Developing operational controls through an ACM practice
In my last entry I talked about the need to have a sound Asset and Configuration Management (ACM) practice as the foundation for an effective Cyber Security strategy. So what does this start to look like? As simple as it may sound, designing, setting up and managing an ACM practice is actually a complex endeavor.
Why? ACM faces multiple ongoing and evolving challenges. Here are a few:
- Proliferation of IT devices and form factors, both fixed and mobile
- Product vendors running varied licensing models for software products
- Multiple asset "owners": almost every operational entity has an interest in the device, e.g. Audit, Access Control, Information Security, Network Operations, Change Management and Facilities
- Focus on one-time 'catch-up efforts' at inventory rather than an ongoing, systems-based approach of accounting and reconciliation
- Multi-sourced operational vendors start their own ACM silos to meet contractual and service level needs, which makes it hard to see a single picture across the organization
- Emphasis on asset depreciation and cost amortization, resulting in a 'we don't care, as long as finance has it depreciated on the books' view
Will going to the cloud make all these challenges go away? Or, even better, will the cloud make the need for an ACM practice go away? Hardly! Just ask IT Security, or better still the External Auditor. As ACM evolves within major Fortune 500 organizations, so will the need for cloud vendors to support the customer's ACM efforts through sound management, accurate reporting and alerting.
So what does an organization need? Below is an attempt to list the key components of an effective ACM practice:
- Discovery capabilities for internal environments
- Service Provider discovery feeds for outsourced environments
- Any other manual feeds, e.g. data from a facilities walkthrough
- Direct asset input/output system feeds from procurement and asset disposal
- Automated Standardization Engine
- System for device normalization and accurate identification
- Reconciliation rules for comparisons between overlapping feeds, comparison between auto discovery and feeds
- A dedicated Asset Management database (AMDB): asset information for a distinct set of stakeholders (procurement, IT planning and finance, DC Facilities, Asset receiving and Asset disposal)
- A dedicated Configuration Management database (CMDB) tracking asset and attribute relationships and for requirements of specific stakeholders (Change management, Release management, Information Security, Software license management, incident and problem management, capacity management, application support, enterprise architecture)
- Automated business service modeling tool
- Asset analytics platform for standard and advanced reporting
- Integration with change management module
- Release management module integration
- Business as usual processes and governance mechanisms
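The normalization and reconciliation components above are where most of the security value of an ACM practice is realized: a device that auto-discovery sees on the network but no procurement or service-provider feed knows about is unmanaged by definition, and a device on the books that discovery never sees is either offline, disposed of without a record, or mis-recorded. The following is an added example, not code from the original post, showing how a minimal standardization engine normalizes identifiers (hostname, MAC address, serial number) from two feeds and reconciles them with a simple precedence rule (strong identifiers first). The two feeds and their asset records are constructed for illustration.

```python
"""Normalize asset records from overlapping feeds and reconcile them.

Added example: the feed formats, field names and sample records below are
constructed assumptions, not a real ACM product's schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample feeds. Identifiers are deliberately inconsistent in
# case, domain suffix and MAC formatting, as real feeds tend to be.
DISCOVERY_FEED = [  # output of an internal network discovery scan
    {"hostname": "WEB01.corp.example", "mac": "00-1A-2B-3C-4D-5E"},
    {"hostname": "db02", "mac": "00:1a:2b:3c:4d:5f", "serial": "SN-0002"},
    {"hostname": "unknown-7f", "mac": "AA:BB:CC:DD:EE:FF"},
]
PROCUREMENT_FEED = [  # direct asset input feed from procurement
    {"hostname": "web01", "serial": "SN-0001", "mac": "001A2B3C4D5E"},
    {"hostname": "DB02", "serial": "sn-0002"},
    {"hostname": "legacy-app", "serial": "SN-0003"},
]


@dataclass(frozen=True)
class Asset:
    """A normalized asset record; frozen so instances are hashable."""
    hostname: str
    mac: Optional[str]
    serial: Optional[str]
    source: str


def normalize_hostname(name: str) -> str:
    """Lower-case and strip any domain suffix so 'WEB01.corp.example' == 'web01'."""
    return name.strip().lower().split(".")[0]


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Accept '00-1A-..', '00:1a:..' or '001A..' and emit 'aa:bb:cc:dd:ee:ff'."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        return None  # not a valid 48-bit address; treat as unknown
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def normalize_serial(serial: Optional[str]) -> Optional[str]:
    s = (serial or "").strip().upper()
    return s or None


def normalize_record(raw: Dict[str, str], source: str) -> Asset:
    return Asset(
        hostname=normalize_hostname(raw.get("hostname", "")),
        mac=normalize_mac(raw.get("mac")),
        serial=normalize_serial(raw.get("serial")),
        source=source,
    )


# Reconciliation rule: match on the strongest identifier available, in this order.
MATCH_ORDER: List[Tuple[str, str]] = [("mac", "mac"), ("serial", "serial"), ("host", "hostname")]


def asset_keys(asset: Asset) -> Set[Tuple[str, str]]:
    return {(kind, getattr(asset, attr)) for kind, attr in MATCH_ORDER if getattr(asset, attr)}


def reconcile(discovered: List[Asset], recorded: List[Asset]) -> Dict[str, list]:
    """Compare auto-discovery against a record-of-truth feed.

    Returns matched (discovered, recorded) pairs, 'unrecorded' assets seen on
    the network but absent from the records, and 'undiscovered' assets that
    are on the books but were not seen by discovery.
    """
    index: Dict[Tuple[str, str], Asset] = {}
    for rec in recorded:
        for key in asset_keys(rec):
            index.setdefault(key, rec)  # first record wins on duplicate keys
    matched, unrecorded, seen = [], [], set()
    for disc in discovered:
        hit = None
        for kind, attr in MATCH_ORDER:  # strong identifiers take precedence
            value = getattr(disc, attr)
            if value and (kind, value) in index:
                hit = index[(kind, value)]
                break
        if hit is None:
            unrecorded.append(disc)
        else:
            matched.append((disc, hit))
            seen.add(hit)
    undiscovered = [rec for rec in recorded if rec not in seen]
    return {"matched": matched, "unrecorded": unrecorded, "undiscovered": undiscovered}


def run_reconciliation() -> Dict[str, list]:
    """Normalize both constructed feeds and reconcile them."""
    discovered = [normalize_record(r, "discovery") for r in DISCOVERY_FEED]
    recorded = [normalize_record(r, "procurement") for r in PROCUREMENT_FEED]
    return reconcile(discovered, recorded)


if __name__ == "__main__":
    result = run_reconciliation()
    print("matched:", [(d.hostname, r.hostname) for d, r in result["matched"]])
    print("unrecorded (unmanaged on network):", [a.hostname for a in result["unrecorded"]])
    print("undiscovered (on the books, not seen):", [a.hostname for a in result["undiscovered"]])
```

In this run 'web01' matches by MAC address despite the different formatting, 'db02' matches by serial number because the procurement record carries no MAC, 'unknown-7f' surfaces as an unmanaged device, and 'legacy-app' surfaces as an asset that exists only on the books. Those last two lists are the ones Information Security, Software License Management and the External Auditor each want to see, which is why the reconciliation rules belong in the shared engine rather than in each stakeholder's silo.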
Bringing these components together requires dedicated investment, time and resources but, once done, dramatically improves the overall level of control that the organization has over its IT investments. Let's explore how that is achieved in my next note.