Is Asset Management the Weak Link In Your Cyber Program?

A chain is only as strong as its weakest link, and all too often seemingly effective cybersecurity programs suffer from a fatal flaw: ineffective IT asset management (ITAM) practices.

You simply cannot protect the assets you do not know about.

In IT speak, an asset is data, people, process, or technology, all of which represent an investment by the organization. Assets like hardware have intrinsic value and others have operational value – some assets have both.

In addition to being value-laden business enablers, assets are under constant threat to their confidentiality, integrity and availability. The degree of threat depends on each asset's individual risk profile, which must be periodically evaluated.

Every organization must determine the number, type and complexity of assets required for their specific business operations. Once they’ve done so, those assets must be managed effectively and proactively from cradle to grave. This is sometimes referred to as positive asset management.

Positive asset management is . . .
. . . knowing and documenting where your assets are – today.
. . . knowing and documenting who is authorized to use each asset and denying all others.
. . . not limited by the lack of a special-purpose, technical asset management platform.
. . . knowing what level of risk to assign to each asset based on criticality and sensitivity and ensuring it’s protected accordingly.
. . . an enabler to organizational planning and budgeting.

Positive asset management is not . . .
. . . guesswork and supposition.
. . . scanning your network periodically to create a new asset list.
. . . the exclusive realm of your Finance department’s ERP depreciation tracking module.
. . . delegating accountability for the asset to the last known recipient.

ITAM practices often fall prey to “perfect is the enemy of good,” as organizations believe a dedicated asset management solution is required and blame insufficient budgets rather than neglectful practices. While a dedicated ITAM platform would be helpful, it’s not necessary. Existing endpoint management solutions, including anti-malware and IT service management (ITSM) platforms, often have basic asset tracking capability that can serve as the core or baseline for effective practices.

Instead of waiting for a budget windfall, and depending on the organization’s size, you can use simple tools like Excel for asset tracking and pair them with a well-documented ITAM procedure. Use every technician-to-end-user touchpoint as an opportunity to update the inventory list. If an asset hasn’t been seen in a set number of days, ask a technician to investigate.

Asset tracking should include at least the following fields:
-Date Placed in Service
-Asset Name
-Device Type
-Serial Number
-Operating System
-Primary or Authorized Users
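
As an added illustration (not part of the original post), the Python sketch below checks a spreadsheet exported to CSV against the fields above and the "not seen in a set number of days" rule. It goes one step further by comparing the list with serial numbers reported by an existing endpoint tool. The "Last Seen" column, the 30-day window, the function name and all sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import date, timedelta

# Fields the article lists as the minimum for asset tracking.
REQUIRED = ["Date Placed in Service", "Asset Name", "Device Type",
            "Serial Number", "Operating System", "Primary or Authorized Users"]

# Constructed sample: an inventory sheet saved as CSV. "Last Seen" is an
# assumed extra column, updated at each technician-to-end-user touchpoint.
SAMPLE_INVENTORY = """\
Date Placed in Service,Asset Name,Device Type,Serial Number,Operating System,Primary or Authorized Users,Last Seen
2022-03-14,FIN-LT-01,Laptop,SN1001,Windows 11,a.lee,2024-05-28
2021-09-01,HR-LT-07,Laptop,SN1002,Windows 10,,2024-05-30
2020-01-20,WH-PC-03,Desktop,SN1003,Windows 10,j.ortiz;m.chan,2024-01-15
"""

# Constructed sample: serial numbers reported by an existing endpoint tool.
SAMPLE_OBSERVED = {"SN1001", "SN1002", "SN9999"}


def review_inventory(csv_text, observed_serials, today, max_age_days=30):
    """Return findings a technician should follow up on."""
    findings = {"incomplete": [], "stale": [], "untracked": []}
    known = set()
    cutoff = today - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get("Serial Number") or "").strip()
        known.add(serial)
        label = serial or (row.get("Asset Name") or "").strip() or "<unnamed row>"
        # A record with a blank required field (e.g. no authorized user).
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            findings["incomplete"].append((label, missing))
        # Not seen within the window, or never recorded as seen: investigate.
        try:
            stale = date.fromisoformat((row.get("Last Seen") or "").strip()) < cutoff
        except ValueError:
            stale = True
        if stale:
            findings["stale"].append(label)
    # Devices the endpoint tool reports that the inventory does not list.
    findings["untracked"] = sorted(set(observed_serials) - known)
    return findings


if __name__ == "__main__":
    print(review_inventory(SAMPLE_INVENTORY, SAMPLE_OBSERVED, date(2024, 6, 1)))
```

The "untracked" result is meant to feed corrections back into the maintained inventory, not to replace it with a fresh scan-derived list.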

One especially tricky asset class is ephemeral assets, which are created and destroyed as they are needed. Ephemeral assets may exist for seconds, minutes, hours or days and often include microservices, containers and virtual machines in on-premises or cloud environments. The obligation to manage an asset is not proportional to its lifespan, but I often hear this invoked when referring to ephemeral assets. These assets should be managed like any other asset: record their creation and who created them, apply hardening measures such as anti-malware and patching, keep a record of authorized users, and securely destroy them when they are no longer needed.

Asset management is a foundational component of an effective cybersecurity program. Organizations that lack sufficient ITAM will find themselves more vulnerable to threats, ill-prepared if a cyber incident should occur, failing to achieve availability targets due to outages from aging equipment, or overspending on asset replacement.

To learn more about effective asset management practices for your cybersecurity program, please contact me.
