Tag Archives: ITAM

Why is Change Management Critical for Software Asset Management?

Early in my career, I often traveled to work with our customers. I remember one trip that required me to visit several cities in just four days. Before embarking on that trip, I remember calling a travel agent to make a change to the first flight of that trip. The travel agent was inexperienced because he made the change exactly as I had instructed.

To my surprise, the change that the travel agent made to the first leg of my flight caused the airline to cancel the flights I had scheduled for the entire trip. Why, because on most airlines, a change to the first segment of a trip requires the entire trip to be cancelled, and then the tickets have to be re-issued. Unfortunately, I lost all the discounts from my original ticket because my discounts were based on a seven day advance purchase.

As a result, I had to find another airline with cheaper flights, rearrange several of my appointments, and stay an extra night in a hotel. An experienced travel agent would have advised me of the consequences of my change request if it were to be granted. If I had been advised properly, I would not have made the change based on the additional costs that were to be incurred. Although some changes seem simple, they can have unintended consequences without the required expertise.

When audited, many organizations are required to pay thousands, and in some cases millions of dollars for violating software license agreements. Configuration changes and software updates are often to blame when an organization is found to be out-of-compliance with their contracts. For that reason, it is important that organizations consider software license contracts as part of their change management process.

Change Management

IT changes made within an organization are typically done to improve performance, and ultimately to save money. However, IT changes can also have unintended consequences that have a reverse affect, resulting in additional expenses as did the change to my flight. Change management is important for IT because it formally manages ongoing transitions from a current configuration to a future configuration.

Gartner states that “Change management is the automated support for development, rollout, and maintenance of system components (i.e., intelligent regeneration, package versioning, state control, library control, configuration management, turnover management, and distributed impact sensitivity reporting).

A change management request first requires detailed information about the future configuration to be submitted, then the configuration details to be reviewed by a change advisory board.

Change Advisory Board (CAB)

A change advisory board (CAB) supports IT personnel or a “Change Management Team” by reviewing change requests that have been submitted. After reviewing a change request, the CAB will either approve or deny the request.

The CAB is generally a team of representatives from various departments as well as people that have a specific expertise.

Because a configuration change can have an effect on employees and/or business processes, many organizations require a CAB to review all change requests in order to protect cost, risk, and revenue.

Software License Management Challenges

According to Gartner, “Optimizing complex licenses manually is labor-intensive; it requires specialized knowledge and does not scale. Larger enterprises will need a SAM tool. A SAM tool can automate, accelerate, and improve manual processes. It can pay dividends over manual alternatives, and can often pay for itself.”

Software license contracts are difficult to understand. For example, IBM releases over 3,000 license changes a year and they have over 100 license metrics. Some IBM products have up to 5 or 6 different license metrics depending on what a customer has purchased. The challenge many organizations face when managing software licenses is that they do not have a good understanding of their software license contracts which is required when using a Software Asset Management (SAM) tool. For this reason, it is important that change management requests are reviewed by a software license expert.

In the scenario above, Sally makes a request for change (RFC) to add a new partition to a server. After the RFC is reviewed by the CAB, the change is approved and then scheduled.

Following the change, a software audit is performed and the organization is found to be out-of-compliance with their contract based on the new partition that was added to the server.

How did this get past the CAB?

The CAB did not have the proper expertise required to make an evaluation about how that change would impact the software license agreement.

Add a License Expert to the Change Advisory Board (CAB)

To avoid unnecessary costs resulting from a software audit, organizations need to have a software license expert on the CAB.

Many organizations struggle when it comes to finding the expertise required to evaluate software license impact. For this reason, it is important to consider hiring a third-party with the proper expertise for the CAB. Although this is an additional expense for an organization, it will help avoid additional costs that come from being out-of-compliance with a software license agreement.

Conclusion

A change management process that requires software license contracts to be considered for every change request can help organizations avoid unnecessary costs resulting from a software audit. However, much like an inexperienced travel agent incurred additional costs for my trip, an inexperienced license expert on the CAB might approve changes that could incur more costs simply because they do not understand their software license agreements and the impact of the RFC. Be sure to hire or partner with the expertise required for evaluating software license contracts.

