As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.
We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.
With the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured five key elements. In the previous posts, we addressed the first three:
- Complete visibility of your IT environment
- Deep visibility into assets, wherever they reside
- Continuous and automatic updates
This means that you need a complete and continuously updated list of IT assets, as well as granular security, compliance and system details on each one.
In this final post, we’ll explain the last two requirements for an effective cloud-based IT asset inventorying system:
- Asset criticality rankings
- Dashboarding and reporting
Asset Criticality Rankings
With a complete and continuously updated inventory that includes IT and security details for each item, now you need the system to help you highlight and rank the criticality of assets. The reason: In the same way that not every vulnerability is created equal, not all assets carry the same weight in your IT environment.
Criteria for establishing the criticality of an asset include:
- Who are its users, and what are their roles and importance in the organization?
- What type of data does the asset handle, transmit and store, and how sensitive is that information (for example, confidential intellectual property or private consumer data)?
- To what regulatory and internal compliance requirements are the asset and the data it handles subject?
- How essential is the asset to the successful operation of the business?
- How attractive is the asset to hackers, how vulnerable is it and how exposed is it to the Internet?
To aid you in establishing criticality, the system should support tagging, so you can slap labels on assets and, for example, identify those that fall within the scope of PCI DSS (Payment Card Industry Data Security Standard) compliance.
You should be able to apply tags manually or configure rules and parameters so the system can also automatically stamp labels on assets.
With this categorization data added to the inventory, an asset’s criticality can then be calculated based on all the system, security and compliance information collected about it, and on the established hierarchies and priorities, all aggregated and consolidated in the system’s cloud-based repository.
Dashboarding and Reporting
An interactive, customizable dashboard is essential for visualizing the security, configuration and compliance status of IT assets.
We previously discussed the importance of having an inventory system with a powerful search engine that lets you fire off complex ad-hoc search queries against the asset database. The system should build upon this search functionality and allow you to turn queries that you run frequently into dashboard widgets.
That way, you’ll have a constantly updated answer to that query displayed permanently on your dashboard, without having to manually run the same search over and over. To further help you monitor the status of these assets, the system should display the queried data in various visual ways using graphs, tables and charts.
You also should be able to set certain thresholds, and have the system alert you when they’ve been crossed by, say, changing the widget’s background color from green to red. The system should also let you create different dashboards tailored for various purposes and users, such as InfoSec pros, compliance / risk managers, and CxOs.
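The rule-based tagging and criticality calculation from the previous section, together with the threshold widget described above, as an added example that is not Qualys code. The asset records are constructed, and the field names, tag names, weights and scoring formula are assumptions chosen for illustration.

```python
# Added example: constructed records; field names, tags and weights are assumptions.
ASSETS = [
    {"name": "pos-gw-01", "owner_role": "finance", "data": "cardholder",
     "internet_facing": True, "open_vulns": 4, "business_essential": True},
    {"name": "hr-laptop-17", "owner_role": "hr", "data": "pii",
     "internet_facing": False, "open_vulns": 1, "business_essential": False},
    {"name": "lab-vm-03", "owner_role": "engineering", "data": "test",
     "internet_facing": False, "open_vulns": 9, "business_essential": False},
    {"name": "erp-db-02", "owner_role": "executive", "data": "ip",
     "internet_facing": False, "open_vulns": 0, "business_essential": True},
]

# Automatic tagging rules: (tag, predicate over one asset record).
TAG_RULES = [
    ("PCI-DSS", lambda a: a["data"] == "cardholder"),
    ("Sensitive-Data", lambda a: a["data"] in {"cardholder", "pii", "ip"}),
    ("Internet-Exposed", lambda a: a["internet_facing"]),
    ("Business-Essential", lambda a: a["business_essential"]),
    ("Key-Users", lambda a: a["owner_role"] in {"executive", "finance"}),
]

# Assumed weights expressing the organization's priorities per tag.
TAG_WEIGHTS = {"PCI-DSS": 3, "Sensitive-Data": 2, "Internet-Exposed": 2,
               "Business-Essential": 3, "Key-Users": 1}

def apply_tags(asset, manual_tags=()):
    """Return the sorted union of manually applied and rule-derived tags."""
    auto = {tag for tag, rule in TAG_RULES if rule(asset)}
    return sorted(auto | set(manual_tags))

def criticality(asset, manual_tags=()):
    """Score = sum of tag weights, plus open vulnerabilities capped at 3."""
    tags = apply_tags(asset, manual_tags)
    return sum(TAG_WEIGHTS.get(t, 0) for t in tags) + min(asset["open_vulns"], 3)

def rank(assets):
    """Asset names ordered from most to least critical (ties broken by name)."""
    key = lambda a: (-criticality(a), a["name"])
    return [a["name"] for a in sorted(assets, key=key)]

def widget(assets, query, red_at):
    """A saved query as a dashboard widget: count matches, red at the threshold."""
    count = sum(1 for a in assets if query(a))
    return {"count": count, "color": "red" if count >= red_at else "green"}

if __name__ == "__main__":
    print(rank(ASSETS))
    print(widget(ASSETS, lambda a: "PCI-DSS" in apply_tags(a) and a["open_vulns"] > 0, 1))
```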
Aim for the Cloud
An IT asset inventory system that gives you the five key elements discussed in this blog series sets a solid foundation for your entire InfoSec and compliance posture by giving you full visibility into your IT environment.
As we’ve tried to explain throughout this series, the system should have a cloud-based architecture in order to be truly effective. Legacy, on-premises IT asset inventory systems sufficed when network perimeters were well-defined and fixed, and IT departments had tight control over the IT environment. But the norm is now hybrid IT environments with assets on premises, in cloud instances, and on mobile endpoints. Legacy systems fall short because they may be unable to peek into cloud platforms, and their data collection tools may only work in a narrow set of assets.
The ideal option is a centralized, automated and cloud-based inventory system that collects detailed information continuously from all your IT assets, wherever they reside. That kind of system collects all the security, IT and compliance data you need from each asset, stores it in a single, uniform repository, and updates it continuously and automatically. It has a central dashboard with a report generation function and a search engine that’s able to highlight critical assets and resolve complex queries in seconds. And it is hosted and maintained by its vendor, so it can scale to meet your needs as your organization grows.
Start a free trial of Qualys AssetView, the cloud-based asset inventory service that provides visibility and actionable data on global IT assets within your organization.