By Mark McCullough

Your superior asks you and a coworker for the list of systems on the network. You both consult your sources and come up with completely different answers. Who’s right? Both of you.

Your coworker consulted the source of record, the CMDB. Pulling from the CMDB gives your coworker the list of all approved systems, including (hey, this is fantasy) why each system exists and what application it supports. However, several of the systems on your list are not in the CMDB, such as ephemeral systems, and what is more, many of the systems listed in the CMDB no longer exist.

You went to each known source of truth and queried it directly: every known hypervisor, and each known AWS, Azure and GCE account console. However, for many of the systems you found, no one knows how they are used, or even whether they are still needed. In addition, since no single source of truth exists, just lots of little ones, you missed several cloud accounts with their own lists of servers, and a bunch of physical systems, such as the security tool servers.

After review, your manager produces a third list, pulled from memory, of systems that appear on neither of your lists. Each one is a physical system; most of them sit under developers' desks, or in specialized labs with full network access. This list relied on tribal knowledge.

It is important to realize that the source of record and the sources of truth are two different things. A source of truth is a list of what is; the source of record is a list of what should be. They provide two different views, and they pose two different problems. The problem with a source of truth is making sure you find all of the sources of truth; each one is limited in scope, like a physical inspection of a single data center floor. A source of truth also may be missing key information about a resource, such as its history, its linkages to other resources, or even why it exists. The problem with a source of record is that it does not provide what necessarily is, only what is approved, and so it is unlikely to be accurate.
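The reconciliation the story above walks through by hand, as an added example that is not part of the original post: a constructed CMDB export (source of record) is compared against several constructed source-of-truth inventories, and each host lands in one of three buckets. Host names, field names and source names are all made up for illustration.

```python
# Added example, not from the original post. Reconcile a CMDB export (source of
# record) against several sources of truth. All data is constructed; the field
# names "host", "owner" and "purpose" are assumptions for illustration.

CMDB = [  # source of record: what *should* exist, with owner and purpose
    {"host": "web-01", "owner": "app-team", "purpose": "storefront"},
    {"host": "db-01", "owner": "dba", "purpose": "orders DB"},
    {"host": "old-batch-07", "owner": "finance", "purpose": "decommissioned?"},
]

SOURCES_OF_TRUTH = {  # each one only sees its own slice of the estate
    "vcenter-dc1": ["web-01", "db-01", "jumpbox-tmp"],
    "aws-prod": ["web-01", "ci-runner-3f9a"],
    "azure-sandbox": ["devbox-under-desk"],
}


def reconcile(cmdb, sources):
    """Return (stale, shadow, both):
    stale  - in the CMDB but seen by no source of truth (probably gone)
    shadow - seen by a source of truth but absent from the CMDB (no owner, no purpose)
    both   - known to both; maps host -> list of sources that see it
    """
    recorded = {row["host"]: row for row in cmdb}
    seen = {}  # host -> sources reporting it
    for src, hosts in sources.items():
        for h in hosts:
            seen.setdefault(h, []).append(src)
    stale = sorted(h for h in recorded if h not in seen)
    shadow = sorted(h for h in seen if h not in recorded)
    both = {h: seen[h] for h in recorded if h in seen}
    return stale, shadow, both


def report(stale, shadow, both):
    """Render the three buckets as one line per host, for a human reviewer."""
    lines = [f"STALE  (record, no truth): {h}" for h in stale]
    lines += [f"SHADOW (truth, no record): {h}" for h in shadow]
    lines += [f"OK     {h} seen by {', '.join(s)}" for h, s in both.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*reconcile(CMDB, SOURCES_OF_TRUTH)))
```

The "shadow" bucket is only as complete as the set of sources you remembered to query; a source of truth nobody listed contributes nothing, which is exactly the gap the manager's third list filled.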

Both tools have a role in an enterprise environment, but they are not the same thing.