-follow me on Twitter @marcelshaw

Five Reasons the Data Center needs Software License Optimization (Part-1)

Many years ago, I supported document management software used primarily by legal firms. The software provided attorneys with the ability to quickly access legal documents on the network. The software included intelligent searching capabilities, powerful reporting features, and version control for thousands of documents on a local area network. The capabilities we provided boosted the efficiency of legal departments and law firms all over world.

Although we provided a great software package that supported legal departments everywhere, the software alone was useless without the expertise of a legal expert or an attorney. When organizations need legal expertise, they hire legal experts. They don’t rely on legal software alone to handle legal matters.

Hire the Right Experts

When taxes are due, tax accountants are hired or subcontracted versus relying solely on a tax software solution. Software vendors that audit their customers typically employ software license experts along with software tools to perform the audit.

Regarding software license management, I am amazed how many organizations still do not employ or contract with  software license experts in addition to software optimization tools for software license management in the datacenter.

Software audits are on the rise because software vendors are realizing that audits can generate revenue, and that customers are not investing in software license management solutions or experts.

As long as there are organizations that are non-compliant with their software license agreements because of poor license management, software vendors will continue to find software audits to be profitable.  

In a gated Gartner report published May 28, 2014. Gartner claimed: “Tracking license entitlement has become a priority for many organizations as a means to alleviate the anxiety caused by annual software vendor audit. Gartner has seen an exponential increase in the number of contracts it has received from customers looking to purchase an SLOE tool during the past nine months. We don’t expect this trend to slow down…”

It is not practical to rely on IT managers to manage software licenses in the data center unless they have licensing expertise. This would be like having an accountant with very little legal expertise represent the organization in a lawsuit accusing executives of misappropriating funds. Although the accountant could provide the information required to defend against the accusation, the accountant would not have the required expertise to handle legal process, legal negotiation and most importantly, knowledge of local applicable laws.

Here are five good reason’s every organization should consider implementing an efficient software license optimization solution in the datacenter:

  1. Complex License Variations
  2. License vendors make changes which can affect licensing
  3. Technology alone is not able to correctly calculate most server licensing
  4. Market expertise required – Having the right people with the right knowledge
  5. Software Audit Protection

Part 2

In the second installment of this two part series, I will discuss complex license variations, market expertise, software audit protection, and how software licensing can be affected when configuration changes are made in the datacenter.

 

-follow me on Twitter @marcelshaw

Rise of the Chief Data Officer (CDO) and the Impact to ITSM

Within the IT organization, different entities often fight for control and resources to support their objectives. For example, IT security personnel might ask for more control by taking away rights from end users, while IT support services objects to the request for fear of increased call volumes. Furthermore, with limited budgets, resources are limited, making it difficult to support IT projects for each department. However, executives have to make decisions, leaving some IT projects unfunded.

Unfortunately, too many executives make decisions based on intuition instead of readily available data. This endangers the future of many organizations. In a gated report, Gartner predicts “through 2020, over 95% of business leaders will continue to make decisions using intuition, instead of probability distributions, and will significantly underestimate risks as a result.”

Intuition can be dangerous to an organization. For example, the evolution of Netflix over the past decade was a result of a series of decisions that were made based on the available data as well as some predictive analytics. The data they analyzed indicated a decline in store rentals, an increase in future bandwidth capabilities, and a generation (Gen Z) that expected “instant gratification.” Those who ignored the data did not understand what customers wanted, what future customers would expect, and the technology that would be available to meet customer expectations.

Many companies used “intuition,” to project that people would not want to abandon the local store experience. Today, those companies are nowhere to be found.

Who is the CDO?

Many organizations are realizing the value of their data so they are beginning to treat their data as a company asset; hence, the rise of the Chief Data Officer (CDO). The new executive CDO role is responsible for exploring how to use the organization’s data for its benefit. The CDO role will require this executive to have market and industry knowledge with a “technical” understanding of the organization’s data.

Gartner claims that “the race to drive competitive advantage and improved efficiency through better use of information assets is leading to a sharp rise in the number of chief data officers (CDOs). As a result, Gartner predicts that 90 percent of large companies will have a CDO role by the end of 2019.”

CDO responsibilities will more than likely vary across different organizations; however, we should expect the role will include data governance, data analytics, and data technology. Data governance responsibilities include setting standards and consistent processes to ensure the consistency, accuracy, security, and availability of the data. Interpreting data using data analytics from business intelligence tools will be a critical part of the CDO role as well as choosing the best software tools that support the organization’s objectives.

