Value Factor: Risk
Measurement Objectives: Determine risk of undiscovered configuration issues
Metrics Factors:
Number of applied policy configurations on a component
Total number of recommended policy configurations per component
Components assessed
Total number of IT components
Data/Formulas:
Component Policy Compliance State: (Applied policy configurations / Total recommended configurations) x 100
IT Environment Audit State: (Components audited / Total IT components) x 100

Figure 88: Assess Summary Metrics Formulas

Assess Speed KPIs

Policy audit time

Number of assessment cycles possible annually

Time to consolidate configuration reports for audit


Assess Speed Sample Calculations


Assess Speed (Before)
Component Policy Audit Time: 150 configurations x 1.5 minutes = 3.75 hours
Component Policy Group Audit Time: 3.75 hrs x 25 components = 93.75 hours
Total Annual Policy Audit Time: (93.75 hrs x 2 cycles)_1 + (30 hrs x 2 cycles)_2 + (500 x 2 cycles)_3 = 187.5 + 60 + 1000 = 1247.5 hours
Assess Speed (After)
Component Policy Audit Time: 150 configurations x 3 seconds = 7.5 minutes
Component Policy Group Audit Time: 7.5 minutes x 25 components = 3.1 hours
Total Annual Policy Audit Time: (3 hrs x 2 cycles)_1 + (1 hr x 2 cycles)_2 + (25 hrs x 2 cycles)_3 = 6 + 2 + 50 = 58 hours
Assess Speed Savings

Before - After Component Policy Audit Time: 3.75 hours - 7.5 minutes = 3.6 hours
Before - After Component Policy Group Audit Time: 93.75 - 3.1 = 90.65 hours
Before - After Total Annual Policy Audit Time: 1247.5 - 58 = 1189.5 hours
Figure 89: Assess Speed Metrics Example

Assess Cost KPIs

IT staff productivity impact during assessments

Number of IT staff involved in assessment activities

Assess Cost Sample Calculations


Assess Cost (Before)
Component Policy Audit Cost: 94 hrs x $70/hr = $6,580
Component Policy Group Audit Cost: (94 hrs x $70/hr)_1 + (30 hrs x $70/hr)_2 + (500 hrs x $70/hr)_3 = $6,580 + $2,100 + $35,000 = $43,680
Total Annual Policy Audit Cost: ($6,580 x 2 cycles)_1 + ($2,100 x 2 cycles)_2 + ($35,000 x 2 cycles)_3 = $13,160 + $4,200 + $70,000 = $87,360
Assess Cost (After)
Component Policy Audit Cost: 0.5 hrs x $70/hr = $35
Component Policy Group Audit Cost: (0.5 hrs x $70/hr)_1 + (0.2 hrs x $70/hr)_2 + (1 hr x $70/hr)_3 = $35 + $14 + $70 = $119
Total Annual Policy Audit Cost: ($35 x 2 cycles)_1 + ($14 x 2 cycles)_2 + ($70 x 2 cycles)_3 = $238
Assess Cost Savings

Before - After Component Policy Audit Cost: $6,580 - $35 = $6,545
Before - After Component Policy Group Audit Cost: $43,680 - $119 = $43,561
Before - After Total Annual Policy Audit Cost: $87,360 - $238 = $87,122
Figure 90: Assess Cost Metrics Example

Assess Risk KPIs

Percentage of IT environment not assessed

Lack of well-documented configuration exception procedures

Audit failures due to delays producing configuration reports to auditor


Assess Risk Sample Calculations


Assess Risk
Component Policy Compliance State: (187 policy configurations / 212 policy configurations) x 100 = 88.2%
IT Environment Assessment State: (1200 components assessed / 3400 components) x 100 = 35%
Figure 91: Assess Risk Metrics Example

Comply
The following table summarizes the key calculations required to quantify the metrics for the Comply level. Compliance can
be performed against a policy on a component, on a group of components, and across the entire enterprise. The examples
below demonstrate compliance performed against individual components. To understand the speed, cost, and risk across
component groups or the enterprise, perform the example calculations below for each applicable policy and to all
applicable component groups, and then add the times and/or costs for each group together to solve for the entire
environment. Risk should be evaluated not across the enterprise as a whole, but in chunks no larger than component policy
groups. This is so that proper risk assessment and remediation, at this maturity, can be planned to address the highest/higher
risk areas first.

Value Factor: Speed
Measurement Objectives: Calculate time to identify out-of-compliance configurations and bring them back into compliance
Metrics Factors:
Component Policy Audit Time
Total number of IT components
Non-compliant configurations
Time to package & deploy a remediation
Time to validate configuration remediation
Data/Formulas:
Component Policy Remediation Time: Non-compliant configurations x Package & deploy time
Component Policy Verification Time: Non-compliant configurations x Validation time
Component Policy Compliance Time: Component Policy Audit Time + Component Policy Remediation Time + Component Policy Verification Time

Value Factor: Cost
Measurement Objectives: Calculate the cost of compliance violation discovery and remediation
Metrics Factors:
Component Policy Audit Cost
Component Policy Remediation time
Component Policy Verification Time
Labor rate
Data/Formulas:
Component Policy Remediation Cost: Component Policy Remediation Time x Labor rate
Component Policy Verification Cost: Component Policy Verification Time x Labor rate
Component Policy Compliance Cost: Component Policy Audit Cost + Component Policy Remediation Cost + Component Policy Verification Cost

Value Factor: Risk
Measurement Objectives: Calculate configuration compliance-related exposure risk
Metrics Factors:
Number of components currently meeting policy
Number of components that must meet policy
Number of failed remediations per cycle
Total remediations per cycle
Data/Formulas:
Configuration Policy State: (components meeting policy / components required to meet policy) x 100
Remediation Failure Rate: (# of failed remediations / total remediations) x 100

Figure 92: Comply Summary Metrics Formulas


Comply Speed KPIs

Number of audit cycles possible annually

Percentage of environment compliant

Number of security bulletins addressed

Comply Speed Sample Calculations


Comply Speed (Before)
Component Policy Remediation Time: 27 Non-compliant configurations x 15 minutes/each to remediate = 6.75 hours
Component Policy Verification Time: 27 Non-compliant configurations x 10 minutes/each to validate = 4.5 hours
Component Policy Compliance Time: 7.5 minutes + 6.75 hours + 4.5 hours = 11.4 hours
Comply Speed (After)
Component Policy Remediation Time: 27 Non-compliant configurations x 10 seconds = 4.5 minutes
Component Policy Verification Time: 27 Non-compliant components x 5 seconds = 2.3 minutes
Component Policy Compliance Time: 7.5 minutes + 4.5 minutes + 2.3 minutes = 14.3 minutes
Comply Speed Savings

Before - After Component Policy Remediation Time: 6.75 hours - 4.5 minutes = 6.7 hours
Before - After Component Policy Verification Time: 4.5 hours - 2.3 minutes = 4.5 hours
Before - After Component Policy Compliance Time: 11.4 hours - 14.3 minutes = 11.1 hours
Figure 93: Comply Speed Metrics Example

Comply Cost KPIs

Cost of unplanned downtime (lost revenue)

User productivity impact during downtime

Non-compliance violation charges

SLA/audit violation charges

Comply Cost Sample Calculations


Comply Cost (Before)
Component Policy Remediation Cost: 6.75 hours x $70/hr = $473
Component Policy Verification Cost: 4.5 hours x $70/hr = $315
Component Policy Compliance Cost: $35 + $473 + $315 = $823
Comply Cost (After)
Component Policy Remediation Cost: 4.5 minutes x $70/hr = $5
Component Policy Verification Cost: 2.3 minutes x $70/hr = $3
Component Policy Compliance Cost: $35 + $5 + $3 = $43
Comply Cost Savings

Before - After Component Policy Remediation Cost: $473 - $5 = $468
Before - After Component Policy Verification Cost: $315 - $3 = $312
Before - After Component Policy Compliance Cost: $823 - $43 = $780
Figure 94: Comply Cost Metrics Example


Comply Risk KPIs

Number of IT components out of compliance

Number of failed internal/external audits

Number of policy violations

Comply Risk Sample Calculations


Comply Risk
Configuration Policy State: (1700 components that meet policy / 2000 components required to meet policy) x 100 = 85%
Remediation Failure Rate: (14 failed remediations / 203 total remediations) x 100 = 6.9%
Figure 95: Comply Risk Metrics Example


Intelligent
The following table summarizes the key calculations required to quantify the metrics for the Intelligent level. Note that at this
level, compliance is an on-going process where new components are discovered, existing infrastructure is monitored for
violations, pre-approved remediation occurs, and all phases are governed by change management, automatically. To
determine the value of this process, it must be compared to a more typical compliance process that is kicked off with an audit
and includes many manual handoffs between automation steps, including approvals. With intelligent compliance, tickets are
automatically created and manual intervention is limited to managing exceptions, reviewing reports, and refining the
process.
Similar to the example calculations in earlier levels, the examples below show how to solve for value not at the enterprise
level, but at a smaller subset. Knowing the totals for each of these subsets (i.e., by process, by logical component grouping, or
by policy) relevant to business need, an enterprise-wide view can be determined.

Value Factor: Speed
Measurement Objectives: Calculate the end-to-end process time to identify and correct out-of-compliance configurations, incorporating change governance as part of the process
Metrics Factors:
Number of handoffs in overall process today
Average cycle time incurred during each handoff
Time to create, update, and close change ticket
Approval time
Component Policy Compliance Time
Data/Formulas:
Cycle Time: # of handoffs x Average cycle time per handoff + Approval time
Change Record Time: Change ticket create time + Update time + Close time
End-to-End Process Time: Cycle Time + Component Policy Compliance Time + Change Record Time

Value Factor: Cost
Measurement Objectives: Calculate the end-to-end cost of compliance with change management and governance included
Metrics Factors:
Labor rate(s)
Cycle Time
Component Policy Compliance Cost
Change Record Time
Data/Formulas:
Cycle Cost: Cycle Time x Labor rate
Change Record Cost: Change Record Time x Labor rate
End-to-End Process Cost: Cycle Cost + Component Policy Compliance Cost + Change Record Cost

Value Factor: Risk
Measurement Objectives: Calculate configuration compliance-related exposure risk to the IT environment and the IT services provided to the business
Metrics Factors:
Number of components that must meet policy
Components by service
Number of compliant components
Policy type (e.g., regulatory, operational, or security)
Data/Formulas:
Compliance by Policy Type: (Compliant components by policy / Compliance Policy) x 100
Compliance by Business Service: (Compliant components by service / Compliance Policy) x 100

Figure 96: Intelligent Summary Metrics Formulas

Intelligent Speed KPIs

End-to-end process time

Number of pre-approved compliance changes

Number of compliance changes requiring approval


Intelligent Speed Sample Calculations


Intelligent Speed (Before)
Cycle Time: 4 Handoffs x 25 minutes/each handoff + 12 hours approval time = 13.7 hours
Change Record Time: 2 hours creating change records + 2 hours updating + 5 minutes to close = 4 hours
End-to-End Process Time: 13.7 hours + 14.3 minutes + 4 hours = >17.9 hours
Intelligent Speed (After)
Cycle Time: 0 Handoffs + 0 hours approval time = 0 hours
Change Record Time: 30 seconds
End-to-End Process time: 0 hours + 14.3 minutes + 30 seconds = 14.8 minutes
Intelligent Speed Savings
Before - After Cycle Time: 13.7 - 0 = 13.7 hours
Before - After Change Record Time: 4 hours - 30 sec = <4 hours
Before - After End-to-End Process Time: 17.9 hours - 10 minutes = 17.7 hours
Figure 97: Intelligent Speed Metrics Example

Intelligent Cost KPIs

Penalties for non-compliance

Productivity impact of compliance activities

Cost of unplanned downtime (lost revenue)

Intelligent Cost Sample Calculations


Intelligent Cost (Before)
Cycle Cost: 13.7 hours x $70/hr = $959
Change Record Cost: 4 hours Change Record Time x $70/hr = $280
End-to-End Process Cost: $959 + $43 + $280 = $1,282
Intelligent Cost (After)
Cycle Cost: 0 hours x $70/hr = $0
Change Record Cost: 0.0 hours Change Record Time x $70/hr = $0
End-to-End Process Cost: $0 + $43 + $0 = $43
Intelligent Cost Savings

Before - After Cycle Cost: $959 - $0 = $959
Before - After Change Record Cost: $280 - $0 = $280
Before - After End-to-End Process Cost: $1,282 - $43 = $1,239
Figure 98: Intelligent Cost Metrics Example

Intelligent Risk KPIs

Number of failed internal process audits

Percentage compliance by policy type

Percentage compliance by business service

Downtime historical metrics


Intelligent Risk Sample Calculations


Intelligent Risk
Compliant to HIPAA: (1700 components meet policy / 2000 components required to meet policy) x 100 = 85%
Compliant to Warehouse Management System: (22 components meet policy / 30 components required to meet policy) x 100 = 73%
Figure 99: Intelligent Risk Metrics Example
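
The per-group risk formulas from the Assess, Comply and Intelligent levels (IT Environment Audit State, Configuration Policy State, Compliance by Policy Type, Compliance by Business Service), applied to a constructed inventory to show how an enterprise-wide percentage can hide a low-compliance group. This is an added example, not part of the original document: the record fields, service and policy names, and the 85% target are assumptions, and unassessed components are counted as not compliant.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One (component, policy) pair that is required to meet policy."""
    component: str
    service: str               # business service the component supports
    policy: str
    policy_type: str           # regulatory, operational, or security
    compliant: Optional[bool]  # None = not yet assessed


def pct(numerator, denominator):
    """Percentage rounded to one decimal; None when nothing is in scope."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def compliance_by(findings, key):
    """(compliant / required) x 100 per group, lowest-compliance group first.

    Assumption: an unassessed pair counts as required but not compliant,
    so missing audit coverage lowers the score instead of hiding risk.
    """
    counts = defaultdict(lambda: {"compliant": 0, "required": 0, "unassessed": 0})
    for f in findings:
        c = counts[getattr(f, key)]
        c["required"] += 1
        if f.compliant is None:
            c["unassessed"] += 1
        elif f.compliant:
            c["compliant"] += 1
    rows = [dict(group=g, pct=pct(c["compliant"], c["required"]), **c)
            for g, c in counts.items()]
    return sorted(rows, key=lambda r: (r["pct"], r["group"]))


def enterprise_rate(findings):
    """Single enterprise-wide compliance percentage (the figure to avoid relying on)."""
    return pct(sum(f.compliant is True for f in findings), len(findings))


def audit_state(findings):
    """IT Environment Audit State: (assessed / total) x 100."""
    return pct(sum(f.compliant is not None for f in findings), len(findings))


def below_target(rows, target):
    """Groups whose compliance percentage is under the target, worst first."""
    return [r["group"] for r in rows if r["pct"] < target]


def _sample(service, policy, policy_type, ok, failed, unknown):
    """Build constructed findings: ok compliant, failed non-compliant, unknown unassessed."""
    states = [True] * ok + [False] * failed + [None] * unknown
    return [Finding(f"{service}-{policy}-{i}", service, policy, policy_type, s)
            for i, s in enumerate(states)]


# Constructed inventory (not real data); 22 of 30 mirrors the ratio in Figure 99.
SAMPLE = (
    _sample("patient-portal", "HIPAA", "regulatory", 17, 3, 0)
    + _sample("warehouse-mgmt", "OS hardening", "security", 22, 6, 2)
    + _sample("patient-portal", "OS hardening", "security", 38, 2, 0)
    + _sample("patient-portal", "Backup config", "operational", 10, 0, 0)
)

if __name__ == "__main__":
    print("Enterprise-wide:", enterprise_rate(SAMPLE), "% compliant,",
          audit_state(SAMPLE), "% assessed")
    for key in ("policy_type", "service"):
        print(f"\nBy {key}:")
        for row in compliance_by(SAMPLE, key):
            print(f"  {row['group']:<16} {row['compliant']:>3}/{row['required']:<3} "
                  f"= {row['pct']}%  (unassessed: {row['unassessed']})")
    print("\nBelow 85% target by service:",
          below_target(compliance_by(SAMPLE, "service"), 85.0))
```

Grouping by policy type alone shows every group at or above the target, while grouping by business service exposes the one service that is not, so both views are worth computing.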


Appendix D: Cloud Value Attributes


BMC's cloud value attributes describe key aspects of the cloud that combine to create increasing business value
with cloud sophistication and maturity. They consist of cloud characteristics, drivers, and management
capabilities. Characteristics are always present, but manifest in more automated ways that deliver
correspondingly better value along the Cloud Services roadmap. Drivers for the cloud become more complex and
demand greater management capabilities at higher levels.

Figure 100: Cloud Value Attributes

Cloud Characteristics
Cloud descriptions can vary wildly. Some consider the cloud a remote IT service provisioned through a self-service portal,
whereas others may consider the cloud to be a mix of virtualization and scripting. According to the U.S. National Institute of
Standards and Technology (NIST), cloud computing is:
"a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal management effort or service provider interaction."
This NIST cloud description is widely accepted as an accurate middle ground containing all the key characteristics.


The five NIST cloud computing characteristics are described in greater detail below (Figure 101), reproduced for
convenience.
Cloud Characteristics: Definition

On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource Pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid Elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Typically this is done on a pay-per-use or charge-per-use basis. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Figure 101: NIST's Essential Characteristics Definitions (source: SP800-145.pdf)

Cloud Drivers
Cloud drivers are the motivations for delivering a cloud service. The cloud use case and cloud user drive the type of cloud
environment required and how it must be managed.

Cloud Driver: Definition

Cloud Use Case: Influences the deployment, management, measurement, compliance requirement, and cost for each cloud service. This can range from clouds that are low/no cost and short-term/disposable, with minimal IT component options (e.g., single OS/hypervisors), to long-term strategic clouds for mission-critical applications, with multiple cloud providers and significant IT component heterogeneity.

Cloud User: Can include both internal and external users, software developers, IT operations personnel and service managers.
Figure 102: Cloud Driver Definitions

Cloud Management Capabilities


Cloud management capabilities are the common management functions required to support the cloud characteristics and
deliver against the cloud drivers. These can be core functions provided as part of a CMP and/or supporting functions provided
through integration with other software. More detail on some key supporting functions and how they evolve through the
levels is provided in Appendix E.

Value Attributes Aligned to Automation Levels


It is unrealistic to expect every company embarking on a cloud strategy to aim at a utopian ideal. The ability to
deliver cloud is determined by the readiness and maturity of the IT organization. To help plan, set expectations accordingly,
and deliver value, cloud characteristics and cloud management capabilities need to be aligned with cloud drivers at a
particular automation level.
Cloud Management Capabilities: Definition

Provisioning: Adding and removing IT infrastructure components. This can be the loading of an operating system or
hypervisor, or a full-stack (a golden image clone) deployment that includes all relevant software and
databases.

Configuration: Collecting, organizing, analyzing, changing, and reporting configuration data. Configuration management
can also actively monitor the IT environment for configuration updates and report changes that are made
without authorization or are in conflict with configuration policy.

Capacity: Cloud service capacity is planned and optimized in-line with availability and usage requirements. Capacity is
assessed holistically across all cloud components, allowing capacity to be managed as it relates to IT
services. Capacity managed dynamically provides the information needed to ensure accurate resource
allocation and workload placement.

Service Level: Assigns priority and ensures service delivery meets agreed business expectations.

Service Cataloging: Provides a menu and/or view of IT services available to the business.

Change: Provides the ability to manage, approve, track, and report changes occurring in the cloud environment.

Service: Manages the reporting, escalation, and outage of cloud service issues.

Monitoring: Monitors the health and performance of the IT infrastructure, application, transactions, and end-user
experience. Aids root-cause analysis and supports the remediation process. At advanced automation levels,
monitoring contributes to the process for adding/removing cloud services, moving resources dynamically,
and providing the intelligence to aid decision-making for cloud service delivery.

Compliance: Ensures adherence to both internal and regulatory policy compliance across different cloud environments,
encompassing cloud configurations and software patch levels.

Orchestration and Governance: Orchestrates overall process, manages the product-to-product handoffs, coordinates the different
configuration tools, and integrates the tools for data passing and activity activation. As sophistication
grows, the orchestration starts to govern how the cloud environment is managed (e.g., dynamic workload
placement and workload movement).

Costing: Charging against the usage of particular services. Costing includes showback typically used to show IT
service value when an organization is not ready or required to charge for services. Cost management is
integrated with a company's financial applications and used to control, plan, and evaluate IT spend.
Figure 103: Cloud Management Capabilities Definitions

Cloud Characteristics Aligned to Automation Levels


Each cloud characteristic evolves in-line with cloud maturity, growing more sophisticated at higher levels. As a company's
maturity and needs increase, these characteristics are delivered with increasing sophistication and corresponding business
value. The following chart shows the characteristics aligned against the four cloud services levels.
On-Demand Self-Service
Image: APIs and disparate menus with options. Menus provide access to library of cloud services with
non-standard support for mobile, laptop and desktop (physical/virtual) devices.
Manage: APIs, consolidated menus with customization options.
Govern: Unified cloud catalog of tiered services offered in-line with roles and business need. Service menus
standardized across all cloud user devices.
Optimize: Catalog of tiered services with recommendations and decision aids.

Broad Network Access
Image: Access provided through different interfaces on a limited number of devices.
Manage: Cloud capabilities available over the network through different non-standard interfaces.
Govern: Users access cloud services (applications, data, resources, voice and video) in a consistent way from
wherever they are, using a broad range of media.
Optimize: Extreme network agility, enabling users to access cloud services (e.g., applications, data, resources,
voice, and video) in a standard, consistent way from wherever they are, using whatever media is chosen, with
both thin or thick clients.

Resource Pooling
Image: Minimal. Cloud resources chosen/allocated.
Manage: Resources allocated within specific cloud environment.
Govern: Resources monitored and allocated across multiple cloud instances.
Optimize: Resources pooled and allocated dynamically in line with current and planned usage.

Rapid Elasticity
Image: Minimal. May be provided through a non-integrated 3rd-party service.
Manage: Resources and capacity added when needed either manually or through manual execution of an automated
process.
Govern: Capacity and resources adjusted across hybrid cloud.
Optimize: Capacity and resources dynamically adjusted in line with use.

Measured Service
Image: Private cloud service measured against basic infrastructure availability reports. Public cloud usage reports.
Manage: Cloud service measured against reports from service management, responsiveness, and customer
satisfaction.
Govern: Cloud service is measured against reports from service management, end-user satisfaction, application
performance, and availability.
Optimize: Metering allows resource usage to be monitored, controlled, charged, optimized, and reported, providing
transparency for both the cloud provider and user.

Cloud Drivers Aligned to Automation Levels


Cloud drivers are typically different at each automation level. At lower levels, cloud service requirements are less complex. At
higher levels, service requirements will be more sophisticated. The following chart shows the cloud drivers aligned against
the four cloud services levels.

Cloud Use Case
Image: Low/no cost, short-term, disposable IT resource. Minimal component options (e.g., single OS/hypervisors).
Manage: Short-term cloud usage/longer-term business use cases for capacity, IT resources, and applications.
Govern: Long-term strategic use. Mission-critical applications. Multiple cloud types/providers, significant
component heterogeneity.
Optimize: On-going usage analyzed, optimized, and enabled aligned against cost, usage, and service level.

Cloud User
Image: Operations, development and test.
Manage: Operations, development, and test.
Govern: Operations, development, test, and lines of business.
Optimize: Operations, development, test, and lines of business.

Cloud Management Capabilities Aligned to Automation Levels


Cloud management capabilities at lower cloud service automation levels will be basic. At higher levels, cloud management
capabilities are further enhanced through integration with each other. The following chart shows the management
capabilities aligned against the four cloud services levels.
Provisioning
Image: Automated deployment and installation of resources and capacity.
Manage: Automated deployment and installation of resources, capacity, and software.
Govern: Cloud resources and full-stack workloads provisioned automatically in a consistent and standard way
across all cloud environments.
Optimize: Cloud resources and full-stack workloads provisioned automatically in a consistent and standard way
across all cloud environments.

Configuration
Image: Basic component configuration. Network configuration (including IP addresses) applied with appropriate
cloud service network access.
Manage: Automated package configurations and policies applied to cloud service. When applicable, the cloud
configuration is updated and patches are applied ongoing (to new cloud image or live environment). In some cloud
environments, a component container is used to group cloud components to aid cloud service delivery.
Govern: Configuration management stores cloud component configurations and component cloud service
relationships, aiding cloud governance decisions and the problem management process.
Optimize: Consolidated configuration data, organized in-line with cloud service and business requirements (e.g., by
IT component relationships, application, location, and owner), allowing cloud environment to be managed and
optimized.

Capacity
Image: Capacity checked for availability and used as a reference for workload placement.
Manage: Capacity management consolidated across all cloud infrastructures, managed, and planned across public
and private clouds.
Govern: Capacity managed as cloud services and planned in support of multi-cloud and hybrid cloud usage.
Optimize: Capacity managed dynamically in-line with need and usage behavior for all cloud types.

Service Level
Image: Minimal.
Manage: Service levels used to define cloud service entitlement, performance measurement, and service
termination.
Govern: Service levels used for entitlement, workload placement, performance measurement, and service
termination.
Optimize: Service levels managed to enable dynamic cloud workload placement.

Service Catalog
Image: Service catalog provides basic cloud service offerings.
Manage: Service catalog provides cloud service with options for customization associated with additional effort
and time.
Govern: Service catalog provides options for workload placement.
Optimize: Service catalog provides visibility into cloud services with options tied to distributed workloads and
costs.

Change
Image: Cloud service request process established.
Manage: Change process manages service request, service approval, delivery notification, request close, and
reporting.
Govern: Change extends capabilities to include pre-approval. Change process includes cloud service retirement
in line with SLAs.
Optimize: Changes to the automated process are formally approved and escalated. Supports the automated
compliance, configuration management, and fault management processes to provide the pre-approvals required
for automatic remediation.

Service
Image: Providing cloud service problem management. Typically non-integrated with the cloud management tools
and platforms.
Manage: Automated user problem reporting/tracking and basic capabilities for analyzing and remediating common
IT cloud service issues.
Govern: Cloud users proactively provided with cloud service metrics, issue and remediation guidance, and
collaboration tools.
Optimize: Cloud users provided with cloud service performance metrics, problem and remediation guidance, and
community and collaboration tools.

Monitoring
Image: Basic IT infrastructure availability. Provided by public cloud provider or leveraging existing monitoring
tools.
Manage: Monitoring enhanced to include performance and availability of the application from back-end IT
infrastructure transactions to end-user response times.
Govern: Dynamic change monitored and associated with service models. IT infrastructure health and performance
correlated with end-user activity and performance.
Optimize: Monitoring information analyzed to identify usage patterns. This is used to aid/make decisions and
recommendations on how the cloud services can be optimized.

Compliance
Image: Minimal. Cloud service configured and patched. Network access applied to support cloud service.
Manage: Cloud configurations are monitored against company policy.
Govern: Cloud configurations that break compliance are not deployed; once deployed are monitored against
regulatory compliance and corp. policy.
Optimize: Intelligent cloud compliance ensures dynamic change (e.g., IT configurations, data placement, and
access permissions) is managed in-line with regulatory process and reporting.

Orchestration & Governance
Image: Basic orchestration with workflow management for automating cloud service image configuration,
patching, deployment, and verification.
Manage: Orchestration provides greater control and governance over service workload deployment (e.g., pre-req
checking and component deployment order), expanding the automated process to include capacity, and SLA and
entitlement checking.
Govern: Configuration, workload packaging, and service level data enables governance for cloud service
placement decisions (e.g., resource availability, cloud service verification, and automation execution).
Optimize: Cloud infrastructure and workloads dynamically managed and optimized in-line with usage, availability,
performance, costs, and service agreements.

Costing
Image: Public cloud may incur a cost associated with options. Private cloud will not. Costing accomplished in an
ad hoc, tactical way.
Manage: Public cloud cost associated with resources and use.
Govern: Cloud service usage tracked and evaluated against costs and budget. Private cloud cost may be
recognized through showback but not charged.
Optimize: Costs measured and analyzed across all cloud environments. IT cost management integrated with
company financial systems. Costs optimized. Resources allocated in-line with SLAs.

Cloud Management Capabilities Relationships


The cloud is an IT ecosystem where greater management control is realized when different cloud management capabilities
work in support of each other. For IT organizations to realize increasing automation value, it is critical that the management
solutions are integrated.
The following chart explains the value each management capability offers to the others when integrated.
Provisioning, integrated with:
Configuration: Provisioned environment (live/image) configurations updated
Capacity: Provisioned cloud services delivered with pre-defined, optioned, or requested capacity
Service Level: Cloud services provisioned in-line with service level
Service Catalog: Provisioned cloud services offered through the service catalog
Change: Provisioning managed through the change management process
Service: Provisioning processes requested and supported through service management
Monitoring: Newly provisioned cloud services monitored. Availability and performance data used to guide
provisioning decisions
Compliance: Cloud services provisioned in-line with corporate policy and government compliance
Orchestration & Governance: Unified provisioning of cloud services (e.g., resources, software, and applications)
orchestrated across different cloud types.
Costing: Costs associated with cloud service (e.g., type, delivery speed, and workload placement)

Configuration, integrated with:
Capacity: Cloud service configurations or configuration changes delivered with pre-defined, optioned, or
requested capacity
Service Level: Configurations and configuration updates made in-line with service level
Service Catalog: Configuration options and changes offered through the service catalog
Change: Configuration managed through the change management process
Service: Configuration update/change processes requested and supported through service management
Monitoring: Availability and performance data used to guide configuration decisions. Performance data used to
help tune configuration setup and changes
Compliance: Configurations set and updated in-line with corporate policy and government compliance.
Configuration technology used to monitor for configuration compliance drift
Orchestration & Governance: Unified configuration of cloud services resources across all cloud types
Costing: Cost associated with configuration settings and associated updates

Capacity, integrated with:
Service Level: Capacity allocation and capacity updates made in-line with service level
Service Catalog: Capacity options and changes offered through the service catalog
Change: Capacity requests and modifications managed through the change management process
Service: Capacity issues and requests supported through service management
Monitoring: IT resources performance monitored with data leveraged to support capacity decisions
Compliance: Capacity allocated in-line with compliance policy
Orchestration & Governance: Capacity management provides cloud process automation with the data required to
provision, change, configure, and move workloads dynamically across different cloud environments
Costing: Costs associated with capacity allocated and used

Service Level, integrated with:
Service Catalog: Services offered in-line or with service level options
Change: Change managed in-line with agreed service levels
Service: Service level data used to ensure support is delivered in-line with agreements and business priorities
Monitoring: Cloud service availability and performance monitored against service levels
Compliance: Service levels set and delivered in-line with compliance regulations
Orchestration & Governance: Service level data used as foundational decision criteria for establishing the
delivery, support, and pricing of the cloud service
Costing: Costs aligned with service level

Service Catalog, integrated with:
Change: Services delivered as part of the change management process
Service: Offered services include the support agreement
Monitoring: Service catalog offers monitoring options
Compliance: Services offered with corporate policy and compliance regulations
Orchestration & Governance: Chosen cloud services orchestrated through to delivery
Costing: Costs associated with cloud service offerings

Change, integrated with:
Service: Changes managed through service support to agreed service levels
Monitoring: Change process incorporates monitoring requirements
Compliance: Compliance regulations incorporated into change processes
Orchestration & Governance: Change process aligned with orchestrated cloud service delivery

Service, integrated with:
Monitoring: Faults and performance issues automatically reported and managed by service management.
Monitoring data used to aid root-cause and remediation processes
Compliance: Compliance policies incorporated into support management activity (e.g., changes and updates)
Orchestration & Governance: Service support uses orchestration to provide customer support, diagnose, and
remediate common issues and provide customer services
Costing: Service supported in-line with price/cost of cloud service

Monitoring, integrated with:
Compliance: Compliance state is monitored, measured, and reported across all cloud services irrespective of
where service is sourced
Orchestration & Governance: Monitoring data integrated with the automated cloud processes and used to
evaluate cloud service availability and performance and end-user activity and satisfaction
Costing: IT service monitored in-line with service cost

Compliance, integrated with:
Orchestration & Governance: Orchestration and governance used to automate the processes for identifying and
remediating policy and compliance issues
Costing: Compliance factored into cost of cloud service

Orchestration & Governance, integrated with:
Costing: Costs aligned with automated cloud processes

Figure 104: Management Capabilities Relationship Mapping

Appendix E: Supporting Cloud Management Functions


While automating the process for delivering services remains a key focus for cloud, the ongoing management and
optimization of the cloud environment will become critical to the ongoing success of cloud services. This requires
tools that provide supporting functions to adapt to each evolution of an enterprise cloud environment and process
maturity. Tools that are initially focused on evaluating the basic health of the cloud infrastructure must evolve into
tools that provide information to make decisions across the cloud environment.

Supporting Functions: Visibility into the Cloud


Capacity management, performance monitoring, and availability monitoring are management areas that enable
cloud decisions to be made with greater accuracy and effectiveness. All contribute to the measurement and
reporting of service level agreements (SLAs).
Functionality for these areas can be found in public cloud providers' tools, provided through interfaces or
integration with APIs. However, as cloud sophistication increases, tools focused on a specific environment or cloud
type will not scale to provide the holistic visibility required to make decisions across multiple clouds for a company's
needs. As Figure 105 shows, as companies move from managing cloud instances to sophisticated multi-cloud
environments, capacity management, performance, and availability evolve to ensure the cloud services are efficient,
under control, and effectively managed.

Figure 105: Supporting Function Requirements Must Scale with Cloud Sophistication

Capacity Management
Capacity management is a critical function for successful cloud management. At the lowest value level, capacity
management provides cloud administrators and capacity planners with the ability to monitor cloud component
capacity usage and effectively plan the resources required for additional cloud services. As cloud sophistication
increases, capacity management becomes a critical input to ensure cloud services are automatically provisioned
quickly and reliably. This value is best realized when the capacity technology is able to encompass and group
disparate cloud components, viewing them logically as services (this may include integration with a configuration
database) that span cloud environments. This may mean integrating directly or via a CMP with a public cloud
provider's capacity tool APIs. The value capacity management provides to the cloud includes:

Resource usage monitoring and reporting

Resource (component) planning

Cloud infrastructure capacity optimization (allows removal of redundant/underutilized resources)

Cloud workload planning

Cloud workload movement

Usage vs. cost evaluation

Performance Monitoring
Cloud performance monitoring includes monitoring the health of the cloud infrastructure and the performance of
the applications. The output from both contributes to how services are measured (against SLAs) and delivered.
Application performance will include component diagnostics (e.g., the performance of a database), transaction
tracing (e.g., the application-related communication between cloud infrastructure components), synthetic
transaction monitoring (e.g., a basic response-time measurement between cloud and cloud user), end-user
experience monitoring (e.g., the ability to monitor each application transaction from source to user), and end-user
activity monitoring (e.g., the ability to monitor the IT cloud user's application experience from their IT devices). As
the cloud environment grows in sophistication, infrastructure and backend transaction performance monitoring
extends its reach towards the IT cloud user. Monitoring the user provides a more holistic view of overall cloud
service health no matter where the cloud service is sourced, providing visibility into 3rd-party cloud service
performance as shown in Figure 106 below.

Figure 106: Cloud Performance Focus Changes with Increasing Cloud Sophistication

Availability Monitoring
Tools that monitor cloud infrastructure health move from component to cloud services spread across different cloud
environments. As cloud environments may change frequently, monitoring tools must discover change as it occurs
and alter their monitoring policies accordingly. The IT infrastructure health status is used to assess the impact on
cloud services measured against SLAs.
At lower levels of cloud sophistication, basic monitoring may be provided as part of the cloud service. As
sophistication increases, basic monitoring contributes to an enterprise's overall understanding of the entire cloud
environment and to how cloud services are managed (e.g., an exceeded threshold starts the automation to alter the
allocation of cloud resource).

Glossary
This glossary includes definitions of common data center automation and cloud terminology, as well as
other terms used in this document. For many of these words or phrases, BMC builds on and extends the
work of the U.S. Department of Commerce's National Institute of Standards and Technology (NIST)
Special Publications (SP) and references these sources where appropriate.

Automation Value Model: BMC's schema that organizes automation into multiple levels of increasing
business value. Examples include Provisioning & Configuration, Patching & Compliance, and Cloud
Services Automation.
Automation level: Refers to the level of practice, procedure, and technology deployment for a given
problem area for execution of business needs. Each automation level is a precursor for the next one,
creating a virtuous cycle of business value.
Broad network access: Capabilities are available over the network and accessed through standard
mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones,
laptops, and personal digital assistants (PDAs)). This is one of five essential characteristics of cloud
computing, as defined by NIST SP 800-145.
Cloud Management Platform (CMP): The source for consistent management and delivery of automated
cloud services such as provisioning, configuration management, change management, problem
management, end-user performance monitoring, and tools.
Cloud computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal management effort or service provider
interaction.
Cloud infrastructure: The collection of hardware and software that enables the five essential
characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical
layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary
to support the cloud services being provided, and typically includes server, storage, and network
components. The abstraction layer consists of the software deployed across the physical layer, which
manifests the essential cloud characteristics. Conceptually, the abstraction layer sits above the physical
layer. Defined in NIST SP 800-145.
Cloud native application: An application that was conceived and created to exist as a cloud-based
application.
Cloud migrant application: An application that has ported to exist partially or in its entirety in a cloud
instance but was not originally a cloud-based application.

Cloud service brokerage (CSB): A cloud service brokerage objective assumes that an organization,
internal or external, will offer a broad range of cloud services, off-the-shelf and custom, from both
private and public sources. According to Gartner, a cloud services brokerage (CSB) plays an intermediary
role in cloud computing. CSBs make it easier for organizations to consume and maintain cloud services,
particularly when they span multiple providers.
Community cloud: The cloud infrastructure is shared by several organizations and supports a specific
community that has shared concerns (e.g., mission, security requirements, policy, and compliance
considerations). It may be managed by the organizations or a third party and may exist on premise or off
premise. It is one of four cloud deployment models, as defined by NIST SP 800-145.
Digital services broker: This is the future of IT's role in pushing the business forward, objectively
evaluating both internal and external services that best allow business units to push out production
applications to customers quickly at the lowest cost, without crashing servers or introducing
vulnerabilities in the corporate network.
Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or
public) that remain unique entities but are bound together by standardized or proprietary technology
that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
This is one of four cloud deployment models, as defined by NIST SP 800-145. It is often used incorrectly
in layman's terms to describe a multi-cloud environment.
Infrastructure as a Service (IaaS): A capability provided to the consumer to provision processing,
storage, networks, and other fundamental computing resources, allowing them to deploy and run
arbitrary software, which can include operating systems and applications. The consumer does not
manage or control the underlying cloud infrastructure but has control over the operating systems,
storage, and deployed applications, and possibly limited control of select networking components (e.g.,
host firewalls). This is one of three service models, as defined by NIST SP 800-145.
Measured service: Cloud systems automatically control and optimize resource use by leveraging a
metering capability at some level of abstraction appropriate to the type of service (e.g., storage,
processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and
reported, providing transparency for both the provider and consumer of the utilized service. This is one
of five essential characteristics of cloud computing, as defined by NIST SP 800-145. This is also a BMC
cloud management capability that delivers different value at different automation levels.
Key Performance Indicator (KPI): A performance indicator or key performance indicator (KPI) is a type of
performance measurement. KPIs evaluate the success of an organization or of a particular activity in
which it engages. Often success is simply the repeated, periodic achievement of some levels of
operational goal (e.g., zero defects, 10/10 customer satisfaction, etc.). Sometimes success is defined in
terms of making progress toward strategic goals. Source: Wikipedia.
Multi-cloud: An environment where a company has a mix of private, public, hybrid, and community
clouds used and managed in isolation from each other.

Operational-Level Agreement (OLA): An operational-level agreement (OLA) defines the interdependent
relationships among the internal support groups of an organization working to support a service-level
agreement (SLA). The agreement describes the responsibilities of each internal support group toward
other support groups, including the process and timeframe for delivery of their services. The objective of
the OLA is to present a clear, concise, and measurable description of the service provider's internal
support relationships. Source: Wikipedia
On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server
time and network storage, as needed automatically without requiring human interaction with each
service's provider. This is one of five essential characteristics of cloud computing, as defined by NIST
SP 800-145. This is also a BMC cloud management capability that delivers different value at different
automation levels.
Platform as a Service (PaaS): A capability provided to the consumer to deploy consumer-created or
acquired applications (created using programming languages) and tools supported by the provider onto
the cloud infrastructure. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, or storage, but has control over the deployed
applications and possibly application hosting environment configurations. This is one of three service
models, as defined by NIST SP 800-145.
Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the
organization or a third party and may exist on premise or off premise. This is one of four cloud
deployment models, as defined by NIST SP 800-145. For enterprises, this generally means it is operated
behind the corporate firewall under the control of IT, often to remove security, privacy, and compliance
concerns.
Public cloud: The cloud infrastructure is made available to the general public or a large industry group
and is owned by an organization selling cloud services. This is one of four cloud deployment models, as
defined by NIST SP 800-145. Popular public cloud services include Amazon Web Services Elastic
Compute Cloud (Amazon EC2) and Microsoft's Azure.
Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to
quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for
provisioning often appear to be unlimited and can be purchased in any quantity at any time. This is one
of five essential characteristics of cloud computing, as defined by NIST SP 800-145. This is also a BMC
cloud management capability that delivers different value at different automation levels.
Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a
multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned
according to consumer demand. There is a sense of location independence in that the subscriber
generally has no control or knowledge over the exact location of the provided resources but may be able
to specify location at a higher level of abstraction (e.g., country, state, or data center). Examples of
resources include storage, processing, memory, network bandwidth, and virtual machines. This is one of
five essential characteristics of cloud computing, as defined by NIST SP 800-145. This is also a BMC
cloud management capability that delivers different value at different automation levels.
Self-service: See on-demand self-service.
Service Level Agreement (SLA): An operational-level agreement (OLA) is a contract that defines how
various IT groups within a company plan to deliver a service or set of services. OLAs are designed to
address and solve the problem of IT silos by setting forth a specific set of criteria and defining the
specific set of IT services that each department is responsible for. Source: whatis.com
Software as a Service (SaaS): A capability provided to the consumer to use the provider's applications
running on a cloud infrastructure. The applications are accessible from various client devices through a
thin client interface such as a Web browser (e.g., Web-based email). The consumer does not manage or
control the underlying cloud infrastructure including network, servers, operating systems, storage, or
even individual application capabilities, with the possible exception of limited user-specific application
configuration settings. This is one of three service models, as defined by NIST SP 800-145.
Solution area: Focus areas within the Automation Value Model that demonstrate increasing business
value over multiple automation levels. Examples include Provisioning & Configuration, Patching &
Compliance, and Cloud Services.

To learn more about how BMC can help you automate your business, visit bmc.com/passport or call 800.841.2031
