Three Reasons You Need ITAM for the Internet of Things (IoT)

It was 1984, and I was off to the only movie theater in the town where I lived. The movie was called Terminator and although it was science fiction, the story line had an eerie ring of truth. It was about intelligent computers rising up and rebelling against its human progenitors . This movie introduced many of us to the concept of the internet 10 years before it started to become part of our lives.

Soon after we started connecting personal computers and laptops to the internet, smartphone and tablet technology took root and were mainstream by 2010. Today we are witnessing another major shift in technology with the Internet of Things (IoT).

Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30% from 2014, and is expected to reach 25 billion by 2020.

How do you choose what to manage and what not to manage for IoT?

With the increased amount of smart devices coming online, the question becomes what smart devices do we track and how do we track them? Many organizations are still figuring out how to implement ITAM with BYOD. Therefore, an ITAM solution for IoT might not be on the radar for many organizations; however, a strategy should be considered for the following reasons:

  • To control inventory
  • To control access
  • To provide security

Control Inventory

When assets are tracked, information about purchase dates, warranty, and lifecycle states help to control the inventory of the assets. Organizations have to decide which smart devices should be tracked using an ITAM solution. For example, should the ITAM solution track a smart light bulb? It might not make sense to track just one, but it could make sense to know how many smart light bulbs are owned and where they are installed.

Furthermore, if there is a software package that controls smart light bulbs, a relationship could be created linking the application to the light bulbs and to an associated software entitlement license. For IoT, I believe it is more practical to manage the contracts, licenses, and vendor information in the ITAM database versus tracking each smart device individually.

One could also argue that smart light bulbs are not considered IT assets and should be managed by facilities’ systems. However, the line between facilities and IT becomes blurred when smart light bulbs are controlled by an application that requires a software license.

Gartner states, “the IoT is not only about the introduction of different forms of networked devices into digital business moments; it is a transformational approach to viewing and implementing processing, analytics, storage and communications.”

Control Access

Relationship management is an important part of an ITAM strategy. Relationships are also very important in the context of IoT. Not only does an organization need to know which devices to connect to their systems, they need to control access between IoT devices and other IoT entities, IT assets, applications, and people.

 IOT

Access to systems and applications is provided using Identity and Access Management (IAM). However, traditional IAM solutions are not capable of dealing with the relationship and access requirements that come with IoT. Therefore, the Identity of Things (IDoT) is an extension of IAM that applies a unique identifier (UID) to IoT devices/objects, which allows you to control relationships and access between IoT and other entities inside and outside of your organization.

Gartner says that “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.

Provide Security

The National Cybersecurity Center of Excellence (NCCoE) is addressing IT asset management for the financial services sector.

“An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM will enhance visibility for security analysts, which will lead to better asset utilization and security.”

IoT security is an evolving endeavor to provide security to all devices connected to the internet. Security experts have warned of the potential risk of large numbers of unsecured devices connecting to the Internet since the IoT concept was first proposed in the late 1990s

Smart light bulbs in the home are a great way to save energy, and smart vacation settings turn lights on and off in different rooms to make it appear someone is home. Smart criminals, such as organized crime or cyber-criminals, could hack your system and learn your vacation programs, thus alerting them that you are on vacation. They could then sell that information to street criminals informing them of who might be out of town in that criminal’s area. From this example, it is clear that organizations need to apply security to IoT devices so that access is denied to unauthorized users, devices, and malware.

According to Proofpoint, more than 25 percent of the botnet was made up of devices other than computers, including smart TVs, a refrigerator, and other household appliances.

ITAM will provide inventory information to a security system. Without the inventory information, an organization might not be aware of existing connected IoT entities and their potential security risk. If you don’t have an inventory of all devices connected to the internet, then you don’t have a complete security solution. In my opinion, the lines between ITAM and security will continue to disappear; meaning, that one day, complete security solutions will not exist without an ITAM solution in place.

Conclusion

The good news so far is that Skynet is not yet self-aware which, if you are familiar with the movie Terminator, signaled the beginning of the rebellion against humans. We might not be facing a threat from intelligent interconnected computers waging war on the human race; however, we do face threats from other countries, criminals, and terrorist factions. Computer systems as well as all their connected devices could be used against us if compromised by someone with malicious intent. IoT will force a fundamental change in how security is implemented by making inventory control and knowledge about the presence of connected entities a priority security requirement.

 

-follow me on Twitter @marcelshaw

ITAM vs CMDB – Choose the Right Tool

This year, I decided to make some landscaping changes around my property. I have been repairing fences, planting new gardens, and pulling up trees in my efforts to meet the landscaping goals I set. Throughout the process, I learned I do not own the correct tools for many of the tasks I intended to complete. On several occasions, I have improvised using tools in my possession instead of purchasing the recommended tools. For example, I wonder if I should have purchased and used a chain saw to cut down a tree, or was the hand saw I currently own sufficient? And will it continue to be efficient? Only time will tell, but I do fear the outcome from some of my decisions.

To CMDB or Not to CMDB?

For IT asset management and support, ITIL and ITAM provide guidelines for best practices.  To see the entire article, click here.

Contributors to this Blog:

Co-Authored by Patricia Adams

Graphic by Nicole Shaw @nshaw1991 (copyright)

Edits by Carrie Shaw @carrieshaw and Chase Christensen @chasechris8 >> THANK YOU!!