How will the CDO impact IT Service Management?

The CDO will play a large role in how the IT service management organization and software is structured and integrated with other software tools. Analytics and metrics provided by ITSM reports will provide critical information that will help the CDO determine risk to the organization when new software tools, new processes, and new policies are implemented.

The data provided from the ITSM tools and reports is important when setting IT strategy and defining IT architecture. ITSM reports help organizations make informed decisions when choosing software and hardware to support the objectives of the organization.

For example, if an organization decided to change from PCs to tablets on a project supporting one of the business units, a pilot program would ensure the objectives of the project are met. ITSM reports and metrics are important when analyzing data to determine the costs required to support the proposed solution.

ITSM reports and metrics will provide CDOs with the information they need in order to make informed decisions, avoiding the need to guess or use intuition to set objectives for future IT strategy and related IT projects.

Summary

Data provided from IT service management reports and metrics will be vital information for the CDO as he/she defines strategy for new technology, process, policy, security, and IT architecture. ITSM managers should expect the CDO role to have a direct impact on how IT service management will be implemented, delivered, measured, and most importantly, integrated with other IT solutions within the organization.

-follow me on Twitter @marcelshaw

Five Future Technologies to Watch for IT Service Management

As technology advances at such a rapid pace, many IT solutions become outdated very quickly. If organizations want to stay competitive and up-to-date with current technology, they need to stay informed about future technologies or their current solutions become quickly outdated . With regards to IT service management (ITSM), here are five technologies to watch that impact ITSM solutions in the future:

    1. Internet of Things (IoT)
    2. Security and Compliance
    3. Security Broker Authentication
    4. Predictive Analysis
    5. Virtual Reality

 

Internet of Things (IoT)

We will see an impact to ITSM solutions from IoT in two areas, CMDB and ITAM. To support IoT, ITSM processes and tools need the ability to integrate into IoT APIs.

Network systems and applications are typically provided access with Identity and Access Management (IAM) technology; however, IAM would be overwhelmed with the relationship and access demands required by IoT. Therefore, the Identity of Things (IDoT), which is an extension of IAM applies a unique identifier (UID) to IoT devices. This allows you to control relationships and access between the IoT and other entities inside and outside of your organization.

Gartner says, “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.”

Without proper tracking of IoT devices and their configurations, it is difficult to apply security policies. ITAM and a CMDB will be critical for tracking the influx of IoT devices that are expected to hit company networks over the next several years.

Security and Compliance

Security is the number one priority in most organizations; however, not all organizations have integrated their security with IT service management processes. ITIL security management defines best practices when planning, controlling, analyzing, and maintaining security policies and processes to protect sensitive data.

A solid padlock securing the data paths of a circuit board. White Background.

It is important to build processes that integrate security management into change management processes if organizations are looking to minimize risk in the future. Over the next few years, IT organizations should expect to see more integration capabilities from their ITSM solution providers, which will allow them to integrate their security tools.

Security Broker Authentication

As IT solutions move into the cloud, many organizations will implement a cloud access security broker for authentication.

2016-09-16_8-08-31

Cloud Access Security Brokers (CASBs) can be on-premises or cloud-based. CASBs enforce security policies prior to allowing access to cloud resources.

Gartner says, “By 2018, 50 percent of enterprises with more than 1,000 users will use cloud access security broker products to monitor and manage their use of SaaS and other forms of public cloud.”

IT service management need to be prepared to support those having difficulty accessing the organization’s cloud solutions using CASBs

Predictive Analysis

In order to make informed decisions, it is important to understand current network service impact and costs. This is accomplished when current data as well as historical metrics are analyzed in order to predict future behaviors or to understand unknown events.

Predictive Analysis helps IT service organizations distribute workloads based on data from multiple sources.

Many ITSM software solutions are expected to add predictive analytics capabilities to their service management solution; however, these features are not useful if the IT organization does not have the expertise required to understand the data provided by these tools. IT organizations should consider employing a data scientist if they want to take full advantage of all the data and metrics that IT service management tools will soon deliver.

Virtual Reality

Virtual Reality (VR) solutions could soon work their way into the IT business environment. Knowledge management is a challenge for many organizations. In the near future, don’t be surprised to see IT organizations flirt with VR technology as they advance their employee training services.

