Messy IT Asset Management: Unorganized Closet or Fire Starter?

Jacob Armijo
DayBlink Consulting
6 min read · Dec 14, 2022

IT Asset Management is often the un-owned, unwanted, and un-optimized major initiative that large technology (and especially non-tech) organizations continue to struggle with — especially in a modern ecosystem of hybrid infrastructure, legacy systems, microservices, and DevOps teams.

Most large organizations would be hard-pressed to score high on an asset management maturity rating, but is this simply a commonly ignored housekeeping exercise or is it a harbinger of doom based on the “you can’t protect what you don’t know” ideology?

This paper aims to present common pitfalls with attempting to build Asset Management at Scale while attempting to identify practical solutions that IT and Cybersecurity teams can begin to employ in order to create a solution that is sustainable and useful.

An Asset is not an Asset is not an Asset is not…

Physical and virtual hybrid infrastructure (especially among large technology companies supporting global applications, services, and products) is more table stakes than ground-breaking at this point. IT support teams manage both physical data centers with racks of servers and network gear and sprawling virtual ecosystems where compute and storage are spun up and down constantly. The key question becomes: how do you even begin to scale asset management when you’re managing inherently different resources (without even beginning to consider containerization)? At least 3 large obstacles exist:

  • Efficiently (and quickly) normalizing taxonomy and ontology, i.e. how do we deal with hardware identification (serial numbers) and virtual identification (account numbers) in the same data table and treat them as the same identifier?
  • In the physical world, shadow IT was less of an issue (it’s hard to hide racks of servers and cables!). In the virtual world, employees and engineers can spin up compute and storage services in a matter of minutes and applications are more decentralized than ever. How do we handle (or even know about) enterprise IT infrastructure and assets that may be both temporary and unmanaged?
  • Servers aside (physical or virtual) — how do we deal with network gear? What about employee workstations and mobile devices? Does the company have IoT technology? Are we only tracking IT resources or do we need to move up the stack and track applications and software as well? Are those also assets?
Figure 1. Sources of IT Asset Information
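
One way to approach the first two obstacles, as an added example that is not from the original article: serial numbers and account-scoped resource IDs are mapped onto one composite key, and the registered inventory is compared with what discovery actually sees. The field names, the normalization rules, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class AssetKey:
    kind: str        # "physical" or "cloud"
    namespace: str   # hardware vendor, or cloud account number
    native_id: str   # serial number, or resource ID within the account

def normalize(record: dict) -> AssetKey:
    """Map a source-specific record onto the shared key (assumed field names)."""
    if "serial" in record:
        return AssetKey("physical", record["vendor"].strip().lower(),
                        record["serial"].strip().upper())
    if "account" in record:
        return AssetKey("cloud", record["account"].strip(),
                        record["resource_id"].strip().lower())
    raise ValueError(f"unrecognized asset record: {record!r}")

def reconcile(inventory: list, discovered: list) -> dict:
    """Compare the registered inventory with what discovery reports."""
    known = {normalize(r) for r in inventory}
    seen = {normalize(r) for r in discovered}
    return {
        "unmanaged": sorted(seen - known),  # running, but nobody registered it
        "stale": sorted(known - seen),      # registered, but no longer observed
    }

# Constructed sample data: one rack server and two cloud instances on record.
INVENTORY = [
    {"vendor": "Dell", "serial": "abc1234 ", "owner": "dc-ops"},
    {"account": "111122223333", "resource_id": "i-0AAA", "owner": "payments"},
    {"account": "111122223333", "resource_id": "i-0bbb", "owner": "payments"},
]
# Constructed discovery output: the last record sits in an account that the
# inventory has never heard of.
DISCOVERED = [
    {"vendor": "dell", "serial": "ABC1234"},
    {"account": "111122223333", "resource_id": "i-0aaa"},
    {"account": "444455556666", "resource_id": "i-0ccc"},
]

if __name__ == "__main__":
    for bucket, keys in reconcile(INVENTORY, DISCOVERED).items():
        for key in keys:
            print(bucket, key)
```

The "unmanaged" bucket is the shadow-IT signal from the second obstacle; the "stale" bucket shows inventory rows that temporary resources leave behind.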

This is why solving the problem of asset management can seem like a messy closet: it’s usually built up (and then compounded) over years, includes additions from acquisitions or transitions, and it’s all “stuff” you need, but don’t quite know where else to put. The question that CTO, CIO, and CISO teams need to solve is how to prioritize this among an ever-growing laundry list of large, messy, “unsolvable” problems before IT asset management transforms into a literal fire starter of security risks, issues, and incidents.

Should messy IT asset management move up the priority chain?

Program housekeeping often falls by the wayside in even the most mature technology organizations, so how should maturing IT asset management be slotted among all of the competing priorities, initiatives, projects, and routine operations? Some common pitfalls in kickstarting an enterprise asset management effort include:

  • Who owns IT asset management? It could be the CTO organization, which most often owns the infrastructure and networking. It could be the CIO organization, responsible for the data governance and metadata associated with these IT assets. Finally, it could be the CISO organization, one of the primary customers of an enterprise IT asset management program.
  • It’s a major initiative. Regardless of who owns the effort, enterprise-wide initiatives are hard to spin up without a well-defined scope, resourcing, and clear objectives — especially in this case where there are unknown unknowns. And IT asset ownership is typically spread throughout the organization. Change management and adoption efforts stack on top of the engineering challenges and become significant challenges in their own right.
  • It’s not a problem — until it’s a problem. This is where the concept of asset management as a fire starter comes into play. In good times, messy IT asset management may only be a hindrance to BAU, but in situations where security teams are under pressure to fix or remediate security issues in a matter of minutes and hours (e.g. Zero Day situations), an unknown and/or unorganized cabinet of IT resources can quickly turn security risks into security incidents.
Figure 2. Key Variables for Asset Management Solutions

Solving the IT asset management problem not only requires getting past these large initiative pitfalls, but also collecting and defining all of the key variables that an asset management solution requires. An asset management solution on its own is not useful if it cannot be used for traceability or to slice and dice the data for reporting.

A few considerations for getting started

If we accept that maturing IT asset management *should* actually be a key priority of the business rather than just routine housekeeping, then getting started is the next huge hurdle — even if there is no clear end in sight.

Identify crown jewels

Scaling any enterprise program, whether asset management, identity, vulnerability management, or any of the myriad others, can often feel like “boiling the ocean”. A technology organization with potentially hundreds of thousands of individual asset nodes could likely take months to years to identify everything. Locking down a subset of assets identified as the most important (crown jewels) not only offers a clear starting point, but allows project management teams to put points on the board early by fully cataloging and defining their most critical assets and pushing that data to key internal customers (e.g. Security, Service Management, Finance).

Figure 3. Example Outcomes based on Asset Type and Automation Levels

Agree on a strategic north star solution

One of the largest challenges with messy IT asset management is that it is usually made more complex by a variety of grassroots projects and solutions that have attempted to catalog and use assets and metadata for various ad hoc purposes. This decentralized model *can* be successful, but only if it is an agreed-upon model and doesn’t conflict with more top-down approaches. Aligning on one strategic solution for asset management helps reduce the duplicate work that teams often do to conduct individual asset management for their own use cases (see Ownership point above).

Figure 4. Potential IT Asset Management Solution Models

Treat as a real security risk

Asset management must be considered as more than just an unorganized mess — it can be a real issue for security teams trying to do mature vulnerability management, incident response, or even just data classification for compliance purposes. Ensuring that Security teams are not just external participants but are actually program sponsors and key stakeholders can help drive home the importance of a robust asset management and asset solution.

Lacking a mature solution can lead to missed security patches, increased time to recover and respond to incidents, and regulatory and compliance pains due to lack of documented asset and data classification — these are real issues for security teams and should not be “off the side of the desk” work efforts!

Conclusion

IT asset management should be viewed as a critical function for Technology & Information Security organizations as it is an underlying support function for key cybersecurity activities — yet, it is commonly ignored and kicked down the road. Generating leadership support for a major initiative is absolutely imperative as it will be required to get buy-in from key stakeholders across engineering, operations, cybersecurity, and data governance teams — all of whom store and use IT asset information. Organizations that are able to scope and prioritize an effort to mature their IT asset management capabilities are better positioned to avoid the potentially hazardous risk that comes with leaving it unorganized and unstructured.

For any questions or comments on the analysis above — please contact:

Jacob Armijo, CISM, Manager — jacob.armijo@dayblink.com

Michael Morgenstern, Partner michael.morgenstern@dayblink.com

Justin Whitaker, Partner — justin.whitaker@dayblink.com
