Anyone questioning the importance of IT asset visibility in an organization’s security and compliance postures ought to review the EU’s General Data Protection Regulation (GDPR), which goes into effect next year.
With the severe requirements the GDPR places on how a business handles the personal data of EU residents, it’s clear a comprehensive IT asset inventory is a must for compliance.
Specifically, companies must know what personal data they hold on these individuals, where it’s stored, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.
In this second installment of our blog series on GDPR readiness, we’ll explain how organizations need full visibility into all hardware and software involved in the processing, transmission, analysis and storage of this personal data, so they’re able to protect it and account for it as required by the regulation.
As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.
We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.
With the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured six key elements. In the previous posts, we addressed the first three:
Asset management and scanning complement and reinforce each other. It’s a case where the whole is greater than the sum of the parts.
Scanning tools can deliver an accurate, automated inventory of assets in near real-time as a side effect of their scans. Likewise, a complete inventory of assets provides insight into their metadata and organization, which leads to better security decisions. Newly added features in QualysGuard extend its asset management capabilities to include both statically and dynamically categorized assets. These new features make it easier to get precise views into the security posture of different aspects of a complex IT environment, and they give IT managers consistently up-to-date data about the systems in their environments.
Why Asset Management Is Important
Asset management is key to security because of the number, variety and dynamic nature of assets. A company with 5,000 employees may have more than 20,000 IT assets. Mobile devices, laptops, and other BYOD devices configured by end-users may not comply with corporate configuration policies. Mobile devices, cloud-based applications, virtualization, and remote workers add complexity and volatility. Inventory and configuration snapshots of these devices in an organization can quickly become obsolete. With more and more employees using multiple IT assets, it is easy to see how inventories can change and grow quickly and in unexpected ways. Adding to this is the geographical distribution of buildings, offices and data centers across the globe. A complete picture of assets also requires an understanding of business ownership, including the structure of the organization and who owns the assets or has access to them, all the way down to details such as their configuration, status and serial numbers.
Only with a clear view of assets can they be managed and secured.
So where does tagging fit in? If the scan is already collecting the configuration data from the systems, why do you need tagging?
Simple answer: Tagging gives you flexibility to organize your assets in multiple ways simultaneously.
Many aspects of an asset, both technical and nontechnical, need to be easily visible in how your assets are organized. Entering and tracking such information manually on each asset will not scale in large enterprise environments. What is needed is a more flexible labeling or tagging system that can understand and apply one or more labels to assets automatically, using rules. We refer to these labels as tags; they can be used to organize, search and prioritize assets across all QualysGuard solutions such as Vulnerability Management, Web Application Scanning, Policy Compliance and Malware Detection Service.
The hierarchical tag organization is best understood as a set of folders and subfolders, as in a Windows folder “tree” structure. One of the big differences is that an asset may carry many tags, which (using the folder analogy) means an asset can be in several folders at once. If your business has two or three or ten ways to group its assets, you don’t have to pick one; you can have all 10 at once.
Since tags can be nested inside other tags, the manual work of managing rollup groups is eliminated. This association is very useful when managing large sets of assets, and provides a cohesive, common foundation for other solutions such as compliance scans. Avoiding manual work when altering the groupings is another benefit: a simple reorganization of the tags (using drag & drop) is all you need to create new or altered groupings of your assets.
In the simplest case, tags are applied manually to assets. A simple tag may be placed manually on an asset to reflect almost any description.
A more powerful and automated set of tag rules can be placed on assets that check for certain criteria. This could be IP address, operating system, software installed, etc.
Finally, for more advanced users, logic can be applied to the rules which can zero in very accurately. For example, you may want to identify all assets in a selected IP range running Windows 2000, based in Asia and having an Adobe product installed; or all Windows clients in your call centers; or all mail servers. All of these rules will save a huge amount of manual operations and give the organization more confidence concerning the accuracy of their asset inventory and overall compliance posture.
When you scan the next time, tags are re-evaluated and updated automatically to reflect the latest scan data.
A rule-based tagging capability enables the assets to reflect the true organizational structure across businesses, geographies and technologies in an automated way. Static, dynamic and advanced rules can be applied to very specific assets in an accurate manner. Some of the more advanced users can even use a scripting language (Groovy Scripts) to pinpoint specific assets for action.
For example, you may want to know whether a host has been scanned for the first time, i.e. if it is newly discovered. A Groovy scriptlet could be written to evaluate this case and automatically tag those assets.
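To make the manual, rule-based and advanced tagging described above concrete, here is an added example that is not Qualys code and not the Groovy scriptlet facility the post refers to: it models hierarchical, rule-based tagging in Python. The Asset fields, tag names, rule predicates, site codes and sample hosts are all constructed for illustration. It covers a manually applied tag, single-criterion rules on IP range, operating system and installed software, a combined rule with several criteria, a "first scan" rule that is re-evaluated after the next scan, and regrouping by moving a tag within the tree without editing any asset.

```python
"""Rule-based, hierarchical asset tagging as a runnable model.

Added example, not Qualys code: the Asset fields, tag names, rule predicates
and sample hosts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    """One host as the latest scan recorded it (constructed sample data)."""
    name: str
    ip: str
    os: str
    software: FrozenSet[str]
    region: str      # constructed two-letter site code
    scan_count: int  # how many scans have seen this host so far


Rule = Callable[[Asset], bool]


class TagTree:
    """Tags form a folder-like tree; a tag may carry a rule (dynamic) or none (manual)."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.rules: Dict[str, Rule] = {}

    def add(self, tag: str, parent: Optional[str] = None, rule: Optional[Rule] = None) -> None:
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent tag {parent!r}")
        self.parent[tag] = parent
        if rule is not None:
            self.rules[tag] = rule

    def ancestors(self, tag: str) -> Set[str]:
        out: Set[str] = set()
        p = self.parent[tag]
        while p is not None:
            out.add(p)
            p = self.parent[p]
        return out

    def move(self, tag: str, new_parent: str) -> None:
        """Re-parent a tag (the drag-and-drop regrouping); no asset is edited."""
        if tag == new_parent or tag in self.ancestors(new_parent):
            raise ValueError("moving a tag under its own subtree would form a cycle")
        self.parent[tag] = new_parent

    def evaluate(self, asset: Asset, manual: FrozenSet[str] = frozenset()) -> Set[str]:
        """Manual tags plus every matching rule, rolled up to all parent tags."""
        tags = set(manual)
        tags.update(t for t, rule in self.rules.items() if rule(asset))
        for t in list(tags):
            tags |= self.ancestors(t)
        return tags


def has_adobe(a: Asset) -> bool:
    return any(s.startswith("Adobe") for s in a.software)


def build_tree() -> TagTree:
    t = TagTree()
    t.add("Geography")
    t.add("Asia", parent="Geography")
    t.add("Japan", parent="Asia", rule=lambda a: a.region == "JP")
    t.add("Europe", parent="Geography", rule=lambda a: a.region in {"DE", "FR"})
    t.add("Technology")
    t.add("Windows", parent="Technology", rule=lambda a: a.os.startswith("Windows"))
    t.add("Windows 2000", parent="Windows", rule=lambda a: a.os == "Windows 2000")
    t.add("Adobe Installed", parent="Technology", rule=has_adobe)
    t.add("Mail Servers")                      # static: applied by hand only
    t.add("Newly Discovered", rule=lambda a: a.scan_count == 1)
    # Advanced rule combining IP range, OS, geography and installed software.
    t.add("Legacy Adobe Asia", rule=lambda a: (
        ipaddress.ip_address(a.ip) in ipaddress.ip_network("10.20.0.0/16")
        and a.os == "Windows 2000" and a.region == "JP" and has_adobe(a)))
    return t


def tag_inventory(tree: TagTree, assets: List[Asset],
                  manual: Optional[Dict[str, FrozenSet[str]]] = None) -> Dict[str, Set[str]]:
    """Re-evaluate every asset against the tree, as happens after each scan."""
    manual = manual or {}
    return {a.name: tree.evaluate(a, manual.get(a.name, frozenset())) for a in assets}


def rescan(assets: List[Asset]) -> List[Asset]:
    """Stand-in for a new scan: only the scan counter changes in this model."""
    return [replace(a, scan_count=a.scan_count + 1) for a in assets]


SAMPLE_ASSETS = [  # constructed
    Asset("tokyo-ws-01", "10.20.4.17", "Windows 2000",
          frozenset({"Adobe Reader 9", "Office 2003"}), "JP", scan_count=1),
    Asset("berlin-mx-01", "10.30.1.5", "Linux", frozenset({"Postfix"}), "DE", scan_count=7),
]
MANUAL_TAGS = {"berlin-mx-01": frozenset({"Mail Servers"})}

if __name__ == "__main__":
    tree = build_tree()
    for name, tags in tag_inventory(tree, SAMPLE_ASSETS, MANUAL_TAGS).items():
        print(name, sorted(tags))
    tree.add("Legacy OS", parent="Technology")
    tree.move("Windows 2000", "Legacy OS")     # regroup without touching any asset
    print(sorted(tag_inventory(tree, rescan(SAMPLE_ASSETS), MANUAL_TAGS)["tokyo-ws-01"]))
```

On the first run the Tokyo workstation picks up nine tags, including "Newly Discovered" and the combined "Legacy Adobe Asia" rule; after `rescan` the "Newly Discovered" tag falls away on its own, and moving "Windows 2000" under a new "Legacy OS" folder changes the host's grouping without any per-asset edit. IP addresses are compared as networks rather than string prefixes so that a rule on 10.20.0.0/16 cannot accidentally match 10.200.x.x.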
Extending Tags Beyond Scans
Once the automatic rules are in place, the Asset Management and Dynamic Tagging module becomes a powerful platform that empowers other solutions. For example, we can launch a scan targeting specific tags, such as an operating system. A vulnerability report can be run against hosts with specific software installed. Searches can be performed that locate web applications with specific vulnerabilities. The real power of a highly automated and accurate Asset Management and Dynamic Tagging module is tight integration with other security and compliance solutions. The Asset Management and Dynamic Tagging functionality is built into the very core of the QualysGuard Cloud Suite, and is integrated into each of the solutions it provides for a common, integrated approach.
Operating at Scale
In the real world, a key success factor is the ability to operate at scale in rapidly changing environments. The fundamentals of the QualysGuard scanning architecture are critical for operating at scale.
The QualysGuard Asset Management and Dynamic Tagging Cloud Platform has been specifically architected to scale across millions of assets. The module takes advantage of the rich data collected by the Vulnerability Management scan to build a comprehensive, near-real-time asset database. These assets are then assigned tags to allow better organization and enable other solutions.
Unless you have a scalable scanning architecture with a cloud-based management infrastructure separated from the physical scanning resources, scanning all hosts can take weeks if not months.
Built correctly, a network scanning platform can be an ideal vehicle to perform discovery of IT assets, web applications and network infrastructure. A more sophisticated authenticated scan of your assets can access and store a wealth of useful information; just a few examples being: inventory of software installed, detailed hardware specifications, local configuration settings, security policies, registry settings and more.
QualysGuard uses agentless scanning, where no software needs to be installed and maintained on target (scanned) systems in the environment. It’s very scalable, and can provide inventory scans of thousands of assets in a short time period. It’s also a good way to catch new assets as they enter the environment.
A scanning program that works at scale is the foundation. Not only does it provide security information such as vulnerabilities or variance from configuration standards, but it can also collect detailed information about these assets.
The Asset Management solution of the future is able to keep a continuous inventory of assets from many different internal and external sources, tag them and organize them into well-defined groupings (which, for example, could represent business units, geographies and technologies, or all of the above) in one central place. Although scanning using the QualysGuard Cloud Suite provides good visibility and inventory of the assets in your business, there will be other, more direct sources that can provide asset information. This could be an Active Directory Service (Microsoft), APIs from leading virtualization systems such as VMware, the cloud APIs from Amazon EC2, or third-party asset repositories or tracking software. Regardless of the source, they would all come together to be reconciled, organized and managed in one place. This would form the foundation of a powerful platform that is able to service multiple security and compliance solutions, and flex to the needs of many teams across the enterprise.
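The reconciliation step described above is where the security value of multiple sources shows up: once scanner results, directory records and cloud or virtualization API output are matched to the same asset, the gaps between them become visible. The following is an added example, not Qualys code; the source names, record fields, identifier normalization and sample records are constructed, and the instance id is a placeholder. It merges records that share a stable identifier (hostname, MAC address or cloud instance id, deliberately not IP address) and then reports two lists worth reviewing: assets that some source knows about but no scan has ever seen, and assets only the scanner knows about.

```python
"""Reconcile asset records from several sources into one inventory.

Added example, not Qualys code: source names, record fields and sample
records are constructed. A real feed would come from scanner results, a
directory service, virtualization and cloud APIs, or a CMDB.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    """One asset observation from one source."""
    source: str
    hostname: Optional[str] = None
    ip: Optional[str] = None
    mac: Optional[str] = None
    cloud_id: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Asset:
    """A reconciled asset: sources that saw it, stable identifiers, attributes with provenance."""
    sources: Set[str] = field(default_factory=set)
    identifiers: Set[str] = field(default_factory=set)
    attrs: Dict[str, str] = field(default_factory=dict)


def join_keys(r: Record) -> Set[str]:
    """Stable identifiers used to match records across sources.
    IP addresses are deliberately not join keys: DHCP and cloud reuse them."""
    keys: Set[str] = set()
    if r.hostname:
        keys.add("host:" + r.hostname.lower().split(".")[0])   # short name, case-folded
    if r.mac:
        keys.add("mac:" + "".join(c for c in r.mac.lower() if c in "0123456789abcdef"))
    if r.cloud_id:
        keys.add("cloud:" + r.cloud_id)
    return keys


def reconcile(records: List[Record]) -> List[Asset]:
    """Union-find over shared identifiers: records that share any key become one asset."""
    parent = list(range(len(records)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    owner: Dict[str, int] = {}
    for i, r in enumerate(records):
        for key in join_keys(r):
            if key in owner:
                parent[find(i)] = find(owner[key])
            else:
                owner[key] = i
    groups: Dict[int, Asset] = {}
    for i, r in enumerate(records):
        a = groups.setdefault(find(i), Asset())
        a.sources.add(r.source)
        a.identifiers |= join_keys(r)
        if r.ip:
            a.attrs.setdefault(f"{r.source}.ip", r.ip)
        for k, v in r.attrs.items():
            a.attrs.setdefault(f"{r.source}.{k}", v)   # keep which source said what
    return list(groups.values())


def visibility_gaps(assets: List[Asset], scanner: str = "scanner") -> Tuple[List[Asset], List[Asset]]:
    """Assets no scan has ever seen, and assets only the scanner knows about."""
    unscanned = [a for a in assets if scanner not in a.sources]
    unmanaged = [a for a in assets if a.sources == {scanner}]
    return unscanned, unmanaged


SAMPLE_RECORDS = [  # constructed observations; the instance id is a placeholder
    Record("scanner", hostname="tokyo-ws-01.corp.example", ip="10.20.4.17",
           mac="00:11:22:33:44:55", attrs={"os": "Windows 2000"}),
    Record("ad", hostname="TOKYO-WS-01", attrs={"ou": "OU=CallCenter,DC=corp,DC=example"}),
    Record("vmware", hostname="berlin-mx-01", mac="00-11-22-33-44-66", attrs={"cluster": "eu-prod"}),
    Record("scanner", ip="10.30.1.5", mac="00:11:22:33:44:66", attrs={"os": "Linux"}),
    Record("ec2", cloud_id="i-PLACEHOLDER", ip="10.40.0.9", attrs={"owner": "payments"}),
    Record("scanner", hostname="rogue-ap-01", ip="10.50.0.2", attrs={"os": "embedded"}),
]

if __name__ == "__main__":
    assets = reconcile(SAMPLE_RECORDS)
    for a in assets:
        print(sorted(a.sources), sorted(a.identifiers))
    unscanned, unmanaged = visibility_gaps(assets)
    print("never scanned:", [sorted(a.identifiers) for a in unscanned])
    print("scanner only:", [sorted(a.identifiers) for a in unmanaged])
```

The six constructed records collapse to four assets: the Tokyo workstation is matched between the scanner and Active Directory by short hostname despite the different casing and domain suffix, the Berlin mail host is matched between VMware and the scanner by MAC address even though the scanner saw no hostname, the EC2 instance has an owner in the cloud API but has never been scanned, and the "rogue-ap-01" host is known only to the scanner. Attributes are stored under a source-prefixed key so that conflicting values from two sources are both kept rather than silently overwritten.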