
Cyber Security is Still Missing IT Asset Management

The attack surface proves to be unmanageable without ITAM

A treasure trove of information for IT cyber security and asset managers can be found in the “Trend Micro 2022 Midyear Cybersecurity Report”. Excerpts from this report appear below as quoted lines.



The Attack Surface is Porous

According to NIST, the attack surface is defined as “The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”


“73% of IT security decision makers are concerned about the digital attack surface”

“43% argue that the attack surface is spiraling out of control”

“37% describe the attack surface as constantly evolving and messy”


What is the attack surface, and how can we manage it? The attack surface should reflect the IT asset inventory. An inventory includes corporate-owned, employee-owned, and vendor-owned assets. The challenge is keeping that inventory accurate. The solution is monitoring the changes made to the assets in near real-time. At the foundation is IMACD, or Install, Move, Add, Change, and Dispose. But IMACD efficiency depends upon upstream processes, policies, and standards. 


Critical upstream processes include acquisition, receiving, and acceptance. IT standards drive the acquisition process. Policy requires that all corporate-owned assets be acquired through this process.


Corporate-owned, employee-owned, and vendor-owned assets must also adhere to the receiving and acceptance processes. A standard for prohibited assets is applied to employee-owned and vendor-owned assets. The asset appears in the IT asset inventory upon acceptance. Once again, policy requires all assets to follow the receiving and acceptance process.


The acquisition, receiving, and acceptance processes should be designed around the information they capture, not around centralization at a single location. For example, you most likely do not want to demand that all assets be received in one physical location only to be shipped to another country.


Furthermore, each of these processes is backed by policy. Any asset that does not follow these policies is considered a rogue asset and is reported to executive management.


At the back end of IMACD is Disposal. Disposal is not just a hardware asset process. Any asset type can be disposed of, and many organizations have effective disposal processes for corporate-owned hardware assets. Organizations fail to formally dispose of software assets, cloud services, and employee-owned and vendor-owned assets. Policy dictates that all assets that are retired or leave the organization permanently must follow the Disposal process.


Policies must be easy to understand and communicated frequently. Executive management must support these policies. Exceptions to the policy must be few and far between. However, in the real world, you have executives, doctors, scientists, and other specialized professionals who may feel they are exempt from these policies. It is best to monitor their assets frequently through automation tools and physical inventory.
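As an added illustration (not code from the article or from ITAM IQ), this is the reconciliation a near-real-time IMACD monitor performs against the authoritative inventory: anything discovered that never passed acceptance is a rogue asset, anything marked disposed but still observed is a Disposal failure, and anything accepted but unobserved is a visibility gap. The inventory, the discovery feed and all asset ids are constructed sample data.

```python
from datetime import date

# Constructed authoritative ITAM inventory: only assets that passed receiving and
# acceptance are here, each with its owner class and IMACD state.
INVENTORY = {
    "lap-0417":     {"owner": "corporate", "state": "active"},
    "lap-0099":     {"owner": "corporate", "state": "disposed"},
    "byod-7a21":    {"owner": "employee",  "state": "active"},
    "vnd-sensor-3": {"owner": "vendor",    "state": "active"},
    "saas-crm":     {"owner": "corporate", "state": "active"},
}

# Constructed discovery feed (what endpoint agents, NAC/DHCP logs and cloud APIs
# reported): asset id -> date last seen.
DISCOVERED = {
    "lap-0417":    date(2022, 9, 14),
    "lap-0099":    date(2022, 9, 13),   # retired asset still on the network
    "byod-7a21":   date(2022, 9, 14),
    "aws-i-0ab12": date(2022, 9, 14),   # never went through acceptance
}


def reconcile(inventory, discovered, as_of, stale_after_days=30):
    """Return the findings an IMACD monitor should escalate, grouped by type."""
    findings = {"rogue": [], "disposed_still_seen": [], "unobserved": []}
    # Pass 1: everything observed must exist in the inventory and not be disposed.
    for asset_id in discovered:
        rec = inventory.get(asset_id)
        if rec is None:
            findings["rogue"].append(asset_id)            # no acceptance record
        elif rec["state"] == "disposed":
            findings["disposed_still_seen"].append(asset_id)
    # Pass 2: every active inventory record must have been seen recently.
    for asset_id, rec in inventory.items():
        if rec["state"] != "active":
            continue
        last_seen = discovered.get(asset_id)
        if last_seen is None or (as_of - last_seen).days > stale_after_days:
            findings["unobserved"].append(asset_id)       # accepted but invisible
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for kind, ids in reconcile(INVENTORY, DISCOVERED, date(2022, 9, 14)).items():
        print(f"{kind}: {ids}")
```

The "unobserved" list is where cloud services and vendor devices tend to accumulate, which is the visibility gap the report's respondents describe.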




Beauty is in the Eye of the Beholder



“32% responded that they have the least insight into their end-user assets”

“Another 32% cited that they have limited visibility into the areas that are at risk”

“IT security decision-makers name cloud assets, networks, and end-user assets as the top three areas where they have the least security insights into”


An accurate inventory reflects the data captured before, during, and after an IT asset’s lifetime. It is perhaps easy to identify where data about an asset can be captured. What is more difficult is determining what to capture. Is the data of value? Is the data available to be captured now, or will it be in the future as the ITAM program matures? Is the data incomplete? Can we trust the data? Is the data’s trustworthiness based on the asset type or the tool gathering the data? If we are collecting data to be provided to someone in the organization, then we want the information based on the data to be accurate. But who is that someone? This article is focused on the cyber security audience. However, ITAM brings value across the organization. A significant failure would be to collect data for just one audience. Chances are substantial the data required by one audience is produced by another. IT asset data should not be viewed with blinders on. ITAM value is delivered to the “many” at a cost distributed to that “many.”




Cloud is Impairing Visibility


“For example, the cloud’s ability to swiftly deploy assets and services helps organizations be more efficient; however, it can also prevent them from having full visibility over deployed assets.”

“37% of the organizations also claimed to have the least insight into cloud assets”


You may be tempted to say this about the cloud asset type: same, but different. From a thousand feet, this might be true. But as you get closer to the ground, this assumption could not be further from the truth. Assets once managed by your IT department are now managed by a vendor. Cloud services can be adopted without the assistance of IT and cyber security. The services are cheap, easy to acquire, and easy to use. More complicated services, those used by the IT staff, are easy to acquire, install, use, and forget. Executives are distracted by the increasing cost of the cloud, and rightfully so, but at the expense of what? Cyber security, for one. Cloud Asset Management is the newest sub-discipline of ITAM and must be implemented to meet cyber security’s requirements.




Speed Limits?


“While containers can provide organizations an increase in the speed and efficiency of their development cycles, failure to implement proper security controls could result in compromise at various stages of the pipeline, from hijacked repositories to the exploitation of weaknesses in specific components of the container software.”

which has led to

“Misconfigured container software remains a significant issue for many organizations.”

“53% of the respondents detected a misconfiguration in their container and/or Kubernetes deployment.”


There was great emphasis placed on speed when I was a software engineer. The reasons were time-to-market, competitive advantage or closing the gap, and revenue. What was not clearly understood was the cost of speed. That cost could include the time to fix what was broken or re-design what was not designed well in the first place. Speed can be an illusion, which is what IT and cyber security are dealing with now. 


ITAM introduces speed bumps or, in process terms, gates that require criteria to be met before proceeding. These speed bumps do not have to be catastrophic to your project schedule. They are designed to introduce controls that both ITAM and cyber security benefit from, increasing security while reducing re-work.




Conclusion

Cyber security initiatives will continue to struggle and fail until organizations implement a complete ITAM program. Unfortunately, an ITAM program is not a short project. After all, the ITAM program has been neglected for years, and many bad habits need to be broken and replaced with a disciplined approach. While some may be betting on tools and AI to secure their data, the bad actors are also adopting tools and AI in response. You can’t secure what you don’t know you have.


“To know what you know and what you do not know, that is true knowledge.”

— Confucius

