Take the case of obsoleting a hard drive to ensure no proprietary data is left intact. Smart IT shops follow U.S. Department of Defense (DoD) regulations to ensure they are wiped clean, says Thom Bailey, director of product management for Symantec's infrastructure management solutions group. The DoD rules call for "sanitizing" the drive by degaussing, or completely demagnetizing, and/or overwriting the drive with random characters on seven separate passes.
But Patricia Cicala, CEO of Cicala and Associates, a Hoboken, N.J., consultancy that helps enterprises manage and secure their IT assets, has one customer who takes a more creative approach to the problem: He drills holes in hard drives before throwing them into the scrap heap.
The customer, who she will not identify, is simply not comfortable relying on third-party services that claim to totally wipe a drive's contents, she says. He is worried about a working drive with protected data being redistributed, "especially offshore," Cicala says. (In truth, the DoD guidelines also recommend physically incapacitating old drives by disintegrating, melting or some other destructive method.)As effective as physically mutilating a drive may be in making it useless, it may not be practical or cost-effective, says Symantec's Bailey. For instance, an enterprise that leases thousands of notebooks could not destroy the machines' drives without incurring significant expenses, both in the cost of the drives and time to demolish them.
Cicala notes that "double-camping" -- in which an employee with authorized access to restricted areas, such as personal financial data or patient records, uses those credentials on multiple systems simultaneously -- is an asset-management problem few IT shops are prepared to handle. Double-camping is particularly difficult to discover with typically available asset-management tools, she says.
But by exposing supposedly protected data to any unauthorized personnel with physical access to the unattended machine, double-camping poses a significant security risk, one many enterprises cannot afford to take, Cicala adds. It would, of course, violate Sarbanes-Oxley or Health Insurance Portability and Accountability Act (HIPAA) compliance regulations, among others.
What to do about this type of asset-management dilemma?
"You have to have practices in place for auto-discovery" to track when and how network resources are used, she says. Those procedures compare who is using a network asset against a database of user IDs and pass codes.
Even then, catching double-camping and other similar kinds of asset-related security breaches depends on "how often you reconcile your database to ensure you don't have double-camping," Cicala explains. "You have to have the ability to tie software usage to hardware usage."
Those two issues point out the disparate and highly complex nature of securely managing information technology assets. What once was a fairly trivial matter -- knowing the when/where/why of an enterprise's IT assets -- now concerns not only the IT domain, but financial and compliance departments as well.
IT personnel must identify and deal with the physical (i.e., hardware and software) aspects of managing an enterprise's computing resources, including PCs, routers, switches and whatnot. Not only does this make good business sense, a variety of governmental agencies, from the Internal Revenue Service (IRS) to the Securities and Exchange Commission (SEC), have an interest in knowing what assets an enterprise owns.
There is a second part of the problem, however. IT departments have an even more difficult task in identifying what one might call logical assets. These include software licenses as well as the processes and procedures that link hardware, software and users together into a cohesive network infrastructure.
Those intangibles are areas where asset-related security breaches are likely to occur, says Tony Thomas, a product manager with the business unit of Intuit Information Technology Solutions.
"Asset management goes well beyond just finding a particular device on the network," he says. "You have to analyze those devices to determine whether they're compliant, or how they map out to corporate IT security policies. If you know exactly what's out there, then you can reduce the risk of security vulnerabilities."
IT personnel "must look at security from a holistic point of view" when managing their assets securely, says Rich Baich, a managing director for consultancy PricewaterhouseCoopers.
"The first thing you have to do is understand what your assets are. Once you've identified those, the next logical step is labeling whether those assets are vulnerable, and to classify whether they pose a low, medium or high risk," he adds. "Then you can build proper security protection around them based on the level of risk your organization is willing to accept, and you don't over- or underestimate the security controls you need."
He uses a database housing personal information, such as Social Security or credit card numbers, as an example. "If the database has large amounts of personal data in it, rather than spending large amounts of money to protect that asset, you need to change it. That is, perhaps you don't store the Social Security numbers in it. In other words, you change the protection profile of that asset," Baich adds. "Asset management is the starting point for that."
Enterprises must also manage the relationship of devices and services on their systems, says Matt Franch, director of product marketing for Altiris, a patch- and asset-management software vendor. This includes managing the configuration of devices and how that configuration relates to other resources.
"Within an email system, you'd want to understand which devices -- routers, servers, laptops and desktops -- are connected to the email server," he says.
Then, when IT receives a call complaining about poor service, it is in a better position to resolve the issue because "it can determine exactly what assets are involved."
Franch recommends maintaining a "configuration database" that allows IT departments to better understand the relationship of the assets on their network. Such a database is key to keeping IT assets up-to-date as well, he says, because it can help determine whether the asset is at risk to the vulnerabilities that software patches mitigate.
It can, for instance, point out the existence of Windows 95 PCs on a network. This can pose a "huge" threat to network security because Windows 95 PCs cannot be patched to protect them against the types of threats making the rounds now, notes Jose Negron, technical director for Layton Technology.
Enterprises are also coping with employee use (or rather, abuse) of internet access rights and the handling of removable and mobile media such as USB drives, MP3 players, PDAs and hybrid PDA/cell phones, says Negron. Both pose asset-management threats, he believes.
As such, enterprises need tools that allow discovering which types of mobile devices are connecting to corporate resources, he says. Those tools should also give IT personnel the ability to control access to network assets, such as databases or other back-end resources such as a storage area network (SAN), from those types of devices.
After all, only when IT personnel have a complete grasp of all their infrastructure assets -- from hard drives to software to processes and procedures -- can they fully manage and protect them from the wide range of vulnerabilities enterprises face on a daily basis.
Jim Carr is an Aptos, Calif.-based freelance business and technology writer. He can be reached at [email protected]
Protecting desktops: Taking the right steps
Effective desktop security starts with effective asset management. Here are five key considerations for a more secure desktop environment:
A comprehensive inventory of IT assets is a crucial first step in securing IT assets. Companies must know what they have in order to adequately (and accurately) account for, maintain, patch and update elements of their IT infrastructure.
Standard configurations help to ensure conformity with corporate policies regarding desktop security applications. Prior to deployment, install standardized desktop protection solutions including anti-spyware/adware and antivirus applications.
Armed with a comprehensive asset inventory, standardized configurations and desktop protection software, companies can deploy and manage assets more intelligently and execute required changes rapidly throughout the organization in a consistent and policy-based fashion.
Process-centric patch management enables organizations to identify patch targets and ensures that the right patch is applied based on an asset's configuration criteria. Faced with a growing number of increasingly sophisticated security threats, companies should be mindful of how effectively they deploy critical system updates and security patches.
Auditing and reporting
A consistent and continuous process of monitoring, reviewing and reporting is crucial in determining the efficacy of existing security processes. Ongoing auditing operations are crucial to ensuring business and IT alignment, managing desktop costs and reducing operational and security threats to business operations.
-- Michael Walker, director of product marketing, business service optimization unit, Computer Associates