With drift and other issues putting your desired state at risk every day, you may wonder: What is configuration management? And how does it work?
Every organization needs to define the ideal configuration of its systems. That ideal configuration, or desired state, is the state in which systems and resources are aligned to support development, network performance, and efficiency.
In short, you want your environment to keep running in a desired state. Configuration management helps you do that. Read this blog to get a complete overview, including the configuration management process, including examples, use cases, and benefits.
Table of Contents
- What is Configuration Management?
- What is a Configuration Management System?
- What is the Main Purpose of Configuration Management?
- Configuration Management Processes: Essential Steps
- Configuration Management Examples
- The Benefits of Configuration Management
- Configuration Management Best Practices & Tips to Follow
- How to Get Started with Configuration Management
What is Configuration Management?
Configuration management is an automated process that keeps an organization's systems in a desired state. Configuration management helps configure systems like hardware and software as well as correct issues when changes are made.
Configuration management can also automatically correct issues to ensure that your systems perform as expected.
Once the desired state is determined, a well-designed configuration management system can monitor for changes, detect deviations, and correct those deviations (either automatically or after alerting the IT team). It ensures that the environment remains stable and prevents changes from going unnoticed and then becoming a bigger problem.
Back to topWhat is a Configuration Management System?
A configuration management system (CMS) is a set of tools and processes for managing the configurations of computer systems, including software, hardware, and networks. A configuration management system can organize and control configurations to enforce a consistent desired state over time.
A configuration management system enables visibility, reporting, auditability, and enforcement of configurations across a system. The basic functions of a configuration management system include version control, change management, configuration control, auditing, release management, and more.
Examples of a configuration management system include version control systems as well as specialized configuration management platforms like Puppet, Ansible, and Chef.
Find out how Puppet stacks up for configuration management in our comparison blogs on Puppet vs. Ansible and Puppet vs. Chef >>
Back to topWhat is the Main Purpose of Configuration Management?
Configuration management ensures a system performs as desired over time, even as changes are made to the system. Organizations often use configuration management to reduce configuration drift and maintain compliance with IT security standards.
Technology relies on correct configuration to support the organization’s business objectives. When properly configured, that technology enables an organization to move quickly and consistently while also maintaining security and reducing risk.
Specifically, the infrastructure involved in supporting the business depends on configuration management. In short, when change is made in the underlying business infrastructure, it needs to be automated and trusted in order to be useful.
Configuration Management Can Be Automated
Configuration of the infrastructure can either be accomplished through manual or automated means. Automated configuration management lets organizations move quickly and consistently over time while promoting better security and reducing risk for the business.
With automated data configuration management, the provisioning of new infrastructure and changes to existing infrastructure is accelerated to meet the application requirements that drive business outcomes. As a result, regardless of where the business needs to head, it can rely on automated configuration management to move quickly, be agile, and maintain consistent configurations.
Configuration Management Enables Visibility & Reporting
A configuration management tool also gives you visibility into the state of your organization’s infrastructure. That means you can see the current state of applications and other resources.
It also lets you build on top of existing system settings to create a larger, more versatile, more robust infrastructure. Because of this wide visibility, organizations trust automated configuration management to make changes in the organizations at scale — through existing or net new infrastructure.
Understanding what changes are being made begins with understanding that a system has remained consistent since the last set of changes. This is a vital part of maintaining desired state in configuration management.
By promoting a better understanding of change management in the organization, configuration management provides teams with the information they need to make better decisions quickly.
Back to topConfiguration Management Processes: Essential Steps
The configuration management process includes assessment, establishing baselines, automating configuration enforcement, and documenting changes to configurations.
The above is a simplified version of a typical configuration management process. A configuration management process can be as simple as a build checklist or document for administrators to follow.
In larger organizations and enterprises, the configuration management process can also integrate provisioning, change management, reporting, and other control processes.
What Do Configuration Management Tools Do?
Configuration management tools assess configurations, establish baselines, manage changes, and remediate drift in a system.
Every configuration management system is designed to do a similar set of basic things. The different types of configuration management and the specific ways it gets there all ladder up to enforcing a desired state in a system.
For infrastructure, that means establishing baselines, configuring applications, enforcing compliance, and more. But at a broader level, the actions a configuration management tool performs can be expressed in four common functions.