Double exposure of man wearing virtual reality headset

Research and Markets believes that the industry will see over 60% growth every year for the next five years, transforming it from a fringe technology enjoyed by the techy few into a major medium for gaming, entertainment, and business.

VR could one day become a component of your Knowledge Management offering if the technology is retrofitted and accessible via an ITSM self-service portal.

-follow me on Twitter @marcelshaw

Three Keys to an Efficient ITSM Self-Service Portal

Traveling can be quite stressful, especially when visiting unfamiliar places. Many years ago, when I rented a car, I would ask for a map and directions. Even though I had a map, I always seemed to get lost in unfamiliar places. Sometimes I misunderstood the directions I was provided, and sometimes I was given poor directions.

GPS technology simplifies the process of getting you to your destination because it has the ability to pinpoint your location. With GPS technology, it is almost impossible to get lost, even in the most unfamiliar places.

When IT Service Management organizations design efficient self-service capabilities for their customers, it is much like providing GPS capabilities to someone who is looking for directions. When customers are provided the ability to solve their own IT problems, or to make a request without soliciting the help of another person, they will have a better experience. Self-service improves customer satisfaction while reducing IT service management costs.

When building self-service capabilities for incident resolution and request fulfillment capabilities, it is important to have three key building blocks for an efficient ITSM self-service portal.

  1. Knowledge
  2. Automation
  3. Asset Management

Knowledge

Empowering your customers with relevant information in a self-service portal is critical. If customers do not trust the knowledge provided, they will not use the self-service portal. An app using GPS technology not only provides directions, it provides additional relevant information about surroundings such as restaurants, gas stations, and hotels. Like a GPS, a self-service portal needs to display relevant information to the customer through the self-service portal.

Knowledge provided to customers in the self-service portal should include the ability to search for an answer to a question. Known issues should be easily obtainable along with instructions for a resolution.

Self Service Portal1

Create a ‘How-to’ section on the portal. How-to knowledge will reduce support calls. If customers are calling to ask the same question about a specific task, create a ‘How-to’ knowledge document. For example, if customers often call support to have someone assist them through the task of connecting their phone to the wireless network, create a ‘How-to’ document and post it in the ‘How-to’ section of the self-service portal. Use pictures where possible to show the customer what to do.

Consider adding a social media component to your self-service portal. Much of the information we get today comes through social media. As customers learn tips and tricks, they will post their findings for other customers to see.

Be sure to monitor the knowledge information provided to keep it fresh. If the knowledge provided by the self-service portal is not helpful to the customers, they will not trust the content. If they don’t trust the content, they will not use the knowledge database. The result will be more calls to the support analysts.

Automation

Automating redundant tasks will reduce costs and minimize errors. Analyze your incidents to find the most common issues.

Self Service Portal 4

If possible, create an automated process to resolve common issues such as a password reset. For example, when someone forgets their password, have an automated task verify the person’s identity, then allow that person to reset the password. Meanwhile, the process can log an incident as opened then resolved without intervention from an analyst.

Self Service Portal 5

When providing catalog services to your customers, automate request fulfillment through the self-service portal. For example, a request for software that requires a license might need a manager’s approval. The request process can be automated to notify the manager of the request. When approved, the software will automatically install to the customer PC.

Asset Management

Automation in conjunction with asset management will enable your self-service portal to manage and track IT assets that are requested by the customers. For example, if a customer requests a laptop, integration with an asset management database allows you to verify if the asset is currently available.

Self Service Portal 2

Connect self-service hardware requests to IT asset management procurement processes, if possible. If an asset is not available, automated processes can facilitate a purchase request with minimal intervention from the analysts.

For software, create automated processes that will facilitate the automatic delivery and installation of the software package. Use asset management to track the software license. Map the software license to the customer in addition to the location of the device. Software license tracking will insure the organization is prepared in case of a software audit.

-follow me on Twitter @marcelshaw

Three ITSM Projects for Your Five-Year Plan (Part 3 of 5): Asset Management

When I call my bank for assistance, an automated recording helps direct me to the right person. Recently, I have noticed an increase in ‘intelligent’ automated telephone assistance where the system tries to resolve my issue without ever sending me to an actual person. In my opinion this is more annoying than it is helpful. I usually end up saying “operator” over and over until I can speak with a person.

