10 June 2019
By Marco Rottigni, Chief Technical Security Officer EMEA at Qualys
The Forth Bridge in Scotland is famous for being painted continuously: as soon as the work is completed from one end of the bridge to the other, the maintenance team starts painting again. This is of course an urban legend, but if it were true it would be of great interest to paint manufacturers and maintenance companies. In fact, before it was treated with a special coating that lasts more than 25 years, the bridge required close attention from maintenance workers given its continuous exposure to bad weather.
What does the Forth Bridge have to do with IT asset management (ITAM)? ITAM is an essential requirement for those responsible for the security of IT systems, for compliance and for the management of IT operations. A coherent and continuous approach is needed to keep information on IT equipment constantly up to date, and yet it is not as simple a process as it seems.
Configuration management and resource monitoring have been an important component of the IT Infrastructure Library since the 2000s, and IT equipment databases were managed years before that. Yet, according to Gartner analyst Hank Marquis, 80 percent of companies investing in Configuration Management Database (CMDB) projects see their efforts fail, which makes ITAM coordination extremely difficult.
Managing an accurate and up-to-date list of IT devices helps security teams prevent problems. According to Verizon's 2016 Data Breach Report, the top ten software vulnerabilities are responsible for 85% of confirmed compromises; without this detailed view it is very easy for attackers to keep the footholds they have gained. One example is the case of Apache Struts, where flaws that could have been remedied with available patches led to successful attacks on some large companies, with fines of millions of euros.
Why is it so difficult to implement ITAM correctly? Although we have seen CMDB initiatives for over twenty years, why is it still so difficult to have accurate and up-to-date IT data?
How to obtain more accurate data on IT assets
One of the first reasons is the sheer number of devices that CMDB systems must track today. Every PC has its own operating system, hardware and installed applications, and for each device there are versions and patch levels to check. Multiply this by the total number of employees of a large company and the numbers grow rapidly: each employee also has a smartphone or tablet, further increasing the number of devices.
Not to mention corporate IT services, web applications, cloud deployments and other IT resources that need to be controlled, monitored and managed.
With so many IT assets constantly in motion in an organization, it is not easy to build a CMDB or perform regular asset inventories. It's a problem of scale.
Secondly, each platform may hold data on the same devices but present it differently, with different definitions and for different reporting objectives. A PC on a network can be identified in different ways, and the software installed on it is tracked separately for licensing, security and workstation management purposes. This wide variance in data is one of the main reasons CMDB initiatives fail.
Even when a CMDB implementation gets off to a good start, the operational burden takes up time that could be spent on more important, data-driven decisions.
To solve this problem we suggest collecting all ITAM information together in one place. Rather than monitoring separate sets of asset data for endpoints, network devices and cloud services, all data should be consolidated and sorted.
Automating the data normalization process also offers the opportunity to enrich the data itself, for example by adding end-of-life and support status information, rather than requiring additional manual effort.
This ensures that the data sets are not left incomplete.
For mobile or remote devices, software agents should provide accurate information about what these devices are, to ensure consistency and security regarding what connects to the corporate network.
All this information should be constantly updated, reflecting the changes that occur every day as new equipment is added, upgraded, modified or decommissioned.
Use data more effectively
Creating a CMDB or other IT asset library can help improve the accuracy of data use within your company. However, there are other ways to facilitate collaboration between teams, such as prioritization. With so many new updates arriving, it can be difficult to know which updates are the most urgent and which can wait, as well as what impact each update has on IT software releases. Consequently, it is not enough to have a list of assets: it is necessary to work out which are most important for the business and which have lower priority, perhaps through dashboards that highlight when situations exceed certain attention thresholds.
Similarly, this list should provide insight into applications or services that cannot or will not be updated but still provide business value, so that other teams in the organization are aware of them and can plan ahead for how to proceed. Think, for example, of hardware dedicated to manufacturing or healthcare that can only run a specific operating system and that at some point sees its support end.
The need for protection and the likelihood of attack persist, so this situation must be tracked.
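The consolidation, normalization and enrichment process described above, together with the end-of-life tracking and attention thresholds just discussed, as an added example that is not part of the original article or any Qualys product: two constructed feeds (an endpoint agent and a network scanner, each with its own schema) are merged into one inventory keyed on a normalized host identity, enriched with constructed vendor end-of-support dates, and hosts that are unsupported or unseen by the agent are surfaced for a dashboard.

```python
# Consolidate asset records from several tools into one normalized inventory and
# enrich each host with end-of-life status (added example; all feeds, field names
# and EOL dates are constructed for illustration, not Qualys product data).
from datetime import date

# Constructed sample feeds: each tool reports the same hosts with its own schema.
ENDPOINT_AGENT = [
    {"hostname": "WS-0142", "serial": "SN-A1", "os": "Windows 7 Enterprise"},
    {"hostname": "srv-db01", "serial": "SN-B2", "os": "Ubuntu 18.04"},
]
NETWORK_SCAN = [
    {"ip": "10.0.5.12", "fqdn": "ws-0142.corp.example", "os_guess": "Windows 7"},
    {"ip": "10.0.9.3", "fqdn": "srv-db01.corp.example", "os_guess": "Linux"},
    {"ip": "10.0.9.77", "fqdn": "mri-console.corp.example", "os_guess": "Windows XP"},
]
# Constructed vendor end-of-support dates, keyed by normalized product name.
EOL_DATES = {"windows xp": date(2014, 4, 8), "windows 7": date(2020, 1, 14)}

def asset_key(record):
    """One identity per host, whichever tool reported it (short name, lowercased)."""
    name = record.get("hostname") or record.get("fqdn") or ""
    return name.split(".")[0].lower()

def normalize_os(record):
    """Map the free-text OS field of any feed onto the product names in EOL_DATES."""
    raw = (record.get("os") or record.get("os_guess") or "").lower()
    return next((p for p in EOL_DATES if raw.startswith(p)), raw)

def consolidate(feeds, today=date(2019, 6, 10)):
    """feeds: list of (source_name, records). Agent data wins over scanner guesses."""
    inventory = {}
    for source, records in feeds:
        for record in records:
            entry = inventory.setdefault(asset_key(record), {"sources": [], "os": ""})
            entry["sources"].append(source)
            if not entry["os"] or source == "agent":
                entry["os"] = normalize_os(record)
            for field in ("ip", "serial"):
                if field in record:
                    entry[field] = record[field]
    for entry in inventory.values():
        eol = EOL_DATES.get(entry["os"])
        entry["end_of_life"] = eol
        entry["unsupported"] = eol is not None and eol <= today  # past vendor support
        entry["agent_missing"] = "agent" not in entry["sources"]  # seen only by the scanner
    return inventory

def attention_list(inventory):
    """Hosts that should cross a dashboard threshold: unsupported OS or no agent."""
    return sorted(k for k, e in inventory.items() if e["unsupported"] or e["agent_missing"])
```

Hosts with a known but future end-of-life date keep their date in the record, so a planning view can list them before they become unsupported.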
Another issue is how IT teams collaborate.
ITAM data can be used effectively for security, compliance and risk management, but if it is not accurate, timely and visible to these teams, their performance suffers. Additionally, it can be difficult to obtain accurate information about all the software assets and potential vulnerabilities that exist on devices. When different teams are responsible for their own IT assets, they may use different tools to gather information about what is in use, which can lead to inconsistencies in the data captured.
Defining the price of ITAM
Oscar Wilde wrote in the play Lady Windermere's Fan that a cynic is “… a man who knows the price of everything, but the value of nothing.” For IT teams, the big challenge around ITAM is that they don't have accurate information about the price and value of their IT assets.
However, this data can be used to show how IT could be managed better: for example, it offers important elements for more accurate financial planning and forecasts of which IT tools to purchase. The essential element therefore remains having an accurate list of assets and a constant process to verify that these assets are still necessary and in use in the company.
Conclusions
ITAM is critical to successfully managing IT resources over time. Without accurate data, it is impossible for IT teams to ensure the security, compliance and operational support that the rest of the business expects. ITAM approaches must keep pace with the rapid changes occurring across enterprise IT, providing real-time information on what problems exist. By working more efficiently and adopting a data-driven approach, ITAM teams can help their companies improve security and budget utilization by keeping tools up-to-date and using resources where they are needed. Like the Forth Bridge painters, we need to break out of the potentially infinite cycle of mechanically repeated behaviors to achieve better results.