Qualys Blog

www.qualys.com

IT Asset Inventory Systems and CMDBs: A Marriage Made in InfoSec Heaven

A key capability of an IT asset inventory system is being able to exchange data with CMDBs (Configuration Management Databases). In fact, a common misconception is that organizations with CMDBs don’t need an IT asset inventory system because their functions overlap. While they have similar roles, each one plays a different and important part, and they complement each other.

Similar But Not the Same

Asset Inventory System

The asset inventory is a complete, detailed list of all the hardware and software in an organization – on premises, in the cloud or in mobile endpoints. A cloud-based, automated system continually updates the inventory data, giving IT departments an uninterrupted and always current view of their assets.

Having this unimpeded visibility across the entire IT environment is a basic requirement for an effective security and compliance posture. In fact, the Center for Internet Security puts these two atop its 20 Critical Security Controls list: Inventory of Authorized and Unauthorized Devices; and Inventory of Authorized and Unauthorized Software.

Years ago, fulfilling this basic requirement was simpler. With well-defined network perimeters, it was straightforward to account for and monitor all hardware, software and networking elements.

Unfortunately, many organizations today struggle with IT inventory blind spots created by their adoption of cloud computing, mobility, virtualization, IoT and other digital transformation technologies.

As we all know, the IT assets that pose the highest risk are the ones that you don’t know are there.

CMDBs

Meanwhile, the CMDB, a key element in ITIL processes for IT service management (ITSM), stores the attributes of these assets – also called “configuration items” in CMDB parlance – and maps their relationships, so that the organization can understand what is involved in the provision of all of its IT services, such as corporate email.

IT departments perform configuration management to have “a record of your systems, what’s happened to those items and the details of the relationships between the items on your list,” Richard Josey, a consultant from IT services provider The Thebes Group, wrote recently.

“In IT, a configuration management database (CMDB) could include details of servers, code modules, applications, etc. and how are they connected,” he added in the post, which was published in the blog of Axelos, a joint venture between the U.K. government and outsourcer Capita that manages ITIL.

Kevin Holland, an IT service management consultant and ITIL expert, calls configuration management systems – which contain one or more CMDBs – “the bedrock of IT service management.”

“They provide the tools and databases to hold and manage all the necessary information about the assets used to deliver IT services – hardware, software, network equipment, processes, services – including all the information ITSM practitioners need to do their jobs,” he wrote in a post that was also published on the Axelos blog.

Creating long lists of assets using discovery tools isn’t configuration management, according to Holland.

“True CM is about adding structure and context to data for use in analysis and in making informed decisions. That requires understanding and recording information including what every item is used for, what it is dependent on, what is part of it, and, in turn, what it is part of. That can then be used to support analysis and the making of informed decisions,” he wrote.

As explained in the book “CMDB Systems: Making Change Work in the Age of Cloud and Agile,” authored by three leaders of IT analyst and consulting firm Enterprise Management Associates (EMA), a CMDB is not an asset management system, and practitioners must resist the urge to “find, label, and document every asset in the IT infrastructure within the CMDB.”

“The CMDB project must discover and bring CIs (configuration items) under change management control — not explode into an asset management exercise. There is a difference between assets and CIs,” the authors wrote.

The confusion has a historical root, according to the book “The CMDB Imperative: How to Realize the Dream and Avoid the Nightmares.”

“Throughout much of the history of IT, what is now called the CMDB was known by various other terms, the most common being an asset database,” wrote authors Carlos Casanova and Glenn O’Donnell.

“An asset database represents a limited subset of a CMDB, but an important one. It is often the initial phase of a CMDB journey,” they wrote.

The Problem

Still, in many organizations the CMDBs also act as IT asset inventories, which causes their information to be outdated, especially if they need to be manually updated by overworked staffers.

CMDBs’ native discovery tools are designed for compiling initial inventories but not for capturing subsequent changes, which is a core feature of cloud-based automated IT asset inventory systems.

Thus, if you link them up, the IT asset inventory system can continuously feed the CMDB fresh, detailed system, security and compliance data on new and changed assets across your IT environment.

When its information is always current and comprehensive, a CMDB can illustrate the relationships, connections, hierarchies and dependencies among IT assets.

This allows IT departments to be more effective at a variety of critical tasks, such as change management, service requests, incident response, system repair, disaster recovery planning and impact analysis.

In fact, it’s advisable to establish a federated model with automated ways of discovering and exchanging this data among multiple sources, using the CMDB as the main information repository.

The Qualys/ServiceNow Integration

To see a real-world illustration of this, check out the integration between Qualys and ServiceNow: a certified application that automatically synchronizes data from Qualys AssetView with the ServiceNow Configuration Management system.

Leveraging Qualys’ highly distributed and cloud-oriented architecture, as well as a variety of data collection methods and technologies, including Qualys’ groundbreaking Cloud Agents, AssetView compiles and continually updates a full inventory of an organization’s IT assets, whether they’re on premises, in the cloud or in mobile endpoints.

The information can include hardware data such as manufacturer, model, CPU, memory and disk space as well as software inventory data such as software name, version and vendor. Changes made on a device are immediately transmitted to the Qualys Cloud Platform and then synchronized with ServiceNow.

For customers, this means an end to unidentified and misclassified assets, and to data update delays, all of which increase the chances of security breaches. Instead, they get real-time, comprehensive visibility into their IT asset inventory so they can flag security and compliance risks immediately.

Aim for the Cloud

An IT asset inventory system that gives you the six key elements discussed in this blog series sets a solid foundation for your entire InfoSec and compliance posture by giving you full visibility into your IT environment.

As we’ve tried to explain throughout this series, the system should have a cloud-based architecture in order to be truly effective. Legacy, on-premises IT asset inventory systems sufficed when network perimeters were well-defined and fixed, and IT departments had tight control over the IT environment. But the norm is now hybrid IT environments with assets on premises, in cloud instances, and on mobile endpoints. Legacy systems fall short because they may be unable to peek into cloud platforms, and their data collection tools may only work on a narrow set of assets.

The ideal option is a centralized, automated and cloud-based inventory system that collects detailed information continuously from all your IT assets, wherever they reside. That kind of system collects all the security, IT and compliance data you need from each asset, stores it in a single, uniform repository, and updates it continuously and automatically. It has a central dashboard with a report generation function and a search engine that’s able to highlight critical assets and resolve complex queries in seconds. And it is hosted and maintained by its vendor, so it can scale to meet your needs as your organization grows.


Learn more in our new whitepaper, “Cloud-Based IT Asset Inventory: A Solid Foundation for InfoSec Infrastructure”.

Start a free trial of Qualys AssetView, the cloud-based asset inventory service that provides visibility and actionable data on global IT assets within your organization.
