I.T organizations are responsible for many types of assets. This includes servers, both physical and virtual, network devices, storage infrastructure, or security devices such as firewalls or intrusion prevention. An accurate inventory must be maintained before any type of successful management program can exist.
In my past experience, I’ve seen this inventory kept in many different ways. One of the most common methods is to use a spreadsheet. In other places, I have seen homegrown systems that essentially use a forms-based web frontend with a database behind it. Unfortunately, I’ve also been in places where an inventory didn’t exist at all.
Thankfully, with most of the audits that companies are required to undergo now, a complete inventory is one of the core requirements. In my experience, the audits do not focus on the system used to maintain the inventory, but instead, accuracy is key. However, the previously mentioned methods for holding inventory data typically aren’t the most accurate. That is because it requires manual processes to get the data entered and each person in the I.T. department has to have a strict discipline to maintain its completeness and accuracy. When humans are part of the equation, it is always subject to error and when they make up all of it – then it is sure to be error-prone.
A better approach is to use a system that allows for both manual and automatic inputs. The automation is typically functionality contained in the inventory system to scan the network on a regular schedule. The scanners run on a reoccurring schedule to scan for devices on a network. The scanners are pre-configured with credentials to use for logging in, anytime a new device is discovered on the network. Once the scanner is able to authenticate, details are extracted from the Operating System to identify key properties of the device and then stored into the asset management system.
Once an asset is in a centralized system, it becomes the basis of all other systems to build upon. Consider a vulnerability management system used to track vulnerabilities of a system. As new vulnerabilities are discovered, an asset is associated with open vulnerabilities. Another example is a helpdesk application, as a ticket is created, it is associated with the particular asset and allows tracking over its lifespan. The system holding a centralized inventory becomes the single source of truth, which is at the center of everything else.
After the asset is created in a system, it typically exists even after it is taken out of service. There is will be a field used for the current status. If the asset is marked as out of service vs deleting it – all of history remains to allow for future reference. The asset can be excluded from currently installed reports using simple filters.
Common fields associated with a device are:
- Status (In Service, Retired, etc)
- Install Date
- Associated Application
- IP Address(es)
- Warranty Information
- Serial Number
- Operating System information
- Installed Software (if applicable)
- and much, much more
Many systems exist that can get you started with asset management, both commercially and Open Source. Most if not all modern-day systems allow for both manual input and automatic discovery, which is very important to make sure you always have an accurate inventory. It is also possible for these systems to integrate with virtual infrastructure to extract VM information directly from a virtual management center.
The assets in this system should also provide an inventory for every other system you have. Consider a patch management system that needs to be fed an inventory of servers in order to deploy necessary patches. The inventory would typically come directly from the asset management system each time it was needed, in order to make sure the most up-to-date information was gathered. Ideally, the inventory would be extracted using a systems application programming interface (API).
If you are building any type I.T. program and are installing necessary systems to support it, be sure a system for holding the information of all technology assets is done in the beginning. Trying to implement a system to solve I.T. needs will be much harder if you don’t first have a robust system in place that stores information about your assets.