ITAM: Back to Basics
The start of a new year always provides the impetus to take stock of the previous year and assess what has been working and what has not in your IT environment. That review should include your IT asset management practice, guidelines, and definitions.
If you looked back at your last year of IT asset activity, how many of these would you say yes to?
- Missed opportunities to reduce spend or alter licensing models at asset renewal and vendor negotiations
- Insufficient trusted asset data or single source of truth leaving you exposed across IT disciplines
- Unable to provide an instant status of the software that you have purchased, installed, and used
- Repeated internal and external audits without a framework that enabled rinse and repeat
- Cost reduction initiatives that hit asset management budgets
- Lost key ITAM personnel reducing available resources
Did you answer yes to two or more of the above? Then it’s time to ring in the changes.
With ITAM data increasingly used to support other IT disciplines, such as security controls, service management, and end-user support, it is even more critical to review last year’s wins, losses, and risks, and then plan to mitigate them in the year ahead with new or refreshed programs, ITAM policies, and strategies that reflect the changes in your environment over the past year.
But it’s easy to forget the basics, so here are a few reminders to kick start your activity.
Decide what ITAM data you need
When it comes to your ITAM data, start with the end in mind. Rather than collecting every piece of data simply because you can, only to realize later that you don’t have enough data or the right type of data, pinpoint the data you need in order to make informed decisions that map to your business outcomes, and then work backwards.
Implement policy that ensures ongoing data accuracy
After defining the data you want to collect, you need to ensure that in six months, a year, or two years, you are still extracting accurate data and have access to it in a timely manner. Instituting an effective policy will help you stay on track.
Establish asset criteria
Not every asset is created equal, by which I mean some assets are business critical, more valuable, or pose a greater security risk than others. Not all assets should be managed in the same manner; in fact, not all assets require stringent management, and recognizing this keeps you from boiling the ocean. Establish your asset criteria to determine which assets to manage. But there is no room for complacency: once established, the criteria should be reviewed regularly, as your business and IT environments are constantly changing.
Manage the complete lifecycle of your assets
From purchase through to usage and then disposal, managing asset lifecycles is a real no-brainer, but it is sometimes forgotten in the haste of pushing assets out the door. It allows you to better optimize usage of those assets and helps expose risks, such as how an asset is disposed of, not forgetting the data that resides on that asset.
Conduct regular portfolio reviews
This one activity alone could provide considerable cost savings. You’ll be in a better position to rein in, or altogether avoid, uncontrolled asset usage. Undertaken regularly, your reviews will assist you in seeking out opportunities for portfolio rationalization, ridding your program of asset duplication and reducing asset overlap.
Determine an audit process
There’s no avoiding some audits, but a little preparation goes a long way. Rather than running around with your hair on fire when an audit does come your way, follow established processes to reduce the pain, time taken, risk, and potential costs involved with audits. If you don’t have an audit process in place, it’s time to bring your stakeholders together and develop one that everyone agrees to and then communicate it out.
Implement robust software reclamation processes and policies
Your software asset management strategy needs to include the ability to review software usage data so that you can automatically reclaim unused software and redeploy it to waiting end users. This should also give you the teeth you need when renegotiating with vendors at renewal time if the level of usage has dropped. And let’s not forget the importance of reclaiming software or shutting off access as end users leave your organization, both to give you an accurate count of usage and for the obvious need to prevent ex-employees from accessing your data.
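The reclamation check described above, as an added example that is not Ivanti’s tooling or anything from the original article. It joins three constructed inputs an ITAM team typically has (installed-software records with a last-used date from discovery/usage tooling, an HR leavers feed, and a per-product idle threshold) and produces the licences that can be reclaimed, plus the per-product installed-versus-reclaimable counts you would take into a renewal negotiation. All names, products, and thresholds are invented.

```python
"""Software reclamation candidates from usage data (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Install:
    user: str
    product: str
    last_used: Optional[date]  # None means never launched since installation


# Constructed sample exports; a real run would read these from the
# discovery/usage tool and the HR offboarding feed.
INSTALLS: List[Install] = [
    Install("alice", "DesignSuite", date(2024, 1, 3)),
    Install("bob", "DesignSuite", None),
    Install("carol", "DesignSuite", date(2023, 6, 15)),
    Install("dave", "DataModeler", date(2024, 1, 10)),
    Install("erin", "DataModeler", date(2023, 12, 1)),
]
LEAVERS: Set[str] = {"carol"}  # users HR reports as having left (constructed)
IDLE_DAYS: Dict[str, int] = {"DesignSuite": 90, "DataModeler": 60}  # hypothetical policy
DEFAULT_IDLE_DAYS = 90

Candidate = Tuple[str, str, str]  # (user, product, reason)


def reclamation_candidates(installs: List[Install], leavers: Set[str], today: date,
                           idle_days: Dict[str, int] = IDLE_DAYS) -> List[Candidate]:
    """Return installs whose licence can be reclaimed, with the reason.

    Departed users are flagged first regardless of usage, because that case is
    an access-control problem as well as a cost one.
    """
    found: List[Candidate] = []
    for inst in installs:
        limit = timedelta(days=idle_days.get(inst.product, DEFAULT_IDLE_DAYS))
        if inst.user in leavers:
            found.append((inst.user, inst.product, "user departed"))
        elif inst.last_used is None:
            found.append((inst.user, inst.product, "never used"))
        elif today - inst.last_used > limit:
            found.append((inst.user, inst.product, f"idle > {limit.days} days"))
    return found


def usage_summary(installs: List[Install], candidates: List[Candidate]) -> Dict[str, Dict[str, int]]:
    """Per-product installed vs. reclaimable counts for vendor renewal discussions."""
    reclaim = {(user, product) for user, product, _ in candidates}
    summary: Dict[str, Dict[str, int]] = {}
    for inst in installs:
        row = summary.setdefault(inst.product, {"installed": 0, "reclaimable": 0})
        row["installed"] += 1
        if (inst.user, inst.product) in reclaim:
            row["reclaimable"] += 1
    return summary


if __name__ == "__main__":
    today = date(2024, 1, 15)
    cands = reclamation_candidates(INSTALLS, LEAVERS, today)
    for user, product, reason in cands:
        print(f"reclaim {product} from {user}: {reason}")
    for product, row in usage_summary(INSTALLS, cands).items():
        print(f"{product}: {row['installed']} installed, {row['reclaimable']} reclaimable")
```

The leaver check deliberately precedes the idle check: an installation held by a departed user is reported as "user departed" even if it was used yesterday, so the offboarding case is never hidden behind a usage statistic.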
Consider automation of asset processes
Automating your asset processes will give you true bang for your buck. From slashing the burden on already stretched IT personnel and your budget to reducing human error and exposure to risk, automation saves everyone a headache. If your asset management is a manual, time-intensive discipline that doesn’t allow you to perform some of the activities outlined above, it’s time to take action.
Take some time to consider the above reminders to put yourself in a stronger IT Asset Management position. A little time now will help you control your costs, mitigate your risks, and deliver the assets your end users and the business need at the time they are needed. And of course, it goes without saying, we’re here to help should you need any advice, guidance, or software and hardware tools to assist you in your review.
And check out Ivanti’s free IT Asset Management resources to move beyond basic discovery and optimize your hardware and software performance.
Popular coding advice doesn’t necessarily equal secure coding advice
Stack Overflow is a hugely popular online forum/Q&A site that many programmers and software developers use to find answers to particular programming problems.
Unfortunately, researchers recently found that a considerable portion of the information/code provided by many contributors contains exploitable security vulnerabilities. And since less knowledgeable users are unlikely to spot those, the question is: can they rely on the site’s user community to help them differentiate secure from insecure choices?
According to more recent research from Virginia Tech, TU Munich and the University of Texas at San Antonio, the answer is “no.”
The researchers conducted a study on security-related Stack Overflow posts and contrasted secure and insecure advice with the community-given content evaluation. To ensure a fair comparison between secure and insecure suggestions, they focused on the discussion threads related to Java security.
“We compiled 953 different groups of similar security-related code examples and labeled their security, identifying 785 secure answer posts and 644 insecure answer posts,” they explained.
“Compared with secure suggestions, insecure ones had higher view counts (36,508 vs. 18,713), received a higher score (14 vs. 5), and had significantly more duplicates (3.8 vs. 3.0) on average. 34% of the posts provided by highly reputable so-called trusted users were insecure.”
The results of the research made it obvious that the site’s voting system fails to identify and reward secure answers.
Also, its reputation mechanism fails to point out trustworthy users with respect to security questions.
The users who provided secure answers have a significantly higher reputation than the providers of insecure answers, but the difference in magnitude is negligible, the researchers noted, so users can’t rely on the reputation mechanism to identify secure answers.
Additional findings include:
- Accepted answers and snippet repetitiveness are also not a reliable way for users to identify secure coding suggestions.
- Insecure answers dominate in the SSL/TLS category (70%). Secure answers dominate the other categories (94% in Asymmetric, 71% in Hash, 54% in Symmetric, 52% in Random).
- Duplicated answers were created because users asked similar or related questions and some users blindly copied and pasted code to answer more questions and earn points. The good news is that researchers didn’t identify any user that intentionally misled people by posting insecure answers.
Recommendations for improvement
“It is worrisome to learn that SO users cannot rely on either the reputation mechanism or voting system to infer an answer’s security property,” the researchers noted, and pointed out that a recent Meta Exchange discussion thread showed the frustration of Stack Overflow developers at trying to keep outdated security answers up to date.
Their advice for tool builders is to test the code and explore approaches to detect and fix security bugs, preferably in a semi-automated or automated way, and for Stack Overflow developers to:
- Integrate static checkers to scan existing posts and posts under submission
- Automatically add warning messages or special tags to any post that has vulnerable code
- Encourage moderators or trusted users to exploit clone detection technologies to detect and remove both duplicated questions and answers.
- Switch from using a single reputation score per user to one score per tag, reflecting the questions a user frequently asks or answers, so that their expertise can be better characterized.
Stack Overflow’s gamification approach for incentivizing users is also ineffective when it comes to improving the security properties of distributed code examples. In fact, since answering more questions leads to improved reputation, contributors are effectively encouraged to provide duplicated, less useful, or insecure coding suggestions.
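A minimal version of the first two recommendations (a static checker run over posts, which then attaches a warning and tags), as an added example that is neither the researchers’ tooling nor anything Stack Overflow runs. The rules cover well-known insecure Java idioms in the study’s four categories where they are easiest to pattern-match (SSL/TLS, Symmetric, Hash, Random); the regexes, the mapping of each idiom to a category, and the two sample snippets are my own constructions.

```python
"""Regex-based checker that flags insecure Java idioms in a Q&A post (added example)."""
import re
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    category: str   # category name as used in the study
    message: str    # warning text a moderator or reader would see


# (category, pattern, warning). Each pattern targets one widely known insecure idiom;
# a real deployment would use a proper parser, not regexes over raw snippet text.
RULES = [
    ("SSL/TLS", re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
     "empty checkServerTrusted: the trust manager accepts every server certificate"),
    ("SSL/TLS", re.compile(r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
     "HostnameVerifier that returns true accepts any host name"),
    ("Symmetric", re.compile(r'Cipher\.getInstance\(\s*"(AES|DES)"\s*\)'),
     "transformation without mode/padding falls back to provider defaults (ECB on common providers)"),
    ("Symmetric", re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/'),
     "ECB mode leaks plaintext patterns"),
    ("Hash", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"\s*\)'),
     "MD5/SHA-1 are not collision resistant; use SHA-256 or stronger"),
    ("Random", re.compile(r"new\s+(java\.util\.)?Random\s*\("),
     "java.util.Random is predictable; use SecureRandom for secrets and tokens"),
]


def scan_snippet(code: str) -> List[Finding]:
    """Return one Finding per rule that matches the snippet (at most one per rule)."""
    return [Finding(cat, msg) for cat, pattern, msg in RULES if pattern.search(code)]


def tag_post(code: str) -> Dict[str, object]:
    """Build the warning banner and tags the recommendation asks for."""
    findings = scan_snippet(code)
    tags: Set[str] = {"insecure-" + f.category.lower().replace("/", "-") for f in findings}
    warning = "" if not findings else (
        "Warning: this answer contains patterns considered insecure: "
        + "; ".join(f.message for f in findings))
    return {"flagged": bool(findings), "tags": sorted(tags), "warning": warning}


# Constructed snippets standing in for two answers to the same question.
INSECURE_ANSWER = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
Cipher c = Cipher.getInstance("AES");
MessageDigest md = MessageDigest.getInstance("MD5");
String token = Integer.toString(new Random().nextInt());
"""

SECURE_ANSWER = """
SSLContext ctx = SSLContext.getDefault();   // platform trust store, hostname checked by HttpsURLConnection
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest md = MessageDigest.getInstance("SHA-256");
SecureRandom rng = new SecureRandom();
"""

if __name__ == "__main__":
    for label, post in (("insecure", INSECURE_ANSWER), ("secure", SECURE_ANSWER)):
        print(label, tag_post(post))
```

The checker is intentionally a flag-for-review tool rather than an oracle: `new Random(` or `MD5` also appear in harmless contexts (simulations, non-security checksums), so the output is a warning and a tag that a moderator can confirm, which is what the recommendation describes, not automatic removal.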