Before I talk about how to increase cooperation between ITAM and Cybersecurity, let me quickly set the background.
What does Asset Management mean?
The term Asset Management has different meanings to different people. When I tell my friends I am in “Asset Management” they think I manage investment portfolios… Even within the IT world, it is too generic to be commonly understood. Therefore, we need to prefix it to give it precise meaning. IT Asset Management (ITAM) means we are talking about the discipline of tracking hardware, software, and subscriptions for the purpose of reducing contractual and financial risks related to IT assets. Cybersecurity Asset Management (CAM) means we are talking about tracking hardware, software, and subscriptions for the purpose of minimizing security risks related to IT assets.
As you can see, both disciplines are interested in tracking hardware, software, and subscriptions for the purpose of managing various aspects of risk. In addition, both teams need to “enrich” the inventory to gain additional insights before they can deliver the benefits their organization is expecting.
In smaller companies, individuals have multiple roles, so the same person is more likely to be managing both financial and security risks. But they are at the mercy of the tools they have selected, and are likely using multiple products. They simply don’t have the resources to minimize the number of tools they are using by building and maintaining custom integrations.
In larger organizations, the challenge is different. Each discipline has a team focused on a specific function. This naturally results in each team wanting their own tools, which increases the “management overhead”: agents and network scanners collecting largely the same information separately for each team.
Bringing Cybersecurity and IT Asset Management closer means using common tools to collect and enrich inventory information.
I am not proposing we should be using an ITAM tool to manage cybersecurity, or a CAM tool to do Software (SAM) or Hardware (HAM) Asset Management. But there are some obvious opportunities to share data without impacting your goals. By having a common source of data, IT management will be able to make better decisions, because financial and cybersecurity data can be correlated to build stronger business cases to support future activity. IT Operations teams will appreciate the reduction in the number of agents, or “management overhead”, especially in the datacenter. And each of your teams will be able to understand each other better as well.
Let’s dig into some details.
There are a few mechanisms that can be used to collect information about the hardware and software in your environment. These include passive network scanning, active scanning (i.e. “remote inventory”), agents and 3rd party integrations. Each method has its strengths and weaknesses. Whichever methods you choose, Cybersecurity and ITAM teams should be consuming data from the same data sources; otherwise the data they use for decision making will start to differ.
Many organizations have multiple tools for collecting inventory. Desktop Management teams use their tools (e.g. SCCM). Datacenter Management teams often use different tools (e.g. BigFix). Configuration Management teams import data from many 3rd party tools and often have their own tools to populate and maintain the CMDB (e.g. ServiceNow Discovery). Likewise, IT Asset Management teams have their own inventory tools (e.g. FlexNet Manager) and Cybersecurity teams use their tools (e.g. Qualys).
These tools will often require you to deploy agents, network scanners and other components to collect inventory. Enterprises often wish they could reduce the number of agents, but individual groups push back because they know their own toolsets and are afraid of losing key data they need to deliver results. If you eliminate SCCM, how will you deploy software? If you remove Qualys, how will you scan for vulnerabilities?
You will probably not reduce management agents to one, but you will be able to reduce the number of agents. In the example above, we will need to maintain SCCM and BigFix because we need to distribute/remove software and software updates. We will need Qualys because we need to scan for vulnerabilities. We may need FlexNet Manager to collect specialized inventory on some devices (but may be able to limit where that specialized agent is distributed). But we may be able to eliminate ServiceNow Discovery, because the CMDB can be populated by the other inventory sources. This only works if every remaining source reports a stable device identifier (serial number or hardware UUID) that lets you reconcile records for the same device across sources; hostnames alone are not reliable for this, since tools report them in different forms.
This means most systems will have two agents (a management agent plus the vulnerability scanner), rather than three or more.
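As an added example (not code from the original article or from any of the tools named above), the following Python script shows what feeding a CMDB from the remaining collectors looks like in practice: records from a desktop management agent, a datacenter management agent and a vulnerability scanner are keyed by serial number, merged into one record per device, and then checked for coverage gaps. The source names, field names and sample records are constructed for the example; the security-relevant output is the list of devices the scanner sees but no management agent does (unmanaged devices), and the devices a management agent sees but the scanner has never assessed.

```python
"""Reconcile device inventory from several collectors into one record per
device and report coverage gaps. Added example: the feed names, field names
and records below are constructed, not exports from a real tool."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample feeds. Hostnames deliberately differ in case between
# tools, which is why reconciliation keys on the serial number instead.
SCCM = [
    {"serial": "SN-0001", "hostname": "WS-ALICE", "last_seen": "2024-05-01T09:00:00Z", "os": "Windows 11 23H2"},
    {"serial": "SN-0002", "hostname": "WS-BOB", "last_seen": "2024-04-29T17:20:00Z", "os": "Windows 10 22H2"},
]
BIGFIX = [
    {"serial": "SN-1001", "hostname": "db-prod-01", "last_seen": "2024-05-01T10:05:00Z", "os": "RHEL 8.9"},
]
VULN_SCANNER = [
    {"serial": "SN-0001", "hostname": "ws-alice", "last_seen": "2024-05-01T08:30:00Z", "open_vulns": 3},
    {"serial": "SN-1001", "hostname": "db-prod-01", "last_seen": "2024-05-01T10:00:00Z", "open_vulns": 12},
    {"serial": "SN-2002", "hostname": "printer-3f", "last_seen": "2024-04-30T23:10:00Z", "open_vulns": 5},
]

# Feed names that mean "a management agent is installed" (assumed labels).
MANAGEMENT_SOURCES = {"sccm", "bigfix"}
SCANNER_SOURCE = "scanner"


@dataclass
class Device:
    serial: str
    hostname: str = ""
    os: str = ""
    open_vulns: int = 0
    last_seen: Optional[datetime] = None
    sources: Set[str] = field(default_factory=set)


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(feeds: Dict[str, List[dict]]) -> Dict[str, Device]:
    """Merge feeds ({feed_name: [record, ...]}) into one Device per serial.

    The hostname is taken from whichever feed saw the device most recently
    and lower-cased; OS (management agents) and open vulnerability count
    (scanner) are each reported by one kind of feed and copied as-is.
    """
    devices: Dict[str, Device] = {}
    for source, records in feeds.items():
        for rec in records:
            dev = devices.setdefault(rec["serial"], Device(serial=rec["serial"]))
            dev.sources.add(source)
            seen = _parse_ts(rec["last_seen"])
            if dev.last_seen is None or seen >= dev.last_seen:
                dev.last_seen = seen
                dev.hostname = rec.get("hostname", dev.hostname).lower()
            if "os" in rec:
                dev.os = rec["os"]
            if "open_vulns" in rec:
                dev.open_vulns = rec["open_vulns"]
    return devices


def coverage_gaps(devices: Dict[str, Device]) -> Tuple[List[str], List[str]]:
    """Return (unmanaged, unscanned) serials.

    unmanaged: seen by the vulnerability scanner but by no management agent,
               i.e. a device nobody can patch through the normal channel.
    unscanned: managed by an agent but never assessed by the scanner.
    """
    unmanaged = sorted(s for s, d in devices.items()
                       if SCANNER_SOURCE in d.sources and not (d.sources & MANAGEMENT_SOURCES))
    unscanned = sorted(s for s, d in devices.items()
                       if SCANNER_SOURCE not in d.sources and (d.sources & MANAGEMENT_SOURCES))
    return unmanaged, unscanned


if __name__ == "__main__":
    merged = reconcile({"sccm": SCCM, "bigfix": BIGFIX, SCANNER_SOURCE: VULN_SCANNER})
    for dev in merged.values():
        print(dev.serial, dev.hostname, dev.os or "-", dev.open_vulns, sorted(dev.sources))
    unmanaged, unscanned = coverage_gaps(merged)
    print("unmanaged (scanner only):", unmanaged)
    print("unscanned (agent only):", unscanned)
```

In a real deployment the two gap lists are the ones worth wiring into a ticket queue: an unmanaged device that the scanner reports vulnerabilities for has no agent to push a fix through, and an unscanned managed device has no vulnerability data at all.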
With that goal accomplished, we will have more consistent inventory of hardware and software. Since we are using common tools, and these tools often normalize raw results, consistency in device model and software title naming will help improve cross-team communications.
In addition to common naming, CAM and ITAM teams also need many of the same insights.
Asset Lifecycle information:
This information provides insights about serviceability of assets.
On the hardware side, ITAM will be concerned about their ability to get replacement units or parts, while CAM will focus on security updates (e.g. BIOS and firmware updates) and the ability to meet internal and external security standards (e.g. PCI or FedRAMP). Since this data cannot be discovered from the device itself and has to be sourced separately (e.g. from vendor lifecycle catalogs), having a common source of that data will facilitate a unified response to End-of-Life events and strengthen business cases for replacement of aging hardware.
Lifecycle information is even more important for installed software. On the ITAM side, SAM teams need to understand lifecycle as it will impact their ability to procure more licenses and obtain cost-efficient support agreements (many enterprise software publishers offer custom support agreements at a premium price). CAM needs to be aware of upcoming lifecycle dates because after End-of-Life the publisher stops issuing security patches, so newly discovered vulnerabilities in that software remain unpatched and are more likely to result in security incidents.
Categorization:
Categorization provides ITAM and CAM teams with additional useful information. Standardization helps both teams: ITAM can reduce purchase and maintenance costs, and CAM will be able to reduce the attack surface, since fewer distinct products need to be patched and monitored. Cybersecurity also needs to see a macro view of what software categories are in use, because some categories expose the organization to more risk (e.g. file sharing tools).
Let’s not forget the reduction in training costs and improvements in productivity that standardization provides to the entire organization. Enterprise Architecture is another team that will be interested in reviewing categorization information to ensure only authorized tools and categories are in use in the organization.
Unauthorized software:
Identifying unauthorized software is very important for Cybersecurity teams. Being able to identify it helps them quickly take action (remove/quarantine) on these applications, reducing security risks to the organization. This information is less critical for SAM teams, but tracking unauthorized software helps reduce financial compliance risk and overall costs, and increases license utilization. Enterprise Architecture will also benefit since it helps enforce standardization.
Ownership and usage:
Knowing who is responsible for, or is using, a specific application or device helps both teams get insights into the need for these assets and the appropriate remediation action. If you see a blacklisted application installed, knowing it is on a security analyst’s or the CIO’s machine will likely result in a different action than on an average user’s device. Having to update a database requires coordination with the application owner to ensure it is done during a maintenance window and does not impact existing business services.
Hardware Asset details:
Device details (CPU, memory, disk, etc.) provide ITAM with information for hardware and software asset management purposes. Changes in reported memory or disk may suggest theft, and CPU model and core count information is needed for accurate consumption tracking of core-based licenses. Cybersecurity is less focused on this information, but we have seen CPU-based vulnerabilities (Spectre and Meltdown, disclosed in January 2018), so Cybersecurity needs CPU model information to determine which microcode and firmware updates apply and to prepare for potential firmware-based attacks. In addition, this information may be required to maintain industry specific certifications.
Cybersecurity is very interested in tracking all devices. Attackers use a variety of methods, so knowing what non-computing devices (network devices, printers, IoT, etc.) are on the network, and what vulnerabilities they carry, is just as important as it is for servers and workstations. ITAM is often less concerned with non-computing devices, only needing to track what’s deployed and what’s in stock.
Software Asset details:
ITAM (specifically Software Asset Management, or SAM) is primarily interested in knowing the publisher, title, edition and major version, since software licensing typically stops at this level. ITAM will also need to understand what features of the software are installed/used (e.g. Oracle DB Options and Management Packs). Cybersecurity will need to know the detailed versions deployed (build numbers and patch levels), since vulnerabilities and their fixes are specific to patch levels.
What about subscriptions?
I purposely kept this area separate. While we are all using Cloud and SaaS, the management tools are still evolving. CAM and ITAM have slightly different interests in this area.
Both disciplines need accurate inventory and usage information. CAM is more likely to focus on configuration of Cloud Instances, to ensure external access is minimized and the environments are patched, while ITAM will focus on maximizing utilization of these subscriptions by rightsizing and shutting down unused instances. However, when integrating with Public Clouds, you usually have access to rich APIs and most tools in the market today already integrate using those APIs to get the data they need.
On the SaaS side, CAM and ITAM’s interests diverge a bit more. While both disciplines want to know what SaaS is used in the organization, ITAM focuses on ensuring subscriptions are highly utilized. CAM is focusing on the users of these subscriptions. Should they have access? What level of access should they have? What information are they allowed to view/edit/delete? Is the information shared with any other applications, or can it be downloaded? If SaaS products support download and installation of components on endpoints, then we need to make sure we track and scan those installations to reduce cybersecurity risks and potentially to validate subscription compliance.
CAM is likely to require the most data, but in today’s market CAM tends to focus on a few key SaaS applications to ensure in depth coverage, rather than tracking a wide range of SaaS products. The biggest area of common interest is User Information, which is typically collected through integrations with corporate directories, like Active Directory. You will likely need to use both ITAM and CAM to manage SaaS. I expect this to change in the next 2-3 years, at which point CAM tools will likely once again have an advantage over ITAM tools.
If we use common datasets, it will be easier to provide management with consistent information. There may be some differences at the normalized data level (if the raw inventory is fed into multiple dedicated systems) but those normalization differences will likely be small: both teams will be able to talk about “Microsoft” software related issues, regardless of whether the normalized publisher is “Microsoft”, “Microsoft Inc.” or some other variant of the name. The same applies to application titles. When looking at software versions, the cybersecurity team will need to know the specific patch level of a Microsoft SQL Server instance, while the ITAM team will simply need to know the edition and major version.
If the cybersecurity team determines that SQL Server 2012 (internal version 11.0) needs to be upgraded because of its End-of-Life status, the ITAM team will be able to easily check whether the organization has upgrade rights or whether a new version needs to be purchased. You will also be able to dig into additional details: who is responsible for managing (and upgrading) this database? Are there other database tools permitted for use in the organization? Are there any databases that are explicitly prohibited (blacklisted)? Those additional insights will help you not only respond better to current risks but may help you work together to minimize future risks.
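The following Python script is an added example, not code from the original article, showing how one raw inventory record can serve both views described above and in the Software Asset details section: the ITAM view (normalized publisher, product, edition, major version) and the CAM view (exact build), plus a lifecycle check against both. The publisher alias table, the sample records, the patched-build threshold and the lifecycle table are constructed for illustration; the one fact taken from the text is that SQL Server 2012 carries internal major version 11 (the other major-version-to-product entries are the well-known SQL Server internal numbers, and the End-of-Life dates should be verified against the publisher’s lifecycle page before use).

```python
"""Derive the ITAM and CAM views of installed software from the same raw
inventory records and check both against a lifecycle table. Added example;
alias table, sample records, threshold and lifecycle dates are constructed."""
import re
from datetime import date
from typing import Dict, List, Tuple

# Raw publisher strings as different collectors report them -> canonical name
# (constructed table; a real one is maintained by the inventory tool).
PUBLISHER_ALIASES = {
    "microsoft": "Microsoft", "microsoft inc.": "Microsoft",
    "microsoft corporation": "Microsoft", "oracle": "Oracle", "oracle corp": "Oracle",
}

# SQL Server internal major version -> marketing name (11 = 2012 per the text).
SQLSERVER_MAJOR_TO_PRODUCT = {11: "SQL Server 2012", 13: "SQL Server 2016", 15: "SQL Server 2019"}

# End of extended support per product. Assumed example data: verify against
# the publisher's lifecycle page before relying on it.
LIFECYCLE_EOL = {
    "SQL Server 2012": date(2022, 7, 12),
    "SQL Server 2016": date(2026, 7, 14),
    "SQL Server 2019": date(2030, 1, 8),
}

# Constructed raw records, as a collector might report them.
RAW_INVENTORY = [
    {"host": "db-prod-01", "publisher": "Microsoft Corporation",
     "name": "Microsoft SQL Server 2012 (64-bit) Enterprise Edition", "version": "11.0.7001.0"},
    {"host": "db-dev-02", "publisher": "Microsoft Inc.",
     "name": "Microsoft SQL Server 2019 Standard Edition", "version": "15.0.4312.2"},
]

Build = Tuple[int, int, int, int]


def normalize_publisher(raw: str) -> str:
    return PUBLISHER_ALIASES.get(raw.strip().lower(), raw.strip())


def parse_version(text: str) -> Build:
    """'11.0.7001.0' -> (11, 0, 7001, 0); shorter strings are zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])  # type: ignore[return-value]


def product_name(rec: dict, major: int) -> str:
    if "sql server" in rec["name"].lower():
        return SQLSERVER_MAJOR_TO_PRODUCT.get(major, f"SQL Server (major {major})")
    return rec["name"]


def itam_view(rec: dict) -> dict:
    """What SAM needs: publisher, product, edition, major version."""
    major = parse_version(rec["version"])[0]
    m = re.search(r"\b(Enterprise|Standard|Express|Developer)\b", rec["name"])
    return {"publisher": normalize_publisher(rec["publisher"]),
            "product": product_name(rec, major),
            "edition": m.group(1) if m else "unknown", "major": major}


def cam_view(rec: dict) -> dict:
    """What Cybersecurity needs: the exact build on a specific host."""
    return {"host": rec["host"], "publisher": normalize_publisher(rec["publisher"]),
            "build": parse_version(rec["version"])}


def build_at_or_above(build: Build, required: Build) -> bool:
    """True if the installed build meets a minimum patched build (tuple order)."""
    return build >= required


def lifecycle_status(product: str, today: date) -> str:
    eol = LIFECYCLE_EOL.get(product)
    if eol is None:
        return "unknown"
    if today >= eol:
        return "end-of-life"
    if (eol - today).days <= 365:
        return "eol-within-1y"
    return "supported"


def report(records: List[dict], today: date) -> List[Dict[str, object]]:
    rows = []
    for rec in records:
        itam = itam_view(rec)
        rows.append({"itam": itam, "cam": cam_view(rec),
                     "lifecycle": lifecycle_status(itam["product"], today)})
    return rows


if __name__ == "__main__":
    for row in report(RAW_INVENTORY, date.today()):
        print(row["cam"]["host"], row["itam"], row["cam"]["build"], row["lifecycle"])
```

The design point is that both views are derived from the same record, so when the cybersecurity team flags an End-of-Life instance by build, the ITAM row for that host already carries the publisher, edition and major version needed to check upgrade rights.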
Bringing CAM and ITAM closer together will help organizations minimize financial and cybersecurity risks, and it also brings additional benefits. These include a reduction of “management overhead” on all your devices, increased standardization, reduced risk of having unsupported software and hardware in your environment, and stronger business justification for getting replacement assets. Your overall IT costs are likely to be reduced, as are your security and compliance risks.