Working in IT means working with and managing assets of all kinds, including hardware, software, clouds, services, licenses, contracts, subscriptions, and pay-as-you-go consumption plans. To practice IT Asset Management (ITAM) properly, IT professionals must coordinate with upper management, stakeholders, users, finance and purchasing, and other key members of the organization.
ITAM records and monitors the organization’s assets to make them accessible, visible, and subject to functions, controls, policies, processes, and workflows across the organization. To some extent, ITAM is about understanding an organization’s inventory and the potential exposure to it. In fact, this is a key area in which security is not only an important concern but one upon which ITAM can shed considerable light.
How ITAM Plays into Security
A detailed inventory of hardware assets helps organizations zero in on potential (or actual) firmware vulnerabilities, and can guide them to updating, patching, or replacing vulnerable devices as circumstances dictate.
A detailed software inventory does likewise for updates, patches, and fixes that must be applied to address or remediate associated vulnerabilities. And for both hardware and software, ITAM can provide notice of impending end-of-life (EOL) conditions. This helps organizations remove and replace assets, or upgrade them, to avoid getting caught outside the support umbrella.
Understanding Asset Roles and Identities
Cybersecurity professionals often talk about role-based access control, usually abbreviated RBAC. RBAC essentially means associating access and privileges with job roles, then granting the associated access rights and account privileges accordingly.
It also means that administrative users typically work from a pair of accounts: one for ordinary logins and resource access, with the limited rights and permissions of a regular user, and one elevated account used to perform tasks that fall within the administrator job role. Most software and SaaS vendors charge a premium for higher role-based licensing, which can increase costs quickly.
The built-in discovery capability ITAM provides is key to seeing and understanding the security risks and exposures associated with assets in actual use, and to deactivating the accounts of employees and contractors who have left the company. This is how organizations can recognize which versions of software, SaaS accounts, and firmware are active, tie them to associated security risks, and apply appropriate patches, fixes, and updates, or (where necessary) workaround or mitigation strategies.
At the same time, ITAM can help organizations consolidate and simplify their software holdings, by making sure users run the most secure (and best patched and updated) software available to them.
ITAM is a key ingredient in every major cybersecurity framework. This includes the NIST Cybersecurity Framework (where asset management falls under the “Identify” function), the ISO 27001 Security Framework, the Cloud Security Alliance’s (CSA’s) Cloud Controls Matrix (CCM), the Control Objectives for Information and related Technology (COBIT) framework, and more. All of these frameworks insist that asset management is key to managing security threats and vulnerabilities in an organization. Simply put, that means: You must know what you have so you can protect it.
Increasingly, organizations are adding data and information assets to the items that ITAM discovers, tracks, and manages. This makes it easier for organizations to visualize and manage key data collections and repositories to keep them secure, private, and confidential (if called for).
ITAM tracking keeps up with where information assets are stored, where they move, who has accessed them, and what changes have been made. This creates valuable tie-ins to compliance regimes that cover identity data, personally identifiable information (PII), financial and health records and transactions, and other kinds of data subject to compliance rules, regulations, and audits.
ITAM can also help organizations keep up with compliance regimes such as the General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Unexpected Assets Can Cause Unplanned Issues
The practice of “shadow IT” refers to individuals or departments within an organization going off on their own and acquiring assets or services without IT’s knowledge or participation. ITAM discovery has a dramatic way of bringing this kind of off-the-books IT out of the shadows and into the light, where it can be properly tracked, licensed or contracted, and used above-board and legally. Even when business units are authorized to acquire their own IT assets, enterprise security still needs to be sure that the assets are compliant with policy standards.
Across-the-board discovery also helps organizations keep up with all the security risks they must cover (threats, vulnerabilities, and exposures). This improves the security team’s ability to understand what is potentially concerning or vulnerable, for faster—and more accurate—zero-day response. Zero-days are vulnerabilities that get exploited at the same time they become known, so organizations must be able to respond immediately to avoid damage or loss.
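The discovery-driven checks described in this section and in the earlier hardware/software inventory discussion (vulnerable versions, impending end-of-life, shadow IT), as an added example that is not part of the original post and not ServiceNow code: it reconciles a constructed discovery scan against a constructed authorized asset list and a vendor baseline. All host names, product names, versions, and dates are hypothetical.

```python
import re
from datetime import date

# Constructed sample data (hypothetical): what a discovery scan found,
# which hosts the authorized asset register knows about, and a per-product
# baseline of (minimum acceptable patched version, vendor end-of-life date).
DISCOVERED = [
    {"host": "fw-edge-01", "product": "edge-fw-os", "version": "6.48.6"},
    {"host": "web-03",     "product": "webproxy",   "version": "1.1.1k"},
    {"host": "sales-nas",  "product": "nas-fw",     "version": "2.0.1"},  # bought by a business unit
    {"host": "db-02",      "product": "dbms",       "version": "14.2"},
]
CMDB_HOSTS = {"fw-edge-01", "web-03", "db-02"}
BASELINE = {
    "edge-fw-os": ("6.49.0", date(2025, 12, 31)),
    "webproxy":   ("1.1.1u", date(2023, 9, 11)),
    "dbms":       ("14.2",   date(2026, 11, 12)),
}
EOL_WARNING_DAYS = 90


def parse_version(v):
    # Split "1.1.1k" into comparable parts: numeric runs as ints, letter
    # suffixes as strings, so "1.1.1k" < "1.1.1u" and "6.48.6" < "6.49.0".
    return tuple((int(t), "") if t.isdigit() else (0, t)
                 for t in re.findall(r"\d+|[a-zA-Z]+", v))


def assess(discovered, cmdb_hosts, baseline, today):
    """Return (host, finding) pairs a security team would want to review."""
    findings = []
    for asset in discovered:
        host, product, version = asset["host"], asset["product"], asset["version"]
        if host not in cmdb_hosts:
            findings.append((host, "shadow IT: discovered but not in the asset register"))
        if product not in baseline:
            findings.append((host, f"no patch/EOL baseline defined for {product}"))
            continue
        min_version, eol = baseline[product]
        if parse_version(version) < parse_version(min_version):
            findings.append((host, f"{product} {version} is below patched baseline {min_version}"))
        days_left = (eol - today).days
        if days_left <= 0:
            findings.append((host, f"{product} reached end-of-life on {eol.isoformat()}"))
        elif days_left <= EOL_WARNING_DAYS:
            findings.append((host, f"{product} reaches end-of-life in {days_left} days"))
    return findings


if __name__ == "__main__":
    for host, finding in assess(DISCOVERED, CMDB_HOSTS, BASELINE, date(2024, 1, 15)):
        print(f"{host}: {finding}")
```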
Solving Service Issues
ITAM also helps organizations provide and manage service delivery more effectively. Because service contracts and costs should be tied to assets under ITAM’s purview, ITAM can track them as part of the IT workflows it handles. This means that IT and purchasing staff can see all vendor contracts across the organization through a single view, and work together to negotiate the best possible deal for all parties involved.
It also lets security, IT, and support concentrate on assets that are actually in use and track support trends by asset area, which keeps the organization from paying for excess assets and support costs. The same goes for assets that are unwanted, out-of-date, or otherwise unnecessary (or perhaps even against company policy or acceptable use).
By providing an accurate, timely inventory of assets in need of management and security, ITAM also helps to boost security and control costs. The security team can focus on all the assets needed and used, and none of the assets that are unneeded, unwanted, or unused. With less to take care of and a more accurate focus on relevant threats and vulnerabilities, the security team can patch and update quickly, and provide more rapid responses to security incidents. It’s a win-win for security all the way around.
Get Secure Now
As you can see, proper ITAM is no longer optional for organizational security. To learn more about ITAM and security, and ITAM in general, download ServiceNow’s ebook: The Gorilla Guide to Elevating ITAM with Workflow. To learn more about digital workflows for IT in general, visit ServiceNow’s IT Workflows page.
Authored by Ed Tittel