Asset management is the Forth Bridge of IT. Just as painting the bridge is a perpetual task, managing your software and hardware assets is not something you can do once a year and think you have it covered. An audit of your assets will be out of date as soon as it is completed.
That's if it is done at all. A November Mori poll found that while IT directors agree they need a clear picture of their IT assets to manage them effectively, more than a third said they were some way short of achieving that. Add in the tales of large companies finding rooms of servers they never knew they owned, and it is clear there is room for improvement.
But this picture is changing fast, as factors such as corporate governance have ratcheted asset management up the corporate agenda.
"Drivers pushing people to do this include compliance, risk management, managing and optimising IT costs and showing the linkage between IT assets and value contribution to the organisation as a whole," says Ian Macdonald, product marketing manager for asset management EMEA at Peregrine Systems.
From a security standpoint, it's obvious that if you don't know exactly what you own, you can't protect it. Without an audit, hardware, software and sensitive corporate data could be walking out of the door without your knowledge. You could unknowingly be running illegal or unlicensed software, leaving you vulnerable to viruses and spyware, let alone the possibility of prosecution for contravening licensing agreements.
Yet even in large businesses, asset management can still be overlooked. So why aren't companies doing more?
The simple reason is because it's damn hard. First, it's hard from a time and resources point of view. Fast-expanding small companies are too busy growing to set up rigorous processes, whereas for large firms the task seems as complex as the human genome, especially if mergers and acquisitions are thrown into the mix.
But it's also hard from an implementation and management perspective. Challenge number one is to find out exactly what you have on your network, so you can manage and protect it. That means collecting data on every device and every application, and every version of each application, on your network. This task is complicated further by mobile devices and users. You need to know which staff use laptops, PDAs and mobile phones.
"It's not just who has got what and where, but which operating system version and software is installed and which virus software is installed," says Macdonald.
"Once you have that information, you can be very specific about who is under threat, when, and be proactive about it."
The tools that automate this asset scanning process split into two main camps: an agent approach and a network approach, both of which have pros and cons. A network scan will automatically discover everything connected to your network at a precise moment, but that information will rapidly become out of date. Agents will proactively send updates when something changes on a particular device, but not all devices will have agents on them.
"I would argue that you need both approaches and you probably need a good patching system too," says Paul Simmonds, chief security officer (CSO) at speciality paint and chemicals giant ICI. "In a way, you have to do exactly what hackers do: scan systems for faults or weaknesses."
In a few years, Radio Frequency Identification (RFID) technology should make the scanning process much easier as products automatically transmit their current status. At the moment, the cost of deploying RFID is such that it only works for whole pallets of goods.
Simmonds warns that it's hard to find all your network discovery and scanning needs under one roof: "Vendors will tell you it's what you want because it's in their interests. The Holy Grail of marketing managers is to tell you they've got a really joined-up product suite. I've been told that for 15 years. I'm still waiting. What I actually want is products that communicate with open APIs and protocols."
He uses a range of tools, including Qualys, to give him the best data available. "You need to have tools that integrate. I need to have an AV tool (Symantec in our case) interrogated by Qualys and then compare results," he says.
And this information needs to be kept centrally. Blair Kantolinna, EMEA business manager at BMC, recommends that companies establish a configuration management database (CMDB), which has emerged from the IT Infrastructure Library (ITIL) standard for defining best practice for managing IT services. The CMDB will act as a central repository for all the asset data and make it available to other areas of the business, such as the help desk. Having a central database will ultimately make it much easier to maintain as well.
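The reconciliation described in the preceding paragraphs, pulling a point-in-time network scan, agent check-ins and an AV console export into one central inventory and flagging the gaps between them, can be shown in a few dozen lines. The following Python is an added example written for this page, not code from Qualys, Symantec, BMC or any other product mentioned here. All hostnames, IP addresses, timestamps and issue labels are constructed sample data, and the staleness thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed reference time for the example; a real run would use datetime.now().
NOW = datetime(2024, 1, 15, 9, 0)

# Point-in-time network discovery (constructed): complete for what was on the
# wire when the sweep ran, but it ages quickly and carries little device detail.
NETWORK_SCAN = [
    {"host": "ws-001", "ip": "10.0.1.10", "seen_at": "2024-01-15T08:30:00"},
    {"host": "ws-002", "ip": "10.0.1.11", "seen_at": "2024-01-15T08:30:00"},
    {"host": "ws-003", "ip": "10.0.1.12", "seen_at": "2024-01-15T08:30:00"},
    {"host": "srv-db1", "ip": "10.0.2.5", "seen_at": "2024-01-12T02:00:00"},  # old sweep
    {"host": "unknown-7f", "ip": "10.0.1.99", "seen_at": "2024-01-15T08:30:00"},  # no agent
]

# Agent check-ins (constructed): rich per-device detail, but only from devices
# that actually have an agent installed and have been able to call home.
AGENT_REPORTS = [
    {"host": "ws-001", "os": "Windows 10 22H2", "av": "Symantec", "reported_at": "2024-01-15T08:55:00"},
    {"host": "ws-002", "os": "Windows 10 21H2", "av": None, "reported_at": "2024-01-15T08:50:00"},
    {"host": "ws-003", "os": "Windows 10 22H2", "av": "Symantec", "reported_at": "2024-01-15T08:52:00"},
    {"host": "lt-017", "os": "Windows 11 23H2", "av": "Symantec", "reported_at": "2024-01-10T17:00:00"},  # laptop, off-site
]

# AV console export (constructed): the hosts the AV product itself believes it protects.
AV_CONSOLE = {"ws-001", "lt-017", "srv-db1"}


def _age(timestamp: str) -> timedelta:
    """Age of an ISO 8601 timestamp relative to NOW."""
    return NOW - datetime.fromisoformat(timestamp)


def build_inventory(network_scan, agent_reports, av_console, *,
                    scan_max_age=timedelta(hours=24),
                    agent_max_age=timedelta(hours=24)):
    """Merge the three sources into one dict keyed by hostname.

    Each entry records which sources saw the host and a list of issues:
      stale-scan      network record older than scan_max_age
      stale-agent     agent check-in older than agent_max_age
      no-agent        on the network but never reported by an agent
      not-on-network  agent reported it, but the last sweep did not see it
      no-av           no source claims the host has AV installed
      av-mismatch     agent and AV console disagree about AV on this host
    """
    inventory = {}
    for rec in network_scan:
        entry = inventory.setdefault(rec["host"], {"sources": set(), "issues": []})
        entry["sources"].add("network")
        entry["ip"] = rec["ip"]
        if _age(rec["seen_at"]) > scan_max_age:
            entry["issues"].append("stale-scan")
    for rec in agent_reports:
        entry = inventory.setdefault(rec["host"], {"sources": set(), "issues": []})
        entry["sources"].add("agent")
        entry["os"] = rec["os"]
        entry["av"] = rec["av"]
        if _age(rec["reported_at"]) > agent_max_age:
            entry["issues"].append("stale-agent")
    for host, entry in inventory.items():
        has_agent = "agent" in entry["sources"]
        if not has_agent:
            entry["issues"].append("no-agent")
        if "network" not in entry["sources"]:
            entry["issues"].append("not-on-network")
        console_says_av = host in av_console
        if has_agent:
            agent_says_av = entry.get("av") is not None
            if agent_says_av != console_says_av:
                entry["issues"].append("av-mismatch")
            elif not agent_says_av:
                entry["issues"].append("no-av")
        elif not console_says_av:
            entry["issues"].append("no-av")
    return inventory


def hosts_with_issue(inventory, issue):
    """Sorted list of hostnames carrying a given issue label."""
    return sorted(h for h, e in inventory.items() if issue in e["issues"])


if __name__ == "__main__":
    inv = build_inventory(NETWORK_SCAN, AGENT_REPORTS, AV_CONSOLE)
    for host in sorted(inv):
        print(f"{host:12} sources={sorted(inv[host]['sources'])} issues={inv[host]['issues']}")
```

The point of the three-way comparison is that each source is authoritative for something different: the network sweep answers "what is plugged in right now", the agent answers "what is on that device", and the AV console answers "what the AV product thinks it covers". A host that appears in only one of them, or on which two of them disagree, is exactly the record the help desk or security team needs surfaced from the CMDB rather than buried in three separate exports.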
But all this data is just a heaped mess of Alphabetti Spaghetti if you don't have the right policies and procedures in place or know what information you want from all this data.
"A fool with a tool is still a fool. You need to have good processes and procedures too," says Mark Nutt, divisional director at technology integrator Morse. Asset management is 80 per cent about the processes and 20 per cent about the technology.
The policy should set out staff usage guidelines, and establish which people have access to which applications and which versions of applications – or even set the policy for which devices or applications they are allowed to use. Standardisation is key. If a virus attacks a company, it makes the problem much harder to solve if different parts of the business use different processes to assess virus infections, even supposing there is an inventory of all the PCs and servers in the company. Likewise, a lack of procedures or control over company assets could delay the process for bringing the business back up, if disaster strikes.
You need to know who your users are, what they have access to, how they use the machine and who approves their assets. Once you have all that information, then you can set up guidelines for how often to scan your business systems – which will vary, depending on their criticality.
Establishing these procedures needs backing and input from senior management if it is to work. Without that backing, it could be hard to force through policy on software or hardware usage across the different silos of the business, which will be reluctant to change just because the IT department says so.
The security and asset policy also needs to be integrated with the business strategy. If policy-setting is left to the IT department, you will have an inventory of equipment, but will not know the business weighting for each device and application, or the relationships between them. If the finance department is left in charge, it will look at each asset from a net worth perspective. Both sets of information must be linked and mapped to the business needs.
Then, of course, you have to enforce the policy. "How quickly do your policies and procedures react? A lot of people will set up policies and procedures and then it will sit on the shelf," says Simmonds.
He points out that in the four years he has been at ICI, the mobile policy has been revised four times, and is about to change again. But ICI is unusual, even among the FTSE 100, in having a chief security officer to drive through all these changes.
Having a dynamic, living policy and an up-to-date inventory of systems means you can respond faster to situations.
"Security is all about managing your specific policies in a specific time-frame," says Dave Robbins, president and chief executive of security configuration management company BigFix. The faster that companies can patch their systems, the better.
"What we have found in most environments we go into is that if they can achieve more than 50 per cent patching, they consider that successful," he says.
While patching is unavoidable, prevention is better than cure. "Security is a lot more difficult to do bolt-on than built-in. So if you build it into the contract, you can build that into your SLA and then you are going a long way, because if SLAs are written by the business then it's institutionalised," says Simmonds.
Asset management needs to cover the whole lifecycle of a product, from requisition to retirement. With accurate information about a system, you can decide when maintenance costs outweigh a product's usefulness and it's time for it to be put out to grass. From a security perspective, it's also crucial to know what corporate data is stored on a decommissioned laptop or PC before it leaves the building.
In essence, asset management is like security as a whole. You can't lock down everything, but you need a pragmatic, sensible approach to risk. Concentrate on the important business-critical systems.
And each enterprise must work that out for itself. "Organisations want to get to a reasonable level of managing assets, but what one company might consider reasonable is different from another," concludes Nutt.