IT Asset Discovery - A Comprehensive Guide

IT Asset Discovery is the process of discovering, cataloging, and monitoring all IT assets in an organization. IT assets include hardware, installed software, and SaaS software. Asset discovery is crucial for maintaining security and data integrity and for automating auditing and compliance tasks.

IT asset discovery is considered a part of IT asset management (ITAM), a larger discipline covering how enterprises manage the full lifecycle of all the IT assets in their portfolio. ITAM covers all steps in the lifecycle from asset procurement to employee onboarding, to patching and maintenance, to auditing and compliance, and, finally, to retirement. In asset discovery, IT teams put discovery processes in place through a number of means. This may include initially discovering and then rechecking physical devices by scanning barcodes, by using RFID or GPS tags that broadcast location data, or by installing software agents on assets that assist discovery by broadcasting location, status, network activity, and more. IT teams also discover software assets, cloud infrastructure assets, and SaaS assets through software agents, SSO or employee directory software, or endpoint management systems.

Asset discovery is a foundational IT security process and capability, covering the first two of the Center for Internet Security’s (CIS) Critical Security Controls (CSC):

CIS CSC 1 recommends organizations create and frequently update an inventory of authorized and unauthorized devices to manage proper device access and deny access to unauthorized or unmanaged assets that could be attack vectors against business-critical assets.

CIS CSC 2 recommends organizations create and frequently update an inventory of authorized and unauthorized software for the same reason stated above. Unauthorized software can be blocked from installing on authorized devices or on the enterprise’s networks.
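The two inventories described above can be reconciled against discovery output with a short script. The following is an added example, not part of the original guide or of any vendor's product; the MAC addresses, hostnames, software names and the 30-day staleness threshold are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: authorized hardware inventory (CIS CSC 1) keyed by
# MAC address, and the authorized software list (CIS CSC 2).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "laptop-finance-01",
    "00:1a:2b:3c:4d:5f": "srv-db-01",
    "00:1a:2b:3c:4d:60": "laptop-eng-07",
}
AUTHORIZED_SOFTWARE = {"libreoffice", "firefox", "openssh"}

# Constructed discovery results: (MAC, last seen, software reported by the agent).
NOW = datetime(2024, 5, 1, 12, 0)
DISCOVERED = [
    ("00:1A:2B:3C:4D:5E", NOW - timedelta(hours=2), ["Firefox", "LibreOffice"]),
    ("00-1a-2b-3c-4d-5f", NOW - timedelta(days=45), ["OpenSSH"]),
    ("de:ad:be:ef:00:01", NOW - timedelta(minutes=5), ["Firefox", "TorrentClient"]),
]

def norm_mac(mac):
    """Canonicalize a MAC so 00-1A-... and 00:1a:... compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(authorized, allowed_sw, discovered, now, stale_after=timedelta(days=30)):
    """Return findings for unauthorized devices, unauthorized software, and
    authorized devices that discovery has not seen within `stale_after`."""
    authorized = {norm_mac(m): host for m, host in authorized.items()}
    findings = {"unauthorized_device": [], "unauthorized_software": [],
                "stale_or_missing": []}
    seen = {}
    for mac, last_seen, software in discovered:
        mac = norm_mac(mac)
        seen[mac] = max(last_seen, seen.get(mac, last_seen))
        if mac not in authorized:
            findings["unauthorized_device"].append(mac)
        for name in software:
            if name.lower() not in allowed_sw:
                findings["unauthorized_software"].append((mac, name))
    for mac, host in authorized.items():
        if mac not in seen or now - seen[mac] > stale_after:
            findings["stale_or_missing"].append(host)
    return findings
```

Authorized devices that discovery has not seen recently are reported alongside unauthorized ones, because an inventory entry with no matching telemetry is as much a gap as an unknown device.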

Specifically, we will cover:

  • What is IT asset discovery?
  • The asset discovery process
  • The benefits 
  • Best practices

How the Asset Discovery Process Works

IT asset discovery, also known as ITAM, is a process that enables an enterprise to discover the location and status of its physical and non-physical assets. Physical assets are devices such as computers, servers, or laptops that need to be tracked for insurance purposes. Non-physical assets include software like cloud services and SaaS applications, which may not have any physical form but still need monitoring.

Until recently, the IT asset discovery process focused primarily on physical products or installed software. Today, because so much more infrastructure and functionality is now running in virtual realms – either cloud or SaaS – newer discovery systems include the capability to discover and monitor SaaS and cloud infrastructure. Asset discovery works differently for hardware and software products. It may use multiple layers of discovery, depending on the asset. Some asset discovery systems are “agentless.” They work by aggregating data from existing asset discovery systems to create a unified asset database that is more accurate and up-to-date.

Broadly speaking, there are two types of IT asset discovery systems – manual and automated. Automated IT asset discovery systems pull in information broadcast automatically via software agents or asset tags. There is no need for the owner of these assets or IT staff to do anything. The assets automatically send out key telemetry detailing their location and status. A subset of automated IT asset discovery is internet asset discovery. Manual asset discovery systems rely on humans to scan or input data about an asset. Some systems combine active and passive mechanisms, depending on the activity or the input workflow.

Hardware Asset Discovery

In most cases, hardware asset discovery begins when an asset is entered into service by an enterprise. At this stage, an IT administrator might unbox the asset and then scan a barcode or MAC address on the asset prior to sending the device to a user or installing it for the user on-site. The asset is associated with a record of its purchase date, warranty information, and installed software. This is the starting point for discovery efforts. More modern asset discovery systems are integrated with procurement systems and the shipping databases of large IT vendors like CDW or SHI. This integration allows a laptop, smartphone, server, or another piece of hardware to arrive with all information pre-populated in the enterprise purchaser’s database and with a barcode or asset tag already affixed. When the device is scanned after it is unboxed, this activates the now complete asset record and changes the status in the IT discovery system.

On more costly hardware like laptops, servers, and smartphones, IT asset discovery leverages software agents installed on the asset. These agents may send data back to the IT team about whether the laptop is encrypted and patched and its location based on IP address usage. As asset discovery has overlapped more and more with IT auditing and compliance, this discovery capability has simplified life for compliance and auditing teams. In most cases, the laptop is associated with a specific user via the enterprise’s employee directory or HR system. This allows security teams to quickly discover assets that might be subject to a security risk and warn the asset owner.

Cloud Asset Discovery and SaaS Asset Discovery

In many cases, a third IT asset discovery system is deployed to monitor cloud infrastructure, virtual servers and databases, cloud applications, and SaaS assets. This system usually leverages a passive software agent that automates capture of usage, location, and security data for virtual assets. Virtual assets are a fast-growing category, including cloud servers running either in private or public clouds or cloud assets running on VPCs or other hosted servers not owned by the enterprise. SaaS products include the growing array of services for graphics and creativity (Marketo, Sketch), office productivity (Office365 or SharePoint), or financial functions (Expensify for expense discovery). For SaaS licenses, asset discovery systems pull information from single-sign-on systems or other authentication systems. For cloud infrastructure assets (servers running applications), discovery is conducted by pulling information from agents included in the standard builds of all cloud servers. This is crucial for cloud servers that are frequently shut down and relaunched. Older ITAMs or SAMs set up only for physical assets cannot discover and monitor high-velocity, permanently ephemeral cloud infrastructure.

Software Asset Discovery

For traditional licensed software, asset discovery is usually included in a category of products called Software Asset Managers (SAM). IT asset discovery systems for software can also be manual or automated. Many SAMs include software agents that scan device contents to discover running software and the license number of that software. By cross-checking against the assets’ contract terms in the SAM or ITAM, a team can ascertain whether the software asset is properly licensed and whether that user is out of compliance. Identifying overages in licenses used or when licenses expire is important to avoid violations that can result in expensive software “speeding tickets.” Also, in the age of Shadow IT, understanding what assets may be running on a device that was not authorized or purchased by IT is equally important to maintaining security and compliance and protecting sensitive data running on enterprise applications.

Benefits of IT Asset Discovery

There are many, many strong benefits of asset discovery. Some specific benefits include:

Automates and streamlines process of IT asset cataloging and creating asset inventories

A modern asset discovery tool eliminates the need to manually tag all your IT assets, including laptops, smartphones, tablets, and monitors. After a software agent is installed on an asset, the agent will then communicate all relevant discovery information over the network, connecting with different systems, including your ITAM. This process can be run whenever the IT team wants to gather information for support, security, compliance, or productivity enhancement. Because humans are not involved, asset discovery is far more accurate and reliable. Agentless asset discovery systems can aggregate all information from existing asset discovery systems and other data sources such as SSO, employee directory, and on-device or on-asset sensors.

Creates a single source of truth for all IT assets

Modern asset discovery systems make it simple to create a single, accurate and frequently updated database of all discoverable IT assets. This both improves confidence in data and enhances its usability. This single source of truth can power analytical dashboards, automated multi-step workflows using other IT and non-IT systems, and automated compliance and auditing processes. This single source of accurate truth can dramatically reduce the time-to-resolution of support tickets as well.

Proactively identifies anomalies in assets and asset behavior

Asset discovery systems can detect anomalous behavior or conditions in software, hardware, or virtual assets. These range from non-compliance with security policies (encryption, patches, endpoint protection, or antivirus), to devices showing up in unexpected places (indicating theft or spoofing), to license, software, or SaaS overages that could result in penalties. Scheduled discovery scans of the entire asset portfolio with an automated asset discovery tool can spot anomalies and surface issues for faster resolution and reduced risk.
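The checks listed in this section can be expressed as rules over asset records. The following is an added example, not code from the original guide or from any discovery product; the record fields, the 30-day patch threshold, the expected-country list and the license figures are assumptions constructed for illustration.

```python
from datetime import date

# Assumed policy values for this example; the text names the checks
# (encryption, patches, endpoint protection, location, license overages)
# but not thresholds.
MAX_PATCH_AGE_DAYS = 30
EXPECTED_COUNTRIES = {"US", "DE"}

# Constructed asset records as an agent or aggregator might report them.
ASSETS = [
    {"id": "LT-001", "encrypted": True, "last_patched": date(2024, 4, 20),
     "edr_running": True, "country": "US"},
    {"id": "LT-002", "encrypted": False, "last_patched": date(2024, 1, 3),
     "edr_running": True, "country": "DE"},
    {"id": "LT-003", "encrypted": True, "last_patched": date(2024, 4, 28),
     "edr_running": False, "country": "BR"},
    {"id": "LT-004", "encrypted": True, "last_patched": None,
     "edr_running": True, "country": "US"},
]
# Constructed license data: product -> (seats purchased, seats discovered in use).
LICENSES = {"design-suite": (10, 12), "crm": (50, 41)}

def asset_anomalies(asset, today):
    """Return the list of policy violations for one asset record."""
    issues = []
    if not asset.get("encrypted"):
        issues.append("disk_not_encrypted")
    patched = asset.get("last_patched")
    # A missing patch date is treated as a violation, not as compliant.
    if patched is None or (today - patched).days > MAX_PATCH_AGE_DAYS:
        issues.append("patches_overdue")
    if not asset.get("edr_running"):
        issues.append("endpoint_protection_off")
    if asset.get("country") not in EXPECTED_COUNTRIES:
        issues.append("unexpected_location")
    return issues

def scan(assets, licenses, today):
    """Run every check; return only the assets and products with findings."""
    report = {a["id"]: asset_anomalies(a, today) for a in assets}
    report = {k: v for k, v in report.items() if v}
    overages = {p: used - bought for p, (bought, used) in licenses.items()
                if used > bought}
    return report, overages
```

Missing telemetry (here, the absent patch date on LT-004) is reported as a finding rather than passed, so an agent that stops reporting does not make an asset look compliant.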

IT asset portfolio analysis, reporting and visualization

Data gathered by an automated asset discovery tool can be used to build rich and customizable visualizations of asset usage and location sliced by any parameter, including geography, type, business unit, and job function (marketing, engineering, etc.). These visualizations can be used to populate IT asset dashboards for any stakeholder or for different teams inside of the IT organization. This same data can power automated reporting on anomalies or asset status and allow IT teams, CIOs, CISOs and CFOs to analyze asset usage trends to identify areas for improvement.

IT Asset Discovery Best Practices

The prominent Gartner consultancy in a report titled How Redefining IT Asset Management Will Enable Business Transformation for the Digital Age recommended that, “…IT asset managers should proactively work within the IT strategy planning process to identify what will be acquired, why it will be used, its anticipated useful life, and how it will be secured, monitored and maintained.” A crucial part of this planning process is selecting and validating the right asset discovery tools and deploying asset discovery as an integrated part of the ITAM process.

1. Identify the problems you want to solve with IT asset discovery

Do you want to help your IT team work more efficiently and eliminate repetitive tasks? Improve your security team’s response times and anomaly detection? Reduce the amount of time required to complete IT audits? Various IT asset tracking products have different features and strengths for each of these questions. Rank the problems in order of importance and use that ranking to build selection criteria.

2. Perform a comprehensive audit of types of assets you will need to discover.

This will inform your product selection and implementation. Figure out whether you want to discover hardware, software, cloud, SaaS, or peripherals - or all of the above. Not all asset discovery tools can handle all types equally well. Knowing your needs here will improve your asset discovery process and product selection and save you time and heartache down the road.

3. Identify integration requirements.

To maximize the benefits of any asset discovery system, it must be tightly integrated with other systems. These may include IT ticketing (Jira, Zendesk, ServiceNow), security and response (Palo Alto Networks), endpoint management (Tanium), SSO and employee directory services (Okta, ActiveDirectory, G Suite), and ERP tools (Oracle, NetSuite). Knowing where you want to integrate will ensure that you can design a solution for best practices.

4. Build Selection Criteria and Analyze Asset Discovery Tools

Asset discovery tools come in many shapes and sizes. Use your answers to the previous questions and the suggested questions below to build screening criteria.

  • Is it cloud-based or on-premise? Many older discovery tools are on-premise. While they query via networks, they tend to have higher requirements for backup and business continuity. They also are generally unable to catalog virtual and cloud assets.

  • When was the original code written? Older discovery tools are written with code that is hard to modify and customize. These tools may struggle to adapt to your business use cases, in particular as IT continues to evolve.

  • What types of assets does the tool cover? Many organizations run multiple discovery tools, with each focused on a different asset type. It is hard to build a discovery tool that is equally adept at discovery for all four asset classes. For this reason, an agentless discovery tool that combines data with more specialized asset discovery is often a good option.

  • Does your security team already have a viable tool? There is considerable overlap between discovery for IT purposes and network scanning for security purposes. Check with your security team to see what they are using and what their experience has been.

  • Does the tool require new or additional software installs? Adding new things can be complicated and time-consuming. You may not need to if you select the right discovery tool.

  • Is it part of a larger ITAM or ITSM platform? Modules of larger platforms can be very easy to launch but they are also generally hard to customize. Usually, the ITAM or ITSM vendor will charge to customize and will charge an annual maintenance fee. This can add up quickly, depending on your customization needs.

  • What types of integrations do you need to do?

With these criteria, narrow your selections down to those that fit and make an initial decision.

5. Socialize a Plan with Stakeholders.

As with any major project, change management is key. Identify stakeholders you will need to include. Bring them into the discussions about how to launch the discovery process and take their feedback. Make sure that they are OK with your logic and initial decision on product selection. Hear their concerns and identify champions for rollout and adoption.

6. Build a POC or Lightweight / Partial Deployment.

Use this stage to validate your assumptions, identify needs and requirements that you might have missed, and collect real feedback from users. For POCs, identify a particularly friendly unit or an easy use case to test out your new asset discovery process and tooling. If it flies there, then you are cleared for a broader project.

7. Normalize the Data

Normalize discovered data to ensure accuracy. We often see hardware or software assets change how they report their asset information to inventory databases. For example, a Microsoft application could potentially report its vendor ID as “MS,” “Microsoft,” or “Microsoft Inc.” Inconsistent naming conventions make it difficult to build IT asset reports; therefore, it is important to ensure consistency by implementing asset normalization processes. Asset normalization can be accomplished using database scripts or normalization software tools.
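A small normalization script for the vendor-name case above, as an added example that is not part of the original guide or of any normalization product. The alias table, the extra Adobe and "Acme Tools" entries and the sample records are constructed for illustration.

```python
import re
from collections import Counter

# Assumed alias table for this example: cleaned vendor string -> canonical name.
VENDOR_ALIASES = {
    "ms": "Microsoft",
    "microsoft": "Microsoft",
    "microsoft inc": "Microsoft",
    "microsoft corporation": "Microsoft",
    "adobe": "Adobe",
    "adobe systems": "Adobe",
}

def clean(raw):
    """Lowercase, drop punctuation and collapse whitespace before lookup."""
    text = re.sub(r"[^\w\s]", " ", raw.lower())
    return " ".join(text.split())

def normalize_vendor(raw):
    """Return (canonical_name, known). Unknown vendors are returned stripped
    but flagged, so they are queued for review rather than silently merged."""
    key = clean(raw)
    if key in VENDOR_ALIASES:
        return VENDOR_ALIASES[key], True
    return raw.strip(), False

def normalize_inventory(records):
    """Normalize the vendor field of (vendor, product) records and return
    per-vendor install counts plus the set of unmapped vendor strings."""
    counts, unmapped = Counter(), set()
    for vendor, _product in records:
        name, known = normalize_vendor(vendor)
        counts[name] += 1
        if not known:
            unmapped.add(name)
    return counts, unmapped

# Constructed discovery output with the inconsistent names from the text.
RECORDS = [
    ("MS", "Office"), ("Microsoft", "Visio"), ("Microsoft Inc.", "Teams"),
    ("  MICROSOFT,  INC ", "Edge"), ("Adobe Systems", "Acrobat"),
    ("Acme Tools", "Widget"),
]
```

Without normalization the four Microsoft records would appear as four different vendors in a report; unmapped names are surfaced separately so the alias table can be extended deliberately.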