IT Asset Management (ITAM) ensures valuable items, both tangible and intangible, are being tracked and used within an organisation. These include such assets as hardware, software, or critical information that holds value to a business. In an IT department, some of the most important assets are the computers, software licenses and hosting servers.
According to Pamela Wheelwright, Senior Director Analyst at Gartner, “Most organisations do not have a formal IT asset management (ITAM) programme but recognise the need to implement one in support of their digital business objectives.” Awareness seems to be one thing, but implementation is quite another when it comes to ITAM and software asset management (SAM). As Deloitte’s Global ITAM survey report in 2021 showed, organisations are rethinking how they invest in governing IT assets and license their hardware and software.
Nerys Mutlow, Evangelist in the Chief Innovation Office at ServiceNow, states that the problem lies in manual working: “When software assets are tracked manually by using spreadsheets, for example, it can result in the inventory being incomplete, inaccurate and out of date. This makes it incredibly hard to challenge vendor audits, exposing businesses to compliance risk and significant fines. ITAM provides visibility and control over software assets, allowing organisations to get a complete view of IT resources across on-premises and cloud environments. Ultimately, this makes ITAM an important element in the strategic decision-making process, by providing valuable data to help businesses make good technology choices and improve their returns on investments over time.”
IT assets have a finite period that they can be used, so the lifecycle must be proactively managed at all stages. According to Atlassian, who develop software and collaboration tools, these stages usually include: planning, procurement, deployment, maintenance, and retirement. Having an overlying ITAM strategy is vital to understanding the total cost of ownership and optimising the use of assets.
IT departments must also be agile to deal with subscription-based software and employees' expectation to customise the tools they work with, which are typically accessed through app stores or marketplaces.
PwC insists that if an organisation has a considerable software spend, they may be spending too much or under-utilising these assets. They list these initiatives as the most common part of ITAM strategy:
- Optimise software costs
- Drive down software and infrastructure costs
- Increase procurement efficiency
- Improve compliance
- Increase asset and intellectual property security
- Reduce financial, contractual and reputation risk
- Decrease support costs
- Reduce resource requirements
The single source of truth
Believed to have been coined by Lionel Grealou of Tata Technologies, single source of truth (SSOT) is often bandied about in asset management circles, despite the full realisation of it being extremely difficult due to the multiple information systems, such as ERPs and CRMs, each of which needs access to data relating to the same entities (such as customers). Therefore "off-the-shelf" software from vendors is difficult to modify and a business can end up with many versions of common data or entities.
Despite the ‘ideal’ of SSOT being unrealistic for many, it is still regarded as a crucial tactic to help use the latest information when optimising budgets, supporting lifecycle management and determining the organisation's strategic approach as a whole. In order to reduce risk significantly, it is beneficial for systems to keep track of IT assets rather than humans, so they can focus on relationship building and strategic thinking.
According to Gartner in its report Prepare Your IT Asset Management for 2020, organisations are focusing on effective asset management to manage consumption of “on-demand services,” given over-reliance on platform and infrastructure services. Gartner suggests that with “increased control, visibility, and assigned responsibility, teams can reduce excess consumption including overprovisioning, and idle instances, avoiding unnecessary costs.”
Identity Asset Management
According to research by Omdia for IT security company Entrust, Identity Asset Management (IAM) is a big focus this year with the rise in a hybrid/distributed workforce. Jenn Markey, Product Marketing Director at Entrust, remarked: “This is making it the ideal time to examine the ‘bubblegum and duct tape’ that was needed by IT teams to keep their respective organisation’s functioning, and take stock of how to more robustly and securely manage their IT workforce going forward. This needs to be done before these temporary measures become permanent fixtures in the new working framework.”
When questioned on its IAM direction for 2021, nearly half (47%) of those interviewed by Omdia said they were looking to augment existing IAM implementations, and 42% also said they would be focusing on migrating to the cloud.
Markey believes that “without a centralised IAM solution to onboard and offboard users, IT teams are left having to manually manage parallel work streams and user access processes, adding cost, complexity, and risk”. A core component for Entrust is ironically around zero trust, the model that recognises that trust is a vulnerability. Market suggests that Entrust will use identity orchestration for a “seamless, secure experiences are achieved through the continual monitoring of user and device behaviour”. Such orchestration provides a “single pane view of protected resources, user identities, and access controls as well as a simple UI for integrating applications from the identity platform,” says Markey.
The Everywhere Workplace and the importance of patches
Coined by IT platform provider Ivanti, the Everywhere Workplace is where employees use myriad devices to access IT applications and data over various networks to stay productive, as they work from anywhere.
A critical area managed by Sri Mukkamala, Senior Vice President Security Products at Ivanti, is patch management, the process of distributing and applying updates to software. These patches are often necessary to correct errors in the software that make a whole organisation susceptible to a cyber-attack.
As Mukkamala remarks: “There are a few areas that will always need patches, which include, operating systems, applications, and embedded systems. When a vulnerability is detected after the release of a piece of software, a patch can be used to fix it. Doing so helps ensure that assets in your environment are not susceptible to exploitation. Ultimately, patch management can fix security flaws in software and protect an organisation's network.”
According to Ivanti’s report on patch management challenges, IT pros are spending a lot of time and resources on patching, with 57% of IT and security professionals stating that remote work has increased the complexity and scale of patch management. In terms of cash, 14% of respondents experienced a financial hit worth between $100,000 and $1 million to their businesses in the last 12 months that could have been avoided with better patch management.
“Patching doesn't just affect IT” says Mukkamala, as “60% said that patching causes workflow disruption to employees.”
Mukkamala is highly regarded in the area of ransomware, including predicting the WannaCry ransomware attack in May 2017, which encrypted an estimated 200,000 computers in 150 countries. He states that “most organisations do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit and costs. All the while enterprises are slow to patch, cybercriminals accelerate vulnerability weaponisation efforts.”
There is hope of staying ahead of the cyber criminals, says Mukkamala, as “organisations can deploy automated solutions that combine risk-based vulnerability prioritisation and patch intelligence to bring to light any vulnerabilities that are being actively exploited. With unique patch reliability, IT and security teams can seamlessly deploy patches, and solve common challenges that are putting organisations at risk”.
What lies ahead for ITAM?
“The relationship between FinOps and ITAM is something fairly new to our world. We’re looking to expand on the benefits ITAM can bring to an organisation, collaborating with FinOps to optimise and save money in the Cloud whilst ensuring compliance from a licensing perspective” David Foxen, Consultant.