How IT Asset Management Ensures Security and Visibility Throughout the Asset Lifecycle

By fusing several processes, merging installation and modifications, and verifying the functioning of systems, ITAM ensures effective management of all IT assets. This article explains how a feature-rich ITAM platform ensures security throughout the asset lifecycle.

August 17, 2022

A physical asset management system can locate a computer, but knowing which operating systems laptops are running or which device is most at risk requires an effective IT asset management system. This article explains how data flows through an ITAM system and how ITAM enhances asset utilization and security in general.

Every IT asset has a lifecycle, starting with requirements definition and ending with final disposition. As an asset performs its daily duties, organizations are responsible for ensuring its safety and for maintaining a level of trust from a system’s beginning to its end.

Although some lifecycle segments are only performed a few times before retiring a system, daily management of that system, including changes, patching, and management, needs continuous attention. Integrated into traditional lifecycle stages, IT asset management (ITAM) provides guidelines for implementing policies, procedures, and technology for maintaining required system trust levels.

The IT Asset Lifecycle and the Role of ITAM

Before diving into ITAM, a good understanding of the entire asset lifecycle is needed. When researching this article, I found many approaches to the lifecycle, using four to eight stages. For a traditional look at lifecycle management, I settled on the lifecycle in Figure 1, provided by the National Institute of Standards and Technology (NIST) in SP 1800-5, the document that forms the basis for my ITAM recommendations.

Figure 1: Traditional Asset Lifecycle. Source: NIST

Daily ITAM activities focus on the operate, maintain, and modify stages, which have their own continuous loop. Planning and integrating ITAM capabilities for a system, however, begin during the design phase, ensuring relevant safeguards are inherent in the system and the intended operating environment.

One stage not specifically shown is deployment, the point at which systems are placed into the operating environment. ITAM also tracks what is implemented, ensuring policy-compliant deployment, with integration into the ITAM processes and related technologies.

This is only one lifecycle perspective. As shown in Figure 2, DevSecOps has its own lifecycle. This article’s ITAM review focused on the deploy, operate and monitor stages. But like in the traditional life cycle, ITAM capabilities should always be considered throughout the rest of the stages, ensuring built-in system safety.

Figure 2: DevSecOps Lifecycle

How Data Flows Through the ITAM System

Figure 3 is a general look at how ITAM solutions work. To clarify, no single solution provides all the functionality we discuss here. Organizations can use existing controls, reconfiguring them as needed, supplementing them with additional vendor solutions, and adjusting or adding policies and procedures where appropriate.

Figure 3: ITAM Levels (NIST SP 1800-5)

Corporate governance and policies

As shown at the right of the ITAM model, ITAM is governed by the organization’s governance framework, including policies that define internal and regulatory compliance objectives. The ITAM effort is driven by governance, which falls under the jurisdiction of senior management and aids in establishing acceptable risk thresholds and risk management budgets.

Tier 3 – Enterprise assets

Enterprise assets are any software, hardware, or systems that support business operations. Extending this, devices may be connected that add nothing to business operation, thereby falling short of the asset label and requiring some risk analysis regarding why they should be connected at all.

Before integrating an asset into ITAM, an organization must know it exists, knowledge gleaned from an existing asset database, a configuration management system, or via a complete inventory. Once an asset is identified, the ITAM team must ensure it can communicate with Tier 2. This communication usually requires some agent or the use of vendor-supplied APIs. 

Enterprise asset management must ensure a complete picture of what is connected and protected, requiring close integration with the organization’s change management processes, guaranteeing the integration of new systems, and tracking modifications to existing systems.

Tiers 2 & 3 – data collection and storage

As I wrote above, each asset must report its presence, health, and other monitored characteristics to a central collection point. One example of a central collection point, useful throughout the ITAM process, is a configuration management database (CMDB) that stores individual asset information and relationships between assets. Information reported helps IT manage and support updates, vulnerability management, and other security activities.

Muhammad Raza provides a list of some information needed for each asset (remember that an asset is either hardware or software).

  • Configuration identification: Classification and categorization of each asset and its cross-operability with other assets.
  • Configuration control: Policies and procedures that control asset builds, patch levels, licensing, changes, and recovery. Agents or logs should provide near real-time updates when an asset is modified in any way, including the addition of running processes/applications.
  • Status accounting and reporting: A record of all changes to an asset throughout its lifecycle, requiring close integration with change management and one place to log known vulnerabilities and risk assessment findings.
  • Verification and audit: Reviews of asset information, including audits, to ensure policy compliance, timely vulnerability management, and identification of missed configuration updates.

Raza’s list essentially includes manual entries. Also needed are near real-time updates from the assets themselves, enabled by agents residing on them, and by aggregated and correlated logs, including:

  • IPS/IDS activity and continued operation
  • Antimalware update levels, activity, and continued operation
  • Firewall activity and ongoing operation
  • List of all installed applications, with flags for applications not on the organization’s approved application list
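
As an added illustration (not from the original article or from SP 1800-5), the following Python sketch reconciles agent reports against CMDB records and flags the conditions listed above: unapproved applications, stale antimalware, stopped controls, assets that never entered the CMDB, and agents that have gone silent. The field names, thresholds, asset IDs, and sample data are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

APPROVED_APPS = {"browser", "office-suite", "edr-agent"}  # assumed approved list
MAX_AV_AGE = timedelta(days=3)      # assumed policy: definitions at most 3 days old
MAX_SILENCE = timedelta(hours=24)   # assumed policy: agents check in daily

def reconcile(cmdb, reports, now):
    """Return {asset_id: [findings]} for every asset with at least one finding."""
    findings = {}
    def flag(asset_id, msg):
        findings.setdefault(asset_id, []).append(msg)
    latest = {}
    for r in reports:                        # keep only the newest report per asset
        cur = latest.get(r["asset_id"])
        if cur is None or r["last_seen"] > cur["last_seen"]:
            latest[r["asset_id"]] = r

    for asset_id, rec in cmdb.items():       # active CMDB assets that stopped reporting
        r = latest.get(asset_id)
        if rec["status"] == "active" and (r is None or now - r["last_seen"] > MAX_SILENCE):
            flag(asset_id, "agent silent")
    for asset_id, r in latest.items():
        if asset_id not in cmdb:             # connected but never inventoried
            flag(asset_id, "not in CMDB")
        for app in sorted(set(r["apps"]) - APPROVED_APPS):
            flag(asset_id, f"unapproved app: {app}")
        if now - r["av_defs"] > MAX_AV_AGE:
            flag(asset_id, "antimalware definitions stale")
        for control in ("firewall", "ips"):
            if not r["running"].get(control, False):
                flag(asset_id, f"{control} not running")
    return findings

# Constructed sample data (hypothetical assets and values)
NOW = datetime(2022, 8, 17, 12, 0, tzinfo=timezone.utc)
CMDB = {"lt-001": {"status": "active"}, "lt-002": {"status": "active"},
        "lt-003": {"status": "active"}, "srv-009": {"status": "retired"}}
REPORTS = [
    {"asset_id": "lt-001", "last_seen": NOW - timedelta(hours=1), "av_defs": NOW - timedelta(days=1),
     "running": {"firewall": True, "ips": True}, "apps": ["browser", "edr-agent"]},
    {"asset_id": "lt-002", "last_seen": NOW - timedelta(hours=2), "av_defs": NOW - timedelta(days=9),
     "running": {"firewall": False, "ips": True}, "apps": ["browser", "torrent-client"]},
    {"asset_id": "kiosk-77", "last_seen": NOW - timedelta(hours=3), "av_defs": NOW - timedelta(days=1),
     "running": {"firewall": True, "ips": True}, "apps": ["browser"]},
]

for asset, items in sorted(reconcile(CMDB, REPORTS, NOW).items()):
    print(asset, "->", "; ".join(items))
```

The "not in CMDB" and "agent silent" findings are the two directions of the same gap: something connected that the inventory does not know about, and something inventoried that monitoring can no longer see.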

Other information is needed from the overall operating environment. This information should provide a clear picture of network and asset behavior, alerting when behavior shows a statistically relevant move from established baselines.

Tier 1 – data analytics

All information collected must be accessible for analysis, automated analysis when possible, and human analysis when required. As with all operational analysis, organizations should strive to correlate all aggregated data to gain an overall picture of network behavior and each asset’s related behavior and health. This begins with at least a SIEM solution, improves significantly with an entity behavior analytics solution, and achieves primary ITAM objectives when extended with APIs and human analysis to integrate all leftover pieces of ITAM operational data.

Reporting and visualizations

Alerting is a given when implementing ITAM, ensuring drifts from expectations are quickly addressed. However, it is also the responsibility of security and other teams to inspect the status of assets, looking for policy compliance, expected operation, unexpected asset implementation, and implementation of allowed assets that bypassed change management procedures or disallowed hardware or software.

Monitoring of ITAM information is most effective when done via a centralized portal. All ITAM components, like those used in the proofs of concept in SP 1800-5, should participate in collecting and analyzing collected information.

In addition to portal review, analyzed ITAM information should support reports that provide evidence of met objectives and clearly flagged questionable results.

Final thoughts

ITAM ensures broad management of all IT assets, integrating multiple processes, combining implementation and change information, and ensuring expected operation across systems. Going beyond SIEM, ITAM opens a perspective into the implementation, operation, and modification stages of each asset’s lifecycle and how these aspects affect the behavior, availability, and integrity of the system or systems it supports.

It does not appear that a single solution can provide all ITAM capabilities, but SP 1800-5 shows in detail how to use multiple tools to achieve ITAM objectives. Starting with a vendor that provides the core capabilities and understands what you are trying to achieve can help bring together the partners needed to address all required elements.

Tom Olzak

Cybersecurity Researcher, Author & Educator

Independent security researcher and an IT professional since 1983, with experience in programming, network engineering, and security. I have an MBA as well as CISSP certification. I am also an online instructor for the University of Phoenix. I've held positions as an IS director, director of infrastructure engineering, director of information security, and programming manager at a variety of manufacturing, healthcare, and distribution companies. Before joining the private sector, I served 10 years in the United States Army Military Police with four years as a military police investigator. I've written four books, Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide. I am also the author of various papers and articles on security management.