CCPA – The California Consumer Privacy Act adds another layer of complexity to compliance related to risk mitigation. The associated requirements can trigger a shift in internal processes and/or policies related to CCPA oversight, such as new integrations between customer databases and data processing infrastructure (including off-site data), dealing with consumer rights across a broad array of IT-enabled channels, and staying ahead of the complexities and repriorizations associated with a data breach. This requires keeping track of all assets as they transition through their lifecycle, tying together asset data from siloed systems to gain a more holistic perspective, and creating a logical connection between the device and its associated user (to manage risk profiles) in order to accelerate investigations and reme-diation. Connecting users to assets across their lifecycle is another of Oomnitza’s core differentiators; we are one of the few companies that offers this capability.
CMDB – Configuration Management Database. A CMDB is a central data repository for information about your IT environment and how the different assets in your IT environment are configured. This is essential for providing IT teams with the visibility they need to properly manage, patch, update and secure all assets in their portfolio. A CMDB consolidates all the siloed data across the enterprise into one source of truth for configuration and status. CMBD is a sub-component of the IT asset management discipline.
CPRA – California Privacy Rights Act – CPRA enshrines more privacy provisions in California state law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ usage of “sensitive personal information”, which includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. It’s essentially the sharp end of the CCPA stick.
CSB – Cloud Services Broker. A CSB is an entity (real or virtual) that manages the use, performance and delivery of cloud services. A CSB also enables the relationships between cloud compute and services providers and cloud consumers. A CSB is critical in addressing “Shadow IT” by allowing for broader enablement of cloud services to make IT teams more agile and responsive while providing cloud consumers more choices.
ETM – Enterprise Technology Management ETM is the brain that rides above all IT management and asset tracking systems. ETM acquires, integrates, normalizes and validates all data from the various sub-systems to create a single integrated view that delivers a unified perspective on the entire technology portfolio of an enterprise. Unlike CMDB or ITAM, ETM is agentless, acquiring data from existing agents rather than adding another device agent requirement. ETM collects data from hardware, software, mobile, Single-Sign-On and Employee Directory systems. A still more expansive version of ETM includes accounting for the lifecycle and orchestration of cloud infrastructure, as well as SaaS licenses and usage. ETM capabilities are an essential part of effectively and efficiently managing enterprise IT. CIO’s that put in place robust ETM capabilities can leverage insights and intelligence to provide strategic value to their organizations.
GDPR – General Data Protection Regulation – is particularly relevant for ITAM practitioners as it affects consumer data security across the entire asset lifecycle, and particularly during disposition at the end of life stage. Any asset with data needs to be reimaged prior to either donation or disposal; the penalties for improper disposal and exposure of personal information are steep (the larger of $22 million dollars, or 4% of global revenues). GDPR treats assets that are being disposed of no differently than assets in use, so compliance is a constant in any IT asset orchestration process. To avoid this, maintaining chain of custody of the asset as it progress-es through its lifecycle is incredibly important, and is one of Oomnitza’s strongest value-adds.
GRC – Governance, Risk, and Compliance frameworks are an organizational strategy and a set of tools for better addressing managing IT governance, controlling risks, and enforcing compliance. GRC today includes software and SaaS capabilities for implementing and managing an enterprise GRC program. Modern GRC includes a set of practices and metrics for properly aligning IT activities with enterprise business objectives. Properly deployed GRC helps enterprises reduce costs, comply with regulations and laws, reduce security risks, and manage their IT portfolio.
HIPAA – Health Insurance Portability and Accountability Act – focuses on tracking and maintaining information on any device that stores or can access electronic protected health information (ePHI). The HIPAA Security Rule requires that organizations keep precise track of assets (hardware and/or electronic media), as well as the person associated with that asset. This implies running internal audits on the device and associated user, specific to access of ePHI, and in addition, organizations are expected to keep track of where data is stored, maintained, received, transmitted, as well as the actual physical location. When a HIPAA audit occurs, the Office of Civil Rights will focus on the data, associated assets, and any movement or exact location information related to both. This is another instance of tracking devices or assets through their entire lifecycle, and ensuring the asset is clearly associated with a user, which is Oomnitza’s core value-add.
