IT Asset Management (ITAM) and IT security are compatible functional areas; sharers of information, mutual defenders of data, and participants in activities to reduce risks through increased controls, accountability and reportability. The IT department that fosters cooperation between these groups benefits from more accurate information about the use of IT and ultimately to improved goal achievement.
The importance of that cooperation is growing because IT trends are profoundly impacting IT security. Adoption of cloud-based applications and platforms and increased accessibility via mobile devices are some of the trends escalating the scope and requirements for IT security. Of course, these same trends generally influence how work is conducted within the organization including ITAM, but in addition to incorporating these trends into IT Asset Management processes, The IT Asset Management team needs to be aware of the issues facing IT security.
Shifting Security Focus
Until recently, organizations have focused on IT security measures to block intruders from gaining access to their network and data. With that goal, organizations invested in perimeter firewalls, network security and limiting errant access via identity management. Communication outside of and within the organization relied upon cryptographic protocols such as TLS (Transport Layer Security) and SSL (Secure Socket Layer). However, incorporating these security elements is difficult, expensive and requires continual investment in updates and improvements. Organizations have failed to consistently keep up with the security technology and processes, highlighted by the fact that 99.9% of data breaches in 2014 occurred even though Common Vulnerabilities and Exposure (CVE) patches were available for a year or more before the incidents. It is no surprise that surveys show a lack of trust in security measures. The constant barrage of reported hacks at well-known organizations doesn’t help raise the confidence level.
While organizations struggle to secure data and environments, intrusions continue to increase in sophistication, raising the bar by defeating protections and using security technology like encryption to help invade the organization. Another hint at the sophistication of the attacks is that one study found that in 70% of the malware attacks were a motive for the attack was known, there was a secondary victim.
The overall concern is that the static security controls are too easy to jump over. The current situation seems to foster fragmented security processes leading to mistakes like the partial application of a CVE patch and an overwhelming number of alerts that obscure real problems.
For 2015, the security team and the organization’s executives have two clear objectives:
- Improve the efficacy of existing security functions
- Change from a perimeter-only approach to offensive security
Improving Existing Security
There is certainly more value to be derived from the existing investment in security processes and technology. For example, security might commit to a methodical application of patches rather than using the fire drill approach. Or, the organization could invest in improved identity management. Fundamentally, the security team needs to focus on reducing the risks to the organization by reducing the opportunity for some problems to occur and identifying the problems that do occur more quickly. The following list of actions may be part of the security team’s plan:
- Educating the security team on risk trends: The risks facing the organization change over time and the team may make assumptions about what to look for or do when something happens. For instance, a study revealed that the staff struggled to detect and correct compromised security certificates or keys because they trusted the capabilities of the keys and certificates to protect the organization. The survey found that 78 percent of respondents conducted only a partial remediation because of that belief
- Ensure old technology is removed from the environment: The first thought with older technology is the possibility of exposure of data when these devices are lost or stolen. IT Asset Management disposal management is essential to reducing this risk. However, there are other security risks associated with older technology such as flaws in the hardware or software bringing back old security problems or introducing risks because the current security configuration is no longer configured for the older technology
- Standardizing identity management across systems: When people have many user names and passwords, they write them down, put them in a file on their computer marked “passwords” or use the same passwords again. Using automation to manage identities is a good way to limit a breach from casual and risky behavior with passwords
This list above is powerful in that it suggests three distinct areas where additional scrutiny would add value, namely the people, the inventory processes and the automation. Of specific interest to IT Asset Management is the importance of inventory processes. Along with the retirement process highlighted above, IT Asset Management is needed to build and maintain all of the inventory processes that limit the chaos and unknowns in the environment including the cloud extensions of the environment.
More than Perimeter
Existing automated solutions that have been helping to reduce risk for years will continue to improve and have an important role in securing the environment. However, the rise in purposeful attacks using our own security measures as camouflage such as compromised keys and certificates, encrypted malware, etc. means that no matter how good existing security measures become, the organization needs to re-prioritize to include the detection and elimination of compromises. Organizational efforts to detect compromises are failing, with the gap between time-to-compromise (attacker successful) and time-to-detect-that-compromise (defender successful) is growing according to the Verizon data base investigation report (DBIR) for 2015. The concentration on perimeter security as the end game is over. An already sophisticated and complex set of responsibilities and automation are going to become labyrinthine.
The refocus on detection includes the automation category of security information and event management (SIEM) tools. SIEM tools use information such as log management to detect threats. However, others suggest that SIEM does not go far enough. Some vendors talk about security intelligence rather than information and that it should include:
“…security and network device logs, vulnerabilities, configuration data, network traffic telemetry, packet captures, application events and activities, user identities, assets, geo-location, and application content.”
The thought is that though this approach would produce enormous amounts of data and constant alerts, automation will make this diligence possible. One might worry about the fragmentation and overhead in security management especially considering the complexity incumbent with cloud computing and multiple access points.
Exponential growth in security concerns is part of the adoption of cloud computing strategies and no discussion of security trends is complete without highlighting the cloud. These concerns may have slowed adoption but certainly not stopped it. According to this article, IDC is forecasting that public cloud services will represent half of the global spending growth for software, servers, and storage by 2018.
Data is the major concern; in transit, at rest in the cloud and in use within an application that is cloud-based. The characteristics of cloud options that deliver the biggest advantages are also the ones that make it very difficult to impossible to track the data. The responsibility for protecting the organization’s data will obviously still include the organization, with the cloud provider’s contribution and share of the responsibility set in the contract. Even if the cloud provider is delivering security services, the organization’s responsibilities for governance will require information for monitoring, reporting and auditing.
The security team’s data-centric tools for the cloud include encryption and tokenization, starting before the data leaves the organization’s hands. Success will require key management and the implementation of a consistent policy across cloud services.
Mobile asset management is an important part of securing the organization’s data and includes the physical device as well as the storage in the cloud. IT Asset Management’s familiar tools of policies and processes are essential to reducing risks from the expanding use of mobile devices.
The bottom line for IT Asset Management is that the better the information is about the IT assets within the organization and in the cloud, the better security will be able to fine tune their detection processes. IT Asset Managers participating in cloud management have to take a leadership role in the contractual, financial and inventory management of cloud usage. Additionally, IT Asset Management needs to take an active role in governance information gathering and reporting across the IT resources in use, working with security to reduce risks to the organization.