At some point in every organization’s security journey, the problem of asset management inevitably comes up. Solutions are often cosmetic and don’t tackle fundamental issues or provide real visibility. As more organizations chart their Zero Trust course, the asset management problem comes up a lot more, as you cannot mediate what you do not know, but technology and security leaders alike predictably roll their eyes or yawn when the topic is brought up, as traditional methods like configuration management databases (CMDBs) or a vichyssoise of Excel sheets that veer more verbose are often mediocre. Asset management has historically been a difficult beast to tame, and this has made security leaders cynical and complacent.
Organizations experience the following challenges with asset management:
- Lift-and-shift cloud migrations preserve legacy errors. Cloud computing has been shown to provide significant productivity and cost benefits, and organizations have been moving more workloads to the cloud. There is a tendency, however, to attempt a copy-paste of on-premises technology management strategies (which are often not all that great), and these typically fail. The ease with which technology assets can be easily deployed creates cloud sprawl, which inevitably creates unmanaged assets.
- Shadow IT is alive and kicking. Low-code, no-code, AI, and their cousins make it possible for business functions to deploy their own resources without needing to involve IT or security. Business functions with sufficient budgets and purchasing authority can procure their own platforms and service providers, completely bypassing IT. These deployments predictably do not comply with established configuration baselines and will be unmanaged. Unmanaged assets develop into vulnerable assets, and it’s only a matter of time before they are exploited.
- Poor and unreliable asset data lacks integrity. Integrity is one of the cornerstones of security, but according to Forrester’s Modern Technology Operations Survey, 2022, over half of those surveyed do not trust their CMDB. If the tools used to manage your environment cannot be trusted, then that needs to be addressed. Asset databases are often updated as part of a compliance activity or yearly, and that is being optimistic. Keeping records updated is an all-too-familiar problem for security leaders.
- Technology lifecycle management left the chat a long time ago. Over half of surveyed digital and IT professionals have assets that they do not understand the purpose of, according to Forrester’s Modern Technology Operations Survey, 2022. And the evolution of technology environments will only get faster. With little to no change management, assets take on lives of their own and develop ambiguous attributes that may or may not be business-critical. These “shot in the dark” strategies will lead to the creation of obsolete assets and costlier management.
Start by asking what parties need access to your resources and classify them. Understand the reasons behind requested access. Your improved grasp of the business context also bolsters your credibility when building your business case. The report, Use Asset Management To Build Zero Trust, provides next steps with practical tactical and strategic recommendations to help security leaders tackle the tricky twist of asset management and progress on their Zero Trust journey. The methods discussed will guide organizations toward better asset management practices while keeping in mind business realities. Forrester clients can read the complete report here.