Enterprise IT Asset Management & SecOps
Sid Roy email@example.com
Scicom Infrastructure Services, Inc.
The following article provides an overview of enterprise IT Asset Management (ITAM) practices and their intersection with core Information Security (InfoSec) Security Operations (SecOps) processes.
Cyberattacks in 2021 have brought the secure lifecycle management of critical systems into focus. Some of the more newsworthy incidents include devastating and audacious attacks by various actors, including nation-state actors as well as unethical and criminal hackers.
The SolarWinds attack struck right at the heart of government and enterprise IT operations, which were victimized through a tool used to manage systems and network health – nefarious code and processes were hidden under the guise of high-quality, enterprise ISV software.
The Pulse VPN attack impacted many organizations – similar in fashion to SolarWinds, if not at the same scope of impact. Noteworthy victims of this incident include both civilian and non-civilian federal agencies:
The Colonial Pipeline incident, which is still occurring as of the time of writing of this article, demonstrated how virtual attacks have extreme real-world consequences, such as impacting and partially disabling fuel distribution and supply chain systems across the southeastern United States.
Put another way, IT leaders are very focused on solidifying their posture as it relates to the practice of regular updates of core business systems to account for several business requirements including:
One of the first steps in the journey to securing your enterprise’s most important and critical assets is a sound approach to IT asset management. IT asset management (also known as ITAM) is the process of ensuring an organization’s assets are accounted for, deployed, maintained, upgraded, and disposed of when the time comes. Put simply, it’s making sure that the valuable items, tangible and intangible, within your organization are tracked and being used.
Managing the full lifecycle of an IT asset is a fundamental technical practice as well as a business practice. It can be a complex process where accounting, security, technology operations and enterprise software all collide, with many stakeholders who have “ownership” or responsibility.
There are many depictions of the IT Asset Management Lifecycle. The graphic below provides a well-accepted model used by many organizations and vendors:
The actual processes within each lifecycle stage align well to conventional wisdom and a common understanding of how an asset enters an organization and is eventually decommissioned. Typically, complexity lies in the stages between acquisition and disposal. We provide a high-level overview of the lifecycle stages below. The key lifecycle activities:
This phase is vital to ensure the effective utilization of organizational assets and alignment of expenditure to purpose. It involves defining the requirement for an asset and enabling decision-makers to identify the need for the asset and the value it can add to the business, which typically arises from mapping it to a business requirement and then measuring the impact and value. This first stage of an asset’s life cycle is crucial for all stakeholders, from financial teams to operators. In many cases, the planning stage involves technical requirements analysis to ensure good alignment between the needs and the intrinsic features and functions of the target asset.
After the analysis has been performed during the planning stage, and an asset has been identified and selected, the next stage is to develop the onboarding plan for the asset and to commence the procurement process, that is, to purchase the asset. The “business case” for the asset, if not developed earlier, needs to be completed now to coincide with the acquisition process. This includes ensuring budget alignment as well as quantitative measurements of the value drivers and contributors of the asset to understand overall Return on Investment and multiyear Total Cost of Ownership. Once the asset is acquired and deployed, it can then be tracked throughout its entire life cycle by using an asset management system.
Once an asset has been acquired by the organization, various processes exist to integrate the asset within the environment. From an Information Technology standpoint, this typically involves installation and configuration exercises, which have a heavy impact from a SecOps standpoint further in the lifecycle. The asset must be integrated into the larger organizational environment; this can range from simply making the asset available for usage to a more involved process that includes physical infrastructure activities such as construction, as well as physical and logical configuration and set up.
With the asset now installed and integrated into the business environment, the next stage is operation and maintenance; the lengthiest, costliest and most involved phase of an asset’s life cycle. This stage indicates the application, usage and management of the asset, including any maintenance and repair that may be needed.
As the asset is now finally put to its intended use within the business, it is improving operations and helping to generate revenue. It is also aging, incurring wear and tear, and subject to obsolescence. Thus, the asset is now subject to upgrades, patch fixes, licenses, and audits. Due to the generally complex nature of enterprise IT compute and the ever-changing landscape of dangerous information security risks, assets will need to be regularly monitored and checked for any performance issues that could unexpectedly develop. This is when maintenance and repairs start to become a common occurrence and need to be sequenced into the regular operational cadence of the asset. The cadence can often become disruptive to the enterprise due to the structured nature of Change Management and the increased need for validation and regression testing to ensure that applying patches or updates has no negative impact on systems operations.
Maintenance approaches can vary from system to system and across industries. Some approaches are highly proactive and preventative in nature, which is generally the model adopted for information security. Other approaches are more reactive and wait for events to occur before action is taken, which is often the case for technology refresh situations that are driven by end-of-support notices rather than by taking advantage of more modern technology. But each maintenance strategy works towards, including:
Finally, at the end of an asset’s useful life – as a result of wear and tear, unacceptable security posture, obsolescence, lack of vendor support or simply a desire not to use the asset any longer – it is removed from service and either sold, re-purposed, or decommissioned, at which point it is effectively end of life.
Despite not being obvious – this stage has tremendous business value around culling of “at risk” or “unneeded” or “obsolete” technology. This is a major value to the organization. Often, organizations are plagued with infrastructure and technology that have long exceeded their useful or safe lifespan and are still in operation. Oftentimes, they are still supporting core business functions.
Regular review of the asset lifecycle through the lens of ITAM and SecOps will ensure that assets which are targets for retirement are identified well in advance and replacement approaches are given enough runway to germinate. It also provides for the proper planning of the asset disposal, whether by dismantling the asset piece by piece, wiping it clear of data, or complete destruction. Four fundamental practices in a modern IT operation focused on ITAM:
Alignment across these groups is critical to avoid redundancy, risk and unneeded spend, and to enhance inter-organizational cooperation across this discipline, which cuts across many practices, processes, procedures and work models that are fundamental to sound IT operations.
The intersection of Security Operations functions (such as patch and vulnerability management) and ITIL practices, including Event, Incident, Problem, Security Configuration and Change Management, is obvious and prevalent as Information Security and Technology Operations continue to merge in function, purpose and goals.
The diagram below provides a good summary of how Patch Management interfaces and has impact points with the various ITIL practices:
The above diagram demonstrates the relationship between SecOps practices and foundational ITIL concepts. Yet, oftentimes, the delineation between IT Asset Management and SecOps functions such as Patch Management can become confused or blurred within an organization.
When looking closer at the patch management lifecycle, we see that it is a fundamental stage of the overall lifecycle of an asset, and so a practice and function within the overall asset management lifecycle.
If we really drill into which lifecycle stage the Patch Management lifecycle would exist within – we find it is most appropriately aligned with the Maintain and Upgrade stage of the ITAM lifecycle. Please see diagram below:
Once an asset has been integrated into the environment and is operational, it is subject to normal organizational lifecycle activities, patch management being one of the most important to ensure secure and efficient operation of the asset for the duration of its useful life.
When looking at patching from its more expansive level (e.g. rolling out a new operating system version or crucial hardware component) to the more incremental updates, such as operating system updates or application-level updates, we find that these activities are in line with managing and maintaining the usability, security and performance of the asset so that its operations and financial returns are in line with the planning stage, when the asset was conceptualized, decided upon and acquired. We also consider the fact that many patch updates are not just focused on security and hardening, but also deliver feature updates and enhancements to the product.
Thus, patch management is more than just a security practice, it is a complete operational process which contemplates the total usage of the asset and therefore need not be looked at as a silo (or island) of work simply for SecOps purposes.