What I believe to be most helpful is when I call for assistance and the automated system recognizes me by my phone number. When IT service management solutions are able to map IT devices to their owners, service analysts can quickly determine what devices the customer has within seconds. Furthermore, integration tools can be implemented giving the analyst the tools to resolve issues remotely.

To properly map IT assets, make IT asset management one of your ITSM projects. All organizations that are dependent on technology should have IT asset management. Be sure to use ITAM principles when defining your requirements.

Also, it is important to understand there are two components to managing IT assets, Configuration Management (CMDB) and IT Asset Management (ITAM). Gartner defines the difference in a report titled ‘Configuration and ITAM Intersect in the IT Service View CMDB’.

2015-12-07_22-40-42

A CMDB is an important component of an ITSM solution; however, I am assuming that most organizations are using a CMDB. If not, then it might be a good time to start.

ITIL defines service management processes while ITAM defines asset management processes. Good ITIL practices suggest that you build a CMDB to track and manage configuration settings on IT assets that you support. Use ITAM processes to manage and track the lifecycle of IT assets.

Three Reasons to Build an ITAM Solution into ITSM

  1. IT Asset Mapping
  2. Request Fulfillment
  3. IoT

IT Asset Mapping

ITSM solutions can benefit by saving time and money when asset information is easily available to the analysts supporting their customers.

An ITSM solution should be able to tell you what your customer is using when they call for support. A verbal discovery process wastes valuable time. By mapping the IT assets to the person using the asset, the analyst will immediately be able to see hardware IT assets, software assets, software version, accounts, and warranty expirations.

Request Fulfillment

Many IT organizations are working towards automating tasks and processes that are redundant, such as ordering and assigning IT assets. For example, if somebody needs specific software to accomplish a task, an automated request and automated software delivery process can eliminate the need for an analyst to spend time fulfilling the software request. IT asset management would be required to properly track the software entitlement in order to protect the organization from allocating more licenses than it owns.

IoT

Support will be required for non-traditional IT technology in the near future; however, there is not an immediate IoT project needed for ITSM solutions because IoT is not a mature technology yet.

In a post by Forbes, they wrote that ‘Gartner indicates that the providers of Internet of Things platforms are fragmented today, and would benefit greatly from cobbling together a better ecosystem where data is shared more broadly. This issue will persist through 2018, and IT departments will likely procure more one-off solutions as opposed to integrated webs of solutions that would serve them better. As IT leaders clamor for a better way, the change will come, says Gartner.

As IoT matures, there will be a natural progression towards using ITSM solutions to support IoT solutions.

Asset Projects 1

In this example, smart technology in a lightbulb at face value might seem trivial for IT to support. However, what happens when there are 1,000 smart lightbulbs attached to a central circuit with software that is able to turn lights on and off depending on when people are in the room?

Who will support the IoT software when it fails? I believe initial responsibility will be given to the IT service organization.

A good way to prepare for IoT as it matures is to build an ITAM infrastructure that can document and track IT assets.

Summary 

IT asset management is a project that many organizations have neglected to properly define and fund. With the influx of IT assets coming into the market, it is hard to imagine controlling inventory, software licenses, and ultimately security without a proper IT asset management system in place.

BrightTALK

On November 18th 2015, I gave a presentation via webcast on this topic for BrightTalk.

In part 4, I will discuss ITSM integration and automation.

-follow me on Twitter @marcelshaw

The Good, the Bad, and the Ugly ITAM & ITSM Reports – Can you tell the Difference?

I remember getting my report cards as a child. Report cards could be either good or bad, and sometimes they were just ugly. From an IT perspective, good reports, bad reports, and ugly reports are defined much differently.

At face value, a report can appear to be a good report. It might contain beautiful graphics in 3-D with beautiful colors highlighting important data relevant to the non-IT business managers throughout an organization. However, if the data in the report is inaccurate, irrelevant, or skewed, then you might not have a good report.

Reports are a way for ITSM and ITAM managers to add value to an organization. Reports should contain unbiased data that reveals a summary of IT’s performance and how that information translates into the non-IT business units. How can you differentiate the good reports from the bad reports? Are you creating ugly reports that need a makeover?

Good ITAM & ITSM Reports 

Do unfavorable results displayed in a report make it a bad report?

From an IT perspective, the report is only bad if it is inaccurate or irrelevant. For example, from an IT perspective, my bad report card would be a good report if the data is accurate. Unfavorable results often lead to positive change and progress. Good reports should point out areas for improvement.

