Your guide to IT asset inventory management

By Huxley Barbee

Only 45% of organizations have mature asset management programs. Instead, most collect asset information in spreadsheets for endpoint lifecycle management. Excel and Google Sheets are the easy first step to track asset data from IT environments. Unfortunately, spreadsheets fail as an asset management solution.

The spreadsheet “asset management system”

Spreadsheets adapt to numerous use cases because they handle all sorts of data. The data dexterity makes them less than ideal for IT asset management.

Here’s why:

  • Inconsistent attributes: Security cares about listening ports. IT cares about warranty expiration. Discrepancies on what to collect exist among departments and individuals.
  • Manual collection: Spreadsheets need time-consuming manual asset data updates. Without automation, they are often out of date.
  • Lack of detail: Humans dislike repetitive, manual work. Due to the two points above, a spreadsheet never has enough detail.
  • Inconsistent age: An asset record might be a week old while another is a year old. It all depends on when someone bothered to update them.
  • Incomplete, managed-only: You can’t update a spreadsheet with assets you don’t know about.
  • Hard to share: Sharing is not built into Excel. Sharing Excel sheets linked to other dependencies also causes all sorts of problems.
  • No version control: With Excel, sharing automatically creates a copy. With Google Sheets, anyone who can edit can make a copy. These copies can take on a life of their own with various states of inaccuracy.
  • No audit trail: It’s difficult to go back in time and know who updated which asset in whose copy of which version of the spreadsheet.

So what are the consequences of these problems?

  • Hard to summarize: Summarizing works best with normalized data over the same time ranges. You want to compare apples from the same month to other apples within the same month. Manual spreadsheets do not support this use case.
  • Hard to automate: Software works best on normalized data. Denormalized data requires more complex code. The more denormalized, the more complex. The more complex, the more bugs.
  • Not trustworthy: Which copy of the spreadsheet is right? Which version of the asset inventory is up to date? When you do not trust your system of record, it is hard to make decisions with confidence.

The promise of IT asset management

Though spreadsheets pose problems, they remain popular. Searching for “asset inventory spreadsheet template” on Google returns many hits. Just download and get started. Even CIS offers a template, which is ironic since CIS Control 1 requires organizations to accurately know the “totality of assets.”

There are two reasons why you might be using spreadsheets:

  1. You’ve never had an asset inventory tool.
  2. You need to work around your asset inventory tool.

In an ideal world:

  • The CMDB records all hardware assets including mobile devices, laptops, and desktops to streamline incident management.
  • IT asset management software provides asset tracking functionality from procurement to recycle.
  • The service desk uses configuration management to detect drift in operating system settings.
  • Staff can tag an RFID or scan a barcode on new assets arriving at the data center.
  • IT service teams can upgrade a workstation with an automation workflow.
  • The tracking system maintains warranty dates and software licenses.
  • Finance can calculate asset depreciation in real-time.
  • IT is maximizing efficiency while reducing budgets.
  • Dashboards speed up vendor audits.

Achilles Heel of IT infrastructure: the unmanaged

The Achilles heel of any asset inventory program is unmanaged devices. A Deloitte research report states that 32% of organizations believe “Shadow IT” assets are the greatest challenge for ITAM and only 18% of organizations are considering non-active or repurposed IT assets.

Here are just some of the problems they pose:

  • Audit violations
  • Cannot be patched
  • Cannot be upgraded
  • Cannot be automated
  • Cannot be turned off
    • Because you are not sure if it is important
    • Because you know it’s important but it’s been unmanaged for so long that no one wants to breathe near it

Finding unmanaged assets

Unmanaged asset discovery saves you from having to use spreadsheets. According to a Deloitte report, most discovery tools require agents or authenticated scans. If you can put an agent on an asset, then you already manage it. The same is true if you have the credentials to authenticate to an asset. An agentless discovery approach that scans without authentication works well. We won’t dig into the details here; you can learn more from our article on IT discovery tools.

In the next sections, we discuss two specific types of unmanaged assets.

Rogue devices

Rogue devices are assets on your network without permission. Employees, third-party vendors, and shadow IT install them and they pose security risks. These devices don’t have standard security controls like EDR agents. Even if the installer had good intentions, these assets are easy targets for the adversary. Wireless access points are of particular concern. Uncontrolled hotspots connecting to the card data network and sensitive data violate PCI-DSS. (PCI-DSS 11.1)

Orphaned devices

Orphaned assets are those that have lost their owner, either because that person left the company or changed roles. Device warranty and service contracts often lapse since no one remembered to include the asset in a renewal. The asset becomes unstable over time though it serves a critical purpose. When there is the inevitable service outage, IT engineers are left without vendor support. These devices may also miss patch updates over time. They also become easy targets for the adversary and pose a security risk.
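
The unmanaged and orphaned categories above can be checked mechanically once discovery output is compared against the system of record. The following Python is an added example, not runZero code or part of the original article; the field names, the 90-day staleness threshold, the finding labels and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an unauthenticated discovery
# scan, the managed inventory (e.g. a CMDB export), and the current staff list.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.10", "type": "laptop"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.20", "type": "server"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.0.30", "type": "wireless-ap"},
    {"mac": "00:11:22:33:44:04", "ip": "10.0.0.40", "type": "server"},
]
INVENTORY = [
    {"mac": "00:11:22:33:44:01", "owner": "alice", "edr": True,
     "warranty_end": date(2026, 1, 1), "updated": date(2024, 5, 20)},
    {"mac": "00:11:22:33:44:02", "owner": "bob", "edr": True,
     "warranty_end": date(2023, 6, 30), "updated": date(2023, 2, 1)},
    {"mac": "00:11:22:33:44:04", "owner": "carol", "edr": False,
     "warranty_end": date(2025, 3, 1), "updated": date(2024, 5, 1)},
]
CURRENT_STAFF = {"alice", "carol"}


def classify(discovered, inventory, staff, today, max_age_days=90):
    """Return {mac: sorted list of findings} for every asset with a finding."""
    records = {r["mac"].lower(): r for r in inventory}
    findings = {}
    for asset in discovered:
        mac = asset["mac"].lower()
        rec = records.get(mac)
        flags = []
        if rec is None:  # seen on the network, absent from the system of record
            ap = asset["type"] == "wireless-ap"
            flags.append("unmanaged-wireless-ap" if ap else "unmanaged")
        else:
            if rec["owner"] not in staff:
                flags.append("orphaned")
            if rec["warranty_end"] < today:
                flags.append("warranty-lapsed")
            if not rec["edr"]:
                flags.append("no-edr")
            if (today - rec["updated"]).days > max_age_days:
                flags.append("stale-record")
        if flags:
            findings[mac] = sorted(flags)
    return findings


if __name__ == "__main__":
    for mac, flags in classify(DISCOVERED, INVENTORY, CURRENT_STAFF, date(2024, 6, 1)).items():
        print(mac, ", ".join(flags))
```

Matching on MAC address is a simplification for the sample data; a real reconciliation would key on whatever identifier both the discovery tool and the inventory record reliably.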
