
IT Asset Inventory Systems and CMDBs: A Marriage Made in InfoSec Heaven


A key capability of an IT asset inventory system is being able to exchange data with CMDBs (Configuration Management Databases). In fact, a common misconception is that organizations with CMDBs don’t need an IT asset inventory system because their functions overlap. While they have similar roles, each one plays a different and important part, and they complement each other.

Similar But Not the Same

Asset Inventory System

The asset inventory is a complete, detailed list of all the hardware and software in an organization, whether on premises, in the cloud or on mobile endpoints. A cloud-based, automated system continually updates the inventory data, giving IT departments an uninterrupted and always current view of their assets.

Having this unimpeded visibility across the entire IT environment is a basic requirement for an effective security and compliance posture. In fact, the Center for Internet Security puts these two atop its 20 Critical Security Controls list: Inventory of Authorized and Unauthorized Devices; and Inventory of Authorized and Unauthorized Software.

Years ago, fulfilling this basic requirement was simpler. With well-defined network perimeters, it was straightforward to account for and monitor all hardware, software and networking elements.

Unfortunately, many organizations today struggle with IT inventory blind spots created by their adoption of cloud computing, mobility, virtualization, IoT and other digital transformation technologies.

As we all know, the IT assets that pose the highest risk are the ones that you don’t know are there.


Meanwhile, the CMDB, a key element in ITIL processes for IT service management (ITSM), stores the attributes of these assets (called “configuration items” in CMDB parlance) and maps their relationships, so that the organization can understand what is involved in the provision of each of its IT services, such as corporate email.

IT departments perform configuration management to have “a record of your systems, what’s happened to those items and the details of the relationships between the items on your list,” Richard Josey, a consultant from IT services provider The Thebes Group, wrote recently.

“In IT, a configuration management database (CMDB) could include details of servers, code modules, applications, etc. and how they are connected,” he added in the post, which was published on the blog of Axelos, a joint venture between the U.K. government and outsourcer Capita that manages ITIL.

Kevin Holland, an IT service management consultant and ITIL expert, calls configuration management systems, which contain one or more CMDBs, “the bedrock of IT service management.”

“They provide the tools and databases to hold and manage all the necessary information about the assets used to deliver IT services (hardware, software, network equipment, processes, services), including all the information ITSM practitioners need to do their jobs,” he wrote in a post that was also published on the Axelos blog.

Creating long lists of assets using discovery tools isn’t configuration management, according to Holland.

“True CM is about adding structure and context to data for use in analysis and in making informed decisions. That requires understanding and recording information including what every item is used for, what it is dependent on, what is part of it, and, in turn, what it is part of. That can then be used to support analysis and the making of informed decisions,” he wrote.

As explained in the book “CMDB Systems: Making Change Work in the Age of Cloud and Agile,” authored by three leaders of IT analyst and consulting firm Enterprise Management Associates (EMA), a CMDB is not an asset management system, and practitioners must resist the urge to “find, label, and document every asset in the IT infrastructure within the CMDB.”

“The CMDB project must discover and bring CIs (configuration items) under change management control ― not explode into an asset management exercise. There is a difference between assets and CIs,” the authors wrote.

The confusion has a historical root, according to the book “The CMDB Imperative: How to Realize the Dream and Avoid the Nightmares.”

“Throughout much of the history of IT, what is now called the CMDB was known by various other terms, the most common being an asset database,” wrote authors Carlos Casanova and Glenn O’Donnell.

“An asset database represents a limited subset of a CMDB, but an important one. It is often the initial phase of a CMDB journey,” they wrote.

The Problem

Still, in many organizations the CMDB also acts as the IT asset inventory, which causes its information to become outdated, especially when it has to be updated manually by overworked staff.

CMDBs’ native discovery tools are designed for compiling initial inventories but not for capturing subsequent changes, which is a core feature of cloud-based automated IT asset inventory systems.

Thus, if you link them up, the IT asset inventory system can continuously feed the CMDB fresh, detailed system, security and compliance data on new and changed assets across your IT environment.

When its information is always current and comprehensive, a CMDB can illustrate the relationships, connections, hierarchies and dependencies among IT assets.

This allows IT departments to be more effective at a variety of critical tasks, such as change management, service requests, incident response, system repair, disaster recovery planning and impact analysis.

In fact, it’s advisable to establish a federated model with automated ways of discovering and exchanging this data among multiple sources, using the CMDB as the main information repository.
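As an added example (not code from the article or from the Qualys/ServiceNow integration), this is the reconciliation step such a link has to perform, run over constructed inventory and CMDB records: it reports assets the CMDB does not know about, CIs that are no longer discovered, and attributes that have drifted since the CI was recorded.

```python
# Added example: reconcile a continuously updated inventory snapshot against
# CMDB configuration items. All records below are constructed sample data,
# keyed by a hypothetical asset id; nothing here is real inventory output.

INVENTORY = {
    "host-001": {"hostname": "web01", "os": "Ubuntu 22.04", "software": {"nginx": "1.24.0"}},
    "host-002": {"hostname": "db01", "os": "RHEL 9", "software": {"postgresql": "15.4"}},
    "host-003": {"hostname": "lab-vm7", "os": "Windows 11", "software": {}},
}

# Constructed CMDB CIs: host-003 was never recorded, host-004 was
# decommissioned but is still listed, and host-001's nginx version is stale.
CMDB = {
    "host-001": {"hostname": "web01", "os": "Ubuntu 22.04", "software": {"nginx": "1.18.0"}},
    "host-002": {"hostname": "db01", "os": "RHEL 9", "software": {"postgresql": "15.4"}},
    "host-004": {"hostname": "old-fs", "os": "CentOS 7", "software": {}},
}


def reconcile(inventory, cmdb):
    """Return unknown (not in CMDB), stale (no longer discovered) and drifted assets."""
    unknown = sorted(set(inventory) - set(cmdb))
    stale = sorted(set(cmdb) - set(inventory))
    drifted = {}
    for asset_id in sorted(set(inventory) & set(cmdb)):
        changed = [k for k, v in inventory[asset_id].items() if cmdb[asset_id].get(k) != v]
        if changed:
            drifted[asset_id] = changed
    return {"unknown": unknown, "stale": stale, "drifted": drifted}


def sync_cmdb(inventory, cmdb):
    """Build the refreshed CI set without mutating the original CMDB records."""
    report = reconcile(inventory, cmdb)
    updated = {k: dict(v) for k, v in cmdb.items()}
    for asset_id in report["unknown"]:
        updated[asset_id] = dict(inventory[asset_id])   # bring new assets under control
    for asset_id in report["drifted"]:
        updated[asset_id].update(inventory[asset_id])   # refresh drifted attributes
    for asset_id in report["stale"]:
        # Keep stale CIs but mark them, so change management retires them
        # deliberately instead of the record silently disappearing.
        updated[asset_id]["status"] = "not_discovered"
    return updated


if __name__ == "__main__":
    print(reconcile(INVENTORY, CMDB))
```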

The Qualys/ServiceNow Integration

To see a real-world illustration of this, check out the integration between Qualys and ServiceNow: a certified application that automatically synchronizes data from Qualys AssetView with the ServiceNow Configuration Management system.

Leveraging Qualys’ highly distributed and cloud-oriented architecture, as well as a variety of data collection methods and technologies, including Qualys’ Cloud Agents, AssetView compiles and continually updates a full inventory of an organization’s IT assets, whether they’re on premises, in the cloud or on mobile endpoints.

The information can include hardware data such as manufacturer, model, CPU, memory and disk space as well as software inventory data such as software name, version and vendor. Changes made on a device are immediately transmitted to the Qualys Cloud Platform and then synchronized with ServiceNow.

For customers, this means an end to unidentified and misclassified assets, and to data update delays, all of which increase the c
