Three Reasons You Need ITAM for the Internet of Things (IoT)

It was 1984, and I was off to the only movie theater in the town where I lived. The movie was called Terminator and although it was science fiction, the story line had an eerie ring of truth. It was about intelligent computers rising up and rebelling against their human progenitors. This movie introduced many of us to the concept of the internet 10 years before it started to become part of our lives.

Soon after we started connecting personal computers and laptops to the internet, smartphone and tablet technology took root and were mainstream by 2010. Today we are witnessing another major shift in technology with the Internet of Things (IoT).

Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30% from 2014, and expects the number to reach 25 billion by 2020.

How do you choose what to manage and what not to manage for IoT?

With the increasing number of smart devices coming online, the question becomes which smart devices we track and how we track them. Many organizations are still figuring out how to implement ITAM with BYOD. Therefore, an ITAM solution for IoT might not be on the radar for many organizations; however, a strategy should be considered for the following reasons:

  • To control inventory
  • To control access
  • To provide security

Control Inventory

When assets are tracked, information about purchase dates, warranty, and lifecycle states helps to control the inventory of the assets. Organizations have to decide which smart devices should be tracked using an ITAM solution. For example, should the ITAM solution track a smart light bulb? It might not make sense to track just one, but it could make sense to know how many smart light bulbs are owned and where they are installed.

Furthermore, if there is a software package that controls smart light bulbs, a relationship could be created linking the application to the light bulbs and to an associated software entitlement license. For IoT, I believe it is more practical to manage the contracts, licenses, and vendor information in the ITAM database versus tracking each smart device individually.

One could also argue that smart light bulbs are not considered IT assets and should be managed by facilities’ systems. However, the line between facilities and IT becomes blurred when smart light bulbs are controlled by an application that requires a software license.

Gartner states, “the IoT is not only about the introduction of different forms of networked devices into digital business moments; it is a transformational approach to viewing and implementing processing, analytics, storage and communications.”

Control Access

Relationship management is an important part of an ITAM strategy. Relationships are also very important in the context of IoT. Not only does an organization need to know which devices to connect to their systems, they need to control access between IoT devices and other IoT entities, IT assets, applications, and people.


Access to systems and applications is provided using Identity and Access Management (IAM). However, traditional IAM solutions are not capable of dealing with the relationship and access requirements that come with IoT. Therefore, the Identity of Things (IDoT) is an extension of IAM that applies a unique identifier (UID) to IoT devices/objects, which allows you to control relationships and access between IoT and other entities inside and outside of your organization.

Gartner says that “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.”

Provide Security

The National Cybersecurity Center of Excellence (NCCoE) is addressing IT asset management for the financial services sector.

“An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM will enhance visibility for security analysts, which will lead to better asset utilization and security.”

IoT security is an evolving endeavor to provide security to all devices connected to the internet. Security experts have warned of the potential risk of large numbers of unsecured devices connecting to the internet since the IoT concept was first proposed in the late 1990s.

Smart light bulbs in the home are a great way to save energy, and smart vacation settings turn lights on and off in different rooms to make it appear someone is home. Smart criminals, such as organized crime or cyber-criminals, could hack your system and learn your vacation programs, thus alerting them that you are on vacation. They could then sell that information to street criminals informing them of who might be out of town in that criminal’s area. From this example, it is clear that organizations need to apply security to IoT devices so that access is denied to unauthorized users, devices, and malware.

According to Proofpoint, more than 25 percent of the botnet was made up of devices other than computers, including smart TVs, a refrigerator, and other household appliances.

ITAM will provide inventory information to a security system. Without the inventory information, an organization might not be aware of existing connected IoT entities and their potential security risk. If you don’t have an inventory of all devices connected to the internet, then you don’t have a complete security solution. In my opinion, the lines between ITAM and security will continue to disappear, meaning that, one day, complete security solutions will not exist without an ITAM solution in place.
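The inventory-to-security handoff described above can be shown as a reconciliation check. This is an added example, not code from the original post; the MAC addresses, device types, locations and the choice of MAC address as the unique identifier are constructed assumptions.

```python
"""Added example: reconcile network discovery output against an ITAM inventory."""
import re
from collections import Counter

# Constructed ITAM records: UID (MAC) -> (device type, location, lifecycle state).
ITAM_INVENTORY = {
    "00:11:22:aa:bb:01": ("smart-bulb", "HQ-floor2", "assigned"),
    "00:11:22:aa:bb:02": ("smart-bulb", "HQ-floor2", "assigned"),
    "00:11:22:aa:bb:03": ("smart-tv", "HQ-lobby", "retired"),
    "00:11:22:aa:bb:04": ("laptop", "HQ-floor1", "available"),
}

# Constructed discovery output; scanners report MACs in mixed formats.
DISCOVERED = ["00-11-22-AA-BB-01", "0011.22aa.bb03", "00:11:22:AA:BB:99", "not-a-mac"]


def normalize_mac(raw):
    """Return a lower-case colon-separated MAC, or None if the value is malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, discovered):
    """Compare what is on the network with what the ITAM database says is owned."""
    known = set(inventory)
    seen, malformed = set(), []
    for raw in discovered:
        mac = normalize_mac(raw)
        if mac is None:
            malformed.append(raw)  # keep for review instead of dropping silently
        else:
            seen.add(mac)
    return {
        # Connected, but never recorded as an asset.
        "unknown_on_network": sorted(seen - known),
        # Recorded as retired, yet still connected.
        "retired_but_online": sorted(
            m for m in seen & known if inventory[m][2] == "retired"),
        # Recorded as assigned, but discovery did not see it.
        "assigned_not_seen": sorted(
            m for m in known - seen if inventory[m][2] == "assigned"),
        "malformed": malformed,
    }


def owned_by_type_and_location(inventory):
    """Count assets per (type, location) instead of tracking each bulb alone."""
    return Counter((dev_type, loc) for dev_type, loc, _ in inventory.values())


if __name__ == "__main__":
    for finding, items in reconcile(ITAM_INVENTORY, DISCOVERED).items():
        print(finding, items)
    print(dict(owned_by_type_and_location(ITAM_INVENTORY)))
```
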

Conclusion

The good news so far is that Skynet is not yet self-aware which, if you are familiar with the movie Terminator, signaled the beginning of the rebellion against humans. We might not be facing a threat from intelligent interconnected computers waging war on the human race; however, we do face threats from other countries, criminals, and terrorist factions. Computer systems as well as all their connected devices could be used against us if compromised by someone with malicious intent. IoT will force a fundamental change in how security is implemented by making inventory control and knowledge about the presence of connected entities a priority security requirement.

 

-follow me on Twitter @marcelshaw

ITAM vs CMDB – Choose the Right Tool

This year, I decided to make some landscaping changes around my property. I have been repairing fences, planting new gardens, and pulling up trees in my efforts to meet the landscaping goals I set. Throughout the process, I learned I do not own the correct tools for many of the tasks I intended to complete. On several occasions, I have improvised using tools in my possession instead of purchasing the recommended tools. For example, I wonder if I should have purchased and used a chain saw to cut down a tree, or was the hand saw I currently own sufficient? And will it continue to be efficient? Only time will tell, but I do fear the outcome from some of my decisions.

To CMDB or Not to CMDB?

For IT asset management and support, ITIL and ITAM provide guidelines for best practices. ITSM and ITAM software are tools that manage and support IT assets and their configuration. An ITSM Configuration Management Database (CMDB) is a tool that documents an IT asset, much like a software tool that provides ITAM functionality. It is important not to confuse the different objectives of the CMDB and ITAM software tools.

  • ITAM objectives focus on managing an IT asset’s overall cost, including ownership, associated contracts with asset lifecycle, warranty, and refresh information. ITAM focuses on IT assets from an organization’s financial perspective.
  • Configuration Management objectives look at IT assets from an operational and support perspective. Asset availability and stability impact an organization’s day-to-day operations, so assets need to be documented along with their configuration and service offerings.

Although the objectives of ITAM and Configuration Management are different, one could argue that the CMDB could easily be used as a tool that can store both discovered ITAM data and Configuration Management data. This is similar to my landscaping question about using a hand saw versus a chain saw to cut down a tree. Is there a difference? Is one more effective than the other, or is the additional tool worth the expense? Regarding ITAM and the CMDB, consider the following three questions:

  1. Can I use the CMDB to store all my ITAM data?
  2. If the CMDB stores ITAM data, would asset reports improve since they are coming from a single database?
  3. Would it be more efficient to use a single database versus two separate databases to manage IT assets?


To answer these questions, I faced off with Patricia Adams, a recognized ITAM industry expert, so that we could provide two different perspectives for each question.

Can I use the CMDB to store all my ITAM data?

 Red Glove

Marcel Shaw:

The answer is yes, considering most ITSM solutions available today can be configured to store all IT asset data in the CMDB. Be aware that extensive modifications would be required to meet ITAM requirements. Asset properties that ITAM requires would need to be added to the CMDB. The CMDB does not provide discovery capabilities, so be sure to build connectors or integration to external IT asset discovery tools so that IT asset configuration information is discovered and current in the CMDB database. Also, you would need to create IT asset manager roles in the ITSM solution, with appropriate rights to the CMDB for the ITAM administrators. Managing ITAM data in the ITSM solution could make it easier to build and manage request fulfilment processes.

Blue Glove

Patricia Adams:

Data Overload or Data Overlord?

Putting too much data into a CMDB that might be unrelated to the business problem you are trying to solve or customize, for example, mapping a business service into the CMDB, could eventually lead to a costly and massive database. The greater the depth of information that is stored, the greater the complexity to manage the data; in other words, going into the weeds on the data will require more time, effort, and human resources in order to maintain the integrity of the data. It can’t be a trusted source if it isn’t accurate. With many people maintaining and making changes to the data, there is a risk that unapproved changes will happen and it might be to business-critical CIs. Limiting the amount of data will also limit the number of people that can make changes to the data, thereby maintaining the integrity.

 If the CMDB stores ITAM data, would asset reports improve since they are coming from a single database?

Red Glove

Marcel Shaw:

Adding detailed IT asset information to the CMDB allows for comprehensive reporting. Creating reports using a single database could make it easier to build IT asset reports. A CMDB offers IT asset relationship information such as configuration, change risk, and impact analysis, whereas a typical ITAM solution generally focuses on peer, parent, and child relationships of an IT asset. If the CMDB stores and manages all ITIL and ITAM asset relationship information, building reports that show IT asset relationships from a single source may be easier and less expensive than building reports using multiple databases. Building reports from multiple data sources can be difficult and may require additional knowledge and training. However, as I stated in my previous answer, extensive modifications to the CMDB would be required to achieve such a goal.

Blue Glove

Patricia Adams:

Reporting Overload! There is a natural tendency to want to consolidate information as much as possible. Nobody wants to log into multiple tools to get an answer to a simple question. However, when there is too much data stored in a CMDB, it becomes difficult to report, sort, and interpret the data. If you wanted to create a constituency of people that look at the same data, an extract would need to be created. This extract might be an XLS file or a mini data mart, depending upon the number of configuration items (CIs) in your CMDB. When running a report, take into account the last time the database was updated with current changes to ensure there isn’t any latency in the data. By putting too much data that might be irrelevant to relationships or business services, you risk overloading the viewers or users of the data with unnecessary information.

Would it be more efficient to use a single database versus two separate databases to manage IT assets?

Red Glove

Marcel Shaw:

Depending on the size of the organization and the number of ITAM processes that need to be configured, the CMDB can be a cost-effective alternative, providing a simplistic asset management solution. Customization would need to be added to the CMDB, which may be expensive. After applying ITAM capabilities to the CMDB, it would be unlikely that an organization would have a complete ITAM solution. This type of IT asset management may be sufficient for a smaller organization; however, the CMDB would need to be modified so it could handle contract, financial, and lifecycle information. Furthermore, ITSM processes would need to be modified or added to provide ITAM process functionality. Adopting this strategy could benefit an organization because they would not have to purchase a separate software solution nor would they have to train employees how to manage an additional product.

Blue Glove

Patricia Adams:

Use the Right Tool for the Job

Many organizations want to centralize their information in a single source of truth, but that source might not be the best place to store the data. For example, some organizations want to put contracts, process guidebooks, and policies into their CMDB. By keeping data in a tool that specializes in that function, you can ensure that the functionality is designed to store attributes of information about that item in a reasonable form.

Contracts should be stored in a database that allows you to image them, pull out key dates, create workflows, and associate them with cost centers or groups. This would be either an IT asset management tool or a contract management system. CMDBs are not designed to support this level of detail without extensive customization. Selecting the correct domain tool for the data and then linking or integrating it to the CMDB can ensure that you are not trading off functionality for centralized convenience.

Summary

IT organizations tend to agree that IT asset management is critical for success; however, the way assets are managed varies along with the management tools that are used. Most people I speak with seem to agree on one point: we can do better when it comes to IT asset management. Patricia and I would love to know how your organization manages IT assets. If your organization is either limiting or not limiting the data that goes into a CMDB, please contribute a comment and tell us your approach to configuration and asset management.

Contributors to this Blog:

Co-Authored by Patricia Adams

Graphic by Nicole Shaw @nshaw1991 (copyright)

Edits by Carrie Shaw @carrieshaw and Chase Christensen @chasechris8 >> THANK YOU!!

Five Steps to Build an Efficient ITAM Process

Sixteen years ago, I took my first business trip to Europe. After two weeks of customer visits I returned home and proceeded to do my expense report. Back then, I had to itemize my expenses using a spreadsheet and then submit all the original receipts, along with the spreadsheet, to our office administrator. She would then mail them to our headquarters located 2,000 miles away. Typically, within two weeks I would receive a check in the mail reimbursing me for business expenses.

On this particular occasion, our headquarters claimed they did not receive my expense report. Was it lost in the mail? I know I gave it to the administrator and she claims she sent it to our headquarters. My company quickly resolved the matter by sending me a check; however, the missing expense report was a mystery for quite some time.

A year later, I received a large check in the mail for business expenses. After looking at my records, I realized the amount of the check was the same amount I had received the previous year from my trip to Europe. The new office administrator found the lost expense report that had fallen behind a desk, so she submitted the expense report through the normal process. The accounting department at headquarters processed the expense request, unaware they had already paid for these expenses the previous year.

Why did this process fail?

  • The process was manual
  • The office administrator had been replaced
  • The expense process did not plan for exceptions, so accounting had no method in place to be alerted of a duplicate expense request

An important part of ITAM is the process that manages the lifecycle of an IT asset. The objective is to track an IT asset from the time it is purchased until it is retired. Patricia Adams, a Research Director for Gartner, once stated, “ITAM depends on robust processes, with tools to automate manual processes. This data then enables organizations to effectively manage IT assets, vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance throughout its life cycle.”

In a blog I wrote last year, I defined a three-tiered approach to asset management. I defined ITAM process management to be the third tier in an IT asset management solution. Be sure to understand tier one and tier two before taking on tier three. You will find that discovery and data intelligence are required to build effective ITAM processes. When built properly, automated ITAM processes will enforce your IT asset management procedures and policies.

Gartner defines an ITAM process as follows:

“IT asset management (ITAM) entails collecting inventory, financial and contractual data to manage the IT asset throughout its life cycle. ITAM depends on robust processes, with tools to automate manual processes. Capturing and integrating auto-discovery/inventory, financial and contractual data in a central repository for all IT assets enables the functions to effectively manage vendors and a software and hardware asset portfolio from requisition through retirement, thus monitoring the asset’s performance throughout its life cycle.”

5 Step Process

To build an efficient ITAM process, I recommend 5 steps in the following order.

  1. Understand the procurement process
  2. Define the lifecycle
  3. Solicit input and feedback from each department
  4. Define and build the process
  5. Test and adjust the process

Understand the Procurement Process

IT asset management begins when the asset is purchased. Many organizations do not begin to track an asset until it hits the network. This is poor asset management. IT assets should be documented in an ITAM database as soon as they are purchased. Do you purchase from resellers, direct, or even from the local store? How do you pay? Do you finance, use a credit card, or make an electronic payment? Do you purchase from an existing contract? To build an efficient ITAM process that tracks an asset from the time it is purchased, you need to know from whom you purchase and how you purchase all your IT assets.

Define the Lifecycle

An IT asset will go through different stages in its lifecycle. For example, a laptop might be purchased, shipped, received, available, assigned, and retired.

Laptop Lifecycle

To build an efficient ITAM process, define the different stages of the lifecycle according to the asset and have the process change the lifecycle property when needed. For example, when a laptop is assigned to a user, have the process change the state of the asset from ‘available’ to ‘assigned.’ This will help to identify where the assets are in the process at any time.

Solicit Input and Feedback from Each Department

DO NOT force automated processes on employees outside of the IT department without their feedback and suggestions if you wish to be successful with your automated ITAM processes.


Unlike other IT projects, IT asset management touches everyone in the organization. Typically the people in IT evaluate, recommend, and purchase IT solutions with little input from other departments; however, ITAM processes will affect all departments such as HR, Legal, Finance, Sales, etc. It is important to solicit input from each department when designing your ITAM processes, especially if you will be automating any of their manual tasks.

Define and Build the Process

To define the ITAM process, use a whiteboard or a tool such as Visio to outline your process. Define ‘users’, ‘groups’, and ‘roles’ that will be assigned tasks in the process. For example, a purchase request for an IT asset may need to be authorized. Define a role or group with the power to ‘authorize’ in the process. Avoid assigning users to any task within a process since users often change their roles. Only assign users to ‘groups’ or ‘roles’ when building an ITAM process.

Choose an ITAM software solution that will help you meet your automation objectives. Be sure the solution can integrate with other databases including your ITSM solution. Furthermore, choose an ITAM solution that enables you to build B2B connectors so that you can directly connect and build automated processes with external partners.

Finally, prepare and plan to manage exceptions in your ITAM processes. For example, if someone purchases an IT asset on a credit card, instead of using the request portal, how do you plan to bring that laptop into the existing ITAM lifecycle process?
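The lifecycle stages, role-based task assignment and exception handling described in the last two sections can be combined in one small process model. This is an added example, not code from the original post or from any ITAM product; the role names, serial numbers, purchase-order numbers and the choice to start an off-portal purchase at 'received' are assumptions.

```python
"""Added example: an asset lifecycle with role-gated transitions and exceptions."""

# Stages from the laptop example; each transition names the ROLE allowed to
# perform it, never an individual user (role names are assumptions).
TRANSITIONS = {
    ("purchased", "shipped"): "procurement",
    ("shipped", "received"): "receiving",
    ("received", "available"): "asset-manager",
    ("available", "assigned"): "asset-manager",
    ("assigned", "retired"): "asset-manager",
}


class ProcessError(Exception):
    """Raised when a requested lifecycle change breaks the process rules."""


class AssetRegister:
    def __init__(self, role_members):
        self.role_members = role_members  # role -> set of user names
        self.assets = {}                  # serial -> asset record
        self.exceptions = []              # items queued for manual review

    def intake(self, serial, po_number=None):
        """Register a purchase; a repeated serial is queued, not processed twice."""
        if serial in self.assets:
            self.exceptions.append(("duplicate-intake", serial))
            return False
        if po_number is None:
            # Bought outside the request portal (for example on a credit card):
            # the device is already in hand, so it joins the lifecycle at
            # 'received' and is flagged for review (design assumption).
            self.exceptions.append(("no-purchase-order", serial))
            state = "received"
        else:
            state = "purchased"
        self.assets[serial] = {"state": state, "po": po_number, "history": []}
        return True

    def transition(self, serial, new_state, user):
        """Move an asset to new_state if the step exists and the user holds the role."""
        asset = self.assets.get(serial)
        if asset is None:
            raise ProcessError(f"unknown asset {serial}")
        role = TRANSITIONS.get((asset["state"], new_state))
        if role is None:
            raise ProcessError(f"{asset['state']} -> {new_state} is not a defined step")
        if user not in self.role_members.get(role, set()):
            raise ProcessError(f"{user} does not hold role {role}")
        # Record who acted and under which role, so staff changes stay auditable.
        asset["history"].append((asset["state"], new_state, user, role))
        asset["state"] = new_state
        return new_state


if __name__ == "__main__":
    # Constructed users and assets.
    reg = AssetRegister({"procurement": {"ana"}, "receiving": {"raj"},
                         "asset-manager": {"lee"}})
    reg.intake("LT-001", "PO-1001")
    reg.intake("LT-001", "PO-1001")   # duplicate request is queued for review
    reg.intake("LT-002")              # credit-card purchase, no purchase order
    print(reg.transition("LT-001", "shipped", "ana"))
    print(reg.exceptions)
```
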

Test and Adjust the Process

Always test the process before soliciting feedback from each department. Make adjustments based on the feedback, then retest as needed. In large organizations, it is recommended a pilot group be created with representatives from each department. Test and retest with the pilot group before rolling out the processes to the entire organization. Be sure to properly train anyone who might be assigned a task from the process. For example, someone who authorizes the purchase of IT equipment needs to be comfortable performing that task prior to rolling the ITAM processes out to everyone.

Summary

The time it takes to actually build an ITAM process using available software solutions is minimal compared to the time it takes to understand and design the ITAM process. Be sure to dedicate resources and time during the design phase. Keep processes simple in the beginning to ensure success. Most importantly, measure ROI after implementing ITAM processes by showing before and after data analytics. ITAM processes will save your organization a lot of money; however, this is only evident if measured and reported.