In a rapidly changing IT landscape where digital business initiatives are being adopted, it is imperative that IT domains break down silos and collaborate. When it comes to IT Security, preventing financial and reputational loss is a requirement of every employee’s job. An IT and Software Asset Management (ITAM/SAM) discipline can be another prong of attack that assists the Security Operations team in its mission, while simultaneously increasing the visibility of SAM. Maintaining information about the organization’s technology assets uniquely positions the ITAM program to assist with securing business assets and, most importantly, data.
Collaborating with an over-burdened Security team requires that the SAM manager proactively reach out to the CISO or Security Operations and provide data about potential risks. These range from inefficient employee on/off-boarding, to open source code embedded in software, to SaaS applications procured by a department or business unit that may not meet the organization’s security guidelines.
The oft-used ITAM aphorism, “you can’t manage what you don’t know about,” illustrates that inventory management, along with license compliance, can’t be done effectively without visibility into all the assets. This maxim also applies to securing assets, which is the primary reason that ITAM/SAM teams must view Security as part of their function, or at a very minimum, share data.
Employee On/Off-Boarding
Employee on- and off-boarding is a standard business function that is fundamental to every corporate business. Yet you may be surprised at how many companies don’t have this “human resources meets IT” process standardized. Over the past couple of years, there have been numerous examples of employees who left the organization and still had network access or access to SaaS applications, exposing company data. This is especially likely when the applications were purchased by a business unit, aka ShadowIT, and are not managed by the technology asset management team.
Having a standard process for recovering corporate assets may involve several different teams depending upon the IT department’s resources, or if there is a triggering event such as a reduction in force. Typically, IT service and support management (ITSSM) handles the deployment and return of all the assets allocated to an employee. As organizational structures evolve to support digital transformation efforts, this responsibility may shift to the client support team, depending upon Infrastructure and Operations (I&O) maturity.
Discontinuing access to a SaaS application, or the automatic renewal of one, such as Adobe Creative Cloud, Slack, Box or Concur, is an action that may not happen in the off-boarding process. According to Gartner, the SaaS market is experiencing rapid growth and generating $72.2 B in revenue in 2018 (https://www.gartner.com/en/newsroom/press-releases/2018-09-12-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2019). So, it is easy to see why this step might be overlooked, especially if the app isn’t accessible through single sign-on (SSO) or identity and access management.
ShadowIT: The Risks Are Becoming Greater
Giving employees flexibility to get their job done as efficiently as possible has become a hallmark of digital transformation efforts. Access to cloud and virtual instances and SaaS apps allows employees to bypass legacy IT bottlenecks and be more efficient, but it can create new risks. If employees aren’t using the standard catalog, or the apps they want aren’t included in it, they might be introducing security risks by accessing SaaS apps that haven’t been properly vetted or using cloud instances that haven’t been properly configured.
One asset manager, who I recently spoke with at an industry event, indicated that they knew about 150 different SaaS apps that were being utilized by employees. They had at least three different ways of discovering SaaS, but were losing sleep over what they still didn’t know about. Not knowing SaaS utilization can lead to recurring overspend and poses a greater security risk.
Overcoming the challenges that digital business initiatives present to technology asset management requires that ITAM/SAM teams proactively raise awareness with synergistic IT teams, especially Security Operations, and expand collaboration so the value of the data is recognized. It may not happen right away, but hopefully it will happen before a major breach causes brand damage and lost revenue. With new attack vectors consistently making the news, it is critical to take the necessary steps to minimize as many potential risks as possible. And if technology asset management can achieve savings at the same time, they will spread the happiness.
If these problems resonate within your organization and you would like to learn more about how Flexera can help, let’s get you in touch with one of our specialists today.
Author Patricia Adams is a former Gartner Research Director and IT Asset Management evangelist