A configuration management system performs four basic functions:
- Identification: Identifying all elements of a system's state.
- Control: Coordinating and limiting access to configurations in a system. The benefits of configuration control include preventing unauthorized or unintentional changes (called configuration drift) and stopping changes from getting lost.
- Auditing: A series of checklists confirming that changes are being made to conform to a system's desired state.
- Status Accounting: Automatically recording code changes as well as why they were made, when they were made, and who made them.
There are several factors to consider when selecting a configuration management tool. Provisioning, monitoring, cataloging, continuous delivery, and reporting are all IT infrastructure lifecycle components that should integrate with configuration management.
Configuration management tools should also offer the flexibility to both manage systems on an ongoing basis and perform ad hoc administrative actions when required. Configuration management should also allow systems to be self-healing to enable continuous compliance.
A configuration management tool should enable you to:
- Define, test, and deploy changes with infrastructure as code using task-oriented or model-driven workflows
- Assess configurations, lay down baselines, and automate standards for continuous enforcement of desired state through configuration management
- Manage the state of your infrastructure with a dashboard view of inventory across the organization and track exceptions in a repeatable way
- Manage changes at scale with control and auditability; track and report on corrective and intentional changes from a centralized configuration management interface
- Reduce operational risk with a consistent and predictable environment that meets security and compliance requirements
- Manage drift between the desired and actual configuration state with agent-based drift alerting (a crucial component of configuration management tools)
- Safely scale automation across teams with greater insight into proposed code changes while avoiding conflict and collisions
- Stay compliant with automated patching workflows and eliminate multiple tools and manual, error prone processes
- Build security, compliance, and operational policies right into your infrastructure with policy as code
- Automatically assess compliance with specific guidelines such as CIS and NIST
Configuration Management Examples
A basic example of configuration management might involve installing Apache on all of your web servers, configuring Apache settings through its configuration files, deploying web application files to the server's document root, and setting firewall rules to allow HTTP traffic.
To make it even more concrete, let's break down the types of configurations managed in that example!
Baseline Configuration
In configuration management, a baseline configuration is an established and described state of the infrastructure at a single point in time. Baseline configuration is used as a control for defining change from a set state.
- In the example above, the baseline configuration would include the initial setup of the Apache web server, including installing the operating system and Apache, configuring basic firewall rules, and configuring system updates.
Baseline configurations are essential to providing consistency in both provisioning infrastructure and change management. Traditionally, adding simple baseline configurations for operating system security has been cumbersome for IT staff and fraught with errors. Configuration items such as user accounts, compliance standards, and information security requirements often go misconfigured across operating systems, driving inconsistency and increasing risk.
Baseline configuration management is a common use case for automated configuration management because it drives out these inconsistencies and reduces risk easily. With baseline configuration management of the operating system(s), provisioning and change can be secured across the fleet of infrastructure — whether it resides on premises, in the cloud, or both.
Application Configuration
Application configuration is the act of defining and enforcing a state in web applications, database applications, or containerized platforms.
- In the example above, application configuration would include configuring specific application files, Apache virtual host settings, and application dependencies.
In today’s IT world, applications can exist in multiple locations around the world for a single organization. They may have the same application that exists in their on-premises data center(s), but they may also distribute those applications across cloud environments for redundancy. Manual configuration across this disparate scenario can be extremely difficult, particularly at enterprise scale.
Automating these processes is yet another example of the strength of configuration management. These applications provide a valuable service to organizations. Automated configuration management builds consistency at scale for these applications while also ensuring the applications are configured correctly, secure in their configurations, and consistent across public, private, or hybrid cloud scenarios.
Compliance Configuration
Compliance configuration is the act of configuring infrastructure and systems to enable compliance with regulatory standards such as GDPR, HIPAA, and PCI.
- In the example above, compliance configuration would include configuring security and regulatory settings like SSL/TLS configurations, role-based access control (RBAC), monitoring tools, and security updates.
Regulatory and corporate compliance requirements are a significant consideration for initiating and maintaining infrastructure. Many of the compliance requirements are designed around data and privacy regulations required by government entities, like:
- General Data Protection Regulation (GDPR) in the EU
- The Health Insurance Portability and Accountability Act (HIPAA) in the US
- The Payment Card Industry Data Security Standard (PCI DSS) worldwide
- Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) for organizations that connect to US Department of Defense systems or networks
- Center for Internet Security (CIS) Benchmarks, international security standards for protecting IT from cyberattacks
Every organization is expected to be compliant with at least one regulatory framework, which is why they should be considered when configuring infrastructure.
