Securely Provision of IT resources has many important elements. Some of these were previously covered, such as architecture in Chapter 3 and supply chain management in Chapter 1. This section addresses asset inventory and configuration management.
Asset Inventory
Any organization needs, as a foundation to its security and compliance programs, effective tools and processes to track its asset inventory. The asset inventory includes all physical and virtual assets, which includes hardware, software, firmware, and more.
Having a current and complete inventory is the absolute bedrock for implementing and monitoring technical security controls.
Robust asset inventory tools and processes will also inform the organization of unauthorized assets. In addition to knowing what to protect, of course we also want to know what doesn’t belong, so any unwanted assets can be removed or isolated as soon as possible.
Inventory Tool/System of Record
Because of the size, complexity, and frequency of the task, an organization should use automated tools to assist in creating and maintaining the asset inventory. The tools should have awareness of all assets in the organization’s enterprise and the ability to dis- cover new assets introduced to the environment that have not been properly documented in the inventory. This data comes from either an asset management agent or a client installed on each asset or “baked in” to each system image, through integrations with various scanner and sensor tools, or, in the case of hosted or cloud assets, from a data feed or recurring report from the vendor (which may or may not be shared with clients, depending on the contract).
An asset inventory tool should have a way to distinguish authorized devices and applications from unauthorized and the ability to send alerts when the latter are discovered.
The tool should also collect and track individual asset details necessary for reporting, audits, risk management, and incident management. These details need to cover technical specifications, such as the following:
-
Hardware
- Manufacturer
- Model number
- Serial number
- Physical location
- Number and type of processors
- Memory size
- Network interfaces and their MACs and IPs
- Hostname
- Hypervisor, operating systems, containers, virtual images running on this device
- Purchase date, warranty information
- Last update dates (firmware, hypervisor, )
- Asset usage metrics
-
Software
- Publisher
- Version number, service pack/hotfix number
- License information
- Purchase date
- Install date
In addition, of securely provision resources in operational security details should be collected, such as the type of data stored and processed on the asset, the asset classification and special handling requirements, the business processes or missions it supports, and the owner and administrators and their contact information.
There are, of course, many tools available that do these tasks or portions of these tasks.
Most organizations already own many such tools. Consider the following:
- An Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) server can provide a large portion of this information.
- Vulnerability scanners, configuration scanners, and network mapping tools can find and provide basic information about all the hosts in the organization’s IP ranges.
- Tools that manage/track software licenses can perform a large portion of this task.
- As was mentioned in the previous section, DLP solutions typically have a discovery capability that can serve this purpose.
For gaps in their available tools, organizations can and do compensate with manual efforts, spreadsheets, and scripting to pull and tabulate asset data. Dedicated asset inventory tools usually provide this functionality and preclude the need for manual data pulls and tool integration.
Regardless of the tool or combination of tools used, there should be one the organization deems authoritative and final so that it can be referenced throughout the organization. The information in this tool needs to be definitive. This is the data source to trust if there is conflict between what other tools are reporting. This should also be the source used for official reports and other data requests, such as part of an audit.
Process Considerations
Now that we’ve discussed the tools needed, we will discuss inventory management best practices. First, the organization must define the authoritative inventory list or system of record and the frequency with which the inventory should be refreshed or updated.
In addition to the regular interval inventory updates, it is also a good practice to manually notify the inventory tool administrator when an asset is installed or removed or when the components are updated/changed in a significant way, just to verify that those changes were captured by the inventory tools.
This can be accomplished in a different way for environments that make heavy use of virtualized components, including managed cloud service implementations. In these cases, use of automated tools to seek out, tabulate, and securely provision resources assets is often preferable; popular brands include Puppet, Chef, and Ansible.
For on-premises assets, it is often helpful to augment the inventory process with the use of geolocation information/geotags or the use of Radio-Frequency Identification (RFID) inventory tags. This can increase the speed and accuracy of locating an asset, especially during an incident, when time is critical.