Several years ago, I worked with a large organization that wanted to re-evaluate their cell phone policies. They wanted to see if they could re-allocate some of their cell phone budget to another project. To accomplish this, they created four objectives.
- Identify who has a cell phone
- Identify who uses their cell phone
- Collect cell phones from those people who don’t use them
- Re-negotiate the cell phone contract with the service provider by reducing the number of cell phone accounts
To meet their objectives, we deployed IT asset discovery tools to collect the data from three separate sources: internal spreadsheets, the organization’s Active Directory database, and the cell phone provider’s account database.
- The spreadsheets contained a list of people who had a cell phone, the type of cell phone, and the associated phone number.
- Active Directory contained each person’s title, location, and the department where they worked.
- The cell phone provider’s database contained account numbers and phone numbers as well as the phone that was assigned to each number.
After the discovery was completed, the organization was surprised to learn the following information:
1. Most people who had a cell phone had more than one phone assigned to them.
Why did this happen?
- Their refresh cycle policies had no efficient process to confirm that older phones were returned to the organization. Many old phones were finally recovered from the employees’ desk drawers.
- The spreadsheet allowed only one phone and one number per entry, so most people were listed several times, with one phone per entry and the same phone number in each of those entries.
- A B2B connection/integration was not established with the service provider, which could have flagged the duplicate entries.
2. Several people were no longer with the organization; however, their cell phone accounts were still active. In fact, one person had been using his phone for six years after leaving the organization. Why? We wanted to know so we called his number. He said, “because it still works.”
Why did this happen?
- The organization is very large, and spreadsheets containing people authorized to have a cell phone were not integrated with Active Directory account information nor the HR database, which would have informed those managing the cell phones that a person’s account had been disabled.
When discovery documents IT asset information from different perspectives and data sources, IT asset managers can cross-reference that information to ensure it is up-to-date and accurate. It also gives asset managers the ability to add intelligence to the asset management database, which will be discussed in more detail in the next installment of this series.
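The cross-referencing described above can be sketched in a few lines of Python. This is an added example, not a tool used in the original engagement; the column names, account IDs and sample records are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names are assumptions, not a real export format.
SPREADSHEET = """employee,phone_model,phone_number
alice,Model A,555-0101
alice,Model B,555-0101
bob,Model A,555-0102
carol,Model C,555-0103
"""
DIRECTORY = """employee,department,enabled
alice,Finance,true
bob,Sales,false
"""
PROVIDER = """account,phone_number,status
ACCT-1,555-0101,active
ACCT-2,555-0102,active
ACCT-3,555-0103,active
ACCT-4,555-0199,active
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(spreadsheet, directory, provider):
    """Cross-reference the three sources and return the discrepancies."""
    phones = defaultdict(set)          # employee -> phone models on record
    owner = {}                         # phone number -> employee
    for r in rows(spreadsheet):
        phones[r["employee"]].add(r["phone_model"])
        owner[r["phone_number"]] = r["employee"]
    enabled = {r["employee"]: r["enabled"].lower() == "true" for r in rows(directory)}

    findings = {"multiple_phones": sorted(e for e, m in phones.items() if len(m) > 1),
                "inactive_owner": [], "untracked_line": []}
    for r in rows(provider):
        if r["status"] != "active":
            continue
        emp = owner.get(r["phone_number"])
        if emp is None:                      # billed line nobody tracks internally
            findings["untracked_line"].append(r["phone_number"])
        elif not enabled.get(emp, False):    # disabled or absent from the directory
            findings["inactive_owner"].append((emp, r["phone_number"]))
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(SPREADSHEET, DIRECTORY, PROVIDER).items():
        print(kind, items)
```

An active line whose owner is disabled or missing from the directory is the same condition that let a former employee keep a working phone for six years.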
Collecting IT asset information is the first component of a complete IT asset management solution. Discovery is how an organization can document IT assets that are on the network. Before a discovery process is implemented, it is important to have a strategy in place for collecting, storing, and monitoring IT assets. I recommend the following three steps when planning your discovery strategy:
1. Define IT assets that need to be discovered
Define IT assets that will be managed and added to the IT asset management database. Start by identifying assets that are typically assigned to the end-user such as PCs, laptops, mobile devices, and software. When modeling the asset management database, it is important to understand that assets assigned to end-users are at greater risk of being lost, stolen or misplaced. Network devices such as routers, switches, and printers will need to be documented, but will probably not require “monitoring” from the asset management database.
2. Identify IT assets that need to be monitored
Discovery is not the same for every IT asset. Some assets need to be re-discovered or updated every day (i.e., monitored) while others might only need to be updated after a change process (i.e., unmonitored).
Monitored assets will generally be the devices controlled by the end-user like a laptop or PC. These assets are usually at most risk for security attacks. Monitored devices generally need a service or client that runs on the device. A monitored device needs to be able to report changes quickly and automatically.
Servers and their associated applications should also be considered for monitoring; however, many organizations do not like adding agents to critical servers. At a minimum, IT asset managers need to have the ability to perform discovery in the datacenter for software. Be advised that agentless discovery solutions are available for the datacenter.
Remember, software is an asset and needs to be monitored for changes. If software is not monitored, the organization will be at risk with regard to its software licenses. Furthermore, documenting software assets can provide important information to the security team about older, outdated software and operating systems that might be vulnerable to cyber-attacks.
Unmonitored assets would typically be devices that support the network infrastructure such as network printers, routers, and switches. When these devices are changed, they should be changed using a “change process.” Make sure that change management processes include a task that will update the asset management database after the change has been completed to ensure IT asset information is up-to-date.
3. Choose asset discovery tools that meet the requirements
Discovery tools use several different strategies to collect asset information. Be sure to consider discovery tools that can document information provided by network directories or third-party databases.
Also, discovery tools that support a variety of discovery methods, such as ping sweeps or discovery through network management protocols like SNMP, will help ensure that every asset touching the network is documented. Finally, discovery tools should be able to access data from XML files, Excel files, delimited ASCII files, barcode scanners, and in some cases RFID scanners.
Discovery Services for the Data Center
Accurate discovery is critical for managing and calculating software license positions in the data center. To build effective license positions, discovery tools need to discover across multiple vendors such as IBM, Oracle, and Microsoft.
- All Hypervisors and servers in the cloud
Be sure to choose data center discovery tools that include the following:
- Ability to accurately interpret Hypervisor processor and core usage in all environments
- Ability to map servers from Cluster – Host – Hypervisor to create a full relationship view of the estate
- Ability to map dependencies of servers and services across all software
In the next installment of this series, I will discuss the importance of adding intelligence to your IT assets.