Several years ago, Max, the CISO of a large manufacturer, realized that his organization’s formerly homogeneous, self-contained IT environment had lost its clearly delineated perimeter. Instead, it had become a hybrid environment with blurred borders, made up of a mix of legacy on-premises systems, new cloud workloads, and a variety of mobile endpoints.
The transformation had been subtle, progressing organically and responding to both deliberate and spontaneous initiatives originating at every level — from the CEO down to rank-and-file employees. The underlying motivation in every case was a simple one: An eagerness to help the business operate faster and more nimbly, efficiently, innovatively, and flexibly.
Here are some of the changes that contributed to the metamorphosis of the IT environment:
- After a few on-premises office productivity applications were successfully replaced with software-as-a-service (SaaS) collaboration suites, more and more critical business software got moved to the cloud.
- Business functions previously sheltered within the internal network were exposed to the internet and made available via web apps to employees, customers and partners. Devices such as printers were connected to the network via Wi-Fi, and industrial systems were equipped with internet of things (IoT) sensors.
- Mobility took hold. Staffers were allowed to use their own smartphones for work, tablets were issued for certain employees, and most corporate desktops were progressively replaced by laptops.
- Somewhere along the way, line-of-business leaders began routinely bypassing the IT department and signing up their teams for cloud-based enterprise messaging and file-sharing apps. Employees themselves also started using unapproved consumer web apps for work functions.
- The CEO and the board caught “digital transformation” anxiety, and, afraid of losing the competitive edge to more digitally savvy rivals, started banging the drum for the accelerated adoption of these types of emerging technologies.
It all amounted to a tectonic shift for the company’s IT environment, and it created alarming blind spots for Max and his team. Their legacy enterprise security tools couldn’t properly monitor this morphed IT environment.
Max and his team embarked on a project to automate their asset inventory process, and managed to regain the visibility they’d lost.
If you find yourself in the position of Max, our fictional CISO, the blog series that starts today is for you. In it, we'll describe six key elements of cloud-based automated asset inventory:
- Complete visibility of your IT environment
- Deep visibility into assets, wherever they reside
- Continuous and automatic updates
- Asset criticality rankings
- Dashboarding and reporting
- Integration with your CMDB
Complete visibility of your IT environment
Unimpeded visibility into all of your organization’s IT assets — both hardware and software — is a must for securing your IT environment. You can’t protect what you don’t know exists.
This means accounting for on-premises, cloud and mobile assets, a broad scope of discovery that requires a variety of data collection sensors, such as:
- Physical appliances that scan IT assets located on your premises
- Virtual appliances that remotely scan your private cloud and virtualized environments
- Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms
- Lightweight, all-purpose agents installed on IT assets that continuously monitor them
- Passive scanners that sniff network devices and traffic, and detect unauthorized devices and suspicious activity
This set of sensors should continuously and proactively collect system, compliance, and security data from the IT assets, and feed it to a common, extensible, and central cloud platform, where this information is aggregated, indexed, correlated, and analyzed.
You want to avoid an asset inventory system with a narrow scope because it will not detect all of your hardware and software. You also want to steer clear of a system whose scan processes need to be triggered manually on demand. Another no-no: a system that requires its own complex infrastructure that must be deployed and maintained on the premises.
Of tremendous importance is being able to search through the data collected with both simple and complex queries that are resolved in a matter of seconds.
That way, you will be able to get instant answers to questions like:
- How many PCs from a particular manufacturer do you have in your environment?
- Which IT assets are impacted by a specific vulnerability?
- Which servers are running an operating system that its vendor recently stopped supporting?
- Which IT assets have a particular piece of software installed?
You should also be able to run a query with a combination of multiple criteria to zero in more narrowly on a search, and find out, for example: How many Lenovo laptops running the latest version of Windows 10 and located in my India office have a particular vulnerability?
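As an added illustration (not code from the original post or from any product), the Python below correlates reports from several sensor types into one record per asset and then answers the multi-criteria question above. The field names, MAC addresses, and the vulnerability ID `VULN-EXAMPLE-1` are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample reports: each sensor type sees only part of an asset.
SENSOR_RECORDS = [
    {"sensor": "agent", "mac": "00:11:22:33:44:01", "manufacturer": "Lenovo",
     "type": "laptop", "os": "Windows 10 22H2", "location": "India",
     "software": ["ExampleOffice 16.0"]},
    {"sensor": "scanner", "mac": "00:11:22:33:44:01", "vulns": ["VULN-EXAMPLE-1"]},
    {"sensor": "agent", "mac": "00:11:22:33:44:02", "manufacturer": "Lenovo",
     "type": "laptop", "os": "Windows 10 22H2", "location": "Germany"},
    {"sensor": "scanner", "mac": "00:11:22:33:44:02", "vulns": ["VULN-EXAMPLE-1"]},
    {"sensor": "agent", "mac": "00:11:22:33:44:03", "manufacturer": "Lenovo",
     "type": "laptop", "os": "Windows 10 1809", "location": "India"},
    {"sensor": "scanner", "mac": "00:11:22:33:44:03", "vulns": ["VULN-EXAMPLE-1"]},
    {"sensor": "passive", "mac": "00:11:22:33:44:99", "location": "India"},
]

LIST_FIELDS = {"vulns", "software"}  # multi-valued fields are merged, not overwritten

def build_inventory(records):
    """Correlate reports from all sensors into one asset record per MAC."""
    assets = defaultdict(lambda: {"sensors": set(), "vulns": set(), "software": set()})
    for rec in records:
        asset = assets[rec["mac"].lower()]
        asset["sensors"].add(rec["sensor"])
        for key, value in rec.items():
            if key in ("sensor", "mac"):
                continue
            if key in LIST_FIELDS:
                asset[key].update(value)
            else:
                asset[key] = value
    return dict(assets)

def query(inventory, vuln=None, **criteria):
    """Return MACs of assets matching every given criterion (logical AND)."""
    hits = []
    for mac, asset in inventory.items():
        if vuln is not None and vuln not in asset["vulns"]:
            continue
        if all(asset.get(field) == wanted for field, wanted in criteria.items()):
            hits.append(mac)
    return sorted(hits)

def unmanaged(inventory):
    """Assets seen only by the passive sensor: no agent or scan data exists."""
    return sorted(m for m, a in inventory.items() if a["sensors"] == {"passive"})
```

The `unmanaged` check shows why overlapping sensors matter: a device that only the passive sensor has seen is a candidate unauthorized device and a gap in vulnerability coverage.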
This continuous process of data collection and discovery is the first step towards having an automated process for IT asset inventory that yields a full, always-updated view of your IT environment.
Next week, we’ll discuss the level of information depth that you should have for each IT asset, as well as the importance of keeping all data continuously and automatically updated.
Learn more in our new whitepaper, “Cloud-Based IT Asset Inventory: A Solid Foundation for InfoSec Infrastructure”.
Start a free trial of Qualys AssetView, a cloud-based asset inventory service that provides visibility and actionable data on global IT assets within your organization.