Five Steps to Build an Efficient ITAM Process

Sixteen years ago, I took my first business trip to Europe. After two weeks of staying in a lovely furnished house courtesy of a corporate relocation company (for all things corporate relocation check out that page) and busy customer visits I returned home and proceeded to do my expense report. Back then, I had to itemize my expenses using a spreadsheet and then submit all the original receipts, along with the spreadsheet, to our office administrator. She would then mail them to our headquarters located 2,000 miles away. Typically, within two weeks I would receive a check in the mail reimbursing me for business expenses. Often businesses will use solutions like the Everlance expenses tracker in order to keep on track with company finances.

On this particular occasion, our headquarters claimed they did not receive my expense report. Was it lost in the mail? I know I gave it to the administrator and she claims she sent it to our headquarters. My company quickly resolved the matter by sending me a check; however, the missing expense report was a mystery for quite some time.

A year later, I received a large check in the mail for business expenses. After looking at my records, I realized the amount of the check was the same amount I had received the previous year from my trip to Europe. The new office administrator found the lost expense report that had fallen behind a desk, so she submitted the expense report through the normal process. The accounting department at headquarters processed the expense request, unaware they had already paid for these expenses the previous year.

Why did this process fail?

  • The process was manual
  • The office administrator had been replaced
  • The expense process did not plan for exceptions, so accounting had no method in place to be alerted of a duplicate expense request

An important part of ITAM is the process that manages the lifecycle of an IT asset. The objective is to track an IT asset from the time it is purchased until it is retired. Patricia Adams, a Research Director for Gartner once stated “ITAM depends on robust processes, with tools to automate manual processes. This data then enables organizations to effectively manage IT assets, vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance throughout its life cycle.”

In a blog I wrote last year, I defined a three-tiered approach to asset management. I defined ITAM process management to be the third tier in an IT asset management solution. Be sure to understand tier one and tier two before taking on tier three. You will find that discovery and data intelligence are required for to build effective ITAM processes. When built properly, automated ITAM processes will enforce your IT asset management procedures and policies.

Gartner defines an ITAM process as follows:

“IT asset management (ITAM) entails collecting inventory, financial and contractual data to manage the IT asset throughout its life cycle. ITAM depends on robust processes, with tools to automate manual processes. Capturing and integrating auto-discovery/inventory, financial and contractual data in a central repository for all IT assets enables the functions to effectively manage vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance throughout its life cycle.”

5 Step Process

To build an efficient ITAM process, I recommend 5 steps in the following order.

  1. Understand the procurement process
  2. Define the lifecycle
  3. Solicit input and feedback from each department
  4. Define and build the process
  5. Test and adjust the process

Understand the Procurement Process

IT asset management begins when the asset is purchased. Many organizations do not begin to track an asset until it hits the network. This is poor asset management. IT assets should be documented in an ITAM database as soon as they are purchased. Do you purchase from resellers, direct, or even from the local store? How do you pay? Do you finance, use a credit card, or make an electronic payment? Do you purchase from an existing contract? To build an efficient ITAM process that tracks an asset from the time it is purchased, you need to know from whom you purchase and how you purchase all your IT assets.

Define the Lifecycle

An IT asset will go through different stages in its lifecycle. For example, a laptop might be purchased, shipped, received, available, assigned, and retired.

Laptop Lifecycle

To build an efficient ITAM process, define the different stages of the lifecycle according to the asset and have the process change the lifecycle property when needed. For example, when a laptop is assigned to a user, have the process change the state of the asset from ‘available’ to ‘assigned.’ This will help to identify where the assets are in the process at any time.

Solicit Input and Feedback from Each Department

DO NOT force automated processes on employees outside of the IT department without their feedback and suggestions if you wish to be successful with your automated ITAM processes.

Nicole2

Unlike other IT projects, IT asset management touches everyone in the organization. Typically the people in IT evaluate, recommend, and purchase IT solutions with little input from other departments; however, ITAM processes will affect all departments such as HR, Legal, Finance, Sales, etc. It is important to solicit input from each department when designing your ITAM processes, especially if you will be automating any of their manual tasks.

Define and Build the Process

To define the ITAM process, use a whiteboard or a tool such as Visio to outline your process. Define ‘users’, ‘groups’, and ‘roles’ that will be assigned tasks in the process. For example, a purchase request for an IT asset may need to be authorized. Define a role or group with the power to ‘authorize’ in the process. Avoid assigning users to any task within a process since users often change their roles. Only assign users to ‘groups’ or ‘roles’ when building an ITAM process.

Choose an ITAM software solution that will help you meet your automation objectives. Be sure the solution can integrate with other databases including your ITSM solution. Furthermore, choose an ITAM solution that enables you to build B2B connectors so that you can directly connect and build automated processes with external partners.

Finally, prepare and plan to manage exceptions in your ITAM processes. For example, if someone purchases an IT asset on a credit card, instead of using the request portal, how do you plan to bring that laptop into the existing ITAM lifecycle process?

Test and Adjust the Process

Always test the process before soliciting feedback from each department. Make adjustments based on the feedback, then retest as needed. In large organizations, it is recommended a pilot group be created with representatives from each department. Test and retest with the pilot group before rolling out the processes to the entire organization. Be sure to properly train anyone who might be assigned a task from the process. For example, someone who authorizes the purchase of IT equipment needs to be comfortable performing that task prior to rolling the ITAM processes out to everyone.

Summary

The time it takes to actually build an ITAM process using available software solutions is minimal compared to the time it takes to understand and design the ITAM process. Be sure to dedicate resources and time during the design phase. Keep processes simple in the beginning to ensure success. Most importantly, measure ROI after implementing ITAM processes by showing before and after data analytics. ITAM processes will save your organization a lot of money; however, this is only evident if measured and reported.