ITAM Isn’t Sexy. But We Need It!

Kids love toys.

The main difference between children and adults is the cost of their toys. Young kids love a Hot Wheels car and it’s only $2.99. Older kids need a Transformer for $24.99. At 50, a new Tesla Roadster sets you back $109,000. But wow, what a car! Zero-to-sixty in 3.7 seconds, 288 HP, 200 ft. lbs of torque, a lithium ion battery, and no gasoline.

IT geeks have their own toys, and so many decisions to make. Do you get the new iPhone 6 or the 6s? Do you get the XBOX ONE or the Play station PS4? When it comes to IT management software, what kid says, “Hey, do you want Tivoli Asset Management, or LANDesk IT?”

At the bottom of the list, on the lowest rung on the ladder is IT Asset Management (ITAM). Everybody wants Docker. Inginx (Engine-X) is sexy. ITAM is decidedly not. While it’s not sexy, ITAM is critically important. Every unmanaged IT asset is a vulnerability, another potential access point for cyber criminals. You can’t protect what you don’t know. So if ITAM is so important, why is it so boring?

For starters, no really understands ITAM.

According to the International Association for IT Asset Management (IAITAM), ITAM is Software Asset Management (SAM), Hardware Asset Management (HAM), and Asset Portfolio Management (APM). No wonder ITAM is so confusing.

Is ITAM accounting software? Is it inventory software? Or is it both? I like to think of IT Asset Management as having two distinct aspects: owned and discovered. The owned aspect refers to the contracts, that is, the pieces of paper received from each vendor that tells you how much you bought and how much you paid for it. In ITAM terms, it’s what you are entitled to. The discovery aspect is how you know what you have. Special software (usually with agents) discovers the hardware and the software that is installed on it. This is the inventory aspect to ITAM. It tells you what you have and where you have it.

Generally_accepted_accounting_principles_GAAP

According to Generally Accepted Accounting Principles (GAAP), IT assets are fixed assets. However, they are distinctly different from chairs, desk, or tanks. (Seriously—once I had a DoD ITAM RFP that required inventorying tanks. With bar codes.) With fixed assets, there is a standard life cycle. You procure them, you receive them, you slap on a bar code, and then you distribute them. A year later, it’s inventory time, and you physically count the items so that accounting can update their inventory, depreciate the cost, or transfer items easily. While they have traditionally been part of IT, many organizations have stopped tracking monitors, keyboards, and mice as IT assets, and treat them as standard fixed assets, like chairs. This makes the job of ITAM much easier.

Why are IT assets so much more difficult to manage? When you buy software, it has to be installed. You can’t just put a bar code on the box and put it on a shelf (although that does happen, and when it does, it becomes shelfware). IT hardware is no simple matter either. Most organizations use the IMAC process—assets are Installed Moved Added or Changed. However, IT assets are constantly changing. The inventory should only be taken after hardware is configured, the software installed and the device deployed. Once it’s on the network, it is discoverable. Centralized software can reach out and perform the inventory. Doing an inventory this way ensures that you know where the hardware is, what software is installed, and if it’s being used.

Some people believe that standard accounting software or Enterprise Resource Planning (ERP) can handle IT assets. All you need are a few more fields in the database. But, that’s not really true. There are complex issues to be addressed that require special ITAM software.

One, there is not just one version of Microsoft Word. There is the version you bought standalone. The version you bought as part of MS Office. There is v2000, v2003, v2007, v2010, v2013 etc. Then there is the version you bought as part of an Enterprise License Agreement (ELA), which has a totally different SKU. ITAM software is specifically designed to understand and reconcile all these differences.

Two, most organizations have already purchased at least one tool that discovers and manages computers. This software typically performs an inventory, but has no knowledge of the entitlements. This inventory and management software or the discovered aspect must integrate with the SAM and APM software—the owned aspect.

