IT Asset Management – Security Considerations (original English text of "Security Management in IT Asset Management")

For those of you who read my article “Generations of IT Asset Management” in CIO Express magazine last month, I hope it gave you some inspiration and supported the development of your IT Asset Management strategy.  As a supplement, I hope this blog will show how defining the right IT Asset Management strategy gives you a useful tool to support your IT Security Management.
You may recall I pointed out that the very core of an IT Asset Management tool is the Asset Database, and how towards the end of 1999 the asset data was used to identify Y2K risks.  This blog is about how, 10 years later in 2009, the same asset data can be used to identify security issues in your IT infrastructure.  (Note: whether I am the first to write about security management using the asset inventory database is not as important as the fact that, while most businesses have some form of IT Asset Management, the asset data is not effectively used in this way to improve the value of IT.)

Let us start with the minimum security measure – security patching of the operating system and applications.  Do not underestimate the importance of managing patches in a corporate environment: system vulnerabilities are one of the main root causes of security breaches.  Whether it is interruption to the business or data theft, the result is lost profit or even bankruptcy, so security breaches are the utmost priority in corporate security management.   It is a known fact that once a vulnerability is discovered and publicly known, attacks against it appear sooner and sooner.  The term “zero-day attack” was born because threats arrive before a patch is available, or worse, before the manufacturer is even aware of the vulnerability.  By analyzing the software inventory data in your IT Asset Database, you should be able to classify each application into one of the following states:
a) Latest version/patch in use (green)

b) Patch available but not yet applied (yellow)

c) Known vulnerability but patch not yet available (red)

d) Software no longer supported by manufacturer (red)**
** When software is no longer supported, the manufacturer no longer commits to providing patches should a vulnerability be reported.  Many enterprises have a corporate security policy that prohibits the use of unsupported software.  Do not mistake this to mean that supported software has no vulnerabilities; but because it is supported, the manufacturer is committed to providing a patch, an upgrade or a workaround to alleviate the risk.  A good example is Microsoft’s Windows XP operating system, which has ended its “mainstream support” and moved onto “extended support”, scheduled to end around the year 2014.  This means enterprises will be migrating to the next operating system once the next SOE (standard operating environment) is designed and tested for compatibility with business applications.
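The classification above can be produced mechanically from the inventory once you join it to what each manufacturer currently publishes (latest release, end-of-support date, any disclosed flaw that still has no fix). The following is an added example, not code from the original article: the product names, versions, dates and the advisory identifier are constructed, and the extra "unknown" bucket for software that the vendor catalog does not cover is my own addition to the four states listed. Note the support-end check is relative to the assessment date, so the same inventory row can be green in one year and red in a later one.

```python
"""Classify each installed application from the asset inventory into the
article's four patch states (plus an "unknown" bucket for software the vendor
catalog does not cover).

Added example, not code from the original article. The vendor catalog and the
inventory below are constructed sample data so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class PatchState(Enum):
    CURRENT = "a"          # latest version/patch in use
    PATCH_AVAILABLE = "b"  # patch available but not yet applied
    VULN_NO_PATCH = "c"    # known vulnerability, patch not yet available
    UNSUPPORTED = "d"      # software no longer supported by the manufacturer
    UNKNOWN = "?"          # assumption: product missing from the vendor catalog


# Colour per state; two states share "red", so the colour is kept outside the Enum.
COLOUR = {
    PatchState.CURRENT: "green",
    PatchState.PATCH_AVAILABLE: "yellow",
    PatchState.VULN_NO_PATCH: "red",
    PatchState.UNSUPPORTED: "red",
    PatchState.UNKNOWN: "grey",
}


@dataclass(frozen=True)
class VendorRecord:
    """What the manufacturer currently publishes for a product."""
    product: str
    latest_version: str
    support_ends: Optional[date] = None   # None = no announced end of support
    unfixed_advisories: tuple = ()        # disclosed flaws with no patch yet


@dataclass(frozen=True)
class InstalledSoftware:
    """One row of the software inventory in the Asset Database."""
    host: str
    product: str
    version: str


def parse_version(text):
    """'12.0.4' -> (12, 0, 4). Trailing zeros are dropped so '5.1' equals '5.1.0'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(item, catalog, today):
    """Most severe applicable state wins: unsupported, then unpatchable, then outdated."""
    record = catalog.get(item.product)
    if record is None:
        return PatchState.UNKNOWN
    if record.support_ends is not None and record.support_ends <= today:
        return PatchState.UNSUPPORTED
    if record.unfixed_advisories:
        return PatchState.VULN_NO_PATCH
    if parse_version(item.version) < parse_version(record.latest_version):
        return PatchState.PATCH_AVAILABLE
    return PatchState.CURRENT


def summarize(inventory, catalog, today):
    """Count installations per colour; this is the input for allocating patching effort."""
    counts = {"green": 0, "yellow": 0, "red": 0, "grey": 0}
    for item in inventory:
        counts[COLOUR[classify(item, catalog, today)]] += 1
    return counts


# Constructed sample data: product names, versions, dates and the advisory ID are made up.
CATALOG = {rec.product: rec for rec in (
    VendorRecord("ExampleOffice", "12.0.4"),
    VendorRecord("ExampleBrowser", "3.5.1", unfixed_advisories=("EXAMPLE-ADV-0001",)),
    VendorRecord("LegacyOS", "5.1", support_ends=date(2014, 1, 1)),
)}

INVENTORY = [
    InstalledSoftware("pc-001", "ExampleOffice", "12.0.4"),
    InstalledSoftware("pc-002", "ExampleOffice", "12.0.1"),
    InstalledSoftware("pc-003", "ExampleBrowser", "3.5.1"),
    InstalledSoftware("pc-004", "LegacyOS", "5.1.0"),
    InstalledSoftware("pc-005", "HomegrownTool", "0.9"),
]

# Two constructed assessment dates: before and after LegacyOS support ends.
ASSESS_2009 = date(2009, 6, 1)
ASSESS_2015 = date(2015, 1, 1)

if __name__ == "__main__":
    for when in (ASSESS_2009, ASSESS_2015):
        print(when, summarize(INVENTORY, CATALOG, when))
```

The ordering inside `classify` is deliberate: an install that is both behind the latest release and affected by an unfixed advisory stays red, because applying the available patch would not remove the exposure.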

Pop quiz:  If Windows XP support ends in 2014, how long has this operating system been around?

** If you started using Windows XP at its introduction and are still using it today, you may be on your 5th computer, as I have been:

1st computer: an Intel Pentium processor 133MHz

     (0.133GHz for the younger generation :P)

2nd computer: an Intel Pentium MMX processor 266MHz

3rd computer: an Intel Pentium III processor 800MHz

4th computer: an Intel Pentium 4 processor 1.7GHz

5th computers: an Intel Core2Duo processor (2.4GHz dual core) and an Intel Atom processor (1.6GHz) for home

Now that we have started using the IT Asset Database to analyze your software patching status, you have the data needed to allocate resources to deploy patches and eliminate security risks.  But don’t stop here; there is more.  Software license management is often used to identify whether sufficient software licenses are in place for the business users.  IT Asset Management helps measure the hardware and software population and the utilization of licenses.  The objective is to improve the efficiency of software licensing: neither excessive nor insufficient, but the right quantity of licenses the business requires.
Now take that to the next step – Installed Application Monitoring.  By analyzing the software inventory in the Asset Database, we can identify whether an application is approved for use.  This can be a combination of whether the software is licensed for use, whether the software product is approved, whether the version and patch level are approved, whether the user (owner) of the computer is approved to use the application, and whether the configuration of the application is approved.  Once you have this analysis, it is just a matter of removing the unapproved applications, certifying applications for approved use, and applying other security measures to eliminate the risks.
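The five approval questions can be evaluated as a single pass over the inventory, which also covers the license-quantity point from the previous paragraph because seats in use are counted per product along the way. This is an added example and not the article's own code; the installations, owners, policy values and product names are all constructed, and the policy model (approved versions listed explicitly, an optional owner allow-list, required configuration keys) is my assumption about how an SOE would record them.

```python
"""Installed Application Monitoring over an asset inventory.

Added example, not the article's own code. For every installed application it
checks the five approval questions the article lists (licensed, product
approved, version/patch level approved, owner approved, configuration approved)
and returns the findings. The inventory and policy below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Installation:
    """One installed application as recorded in the Asset Database."""
    host: str
    owner: str
    product: str
    version: str
    config: dict = field(default_factory=dict)   # settings captured by the inventory agent


@dataclass
class ProductPolicy:
    """The SOE's view of one product (assumed structure, not the article's)."""
    approved: bool = True                        # product itself is on the approved list
    approved_versions: frozenset = frozenset()   # approved version / patch levels
    licences: int = 0                            # seats the business holds
    approved_owners: frozenset = None            # None = any user may run it
    required_config: dict = field(default_factory=dict)


def review_inventory(installs, policies):
    """Return {(host, product): [findings]}; an empty list means approved for use."""
    seats_used = {}
    report = {}
    for inst in installs:
        findings = []
        policy = policies.get(inst.product)
        if policy is None or not policy.approved:
            findings.append("product not approved")
        else:
            if inst.version not in policy.approved_versions:
                findings.append(f"version {inst.version} not approved")
            if policy.approved_owners is not None and inst.owner not in policy.approved_owners:
                findings.append(f"owner {inst.owner} not approved for this product")
            for key, wanted in policy.required_config.items():
                if inst.config.get(key) != wanted:
                    findings.append(f"config {key} must be {wanted!r}")
            # Every install consumes a seat, approved or not, so over-deployment shows up here.
            seats_used[inst.product] = seats_used.get(inst.product, 0) + 1
            if seats_used[inst.product] > policy.licences:
                findings.append(
                    f"no licence available ({seats_used[inst.product]} installs, "
                    f"{policy.licences} licences)"
                )
        report[(inst.host, inst.product)] = findings
    return report


def unapproved(report):
    """Installations with at least one finding: candidates for removal or certification."""
    return sorted(key for key, findings in report.items() if findings)


# Constructed sample policy and inventory (all names and values are made up).
POLICIES = {
    "ExampleOffice": ProductPolicy(
        approved_versions=frozenset({"12.0.4"}),
        licences=2,
        required_config={"macros": "disabled"},
    ),
    "AdminConsole": ProductPolicy(
        approved_versions=frozenset({"2.0"}),
        licences=5,
        approved_owners=frozenset({"alice"}),
    ),
    "P2PClient": ProductPolicy(approved=False),
}

INVENTORY = [
    Installation("pc-001", "alice", "ExampleOffice", "12.0.4", {"macros": "disabled"}),
    Installation("pc-002", "bob", "ExampleOffice", "12.0.1", {"macros": "enabled"}),
    Installation("pc-003", "carol", "ExampleOffice", "12.0.4", {"macros": "disabled"}),
    Installation("pc-003", "carol", "AdminConsole", "2.0"),
    Installation("pc-004", "dave", "P2PClient", "1.0"),
]

if __name__ == "__main__":
    for key, findings in review_inventory(INVENTORY, POLICIES).items():
        print(key, "OK" if not findings else "; ".join(findings))
```

Findings are returned as a list per installation rather than a single yes/no so the service desk can tell a version drift (patch it) from an unlicensed or unapproved product (remove it) without re-running the analysis.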

(Note: some time ago, when I was having dinner with a colleague – an experienced service desk manager – we discussed the fact that incidents (faults) are often the result of deviations from the SOE and/or incompatibility with unapproved application(s).  If these can be identified and eliminated, the number of incidents would be significantly reduced, which ultimately translates into support cost improvements.  This is a positive result of utilizing the Asset Database to manage your SOE, improving support cost in the process.)
Side note: one of my responsibilities as Chief Technology Officer (CTO) of Gamutsoft Corporation is to improve security awareness within the company.  I have conducted security awareness training for our managers and manager trainees as part of our manager training program, covering security measures and awareness.  The training includes an assignment that requires the managers to take a deep look into their own computers, identify each of the active applications, and ask the questions:  “Is this application known to me?”  “Did I install / approve this application?”  “What does it do, and do I need it?”

If they answer NO to any of these questions, the application is a potential security risk and they should seek advice and a method to remove the unknown application(s).
The point I am trying to make is that while we train our managers to be more aware of security practices, the enforcement of application security can be done with readily available data from the Asset Database.  With the right ingredients (tool, process, and people), you have increased the value of both your IT Asset Management and your Security Management.