Good ITAM and ITSM reports can show you favorable information which confirms that you are making the right business decisions, or unfavorable information that helps you identify areas for improvements. The key factors that make a good report includes data that is accurate, complete, and easy to interpret and understand.

Good reports can also build trust between IT managers and non-IT managers. If you provide just one bad report, you might lose trust from your non-IT business managers and from their perspective, all your reports will be bad reports. Trust is not easily gained and can be lost with a single bad report.

With good ITAM and ITSM reports, business executives will be able to make informed decisions regarding IT purchases and organizational structure. They will also see where investment is needed with regard to software and hardware tools, or employee training that might be required to reduce service calls.

Bad ITAM & ITSM Reports

Bad reports cannot be trusted. They either contain inaccurate data or they omit relevant data; therefore, giving you inconclusive or inaccurate results. To turn a bad report into a good one, the data in the database has to be analyzed. The database has to be normalized and contain the information needed to produce the results for the report.

Are the right people getting the right reports?

Bad reports might only be bad because they contain data that is irrelevant to the non-IT business manager receiving the report. Be sure to understand the objectives of different business managers within the organization. Align the reports to their objectives.

Are you biased?

Omitting relevant information or presenting it in such a way that the results are skewed or easily misinterpreted, results in bad reports. Be sure you are not trying to persuade the organization’s policy or decisions with skewed reports because of personal opinion or agendas.

For example, the helpdesk manager might not be meeting the SLAs that have been contracted by the organization, so he/she determines that more analysts are needed. However, a report might show the problem is something else, such as inadequate software tools or lack of training. Let the reports show the results without a personal agenda based on personal opinion. You might not like what the reports are showing, but that doesn’t make them bad reports. Skewed results make bad reports.

Bad ITAM and ITSM reports can lead to bad executive decisions. For example, if ITSM reports are not indicating why SLAs are not met, the decision makers might not be able to address the problem. Not addressing areas of improvement or success can lead to poor decisions which will cost an organization money.

Ugly ITAM & ITSM Reports 

Ugly reports are reports that have a problem communicating the message you want to convey. They might contain irrelevant data, unnecessary charts, data that needs to be interpreted, or too much data that clouds the message. The good news is that ugly reports can be modified. If you have the right tools, ugly reports can be turned into good reports.

Do you have to explain the report?

Ugly ITAM and ITSM reports are difficult for non-IT business managers to understand. For example, an ITAM software report might indicate that the organization purchased too many licenses of a software package based on a software usage report that shows only 10% of the employees are using the software. Although an executive might find this information to be troubling, the executive might not apply the appropriate urgency to the issue without a dollar amount included in the report. Showing cost, revenue, and risk to executives can turn an ugly report into a good report.

If you have to explain or interpret the results in your report to the non-IT business managers, you have an ugly report.

Suggestions for Creating Good Reports

  • Add data intelligence tools to your IT portfolio that allow you to normalize IT data and map IT data contained in your databases. This will help ensure the data you are providing to the reporting tools is accurate and relevant.
  • Choose the right reporting tools. The software tools you are using should never be an obstacle in creating a good and meaningful report. If the reporting tool is difficult to use, find something else.
  • Choose reporting tools that allow you to report from multiple databases so that you can cross reference your findings. Reporting tools designed to report on one software solution or database are not sufficient when creating Business Value Dashboards (BVDs).
  • Choose reporting tools that allow you to create meaningful dashboards; however, don’t overdo it. Avoid using animation or unnecessary graphics. Too much information makes an ugly report.

How To Choose a Chart

Summary

My advice for identifying good reports is as follows:

Some good reports are bad, some bad reports are good, and some reports are just plain ugly. So how do you determine the good, from the bad, from the ugly? As mothers have said for many generations, “It’s what’s on the inside that really counts.”

-follow me on Twitter @marcelshaw

Three Reasons You Need ITAM for the Internet of Things (IoT)

It was 1984, and I was off to the only movie theater in the town where I lived. The movie was called Terminator and although it was science fiction, the story line had an eerie ring of truth. It was about intelligent computers rising up and rebelling against its human progenitors . This movie introduced many of us to the concept of the internet 10 years before it started to become part of our lives.

