Cloud asset management and ITAM: Top 3 considerations for integration
The $80-million fine levied against Capital One underscores the importance of integrating cloud asset management into broader IT asset management (ITAM) efforts.
An $80-million fine is enough to get any CIO's attention. And that’s precisely what financial services provider Capital One got whacked with August, 2020 after the U.S. Office of the Comptroller of the Currency levied in the wake of a massive data leak propagated against the company’s Cloud infrastructure. “The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public Cloud environment and the bank's failure to correct the deficiencies in a timely manner,” wrote the OCC in the press release. The fine was the penalty for a 2019 incident where a former Amazon Web Service (AWS) employee leaked a treasure trove of sensitive customer data online after Capital One failed to properly secure an AWS S3 storage bucket holding millions of credit card applications.
Integrating cloud asset management into ITAM efforts gives IT managers and security operations teams a complete picture of their IT estates. Integration of cloud asset management with ITAM views for IT teams is no longer optional. The price of failure is steep and the risks are growing as attackers focus more energy on public Cloud as an easy-to-access attack vector.
All of this said, integrating Cloud asset management into ITAM efforts requires consideration and thought, since Cloud is such a diverse and varied environment. Each organization has its own unique Cloud characteristics and ways of setting up workloads and infrastructure. Here are three core considerations for any organization looking to more tightly integrate management of Cloud assets with existing asset and configuration management systems like ITAM, CMBD, UEM, and SAM.
Why integrate Cloud into IT asset management?
Asking this question helps you determine what the goals of your integration project will be and what potential outputs or workflows might be required. For example, if your compliance team needs to get a better handle on Cloud usage, then your ITAM integration with Cloud infrastructure assets will need to check all the compliance boxes for SOC2, ISO27001, GDPR, and CCPA/CPRA. If your Cloud ITAM integration is necessary for onboarding new employees and providing them the ability to spin up new Cloud instances or create development environments, then Cloud infrastructure will need to be integrated with SSO or authentication, HR and software development or engineering workflows in the ITAM. If your security team wants a single integrated view for viewing the status of all IT assets and understanding potential risks, then you will want to integrate Cloud into ITAM and also build an additional integration into their security platforms (SIEM, SOAR, VM, etc).
Key Step: To determine these goals, gather all key stakeholders and get their inputs on what information about your IT estate they would like to have to make their jobs better.
How will you build a complete/accurate census of all your Cloud infrastructure?
Without a way to acquire accurate and complete data about Cloud infrastructure, any ITAM integration starts from a major disadvantage. Many ITAMs actually struggle to integrate and include data from the physical world of laptops, mobiles and boxed software running on servers and laptops. Introducing Cloud brings in a whole new set of complications and challenges to integration because Cloud infrastructure is ephemeral, constantly moving, and not necessarily tied to a physical device (even if it is tied to an IP address). So you need to understand what the potential integration paths might be for Cloud. A good starting point is determining whether your ITAM already has good Cloud infrastructure data acquisition capabilities. In most cases, this will require an agentless architecture. This tends to be more flexible and allows a more agile approach to adding Cloud infrastructure data sources from public Clouds like AWS and Microsoft Azure, and public PAAS providers like Heroku or RedHat.
Key Step: Answering this question logically requires due diligence on what is possible with existing systems and what capabilities an integrated ITAM has or can be augmented with for improved information capture. Once you have a good idea of what is status quo and what is possible, then the implementation team should construct detailed flow diagrams laying out a visual map of the data acquisition process. Make sure that these maps support the desired use cases and goals for integrating Cloud IT assets into the broader ITAM platform. Make sure to consider future Cloud infrastructure possibilities to avoid product lock-in.
How can you leverage this new integration for more strategic and business value?
By creating a unified view of your entire IT estate that can drive improved security and productivity workflows for IT, security, finance, and HR, integrated ITAM can be a major unlock for strategic value. This is particularly true for integrating Cloud infrastructure, which is the fastest growing portion of the IT estate in terms of costs and deployments. In fact, a budding area of expertise in this area is FinOps, which is a short-hand for Cloud Financial Management. FinOps brings a DevOps mentality to the financial aspects of Cloud deployments and tries to create the same types of automations and workflows for Cloud infrastructure as we see in standard DevOps CI/CD processes. The goal is more proactive management of Cloud infrastructure but also viewing Cloud as a lens through which key business decisions can be objectively assessed by viewing consumption patterns and customer use cases. This is just one example but there are likely many that pop up once Cloud becomes integrated with ITAM and, by extension, exposed to other business systems like ERP (finance), HRIS (HR) and SIEM (security).
Conclusion: ITAM for Cloud and Beyond
Beyond these three considerations lies a whole new universe of use cases for organizations that truly embrace integrated ITAM as strategic single-source-of-truth for the IT estate. Add bi-directonal syncing to ITAM-Cloud integrations and you have created a powerful near-real-time compliance and auditing tool that can replace expensive standalone Cloud auditing products or radically streamline painful processes like SOC2 audits. In addition, Cloud is morphing into actual functions with services like AWS Lambda, that are even smaller IT components. This means that IT’s responsibility to manage Cloud assets will only grow more complicated so IT teams will need to consider, sooner rather than later, how to unify their IT estate in a single system to make their lives easier and project strategic value.