Again, automated configuration management plays a large role in ensuring that infrastructure meets regulatory and corporate compliance. Configuring at the system and app level automatically creates consistency and reliability for IT compliance.
📢 Want to see configuration management in a real-world environment? The Puppet team is happy to walk you through a demo! >>
Auditing compliance in IT is also easier with automated configuration management. Configuration management helps organizations pass audits by allowing auditors to compare the required configurations with reporting from the configuration management system. Once the two are compared and reporting shows compliance being enforced across the infrastructure, the audit becomes a breeze.
Back to topThe Benefits of Configuration Management
Configuration management is essential for software development because it creates a consistent and predictable development environment.
It ensures that software development and infrastructure deployment control processes follow required compliance frameworks, enforce consistency and stability throughout on-premise and cloud-native environments, and reinforce security through application of self-healing infrastructure as code.
In short, configuration management ensures that misconfigurations don’t go unnoticed and prevents them from creating problems across the environment.
At a broader level, it enables automation that supports continuous compliance. It empowers IT teams to determine the ideal configuration across the environment, prevents unauthorized changes, catches deviations, and corrects the system back to desired state (often with self-healing capabilities, depending on the configuration management tool).
Without configuration management, environments can fall into chaos and disorder, with variant configurations on different computer systems. Consistency matters, especially across enterprises, so that changes can be made efficiently at scale. Configuration management enables organizations to facilitate streamlined updates and upgrades and improve stability across environments.
Back to topConfiguration Management Best Practices & Tips to Follow
Configuration management starts with defining the desired state of your environment. Once you understand and codify the components that make up the computer systems in your organization, configuration management can help you establish and maintain that desired state across environments.
After you've established baselines, best practices for configuration management include:
- Extensive documentation: Document every item to be configured, from hardware and software to network settings.
- Version control: Track changes to config files and scripts so you can roll back when needed.
- Automation: Eliminate errors and save time with a configuration automation tool.
- Change control process: Require testing, approval, and documentation for desired changes to any configurations.
- Testing: Use a CI/CD tool to test configuration changes in a staging environment before deploying them to production.
- Drift detection: Scan your systems for configuration drift, which will leave your configurations out of alignment with your baseline.
- Compliance assessment: If your organization has to comply with a security framework (like DISA STIG, PCI DSS, HIPAA, or CIS Benchmarks), use a compliance scanning and assessment tool to confirm that your configurations are compliant — or find out why they're not compliant.
- Auditing and review: Even if you're automating configuration management, you should still schedule regular reviews of your processes to make sure it's still working as intended.
- Train and collaborate: Make sure your stakeholder departments have visibility into your CM processes. That can include devs, IT ops, security, and more.
The best configuration management processes result in systems that share as much commonality as possible, require as little bespoke work as feasible, and comply with all applicable internal and external compliance requirements.
As mentioned, manually handling configuration management processes isn’t realistic for larger organizations. A configuration management tool like Puppet Enterprise makes this an automated process that frees IT to focus on other priorities. (No more 2 a.m. alerts!)
Back to topHow to Get Started with Configuration Management
Of course, you can’t go from ‘zero’ to 'desired state’ overnight. In fact, before you even pick a configuration management system, it’s best to spend time identifying why you need one.
Here’s how to get started with configuration management:
- Begin by assembling manual checklists and building documents into a common grouping of configuration options that exist on all (or most) systems. Focusing your configuration management efforts on the most common patterns first will help save the most human effort and bring immediate automation benefits to your organization.
- Ensure that monitoring, anti-virus, and other highly common software are included in the checklist as well.
- Categorize systems based on what must change to make them specific to certain applications, geographic regions, or other categories to build reusable blocks of infrastructure as code.
- Select a configuration management system.
Puppet offers several ways to get started with configuration management. The Puppet Forge has more than 7,000 ready-to-use modules to help install software, maintain websites, run databases, manage operating system parameters, and thousands of other configuration management tasks.
Puppet also offers free configuration management training options including instructor-led classes, web-based labs, and self-contained virtual environments to safely explore how Puppet can help you move from configuration management to configuration excellence.