Soon after we started connecting personal computers and laptops to the internet, smartphone and tablet technology took root and were mainstream by 2010. Today we are witnessing another major shift in technology with the Internet of Things (IoT).

Gartner forecasts that 4.9 billion connected things will be in use in 2015, up 30% from 2014, and is expected to reach 25 billion by 2020.

How do you choose what to manage and what not to manage for IoT?

With the increased amount of smart devices coming online, the question becomes what smart devices do we track and how do we track them? Many organizations are still figuring out how to implement ITAM with BYOD. Therefore, an ITAM solution for IoT might not be on the radar for many organizations; however, a strategy should be considered for the following reasons:

  • To control inventory
  • To control access
  • To provide security

Control Inventory

When assets are tracked, information about purchase dates, warranty, and lifecycle states help to control the inventory of the assets. Organizations have to decide which smart devices should be tracked using an ITAM solution. For example, should the ITAM solution track a smart light bulb? It might not make sense to track just one, but it could make sense to know how many smart light bulbs are owned and where they are installed.

Furthermore, if there is a software package that controls smart light bulbs, a relationship could be created linking the application to the light bulbs and to an associated software entitlement license. For IoT, I believe it is more practical to manage the contracts, licenses, and vendor information in the ITAM database versus tracking each smart device individually.

One could also argue that smart light bulbs are not considered IT assets and should be managed by facilities’ systems. However, the line between facilities and IT becomes blurred when smart light bulbs are controlled by an application that requires a software license.

Gartner states, “the IoT is not only about the introduction of different forms of networked devices into digital business moments; it is a transformational approach to viewing and implementing processing, analytics, storage and communications.”

Control Access

Relationship management is an important part of an ITAM strategy. Relationships are also very important in the context of IoT. Not only does an organization need to know which devices to connect to their systems, they need to control access between IoT devices and other IoT entities, IT assets, applications, and people.

 IOT

Access to systems and applications is provided using Identity and Access Management (IAM). However, traditional IAM solutions are not capable of dealing with the relationship and access requirements that come with IoT. Therefore, the Identity of Things (IDoT) is an extension of IAM that applies a unique identifier (UID) to IoT devices/objects, which allows you to control relationships and access between IoT and other entities inside and outside of your organization.

Gartner says that “IT asset management (ITAM) and software asset management (SAM) systems have traditionally managed IT and software assets of all types. The IDoT will assume some functional characteristics of ITAM and SAM within or integrated with IAM architecture, or be linked to ITAM as attribute stores.

Provide Security

The National Cybersecurity Center of Excellence (NCCoE) is addressing IT asset management for the financial services sector.

“An effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets are being used. ITAM will enhance visibility for security analysts, which will lead to better asset utilization and security.”

IoT security is an evolving endeavor to provide security to all devices connected to the internet. Security experts have warned of the potential risk of large numbers of unsecured devices connecting to the Internet since the IoT concept was first proposed in the late 1990s

Smart light bulbs in the home are a great way to save energy, and smart vacation settings turn lights on and off in different rooms to make it appear someone is home. Smart criminals, such as organized crime or cyber-criminals, could hack your system and learn your vacation programs, thus alerting them that you are on vacation. They could then sell that information to street criminals informing them of who might be out of town in that criminal’s area. From this example, it is clear that organizations need to apply security to IoT devices so that access is denied to unauthorized users, devices, and malware.

According to Proofpoint, more than 25 percent of the botnet was made up of devices other than computers, including smart TVs, a refrigerator, and other household appliances.

ITAM will provide inventory information to a security system. Without the inventory information, an organization might not be aware of existing connected IoT entities and their potential security risk. If you don’t have an inventory of all devices connected to the internet, then you don’t have a complete security solution. In my opinion, the lines between ITAM and security will continue to disappear; meaning, that one day, complete security solutions will not exist without an ITAM solution in place.

Conclusion

The good news so far is that Skynet is not yet self-aware which, if you are familiar with the movie Terminator, signaled the beginning of the rebellion against humans. We might not be facing a threat from intelligent interconnected computers waging war on the human race; however, we do face threats from other countries, criminals, and terrorist factions. Computer systems as well as all their connected devices could be used against us if compromised by someone with malicious intent. IoT will force a fundamental change in how security is implemented by making inventory control and knowledge about the presence of connected entities a priority security requirement.

 

-follow me on Twitter @marcelshaw