IT Asset Management Best Practices - Changes in Response to Coronavirus
Introduction
Working remotely or telecommuting used to be limited to a relatively small number of workers.
Computer applications used to be installed onto a computer’s hard drive, and the devices were issued by the employer.
Configuration uniformity was the norm, often assured, and security was found behind the corporate firewall.
In the first quarter of 2020, all that changed.
With enforced social distancing, office and plant closures and an exponential growth in the number of employees working remotely, a new ITAM best practices profile will need to emerge. In the new working environment, companies will need to be able to:
- Implement secure remote communications technologies
- Ensure uniformity on devices that connect to their networks
- Utilize technology to determine license compliance
- Inventory remote systems to identify and remediate potential vulnerabilities
- Be able to respond to software audit inquiries
- Continue to provide help-desk support to remote users
- Rapidly deploy technology to remote workers when hardware fails
NIST Security Recommendations
The US National Institute of Standards and Technology has issued several whitepapers and guidelines on best practices for working remotely. The agency's focus is on network and device security and includes recommendations regarding networking technologies and techniques. NIST standards for teleworking include:
- Developing and enforcing a telework security policy, such as having tiered levels of remote access
- Requiring multi-factor authentication for enterprise
- Using validated encryption technologies to protect communications and data stored on the client devices
- Ensuring that remote servers and cloud servers are secured effectively and kept fully patched
- Securing all types of telework client devices—including desktop and laptop computers, smartphones, and tablets—against common threats
(See this NIST article for more details.)
The last two points affect ITAM best practices. To determine that remote devices, particularly employee-owned devices, are patched and free of vulnerabilities, the enterprise will need an ITAM system that can scan each device connected to the network. That ITAM system will need to:
- Scan remote devices without the use of agents
- Be easily deployed across the enterprise, ideally from the cloud
- Work across a wide range of devices - e.g. PCs, Macs, tablets, cell phones
- Inventory software down to the patch level
- Report on unpatched systems
- Identify hardware vulnerabilities
- Enforce the use of anti-malware software on each device
Software Uniformity
Employee-owned devices often lack the software uniformity found across company-issued devices. If a firm adopts a broad work-at-home practice, it will need to ensure that a common set of software tools is in use, that they are all properly licensed, and that the most current version is in use. The evolving ITAM best practices will need to include:
- Broad adoption of cloud-based productivity tools (e.g. Windows 365 or the Google toolset) and cloud-based device security tools (e.g. CCleaner, Malwarebytes)
- Central licensing and distribution of the cloud software
- An ITAM tool that performs reconciliation of cloud software licenses
- Automated inventory and reporting of remote software
Audit Response
Regardless of the computing and work environments, software publishers will continue to want to determine if their customers are properly licensed. Likewise, those licensees will want to know if they are over-licensed. In a cloud-based software environment, the company will need to provide purchase orders for the software and provide an accurate count of the number of users covered by the license. They will also need to identify any software added by the end user on a company-owned, remotely used device. To collect the necessary information, the ITAM practice will need to:
- Accurately count the number of licensed users covered under the cloud agreement, compare it to the actual number of licensed users and report any discrepancies or overages
- Be able to recognize cloud-based software
- Identify and report any software not licensed by the corporation to facilitate management inquiries
- Provide on-demand software reconciliation reports as needed by IT management
- Be certified so that the reports it generates are accepted as accurate by auditing agencies
Help Desk Support
Remote workers will continue to require help desk support. However, in an increasingly remote-work environment, often based on employee-owned devices, the help desk will need to obtain real-time information about the overall configuration. In that case, future ITAM practices will need to include:
- The ability to scan the device on-demand
- The capability of accessing a database of existing device configurations
- Reports that can identify configurations that are non-standard, non-compliant, or have known problems or vulnerabilities
Just as the general computing environment continues to evolve, and as it is impacted by external forces, ITAM best practice will also need to evolve. Selection of an automated ITAM tool today needs to take these new best practices into consideration.