ISO 27001 – Defines an information security management system (ISMS) that covers policies and procedures for legal, physical, and technical controls with respect to risk management. It covers IT asset orchestration, but also extends well beyond. The specification includes defining your security policies, the scope of the ISMS, the need to conduct a risk assessment and then manage the identified risks, set controls and objectives and deliver a statement of applicability. Given that most IT-based risk surfaces when technology enters or exits the process ecosystem, having an ETM solution that covers the entirety of the digital estate with a strong emphasis on security during the on and off-boarding process is critical to accelerating time to value.
ITAM – Information Technology Asset Management. Gartner defines this way: “IT asset management (ITAM) provides an accurate account of technology asset lifecycle costs and risks to maximize the business value of technology strategy, architecture, funding, contractual and sourcing decisions.” ITAM is deployed by IT teams. Holistic, integrated ITAM — often referred to as enterprise technology management (ETM) solutions — extends workflows and data flows via API into other organizations like legal, HR, security and finance. This automates many repetitive tasks and breaks down silos between disconnected systems. Bi-directional data flows and enables multi-step tasks to be automated and made programmatic. ITAM quarterbacks many IT functions, including: receiving and imaging of devices; ticketing and help desk; device and software maintenance; license and warranty monitoring; equipment refresh planning; security incident response; employee onboarding and offboarding; IT audit data collection, deduplication, and normalization. ITAM plays a crucial role in service delivery, compliance, and audit for necessary certifications (SOC2, ISO 2700, HIPAA). The scope of integrated ITAM software (which has evolved to Enterprise Technology Management) has grown, now covering hardware and software and cloud infrastructure and SaaS. Sub-functions of ITAM have been stove piped into their software solution categories, including Software Asset Management (SAM), Mobile Device Management (MDM), Configuration Management Database (CMDB), Cloud Service Brokerage (CAM), and Universal Endpoint Management (UEM).
ITIL – formerly Information Technology Infrastructure Library. According to Wikipedia, “ITIL is a set of detailed practices for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of business. ITIL lays out the processes, procedures, tasks, and checklists that are applied by an organization toward strategy, delivering value, and maintaining a minimum level of competency in IT management disciplines.
ITOM – Information Technology Operations Management. ITOM comprises the administration and operations of all technology components and dependent applications for an enterprise. ITOM includes but is not limited to: procuring and provisioning IT infrastructure; infrastructure capacity management and cost-control; IT system performance monitoring; and IT operations security management and availability management for all IT infrastructure and assets. The ITOM process is well described in the IT Operations Control book of ITIL 2011 and is crucial for organizations that follow the ITIL® framework for best practices of IT Service Management (ITSM). ITOM’s objective is to control, monitor and secure IT services and infrastructure and handle all processes and tasks required for operational support of services, applications and hardware or cloud infrastructure components.
ITSM – Information Technology Service Management. ITSM is the discipline of managing the end-to-end delivery of IT services to customers in enterprises. ITSM is made up of all the processes and activities required to design, create, deliver, and support IT services. ITSM consists of managing the process of securing IT services from a customer requesting a new device or piece of software through procurement or ticketing through installation through updating and patching through end-of-life or license and device repatriation. ITSM is closely integrated with service delivery systems and ticketing tools. ITSM solutions tend to integrate closely with ITAM and ETM solutions to deliver useful data on IT services to those higher level systems.
MDM – Mobile Device Management. MDMs are solutions for monitoring, managing and securing mobile devices, such as smartphones and tablets, for enterprises. MDMs empower IT and security teams to distribute, update and control security policies as well as security software to all the mobile devices that are accessing sensitive corporate data or accessing corporate networks connected to mission critical systems. As the smartphone has become ubiquitous and more widely used in enterprises, MDM has become more critical to maintaining proper security stance and blocking attempts to compromise enterprise systems.
