IT Asset Discovery is the process of discovering, cataloging, and monitoring all IT assets in an organization. IT assets include hardware, installed software, and SaaS software. Asset discovery is crucial for maintaining security and data integrity and for automating auditing and compliance tasks.
IT asset discovery is considered a part of IT asset management (ITAM), a larger discipline covering how enterprises manage the full lifecycle of all the IT assets in their portfolio. ITAM covers all steps in the lifecycle from asset procurement to employee onboarding, to patching and maintenance, to auditing and compliance, and, finally, to retirement. In asset discovery, IT teams put in place discovery processes through a number of means. This may include initially discovering and then rechecking physical devices by scanning barcodes or by using RFID or GPS tags that broadcast location data or installing software agents on assets to assist discovery by broadcasting location, status, network activity, and more. IT teams also discover software assets, cloud infrastructure assets, and SaaS assets through software agents, SSO or employee directory software, or endpoint management systems.
Asset discovery is a foundational IT security process and capability, covering the first two of the Center for Internet Security’s (CIS) Critical Security Controls (CSC):
CIS CSC 1 recommends organizations create and frequently update an inventory of authorized and unauthorized devices to manage proper device access and deny access to unauthorized or unmanaged assets that could be attack vectors against business-critical assets.
CIS CSC 2 recommends organizations create and frequently update an inventory of authorized and unauthorized software for the same reason stated above. Unauthorized software can be blocked from installing on authorized devices or on the enterprise’s networks.
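An added example (not from the original page) of the reconciliation CSC 1 and CSC 2 call for: discovered devices and their installed software are compared against an authorized device inventory and a software allow-list, and anything unmanaged or unauthorized becomes a finding. The inventory, allow-list and discovery records are constructed samples.

```python
"""Reconcile discovery output against authorized inventories (CIS CSC 1 and 2).

Added example, not the page's own code. All records below are constructed;
in practice they come from agents, network scans, SSO or endpoint management.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # "CSC1" (devices) or "CSC2" (software)
    asset: str     # MAC address or hostname
    detail: str


# Constructed: authorized device inventory keyed by normalised MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"owner": "alice"},
    "aa:bb:cc:00:00:02": {"owner": "bob"},
    "aa:bb:cc:00:00:03": {"owner": "carol"},   # inventoried but never seen
}
# Constructed: software allow-list by normalised product name.
AUTHORIZED_SOFTWARE = {"office365", "slack", "endpoint-agent"}

# Constructed: what discovery agents and a network scan actually observed.
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "host": "alice-lt", "software": ["Office365", "Slack"]},
    {"mac": "aa:bb:cc:00:00:02", "host": "bob-lt", "software": ["Office365", "BitTorrent"]},
    {"mac": "aa-bb-cc-00-00-99", "host": "unknown-iot", "software": []},  # not in inventory
]


def normalise_mac(mac: str) -> str:
    """Agents and scanners disagree on case and separators; compare one form."""
    return mac.strip().lower().replace("-", ":")


def reconcile(discovered, authorized_devices, authorized_software):
    """Return findings: unmanaged devices (CSC 1) and unauthorized software (CSC 2)."""
    findings, seen = [], set()
    for rec in discovered:
        mac = normalise_mac(rec["mac"])
        seen.add(mac)
        if mac not in authorized_devices:
            findings.append(Finding("CSC1", mac, f"unmanaged device {rec['host']} on network"))
            continue  # software on an unmanaged device is reported under CSC 1 only
        for sw in rec["software"]:
            if sw.lower() not in authorized_software:
                findings.append(Finding("CSC2", rec["host"], f"unauthorized software {sw}"))
    # Inventory entries that discovery never saw are stale records or offline assets.
    for mac in sorted(authorized_devices.keys() - seen):
        findings.append(Finding("CSC1", mac, "inventoried device not discovered"))
    return findings
```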
IT asset discovery, a core component of IT asset management (ITAM), is a process that enables an enterprise to discover the location and status of its physical and non-physical assets. Physical assets are devices such as computers, servers, or laptops that need to be tracked for insurance purposes. Non-physical assets include software like cloud services and SaaS applications, which may not have any physical form but still need monitoring.
Until recently, the IT asset discovery process focused primarily on physical products or installed software. Today, because so much more infrastructure and functionality is now running in virtual realms – either cloud or SaaS – newer discovery systems include the capability to discover and monitor SaaS and cloud infrastructure. Asset discovery works differently for hardware and software products. It may use multiple layers of discovery, depending on the asset. Some asset discovery systems are “agentless.” They work by aggregating data from existing asset discovery systems to create a unified asset database that is more accurate and up-to-date.
Broadly speaking, there are two types of IT asset discovery systems – manual and automated. Automated IT asset discovery systems pull in information broadcast automatically via software agents or asset tags. There is no need for the owner of these assets or IT staff to do anything. The assets automatically send out key telemetry detailing their location and status. A subset of automated IT asset discovery is internet asset discovery. Manual asset discovery systems rely on humans to scan or input data about an asset. Some systems combine active and passive mechanisms, depending on the activity or the input workflow.
In most cases, hardware asset discovery begins when an asset is entered into service by an enterprise. At this stage, an IT administrator might unbox the asset and then scan a barcode or MAC address on the asset prior to sending the device to a user or installing it for the user on-site. The asset is associated with a record of its purchase date, warranty information, and installed software. This is the starting point for discovery efforts. More modern asset discovery systems are integrated with procurement systems and the shipping databases of large IT vendors like CDW or SHI. This integration allows a laptop, smartphone, server, or another piece of hardware to arrive with all information pre-populated in the enterprise purchaser’s database and a barcode or asset tag is already affixed. When the device is scanned after it is unboxed, this activates the now complete asset records and changes the status in the IT discovery system.
On more costly hardware like laptops, servers, and smartphones, IT asset discovery leverages software agents installed on the asset. These agents may send data back to the IT team about whether the laptop is encrypted and patched and its location based on IP address usage. As asset discovery has overlapped more and more with IT auditing and compliance, this discovery capability has simplified life for compliance and auditing teams. In most cases, the laptop is associated with a specific user via the enterprise’s employee directory or HR system. This allows security teams to quickly discover assets that might be subject to a security risk and warn the asset owner.
In many cases, a third IT asset discovery system is deployed to monitor cloud infrastructure, virtual servers and databases, cloud applications, and SaaS assets. This system usually leverages a passive software agent that automates capture of usage, location, and security data for virtual assets. Virtual assets are a fast-growing category, including cloud servers running either in private or public clouds or cloud assets running on VPCs or other hosted servers not owned by the enterprise. SaaS products include the growing array of services for graphics and creativity (Marketo, Sketch), office productivity (Office365 or SharePoint), or financial functions (Expensify for expense discovery). For SaaS licenses, asset discovery systems pull information from single-sign-on systems or other authentication systems. For cloud infrastructure assets (servers running applications), discovery is conducted by pulling information from agents included in the standard builds of all cloud servers. This is crucial for cloud servers that are frequently shut down and relaunched. Older ITAMs or SAMs set up only for physical assets cannot discover and monitor high-velocity, permanently ephemeral cloud infrastructure.
For traditional licensed software, asset discovery is usually included in a category of products called Software Asset Managers (SAM). IT asset discovery systems for software can also be manual or automated. Many SAMs include software agents that scan device contents to discover running software and the license number of that software. By cross-checking against the assets’ contract terms in the SAM or ITAM, a team can ascertain whether the software asset is properly licensed and whether that user is out of compliance. Identifying overages in licenses used or when licenses expire is important to avoid violations that can result in expensive software “speeding tickets.” Also, in the age of Shadow IT, understanding what assets may be running on a device that was not authorized or purchased by IT is equally important to maintaining security and compliance and protecting sensitive data running on enterprise applications.
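An added example (not from the original page) of the SAM cross-check described above: installs reported by discovery agents are counted per product and compared with contracted seat counts and expiry dates, and products with no contract on file surface as Shadow IT. Contract terms and agent observations are constructed samples.

```python
"""License compliance check over SAM discovery data.

Added example, not the page's own code. Contracts and observations are
constructed; a real SAM would supply both from its database and agents.
"""
from collections import Counter
from datetime import date

# Constructed: contract terms per product as recorded in the SAM.
CONTRACTS = {
    "acme-cad": {"seats": 2, "expires": date(2024, 6, 30)},
    "office365": {"seats": 5, "expires": date(2025, 1, 31)},
}

# Constructed: (device, product) pairs reported by discovery agents.
# The duplicate lt-01/acme-cad line mimics an agent reporting twice.
OBSERVED = [
    ("lt-01", "acme-cad"), ("lt-01", "acme-cad"),
    ("lt-02", "acme-cad"), ("lt-03", "acme-cad"),
    ("lt-01", "office365"), ("lt-02", "office365"),
    ("lt-04", "shadow-sync"),   # no contract on file: Shadow IT
]


def check_licenses(observed, contracts, today):
    """Return {product: [issue, ...]} for overages, expiries and unlicensed software.

    Each (device, product) pair counts once, so repeated agent reports do
    not inflate the install count.
    """
    installs = Counter(product for _, product in set(observed))
    issues = {}
    for product, count in sorted(installs.items()):
        terms = contracts.get(product)
        if terms is None:
            issues.setdefault(product, []).append(f"no contract on file ({count} installs)")
            continue
        if count > terms["seats"]:
            issues.setdefault(product, []).append(
                f"overage: {count} installs against {terms['seats']} seats")
        if today > terms["expires"]:
            issues.setdefault(product, []).append(
                f"contract expired on {terms['expires'].isoformat()}")
    return issues
```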
There are many strong benefits of asset discovery. Some specific benefits include:
Modern asset discovery systems make it simple to create a single, accurate and frequently updated database of all discoverable IT assets. This both improves confidence in data and enhances its usability. This single source of truth can power analytical dashboards, automated multi-step workflows using other IT and non-IT systems, and automated compliance and auditing processes. This single source of accurate truth can dramatically reduce the time-to-resolution of support tickets as well.
Asset discovery systems can detect anomalous behavior or conditions in software, hardware, or virtual assets. These range from non-compliance with security policies (encryption, patches, endpoint protection, or antivirus), to location anomalies (devices showing up in unexpected places, indicating theft or spoofing), to license, software, or SaaS overages that could result in penalties. A scheduled discovery scan of the entire asset portfolio with an automated asset discovery tool can spot these anomalies and surface issues for faster resolution and reduced risk.
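An added example (not from the original page) of the anomaly checks just listed, run over a constructed agent telemetry feed: each device is evaluated against a policy for encryption, endpoint protection and patch age, and against the home region recorded in its asset record. The policy thresholds and telemetry records are assumptions for illustration.

```python
"""Flag policy and location anomalies in automated asset discovery telemetry.

Added example, not the page's own code. POLICY and TELEMETRY are constructed;
a real feed would come from the agents described in the text.
"""
from datetime import date

# Constructed policy: what a compliant managed device must look like.
POLICY = {"max_patch_age_days": 30, "require_encryption": True, "require_edr": True}

# Constructed telemetry: "home" is the region in the asset record, "geo" is
# where the agent's last check-in was seen.
TELEMETRY = [
    {"host": "lt-01", "home": "EU", "geo": "EU", "encrypted": True, "edr": True,
     "last_patch": date(2024, 8, 20)},
    {"host": "lt-02", "home": "EU", "geo": "BR", "encrypted": True, "edr": True,
     "last_patch": date(2024, 8, 25)},
    {"host": "srv-07", "home": "US", "geo": "US", "encrypted": False, "edr": False,
     "last_patch": date(2024, 5, 1)},
]


def evaluate(record, policy, today):
    """Return the list of anomalies for one device (empty when compliant)."""
    anomalies = []
    if policy["require_encryption"] and not record["encrypted"]:
        anomalies.append("disk not encrypted")
    if policy["require_edr"] and not record["edr"]:
        anomalies.append("endpoint protection missing")
    age = (today - record["last_patch"]).days
    if age > policy["max_patch_age_days"]:
        anomalies.append(f"patch age {age}d exceeds {policy['max_patch_age_days']}d")
    if record["geo"] != record["home"]:
        anomalies.append(f"seen in {record['geo']}, expected {record['home']}")
    return anomalies


def scan(telemetry, policy, today):
    """Scheduled scan: map each non-compliant host to its anomalies."""
    results = {}
    for record in telemetry:
        anomalies = evaluate(record, policy, today)
        if anomalies:
            results[record["host"]] = anomalies
    return results
```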
Data gathered by an automated asset discovery tool can be used to build rich and customizable visualizations of asset usage and location sliced by any parameter, including geography, type, business unit, and job function (marketing, engineering, etc.). These visualizations can be used to populate IT asset dashboards for any stakeholder or for different teams inside of the IT organization. This same data can power automated reporting on anomalies or asset status and allow IT teams, CIOs, CISOs and CFOs to analyze asset usage trends to identify areas for improvement.
The prominent Gartner consultancy in a report titled How Redefining IT Asset Management Will Enable Business Transformation for the Digital Age recommended that, “…IT asset managers should proactively work within the IT strategy planning process to identify what will be acquired, why it will be used, its anticipated useful life, and how it will be secured, monitored and maintained.” A crucial part of this planning process is selecting and validating the right asset discovery tools and deploying asset discovery as an integrated part of the ITAM process.