Why Asset Management Is the Most Important Security Control
The first five controls in the CIS Top 20 identify two controls relating to asset management. Numbers one and two talk about managing hardware and software assets. The question comes up pretty frequently: Why would managing assets be the single most important thing a company can do to improve security? It seems counterintuitive, like perhaps antivirus software or strong passwords would be more important.
Well, first off, it's important to remember that this list is based on the experience and opinion of industry experts. That means it is opinion-based, so their conclusions might not be yours, but there is a strong case to be made for asset management being the most important security control you can implement at your workplace. To help explain this, I want to share an experience.
The Necessity of ITAM
When I was working as CISO for a financial services company, we were being interviewed by the FFIEC (think bank examiners). They started the discussion with a simple question: “Are you patching your servers and workstations?”
I was able to answer that with a single word: “Yes.”
Their next question took several hours to fully answer. They asked, “How do you know?”
The meaning and depth of that question dawned on me over the next few hours, and prompted even more questions:
- How do I know that I am patching all the servers and workstations?
- How do I know I haven’t missed any laptops that move around?
- How do I know that I am patching all the software products on these systems?
- How do I know I’m capturing the virtual systems that are coming up and going down several times during the week?
- How am I capturing software and hardware assets in the cloud?
In order to answer these questions, I needed an accurate inventory of my software and hardware assets. Not only that, but because these assets move, change, and get deleted frequently, I needed to have a process for collecting new information in the environment. Long gone are the days when I could ask purchasing for a list of servers, workstations, and software products in order to track my inventory.
Components of Effective ITAM
Effective asset management today requires multiple components.
The first is a discovery process. Discovery is the act of collecting new software and hardware in your environment in real-time. This requires you to be actively monitoring the environment for the addition of new assets through a variety of techniques, from network to business application intelligence. Several asset discovery modules perform a ping scan to discover new assets.
While this is a good step, in today’s network, this will often not yield the true asset inventory by itself. Many servers and workstation configurations do not respond to ping, so if that is the only way your asset management system is discovering new systems, it might not be adequate or accurate. Modern network-based asset discovery includes multiple active and passive scan and discovery modules including ping, tcp syn scans, arp, dhcp, wifi and other techniques that will hep discover the most bashful systems on your network.
After discovery comes inventory. This can be more challenging than it seems at first. Systems move around or they might change network configuration, software is added and removed, and management responsibility changes. All this needs to be accounted for, and the change process needs to be as automated as possible. Managing a dynamic software, hardware, and virtualized asset inventory requires automation, a great storage design and workflow that maps to your organization’s requirements. Without these components, the best asset inventory in the world will quickly become stagnant and useless.
Managing Software Assets
Managing software assets can be even more challenging than managing hardware assets. Long gone are the days when your company ran exclusively on Microsoft operating systems and applications.
Most environments are a hodge-podge of operating systems from Microsoft, Apple and various flavors of Linux, with applications from dozens of vendors, open source, and a huge variety of license configurations. Licenses might be managed by several different groups and departments, as well as some being centrally managed. Legacy systems might have older software that cannot be upgraded. Some software is free, so there is no financial record of it. You need a way to coral all these different licenses and automatically capture what new software appears on the endpoints, and accurately interpret the license terms so you know if the company is in or out of compliance.
How Ivanti Can Help
If this all sounds like a daunting task, that’s because it is! It is also the linchpin of all other security components in your environment. You cannot know about the effectiveness of patching, log management, risk management, antivirus, license violations and physical theft without these inventories. Fortunately, Ivanti offers software that takes on these very tall hurdles.
At Ivanti, the powerful combination of Ivanti Service Manager (ISM), Asset Manager, and Ivanti License Optimizer (ILO) can put a very effective process around the exercise of inventory, discovery, storage, management and workflow of your hardware and software assets. Talk to a sales professional today about how Ivanti can help make short work of the most important component of your security framework!