There has been significant emphasis on corporate data and IT asset vulnerability in recent years due to the increase in cyber security threats. Some industries have regulations requiring companies to know what IT assets they have as well as track what they connect to in the effort to better protect critical infrastructures. However, to really improve security and remediate vulnerabilities, companies need to better understand and implement a comprehensive Asset Lifecycle Management system because for it be fully effective, it needs to consist of far more than the “bean counting” exercise that many organizations currently believe is sufficient.
Learning the hard way
A large energy industry customer asked BMC whether we could help them with an asset management problem they had encountered. They had BMC’s Discovery product deployed, were feeding data into the Atrium CMDB and were producing reports on the composition of their asset estate. Our first thought was that they were not discovering all that they could. But, it turned out that they had just failed an audit because of the data quality. The audit results showed that only 19% of the asset records had the asset owner field filled out. While they knew what assets they had, they had no idea who owned them, who to call if there was an issue and what the asset status was. They were in urgent need of an Asset Lifecycle Management process and system in order to repair their regulatory position.
An ounce of prevention beats a pound of cure
As the customer scenario illustrates, asset management is no longer just about “bean counting” (i.e., being able to know how many servers, desktops you have). There are other elements that a fully rounded Asset Lifecycle Management process and system should have—especially to stay ahead of regulatory shifts. During BMC’s customer engagements, we have established three key pathways which need to be considered when discussing asset management:
- Asset Discovery – complete and comprehensive discovery across all assets which are discoverable
- Asset Vulnerability – identifying threats and effective remediation
- Asset Capacity – forecasting and matching the correct capacity to meet the cycles of business demand
For our customer, we first helped them to establish an end-to-end asset lifecycle management process and to initiate a layer of governance to monitor and control the responsibilities and accountabilities throughout the different phases of the process. BMC’s Digital Transformation Consulting team assessed the current state of play, identified the issues and the gaps, and built out a complete process framework – with all the supporting processes included and integrated. We also identified the necessary skills across the needed roles and put in place an education and training plan. At the end of the engagement, 95% of the assets had an identified owner and the customer’s asset management team was actively chasing the missing set.
Next, we focused on application modelling as when they had an issue with an asset, they had no idea of the upstream and downstream impacts that issue was having on their business services and their users. They wanted to evolve from collecting data about single assets to starting to model them beneath their business services. The goal was to build out the relationships and dependencies so that their service desk and support teams could quickly identify the impact and proactively notify users of any service degradation and outage. Our consultants identified a critical set of business services and quickly modelled them out, building them on top of the models that BMC Discovery had created. As they were creating the models, the customer asked how they could also include the network and database components. This meant an extension of Discovery into those domains, where currently the customer had multiple systems of record. This required a consolidation and rationalization of those deployed capabilities which we did to make it possible for Discovery to extend into the network and database components. Lastly, due to recent hacking attempts, vulnerability management also will be addressed going forward.
Asset management requires constant “gardening”
As you can see, embedding an Asset Lifecycle Management process and system is not always a sequential set of activities. A customer may be extremely mature in the discovery area, and want to focus on vulnerability management. Alternatively, their focus may be on being able to flex IT asset capacity. The journey that a customer takes and which areas they will focus on depends on their maturity and the issues they are facing currently. In most cases, customers will have discovery capabilities and will be looking to rationalize and extend them. This is especially true as their businesses transition more and more of their services into the cloud. As companies evolve their cloud services, their processes will need to be refined and embedded across the multiple supporting groups which now form part of the eco-system. Additionally, there are increasingly complex sets of compliance and regulatory requirements which need to be addressed and met. Furthermore, they cannot lose sight of security which will need to encompass the “plugging” of all the vulnerabilities in code, infrastructure, and access that will regularly crop up as systems are linked across multiple environments and through complex integrations.
If you need help developing or improving your Asset Management domain, BMC’s Asset and Configuration Management consulting offering can help—be it optimizing the use of current capabilities, deploying new ones, or streamlining supporting processes and operations. If you would like us to give you a call to discuss how we can help you address these challenges, please fill out our form.