A few years back, I was asked to build an asset management solution that would include all computers, servers, laptops, software, mobile devices, etc. It was to meet a regulatory compliance requirement. I was very happy to take up that project, because for me the compliance requirement was secondary. If we have a list of assets, then the solution would help me with the analysis of threats and vulnerabilities associated with each of them. I can configure the solution to send notifications, and it will also advise me when a vulnerability related to the operating system or software is released. It seems simple, but it was very challenging.
While preparing the project management plan, the challenge for me was to get information on the assets we have. We have more than sixty thousand employees located in different geographies, and we follow a traditional way of updating the internal inventory database. I had the option of doing a network scan, which would report the asset details, or generating a report from our ticketing tool, where we have the details of assets. I might need to work with the IT administrators to validate the data and to make sure that no assets are missing. Still not satisfied, I had a feeling that there were more assets missing.
When I went through the last 2 years of security data breaches, one common thing I found in some breaches was that a server or machine that was not properly managed was getting breached. Not properly managed: what does that mean? It means you are not applying patches/updates to the operating system, software, etc. With an open vulnerability exposed to the internet, it would be too easy for an attacker to exploit. Here comes the importance of asset management. Still, the majority of organizations do not know the total assets they have. They typically do a network scan to discover the assets. I have seen a lot of cases where many of the devices are not properly reporting to a scanner. It is not only about discovering an asset and properly patching it; we need to find who has access to which physical and electronic assets within the organization. Now, due to BYOD (Bring Your Own Device) policies, we need to consider not only laptops, servers, computers and software but iPads and mobile devices as well.
Not sure many of you will agree with me, but practically, asset management is one of the challenging areas in information security without an asset management solution. In simple form, we can say that it is all about tracking: What do you have? Where is it? Who owns and maintains it? And how important is it to the organization? The bigger the organization, the more complex the task. In the past, I have seen that most organizations have a database or an Excel sheet with a list of serial numbers and associated devices. This will not work anymore, and it is important that we look at an asset management solution.
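As an added example (not part of the original post, and not any product's code), the sketch below reconciles the three sources mentioned above, an inventory database, a network scan and a ticketing-tool export, to surface assets that are unmanaged, not reporting to the scanner, or missing an owner or criticality rating. It assumes every source can supply a serial number; all field names and records are constructed for illustration.

```python
# Added example: field names and all records below are constructed sample data.
from collections import defaultdict

def norm(serial):
    """Normalize a serial number so the same device matches across sources."""
    return serial.strip().upper().replace("-", "")

def reconcile(inventory, scan, tickets):
    """Merge three sources keyed on serial; return per-finding lists of serials."""
    seen = defaultdict(dict)  # serial -> {source_name: record}
    for name, rows in (("inventory", inventory), ("scan", scan), ("tickets", tickets)):
        for row in rows:
            seen[norm(row["serial"])][name] = row
    findings = {"unmanaged": [], "not_scanned": [], "no_owner": [], "no_criticality": []}
    for serial, src in sorted(seen.items()):
        inv = src.get("inventory")
        if inv is None:
            # Known to the scanner or ticketing tool, absent from the inventory database.
            findings["unmanaged"].append(serial)
            continue
        if "scan" not in src:
            # Recorded in inventory but did not report to the scanner.
            findings["not_scanned"].append(serial)
        if not inv.get("owner"):
            findings["no_owner"].append(serial)        # "Who owns and maintains it?"
        if not inv.get("criticality"):
            findings["no_criticality"].append(serial)  # "How important is it?"
    return findings

INVENTORY = [
    {"serial": "ab-1001", "owner": "finance-it", "criticality": "high", "site": "HQ"},
    {"serial": "AB1002", "owner": "", "criticality": "low", "site": "Branch-2"},
    {"serial": "AB1003", "owner": "hr-it", "criticality": "", "site": "HQ"},
]
SCAN = [
    {"serial": "AB1001", "ip": "10.0.0.11"},
    {"serial": "AB1003", "ip": "10.0.0.13"},
    {"serial": "zz-9001", "ip": "10.0.0.77"},
]
TICKETS = [
    {"serial": " ab1002 ", "ticket": "T-1"},
    {"serial": "YY5005", "ticket": "T-2"},
]

if __name__ == "__main__":
    for finding, serials in reconcile(INVENTORY, SCAN, TICKETS).items():
        print(f"{finding}: {serials}")
```

The "unmanaged" list is the one to chase first: those devices exist on the network or in tickets but nobody is accountable for patching them.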
Another important factor you have to consider is software license compliance. If you want to see the software applications installed on client computers, how easy is that if we go the traditional way? At one of the organizations I was associated with earlier, I saw a software audit initiated by a vendor, and they detected a lot of unlicensed software, which resulted in paying a heavy penalty. I was not sure whether that was intentional or unintentional, but if you have a good asset management solution, you would be able to solve all these problems. It is not only about renewing licenses: we can reduce wasted resources by identifying and removing underutilized software, or we can redeploy those unused software licenses to other resources. We will also be able to track entitlements so that unauthorized software can be flagged for removal or for renewing the license.
For me it is not only about audits. Asset management is one of the key areas where I can address compliance risks and also help my organization save money, energy and time. I would be able to have better visibility into asset usage; I can better govern assets, can ensure software compliance, and can easily prepare for audits with the help of automated reports.