With more and more employees using one or all of these devices, organizations across all shapes and sizes are now turning to mobile device management for enhanced data and network security and improved employee productivity. MDM solutions enable IT admins to configure enterprise-grade security policies on mobile devices, making them corporate ready.
SAM – Software Asset Management A software asset management (SAM) solution is designed to manage installed, on-premises software. These have historically been large, complex systems that manage thousands of instances that are connected to huge databases, etc. The issue with SAM is that it focuses on on-premise instantiations, and nearly everything is migrating to the Cloud, which offers significant advantages on multiple levels. In terms of what Oomnitza offers, SAM is a subset of ITAM, since it is one of the many categories of assets we track.
SAM compared to Enterprise Technology Management focuses on a more specific set of requirements that IT needs to manage. This can include items like discovery of software licenses, upgrades and updates, controlling the cost of phantom licenses, etc. It is effectively the software corollary to a CMDB, keeping in mind that software is significantly different than hardware in terms of how the asset is provisioned, managed during its lifecycle, and eventually pushed through end-of-life processing.
SOC2 – Systems and Organization Control There are multiple versions of SOC (SOC 1, 2, 3 and Cybersecurity) compliance that focus on different facets of business operations. For IT purposes, the relevant version is SOC-2, which covers Security, Availability, Processing Integrity, Confidentiality and Privacy. This pertains primarily to the data being processed, and how it is handled, either by the entity being regulated, or by any entity they choose to outsource to, such as a cloud services provider. As in most instances, security is the first filter (get this right and everything else flows smoothly), so ensuring a strong security posture for orchestration of technology is critical. By correlating devices to specific users, Oomnitza is able to create a timely and actionable security profile that addresses compliance and audit requirements.
SSO – Single Sign-On. SSO is an authentication scheme that enables a user to log into one or more related but independent software systems using a single ID and password or authentication token. Real SSO allows the user to log in once and then access different services without re-entering authentication factors or requiring a token refresh. This is different than same sign-on (using a directory server) which uses LDAP (Lightweight Directory Access Protocol) and directory servers. To accommodate different applications supporting different authentication mechanisms. SSO stores credentials used for initial authentication and translates or reformates them into credentials that align with the different mechanisms. There are several shared and open authentication schemas and standards, most notably the Oauth / OpenID stack. SSO is a key part of properly managing and securing IT assets. It is also a helpful mechanism to collect usage trend data and to also control access across multiple enterprise systems from a single control point for onboarding and offboarding of employees and contractors.
SOX – Sarbanes Oxley focuses on financial transparency and internal operational control and reporting as a means of mitigating fraud risk. In terms of IT Asset Management (section 404 – Management Assessment of Internal Controls), the focus is on proper accounting of fixed and mobile IT assets. Compliance with SOX requires knowing (with high confidence) where specific assets are at any time, knowing whether there are ghost assets (on your books but no longer physically there), the levels of write-offs required due to lost or misplaced assets, and (most annoying) are you paying taxes on assets that you no longer have? Oomnitza’s focus is tracking all IT assets as they move through their lifecycle, supporting an automated, integrated and holistic view, specifically to deal with associated financial compliance requirements.
UEM – Unified Endpoint Management. UEM is a technology solution that allows IT and security organizations to manage and secure enterprise applications on any device across the entire organization. UEM is a key component of safely connecting devices to mission critical applications; UEM ensures that all connected endpoints are properly secured and encrypted prior to connecting to key enterprise systems. UEM is one of the most important tools for IT departments in securing their technology portfolios across all device types including mobile, desktop/laptop, and IoT. UEM solutions lower costs, reduce risks and simply device and endpoint management by consolidating all core capabilities for management into a single solution or single integrated view.