Keeping track of all your IT assets in a company can be an overwhelming task. It includes laptop computers, desktop computers, mobile phones, cloud services, and much more. In this blog post, we will give you an introduction to what asset management is and a hands-on guide on how to get started with IT asset management in your company.
In short, IT asset management is a system used for keeping track of which IT assets are included in your company. This includes the computers you have connected, the software applications are installed on them, and the cloud services you are using. This also makes it possible to ensure that only approved services and applications will be used on company-owned computers. It is important to point out that IT asset management doesn’t involve the employees’ use of these assets, but only whether or not they are connected. Thus, it would be possible to see if the employee has e.g. Microsoft Word installed, but if the employee is using this application. If you are interested in such a system, you should have a log management system instead.
Before proceeding to the implementation of IT asset management, I will cover why this initiative should be prioritized:
Having discussed these reasons, let’s proceed and look at the implementation of IT asset management and which role a system like this could play in your IT security setup.
Which one should you then have? Fortunately, you don’t have to choose between them because they complement each other quite well.
In our experience working with log management, we have found that it was very useful to start by implementing IT asset management because this is where you find out which sources you want to log data form. Without IT asset management, you run the risk of overlooking some of the sources you want to log data from and not log all the relevant data. Log management can enrich IT asset management in the same way, as the implementation of log management can help to identify the different cloud services that should be registered as assets.
Now we know that IT asset management can help keep track of both your physical and digital IT assets. But what does it take? In short, it only takes time. Different systems exist for this task, and we will show you the one we use for ourselves. Best of all, it’s free!
Before you get started implementing the IT asset management, it is a good idea to create an initial overview for yourself over which online services your company is using, as the system cannot scan these automatically.
After that, the first step in this process is of course to create a user on the system we will be recommending in this blog post, Spiceworks Inventory.
This system needs a server to run on, which naturally you may have to handle yourself. If you want to avoid this, Spiceworks has a cloud solution, where they take care of setting up a server. If you have different locations, these can be set up as ‘Remote Sites’, which is necessary to run the scannings that we will be addressing later in this blog post.
The agent should be installed on the asset, but from there on you can follow the asset outside of your working environment. This means that it is a good idea to install an agent on mobile devices such as a laptop computer that the employee might take home. You can download the agent from Spiceworks and install it on the different assets. When the agent is installed on the device, it will review the applications installed on the computer drive and then add these applications to the Spiceworks system. Unfortunately, Spiceworks’ agent only exists for Windows machines, so Mac or Ubuntu machines should be registered using scanning instead.
Scanning works quite simply through your network at your workplace. Because of this, it can cover all the assets that do not leave the workplace and those not fit for having an agent installed. This process covers what cannot be registered through an agent. Naturally, this type of registration requires less administration, since agents should not be installed on individual devices. However, it takes more work identifying the different devices correctly.
The registration of online assets is a bit more challenging than the registration of applications already installed. Installed applications register automatically by either the agent or the scanning reviewing the computer drive and thereby registering everything installed on it.
Finding out which services are being accessed happens by scanning the browser history for URL’s that you can define yourself. If I know for example, that we use Office365 in our organisation, then I can ask the system to look for part of the URL which contains ‘Office’. After this, I will be able to see if the different assets have visited such a URL. This works great, but it would also be hard to tell if my organisation’s assets are accessing a service that I have not put the URL in Spiceworks. This illustrates one of the advantages of having both IT asset management and log management.
In a case like this, you would be able to see in the log management system, that the unregistered cloud service had been accessed. Then you use the asset management to look for this and thereby see which devices have accessed the service.
When you have registered all of your company’s assets and registered which cloud services to look for as well, you should have an overview of both your companies’ physical as well as digital IT assets. From here on, as mentioned earlier, you will have a nice, transparent overview of whether or not your colleagues are using applications or services that have not been security approved. In the future the maintenance of the system will only consist of installing new agents on new assets as well as registering new cloud services, that you choose to use.
I hope this blog has made Asset management seem like a doable task, can be implemented in your organisation. Often it can be a ”low hanging ” fruit in a way, due to the resource demand being so low, and because you build up an overview through the implementation process, which should be a part of any strong IT security setup anyway.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.