Three, there isn’t just one kind of IT asset. Once I was called into a CIO’s office with my peers to report on our IT assets. The help desk manager put down his report. “So this is all our IT assets?” the CIO asked. “Yes, all of the desktops” the manager replied. Slightly perturbed, the CIO asked, “Who has the server list?” The data center manager put down her report. The CIO asked, “So this is all our IT assets?” The data center manager replied, “Well, this doesn’t include the routers, switches, or firewalls.” The CIO was getting irritated. “Who has that list?” The data center manager replied, “I think Tom can run a report on our network management software and get that. But it won’t have the mainframe or any of the telecom equipment.” The CIO, now clearly unhappy, said “And what about our virtual servers?” The data center manager replied, “I think we can get that from our server admin.” Now the CIO was very irritated. “So, what I’m hearing is that we don’t have an inventory of our IT Assets. I thought the CMDB was supposed to have everything in it?”

That CIO found out the hard way that the CMDB is not an inventory of all the IT assets, and his agency had no single inventory of all its IT assets. But what was worse is that he only had the “discovered” conversation. He never found out that the “owned” aspect was not reconciled with the discovered. He had no way of knowing what he really had and if he was in compliance with what he was entitled to.

To implement ITAM is a big pain, so why do it?

One, managing IT assets is indeed complicated, but they are still fixed assets, and by Generally Accepted Accounting Principles and by law, organizations are required to produce a balance sheet that includes all their assets.

Two, the most important reason is Cybersecurity. ITAM is the foundation, the corner stone, the essential piece of the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program. Essentially, if you don’t know what you have, you can’t protect it. Every device that is not managed is not patched and that is a vulnerability or way in for a cyber criminal.

Three, there is the issue of operational efficiency. Something that every government agency is concerned about in today’s world of flat or declining budgets.

ITAM provides a way to reconcile the “owned” with the “discovered.” Essentially, this means two things. 1) If you bought 100 copies of Microsoft Word, and are only using 80, you have over bought and are wasting resources. 2) If you bought 100 copies of Microsoft Word and are using 200, then you are out of compliance and you WILL be getting a letter from Microsoft. And it probably won’t be pretty. In addition to having to buy 100 additional copies, you will also be liable for fines.

If your manager gave you a choice between going to a conference on Docker and Kubernetes and ITAM, which one would you choose? Docker is hot, and Kubernetes is probably the coolest thing since the cloud. So the choice is easy. Docker is sexy. ITAM is not.

walmart huggies

A Walmart Super Center has 142,000 items, but they know exactly how many packs of diapers they have on the shelf. Not only do they know how many are on the shelf, they know how many are in the warehouse, in the truck, and how many they will sell next week. So why is it that in IT we don’t know how many PCs we have or even where they are? We don’t know how much software we have, or if it’s being used.

The world is changing. Gas doesn’t cost $.50 / gallon, and gas stations don’t pump it for you anymore. I can’t even remember the last time someone washed my windshield. Cybersecurity isn’t the same anymore either. No longer do we worry about the inconvenience of a virus on floppy disk. Today foreign nationals exploit our networks many times per second. Unmanaged PCs represent the largest threat to our national security. Firewalls alone simply can’t protect our networks.

 

If it were 10:00 pm on a Wednesday evening, you would absolutely know where your 15-year-old daughter was. PCs are also like teenagers. They don’t know enough not to get in trouble. The only way to protect them is to provide firm guidance and rules. To protect your PCs, you need policies. You need consistency. ITAM may not be sexy, but it is the new imperative.

It’s 10:00 pm--do you know where your IT assets are?

Nathaniel Crocker

CIO and Co-founder at Crocker Institute
Nathaniel (Rushfinn) Crocker is the CIO and co-founder of the Crocker Institute, a benefit corporation in South Carolina dedicated to helping organizations meet their mission through Enterprise Architecture and Program Evaluation. He is passionate about cybersecurity and protecting our online identities. You can reach him at Nathaniel@CrockerInstitute.org
About Nathaniel Crocker

Nathaniel (Rushfinn) Crocker is the CIO and co-founder of the Crocker Institute, a benefit corporation in South Carolina dedicated to helping organizations meet their mission through Enterprise Architecture and Program Evaluation. He is passionate about cybersecurity and protecting our online identities. You can reach him at Nathaniel@CrockerInstitute.org

Leave a Reply