IT asset management might not be the most scintillating topic of discussion, but it continues to be a critical one. Industry observers say that with the exploding number of on-premises and cloud-based assets, along with internet of things (IoT) devices and digital transformation, CISOs should keep a holistic view of their business assets top of mind for 2020.
Too often asset management programs are ignoring the fact that more and more capabilities and services are outside of IT’s control. “The biggest trend is an IT asset management program needs to be an all-encompassing program and include business-led technology,” says John Watts, senior director, analyst, at Gartner. “They can’t just focus on the IT assets anymore; it’s not comprehensive enough.”
Collaboration among ITAM and security teams
But this might be easier said than done. IT security professionals and IT asset managers tend to operate in silos when it comes to the toolsets they use, and they need to join forces because there is overlapping functionality, says Matt Corsi, senior research director at Gartner.
Typically, security teams are buying their own tools to understand what is in the IT environment since they need information in real time, while asset managers need a more comprehensive view for lifecycle management and to ensure compliance with licensing terms, Corsi says.
Watts says Gartner sees gaps and overlaps in network access control tools, some of which integrate with IT service management (ITSM) tools, “and they provide a bidirectional integration so you can take assets discovered and put them in a CMDB (configuration management database),” he says.
“I think there’s opportunities for both of these teams to collaborate more and I think it would increase the success of both,” says Corsi.
Watts agrees, saying “There’s a lot of synergy that needs to [happen] between the asset management and security teams, and we think there should be a more aligned process there, especially because the growth of digital business is driving the diversity of assets.”
For example, operational technologies used on the manufacturing floor tend to be owned by business units and are outside of IT’s control, Watts says. Yet, “they’re often vulnerable and need special consideration, and IT has a special interest in seeing those devices — where they are and where they can be isolated and secured from a breach,” he says.
The only way to do that and keep them from infecting other devices is to know where on the network they are so that security officials can set up network security controls, Watts says. “They are not part of the IT asset inventory and not part of IT’s scope, but a security team absolutely needs to know where they are.”
The onus is not just on asset management teams. Security teams are just as guilty of creating their own repositories of all the devices they use, “and they’ll say, ‘Since we’re security, we can’t share our data with anybody and have to go it on our own,’” observes Charles Betz, a principal analyst at Forrester Research.
“We are seeing a definite trend toward the chief information security officer realizing that standalone security siloed data management is ineffective,” Betz says, “and that the way you get to accuracy is through common enterprise shared data.”
The same basic scanning of the environment is needed for a variety of operational purposes and it is senseless to allow security to run separate scans, he maintains.
Security teams need to cooperate with asset and configuration management teams, while insisting on things like “yellow taping” and data segregation, which is a reasonable requirement, Betz says.
“Both sides, both security professionals and traditional asset management professionals, need to have … a commitment to data governance and data quality,” he says.
Cloud complications
Another issue complicating IT asset management is the fact that so many organizations are moving core applications and workloads into the public cloud, observes Dave Gruber, a senior analyst at ESG Research. This is a major disruption to the traditional ITAM function, he says.
“When you think about asset management you think about pure hardware and software, but in the public cloud world there’s a whole other array of workload asset management, which includes things like containers, virtual machines, APIs and serverless,” he says.
IT cares about those inventories because if they’re not careful about what they’re running they can’t manage the cost of their cloud infrastructure well, Gruber says.
Additionally, there is a “ton of BYOD use and an IoT explosion happening that changes the asset management landscape in a big way for asset management guys and security guys,” he says. “Existing, traditional asset management tools weren’t built to track those workloads.”
That means IT security teams need to purchase more tools that are designed to find rogue assets, which has caused a proliferation of additional tools to track all these different things, Gruber says.
If you are the chief risk officer for your organization and have been tasked with assessing the comprehensive risk associated with all the devices and assets in your IT infrastructure, it becomes a big struggle, he says.
Gruber concurs with the others that silos exist between asset management and security teams. “So there’s definitely an opportunity here for some new technology to bring all this together and certainly, companies are out there working on … a more integrated view” in a single platform.
“The big driver for this is security. You can’t secure what you can’t see,” he adds. But it also takes a lot of time to pull disparate inventories together and this leaves gaps “so there’s unsecured assets out there,” he says. Couple that with the fact that new devices are being added to the network all the time, so the gap is continuous.
Investments in ITAM
Understanding ITAM and its implications, both on premises and in the cloud, can be daunting. Understanding what assets a company has, where the assets are located, how the assets are connected to the spider web of connections that make up a corporate infrastructure, and what it all means is a massive undertaking.
According to the National Institute of Standards and Technology (NIST), “An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.”
Making it all happen, however, is the secret sauce of ITAM frameworks, applications, and how companies implement the technology.
When Watts looks at an organization’s IT structure, the ITAM organization “seems to be underinvested” and in some cases, “it may not even exist. But the info security organization? That’s the first to always get funding,” he says. “It’s very easy for them to get resources they need.”
That is not to say they are not doing a good job, Watts adds, but there is a discipline to what ITAM professionals do and greater awareness is required to increase investment in the asset management side of the house, he says.
Corsi says he thinks the C-suite is looking to the CISO to explain what the drivers are for continuing to invest in ITAM.
Gruber says ESG’s most recent data indicated that people plan to increase investments in asset management in the next 12 to 24 months. Funding is “definitely going up … because people realize this is an important problem to solve” in light of all that is being moved to the public cloud.
Betz also concurs that investments in ITAM are up. “People are starting to realize we can’t not understand this stuff. We’re absolutely under regulatory and due diligence obligation to understand” ITAM, he says.
ITAM outlook for 2020
Don’t expect the complexity of ITAM to lessen anytime soon, industry experts say; in fact, it will become more complex moving forward because of industry trends around cloud and IoT, among other areas.
“Therefore, we need to stop thinking about asset management as an individual, or device or workload-specific task and think about it more holistically and look for solutions that take a holistic approach to asset management that can serve the needs of both asset management and security teams together,” says Gruber.
There are various providers that offer these capabilities, he says. “So you’re going to want to look for solutions that were designed for this rather than those that were retrofitted for this and architected to take a broad view of assets with both security and IT in mind.”
While everyone will say that they have defined their processes, Betz advises them to think about redefining them. “Consolidate scanning, consolidate repositories and aggressively manage data quality,” he says.