While digital transformation initiatives have pushed many organizations toward more cloud-based workloads and multiple Internet of Things (IoT) devices on their networks, the process of keeping track of everything remains in the dark ages. Immature and manual practices for IT asset management still rule, with 43% of organizations still relying on spreadsheets to track their IT assets, according to data released in February by Ivanti.
In addition, the recent global scramble to enable workforces to shift to remote work due to COVID-19 means hardware and software deployments may have been hastily pushed out, leaving a chaotic and spotty inventory for IT managers to oversee in its wake.
That's where a comprehensive IT asset management (ITAM) program can help, saving you money, ensuring compliance, and helping you make better purchasing decisions. In fact, not having an ITAM program can be damaging – because it can lead to major security vulnerabilities. If you don't know what you're securing, you simply can't protect it.
"With no formal IT asset management program in place, teams often rely solely on Active Directory or basic inventory information, which often does not give the full picture and opens the organization up to security risks," says Mareike Fondufe, technology evangelist at Ivanti.
So there's no time to waste to get back on top of ITAM. Here are the questions to tackle to dig through the noise, find what you need to track, and get it secured.
What Assets Should I Be Looking For?
The types of assets that need to be managed in an enterprise fall into four categories: software, hardware, mobile devices, and cloud. And if those assets handle or communicate with corporate data – the kind of sensitive data that might end up in the hands of an attacker or competitor – their management is especially crucial.
"When you fully understand what is connected to your network, you can put checks in place to verify that assets are compliant with your security policies," Fondufe says. "With ITAM, you can also be notified when an asset doesn't report into your network, allowing you to investigate missing assets that have been stolen or lost and are now posing a threat to your environment or data. For IT and security teams, it's vital to have a proper baseline to understand what you truly have before you can manage and secure it."
What kind assets are in these four categories and what do they do? Here are some examples of each:
• Software assets: This is the most complex and vast area, obviously, but it is exactly as it sounds: all software applications within the organization.
• Physical (hardware) assets: Laptops, PCs, printers – really, all hardware connected to the network.
• Mobile assets: Smartphones, tablets, and smart devices connected to the network.
• Cloud assets: Any workloads that communicate with your network, including cloud-based databases and applications.
What Tools Can Help Me Find and Secure These Assets?
Remember the spreadsheet statistic from earlier? If that includes you, it is time to significantly upgrade your ITAM toolbox.
"Don't rely on spreadsheets. Gain complete visibility to maximize the performance and value of your hardware and software assets," Fondufe advises. "Instead of keeping up with endless spreadsheets manually, simply guessing what you have, or relying solely on Active Directory, ITAM will help you see what assets you have, where they are physically located, and how they are used, even down to the associated cost center or department level."
What Types of Tools Can Be Part of My ITAM Security Strategy?
An ITAM security strategy can incorporate a variety of tools to discover, monitor, and manage assets. Here are a few to consider:
• Vulnerability assessment tools: Initially, you can rely on a vulnerability assessment tool to scan and identify known vulnerabilities on the devices it can find and can scan. But that is just the beginning. Plenty of assets can be missed because a vulnerability assessment tool simply does not know it exists.
• Identity access management tools: IAM tools like Active Directory or Azure AD authenticate and authorize users and devices for a broader picture of what you have on your network.
• Network data mapping tools: Mapping network infrastructure for IT asset discovery and inventory can further generate a foundation of all hardware and software assets on your network.
• Cloud access security brokers: CASBs help govern cloud deployments. They can be used to discover, monitor, control, and secure access between end users and cloud services they access.
• IT asset management reporting tools: This many be obvious, but ITAM software specifically designed to generate reports on hardware and software usage can provide detailed insights on asset workflows, communication, life cycle, and other important metrics.
What Questions Should I Ask While Organizing?
Asset managers need to ask basic questions about every asset on the network. Is it known and managed? Where is it located and what does it do? Is it up to date? Does it adhere to my security policy?
But beyond those, here are some additional questions to consider to up-level your ITAM security strategy.
• How has the pandemic changed things in our environment? This one is a doozy. The first consideration just might be how your environment has changed in the past few months now that most workforces have shifted to remote arrangements.
"I think COVID-19 has forced many organizations to accelerate plans for things like cloud migration, collaboration to support remote working, and the adoption of new device types – all of which need effective ITAM if they are to be achieved cost-effectively and without introducing risks into the organization," says Matt Fisher, director, digital platform strategy at SHI International.
Before going any further in your ITAM organization, it's important to assess what new devices and other connections may have been put in place in the scramble to stand up home office environments. What may have been overlooked and not accounted for in the rush?
• Do the assets we have align with business objectives? Again, changes brought about by the pandemic may have caused your organization to shift its business priorities. This is a good time to ensure the assets you are managing still align with the current goals of the organization. If they don't, they're really just a liability.
"Whether you're implementing ITAM from scratch or building on what's already there, the first step is to make sure that you understand what your organization needs," says Victoria Barber, technology guardian at Snow Software.
• Where can we find cost savings? Computers often have hundreds of dollars' worth of unnecessary, unwanted, or unused software on them. Each software license and hardware, whether used or not, represents a risk or vulnerability, Fondufe says. If it's not used, it should not remain in the environment. A solid ITAM strategy can help you figure that out.
• Are we ready or the future? As we have seen from the business disruption over the past few months, a network today is not the same network tomorrow. Things change. Quickly.
"ITAM is not a set-it-and-forget-it activity," says Jimmy Tom, research adviser at Info-Tech Research Group. "It is something that needs to be revisited on a regular basis in order to keep the ITAM inventory current."
The recent explosion in the adoption of collaboration and productivity suites will also potentially create challenges for ITAM in the medium term, SHI International's Fisher says.
"As vendors have rushed to fuel adoption with extended free trials and 'credit-card-sized' pricing plans, so many apps have been adopted – some companywide but many at a department level," he explains. "At some point, these apps will no longer be free or cheap, and ITAM will have to take the lead in understanding consumption, identifying waste and duplication, and ensuring that new apps don't create security or data integrity issues."
- Abandoned Apps May Pose Security Risk to Mobile Devices
- 3 Ways the Pandemic Will Affect Enterprise Security in the Future
- Why All Employees Are Responsible for Company Cybersecurity
- Latest Security News & Commentary About COVID-19
- How Cybersecurity Incident Response Programs Work (and Why Some Don't)