As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.
We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.
With the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured six key elements. In the previous posts, we addressed the first three:
- Complete visibility of your IT environment
- Deep visibility into assets, wherever they reside
- Continuous and automatic updates
This means that you need a complete and continuously updated list of IT assets, as well as granular security, compliance and system details on each one.
In this post, we’ll explain the next two requirements for an effective cloud-based IT asset inventorying system:
- Asset criticality rankings
- Dashboarding and reporting
Asset Criticality Rankings
With a complete and continuously updated inventory that includes IT and security details for each item, now you need the system to help you highlight and rank the criticality of assets. The reason: In the same way that not every vulnerability is created equal, not all assets carry the same weight in your IT environment.
Criteria for establishing the criticality of an asset includes:
- Who are its users, and what are their roles and importance in the organization?
- What type of data does the asset handle, transmit and store, and how sensitive is that information, such as confidential intellectual property and private consumer data
- To what regulatory and internal compliance requirements is the asset and the data it handles subject to?
- How essential is the asset to the successful operation of the business?
- How attractive is the asset to hackers, how vulnerable is it and how exposed is it to the Internet?
To aid you in establishing criticality, the system should support tagging, so you can slap labels on assets and, for example, identify those that fall within the scope of PCI DSS (Payment Card Industry Data Security Standard) compliance.
You should be able to apply tags manually or configure rules and parameters so the system can also automatically stamp labels on assets.
With this categorization data added to the inventory, an asset’s criticality can then be calculated based on all the system, security and compliance information collected about it, and on the established hierarchies and priorities, all aggregated and consolidated in the system’s cloud-based repository.
Dashboarding and Reporting
An interactive, customizable dashboard is essential for visualizing the security, configuration and compliance status of IT assets.
We previously discussed the importance of having an inventory system with a powerful search engine that lets you fire off complex ad-hoc search queries against the asset database. The system should build upon this search functionality and allow you to turn queries that you run frequently into dashboard widgets.
That way, you’ll have a constantly updated answer to that query displayed permanently on your dashboard, without having to manually run the same search over and over. To further help you further monitor the status of these assets, the system should display the queried data in various visual ways using graphs, tables and charts.
You also should be able to set certain thresholds, and have the system alert you when they’ve been crossed by, say, changing the widget’s background color from green to red. The system should also let you create different dashboards tailored for various purposes and users, such as InfoSec pros, compliance / risk managers, and CxOs.
In our next post, we’ll close out the series with a discussion about one more essential element of cloud-based asset inventory: integration with your CMDB.
Learn more in our new whitepaper, “Cloud-Based IT Asset Inventory: A Solid Foundation for InfoSec Infrastructure“.
Start a free trial of Qualys AssetView, the cloud-based asset inventory service that provides visibility and actionable data on global IT assets within your organization.