How to reduce IT security risk with IT asset management

IT asset management expert Barb Rembiesa explains how ITAM best practices like IT asset standardization and rationalization reduce IT security risk.

At a glance, the concept of enterprise information technology asset management hardly sounds glamorous, but information security practitioners might be surprised to learn the ways in which the two disciplines intersect. Even better, knowledgeable, resourceful infosec pros can leverage IT asset management best practices to reduce IT risk within their organizations. That's what we'll discuss in this tip.

What is ITAM?

Information technology asset management is a set of business processes designed to manage the lifecycle and inventory of technology assets. It provides value to organizations by lowering IT costs, reducing IT risk and improving productivity through proper and predefined asset management. IT asset management (ITAM) has only existed as a formal set of business processes for about a decade, which is immature in comparison to typical business processes.


It may not be completely obvious where IT asset management and enterprise information security come together. After all, information security is a complex activity involving highly skilled IT engineers, architects and strategists, charged with defending against everything from run-of-the-mill spam and phishing to multinational terrorism cells bent on causing instability in financial markets through computer-based terrorism, and all points in between.

IT asset management has many goals, including maximizing the value of an organization's investment in information technology. One common approach to meeting this goal is through understanding the IT needs of the organization and then establishing standards that serve to facilitate those needs. This leads to the rationalization of asset types (specific guidelines defining acceptable IT assets) and, more often than not, the reduction of asset types. For example, organizations can see a significant reduction in the number of software applications through an application-rationalization exercise -- this involves defining which types of applications meet the predefined guidelines that support the organization's IT objectives, and working to remove the applications that don't meet the guidelines. With the elimination of each application comes increased security for the IT security team because that's one less application to harden, patch, monitor and audit.

Another benefit of the ITAM discipline is the increased understanding of who in the organization needs which IT assets in order to fulfill their assigned roles. Organizations that practice this discipline understand who has access to sensitive data, and user permissions can be more logically restricted based on need, in some cases even serving as the basis of or logic check for privilege management systems.

As you can see, it turns out that these two fields actually intersect on a multitude of levels.

Ghosts of ITAM past; trends of the present

Coming into the 21st century there was little to no connection between IT asset management and information security. ITAM focused on gaining credibility in organizations through hardware management and software license compliance. The primary focus was on the basic ability to know where physical hardware was at any time, control its entry and exit from the organization, and establish bulk-buying opportunities for pricing leverage; from a software standpoint, the focus was on consolidating license negotiations, building general awareness of license compliance and heading off vendor audits to keep costs in line with expectations. ITAM started with the viewpoint that IT asset managers just counted "things."

Current trends show ITAM overlapping data security processes and concerns in several ways, especially around end-of-life hardware disposal and data security during the disposal processes. Also overlapping now is shared responsibility for mobile inventory control and risk management, focusing on network entry-point management and device security while outside of general organizational controls.

This is a real overlap between the two disciplines that brings additional ITAM tools to the information security space that otherwise might not exist, or that would have to be purchased or developed from scratch in an organization without a strong ITAM program. ITAM controls and end-of-life disposal processes are fairly mature now, with asset tagging through bar codes or RFID tags, generally mature inventory-tracking systems and clear assignment of assets to individuals. These capabilities, coupled with information security identity management and strong access-tracking and access-management controls, provide a broad base of capabilities, shared across the two fields, that address baseline security risks, making it easier to know who is doing what with a particular IT asset at any given time.

Additionally, lost or stolen assets are easier to identify and track, network communications tie better to individual devices and access points, and software can be identified as authorized or unauthorized based upon up-to-date ITAM data repositories. While there remains some real risk here, IT asset management programs feature good additional tools to address data security concerns.
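The reconciliation this paragraph describes (and the application-rationalization and role-based access points made earlier) can be shown in code. The following is an added Python example, not part of the original article: it checks a constructed device/software inventory, as an endpoint agent or network scan might report it, against a constructed ITAM repository and a constructed role-based application standard (all asset tags, hostnames, owners, statuses and product names are hypothetical), and flags devices absent from ITAM, devices ITAM records as lost, stolen or disposed that still appear on the network, and software outside the approved set for the owner's role.

```python
"""Reconcile a discovered inventory against an ITAM repository.

Added example, not from the original article. Every record below is
constructed; asset tags, hostnames, owners, roles and application names
are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ITAM repository: asset tag -> record. The "status" values follow a
# hypothetical lifecycle: in_service, lost, stolen, disposed.
ITAM_REPOSITORY = {
    "A-1001": {"host": "fin-lap-01", "owner": "alice", "role": "finance", "status": "in_service"},
    "A-1002": {"host": "eng-lap-07", "owner": "bob", "role": "engineering", "status": "in_service"},
    "A-1003": {"host": "hr-lap-02", "owner": "carol", "role": "hr", "status": "stolen"},
}

# Constructed output of an application-rationalization exercise:
# role -> applications that meet the organization's guidelines for that role.
APPROVED_APPS = {
    "finance": {"ledgerpro", "office-suite", "endpoint-agent"},
    "engineering": {"office-suite", "endpoint-agent", "ide", "git"},
    "hr": {"office-suite", "endpoint-agent", "hrportal"},
}

# Constructed observation, e.g. from an endpoint agent or authenticated scan:
# each entry is a hostname and the applications found installed on it.
DISCOVERED = [
    {"host": "fin-lap-01", "apps": {"ledgerpro", "office-suite", "endpoint-agent", "torrentclient"}},
    {"host": "eng-lap-07", "apps": {"office-suite", "endpoint-agent", "ide", "git"}},
    {"host": "hr-lap-02", "apps": {"office-suite", "endpoint-agent"}},
    {"host": "unknown-99", "apps": {"office-suite"}},
]

RETIRED_STATUSES = {"lost", "stolen", "disposed"}


@dataclass
class Finding:
    asset_tag: Optional[str]   # None when the device is not in ITAM at all
    host: str
    kind: str                  # unknown_device | retired_asset_seen | unauthorized_software
    detail: str


def reconcile(discovered: List[dict], repository: Dict[str, dict] = ITAM_REPOSITORY,
              approved: Dict[str, set] = APPROVED_APPS) -> List[Finding]:
    """Compare observed devices/software with the ITAM repository and return findings."""
    by_host = {rec["host"]: (tag, rec) for tag, rec in repository.items()}
    findings: List[Finding] = []
    for obs in discovered:
        host = obs["host"]
        if host not in by_host:
            # A device on the network with no ITAM record: nobody owns or patches it.
            findings.append(Finding(None, host, "unknown_device", "seen on network, absent from ITAM"))
            continue
        tag, rec = by_host[host]
        if rec["status"] in RETIRED_STATUSES:
            # ITAM says the asset left the organization, yet it is still talking to us.
            findings.append(Finding(tag, host, "retired_asset_seen", f"ITAM status is {rec['status']}"))
        allowed = approved.get(rec["role"], set())
        for app in sorted(obs["apps"] - allowed):
            # Software outside the rationalized standard for this owner's role.
            findings.append(Finding(tag, host, "unauthorized_software", app))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for a quick dashboard or ticket summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(DISCOVERED):
        print(f"{f.kind:22} {f.host:12} tag={f.asset_tag} {f.detail}")
    print(summarize(reconcile(DISCOVERED)))
```

The design choice worth noting is that the ITAM repository, not the scan, is the source of truth for ownership and status, while the scan is the source of truth for what is actually present; a finding is produced only where the two disagree, which is exactly the gap the paragraph says a current ITAM repository closes.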

Proper deployment and use of applications have made monitoring of these assets more efficient. However, perhaps the largest return that has yet to be realized in many organizations is in communication and education. A successful ITAM program relies heavily on the cooperation of everyone in the organization, and this cooperation can only be achieved once the employees understand their responsibilities to the organization when it comes to proper use of IT. While IT is extremely beneficial to an organization, IT will always pose serious risks; but a sound IT asset management program can help mitigate many of those risks.

Predictions about ITAM future

ITAM and IT security have similar goals. Because of this, some ITAM programs fall under the umbrella of IT security, or both are grouped together within broader IT operations groups. In some cases, linking ITAM to security was the only way to get funding for ITAM initiatives. In the next two to five years, however, ITAM processes and capabilities and the needs of information security will intersect and overlap in some new, meaningful ways. It would not be surprising to see, in some larger organizations, these two sets of controls merge into single departments with broad responsibilities. The primary driver is the emerging integration of global positioning system (GPS) capabilities into information technology devices at all levels. These capabilities will start to merge with asset tracking, user identification and network access controls.

Today network access is generally controlled through enterprise authentication systems and supported by a variety of other technologies like network access control (NAC). Some high-end systems restrict access to specific pre-approved IP addresses. However, the increasing commonality of bring your own device (BYOD) programs pushes IP-controlled access to its limits. As GPS is integrated, a natural usage point is to add location to authentication protocols, only allowing access from certain geographic locations. As this capability emerges, ITAM will be integrated from an asset-tracking standpoint, replacing current clunky, nonintegrated asset tags with a trifecta of tracking: asset, GPS location and unique identifier tag. Data security will build on this capability, adding geolocation maps and, eventually, in a second generation of capabilities, tying location identification not just to network access but also to application usage.

As ITAM and IT security controls evolve together, where you are will matter as much as who you are.

Future IT roadmaps

If you spend some time thinking about what ITAM does, what GPS-style capabilities are emerging and the needs of organizations around data security, it becomes easy to see where things are heading, especially in today's hyper-risk-aware and changing world, with information security threats emerging from all possible areas: state-sponsored cyberespionage and terrorism, anarchists and the ever-present financially motivated attacks. Information security teams would be wise to remember that IT asset management is a trend that can work to their benefit. Watch for ways in which the two disciplines intersect, and start finding ways to tie the respective IT strategies and roadmaps together in the coming years.

About the author:
Barb Rembiesa is founder and CEO of the International Association of IT Asset Managers Inc. (IAITAM). Rembiesa brings more than 20 years of leadership to the organization. She is the driving force and conceptual architect of the only global IT asset management-focused organization. For nearly a decade, Barb has groomed IAITAM into a worldwide association focused on education, with individual and enterprise members in over 50 countries. IAITAM's asset-management certification courses have become the industry standard, and are endorsed and required by organizations striving to maximize IT spending, reduce risk and create more efficient budgets.

This was last published in May 2013
