IT asset management is often the elephant in the room that IT, security and senior executives try to ignore until a security incident or other event sheds light on how critical it is. Asset tracking – and the inevitable data cleanup – of everything from the virtual and physical servers that keep your business running smoothly to the smartphones and other devices your employees use daily is a persistent problem for organizations of all sizes and industries.
Despite being an important foundation underpinning your company’s ability to execute well on critical security functions such as incident response and vulnerability management, few companies have comprehensive and accurate asset management strategies in place. IT asset management needs to answer the question of what, where, and how IT assets are being used. This data supports security’s questions of “which devices are vulnerable to the latest threat?” and “which devices need the most recent vendor patch?”
Although IT asset management may be viewed as a perpetually unsolved problem, it doesn’t need to be the most difficult one. Like brushing your teeth, you may not enjoy it, but you need to do it on a regular basis to prevent future pain and significant expense. Practicing due diligence is a must.
Here are four ways to successfully tackle asset management at your organization with less pain and more gain.
Narrow your thinking.
Even the term “asset” gives many practitioners pause because, in a cybersecurity and IT context, an asset simultaneously refers to physical hardware devices, virtual assets like software and even data itself. Asset management, on the whole, includes all assets of value, although data is typically handled independently from traditional IT asset management, with control mechanisms defined and applied to different data classifications.
Limit the scope of your IT asset management endeavors to the traditional IT categorization of hardware and software, knowing that what you do about those assets (once you know you have them) will be driven by the value of the data they contain and the protections dictated by your data classification standard. For example, you may need to monitor a certain server’s access more closely than others if it hosts systems that house confidential data.
Define yours, mine, and ours.
The assets themselves ultimately belong to the business group that needs them. However, because of shared infrastructure, which is driven by cost savings and a desire for simplification and efficiency, specific departments do not typically procure specific hardware or software for only their team’s use. Security is a primary consumer of asset management, so it is not surprising that they commonly inherit aspects of the asset management program. Security is also typically the squeaky wheel that gets asset management higher on the organizational priority list because they desperately need to trust the data presented to them when investigating incidents or triaging and treating vulnerabilities. Ultimately, IT should be the custodian of the asset management program, working in close coordination with security and the group that “owns” the asset to identify and classify the discovered information. It is a team effort that requires constant diligence by all parties to keep the data accurate and actionable.
Tame the technological terror (it’s complex, but not impossible).
There are a wide variety of ways to identify, track and classify assets, and despite vendors’ best efforts to convince you otherwise, there is no one solution to all your asset management needs. At the core, you should be able to correlate data elements such as host name/IP address and any other unique identifiers that you can tie to other data such as business group ownership, end users, and assigned software licenses. Many product companies provide robust IT asset management (ITAM) products, but in addition to looking at individual product functionality, you should also look at what tools will complement your existing products and vendors you already use for patch management, software license upgrades, network access control and any other capabilities where you have the opportunity to identify, log and classify an asset.
Your company also needs to be able to distinguish between known and unknown assets that are connected to your network. Many organizations are moving to a device-agnostic network security model, where bring your own device (BYOD) is prevalent and corporate offices are no more physically or even logically secure than a Starbucks’ Wi-Fi network. In these architectures, you need the ability to report on both managed and unmanaged devices, with the understanding that there will be a discrepancy in the data you can correlate depending on device type.
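The correlation described in the two paragraphs above, as an added example that is not part of the original article: an inventory export (what IT believes is deployed) is joined to a network discovery sweep by host name and IP address, so that unmanaged devices, stale inventory records, and the devices still needing a given vendor patch can each be reported. The record layout, field names and all sample data are constructed assumptions, not any particular ITAM product’s format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str        # business group that owns the asset
    user: str         # assigned end user, "" for shared infrastructure
    patch_level: str  # vendor patch baseline applied, as "YYYY-MM"

# Constructed inventory export (what IT believes is deployed); sample data only.
INVENTORY = [
    Asset("web-01", "10.0.1.10", "ecommerce", "", "2024-05"),
    Asset("db-01", "10.0.1.20", "ecommerce", "", "2024-03"),
    Asset("lt-jsmith", "10.0.2.15", "finance", "jsmith", "2024-05"),
    Asset("old-build", "10.0.3.9", "engineering", "", "2023-11"),
]

# Constructed discovery sweep: (hostname or None, ip) pairs seen on the network.
DISCOVERED = [
    ("web-01", "10.0.1.10"),
    ("db-01", "10.0.1.20"),
    (None, "10.0.2.77"),         # answers on the network, no inventory record
    ("lt-jsmith", "10.0.2.16"),  # known hostname, IP drifted (DHCP lease)
]

def correlate(inventory, discovered):
    """Join discovery results to inventory by hostname, falling back to IP.
    Returns (managed, unmanaged): managed maps observed IP -> Asset, unmanaged
    lists IPs with no inventory match. Hostname-first tolerates DHCP churn."""
    by_host = {a.hostname: a for a in inventory}
    by_ip = {a.ip: a for a in inventory}
    managed, unmanaged = {}, []
    for host, ip in discovered:
        asset = by_host.get(host) or by_ip.get(ip)
        if asset is None:
            unmanaged.append(ip)
        else:
            managed[ip] = asset
    return managed, unmanaged

def needs_patch(inventory, baseline):
    """Devices whose applied patch level predates baseline ("YYYY-MM" sorts as text)."""
    return sorted(a.hostname for a in inventory if a.patch_level < baseline)

def missing_from_network(inventory, discovered):
    """Inventory entries never observed on the network: stale records to review."""
    seen = {h for h, _ in discovered if h} | {ip for _, ip in discovered}
    return sorted(a.hostname for a in inventory if {a.hostname, a.ip}.isdisjoint(seen))
```

The three reports together give security a managed/unmanaged split to trust during incident triage and give IT the cleanup list that keeps the inventory accurate.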
Take baby steps first.
The best asset management program for your organization is the one that leverages your existing capabilities and tools, and tracks your assets to the level of detail that is commensurate with your organizational risk appetite. For smaller organizations, a good starting point is a basic device-driven IT asset management program. As your organization matures, you will likely advance toward an “asset-criticality driven program” that recognizes the differences between unmanaged, but low-risk devices, and higher value devices where interrogation is required before access is granted.
Asset management may never be the job your teams clamor to take on, but you can make the medicine taste better with the right approach and strategy.