We do that! It really doesn’t matter what ‘that’ is. It could be API monitoring, it could be network monitoring, it could be security services. It could be one of a dozen things. But the sales team for your infrastructure vendor is sure they do it or have a module for it, and they’ll do it for you for free as part of the large contract you’re signing with them.
This offer of free software (or security or whatever) reminds me of two common problems.
Problem one: the ‘free puppy problem’
Somebody gives you a free puppy. That’s great! You love puppies; they’re lovable. But they also stay up all night, and need house training, and chew things and grow up into dogs. Dogs are also great and lovable, but they eat a lot, get sick, and need walking and other stuff.
Before you know it, your free puppy is a sunk cost that you’re going to be living with for more than a decade and it’s a bit late to wonder if you might have been better off starting with a spider plant.
Problem two: the fox and the hen house
This is pretty simple. So, let me get this straight – a large software company has installed the systems that run your operations, your APIs, your messaging, microservices, etc. It provides all the monitoring you’ll ever need. Trust them, they say; they installed it, and they know best how it should work.
Each of these scenarios is a problem. But together with APIs, they can be catastrophic. Time and time again, we find this to be the case with clients who come to us:
- The problem IS the vendors’ products. Whether it’s the security module, the gateway or something else – it’s not working as you expect when you measure what it actually does using something else.
- It only measures a very specific subsection of the solution. So it misses some of the failure modes that are essential to users, to TPPs, to regulators and others.
- It doesn’t monitor anything OUTSIDE of the vendor stack. If you’re a bank or large solution provider with other partners and systems, your services can’t be monitored with the same product. This is a serious problem. Those gaps are the gaps into which your reputation, your customers and ultimately your business are going to fall.
This is part of a familiar pattern with IT monitoring and testing. People want a shortcut; they want the easy solution. It’s an extension of the ‘we can write that’ suggestion – sure you can, but you’ll need a project team and a budget and a plan.
The free software from your vendor is just the same. It needs to be managed. It may leave gaps. And it is unlikely to pick up on the major problems with your stack.
The best thing to do is understand that for modern regulators and infrastructures, you should have a dedicated monitoring stack (you may need multiple products looking at all the critical pieces). And you need to manage the pieces to drive the data you need, when you need it, and not opt for the shortcuts that could, at best, leave you with gaps in coverage – or at worst, leave you in open conflict with customers, TPPs and regulators.