Barcodes and Stickers - The Old World
I'm old. When I began my career, IT asset management (ITAM) meant going around, from computer to computer, and putting stickers with barcodes and numbers on every piece of hardware. Assets were clearly defined as servers, desktops, monitors, and occasionally, if you travelled a lot, a laptop. Tracking these systems meant keeping a spreadsheet of details mapping owner to asset and tracking the changing data over time.
Today things are very different. CMDB (Configuration Management Database) and ITSM (Information Technology Service Management) have superseded the old school barcode and excel way of tracking assets. We now track assets and configuration models as software defined items that provide some kind of value to the business. The concept of what an asset is has changed drastically over the last 20 years to now include nearly everything you can draw a box around, adding new cloud specific asset classes, and tracking connectivity between assets automatically and continuously. The CMDB world will never be the same.
A New World of Cyber Assets
Over the years, enterprises have built up huge databases of assets, generally tied to IP addresses and device configuration details, making it nearly impossible to maintain and update the information. While the data provides significant value to the business, without the ability to continuously ensure that all of the data is accurate, most of the time customers find themselves asking questions that can not be answered. Additionally, it's more difficult than ever to keep asset data up to date in a cloud native world where assets are ephemeral and transient. Driving asset management based on IP address is antiquated and doomed to failure.
Relationships Bring Context
At a broader level, traditional asset management technologies were not designed to analyze the relationships between assets. This analysis of connectivity is where the true value resides in a modern cyber asset driven infrastructure and security program. The ability to ask your management systems questions that get to the heart of what you need to know necessitates the ability to understand the relationships between all of your assets. What really matters are the verbs that describe these relationships. Verbs such as "has", "owns", "accesses", and more, are how you find important information. As a mental exercise, try to ask a question of your infrastructure or security systems and see if you can do it without using a verb. It's nearly impossible.
API and Cloud Driven Change
We must change how cyber assets are considered. In the modern world both the security and infrastructure toolchains are completely accessible via APIs. This is a very important distinction. When traditional asset management systems were designed, data collection had to be done in a much more manual or semi-automated manner. Since API driven development models took over, we have been given the opportunity to collect so much more information and data in a completely automated way, it is changing how we build our technology management solutions.
The move to cloud changed the definition of asset faster than anyone could have imagined. Adding new classes such as cloud workloads, CSP configuration, datastores and data buckets, cloud identities, and much more require a more detailed and continuous view into the state of your assets. Over the last couple of years the speed and pace of innovation has grown dramatically, pushing us faster and faster into this cloud native environment. Companies born in the last few years have almost exclusively been cloud-native, cloud-first designs.
Cyber Asset Management - Growth for the Future
CMDB and ITSM systems aren't going anywhere, but they are being displaced by Cyber Asset Management. CMDB is the meat and potatoes of your infrastructure and should be the driving force behind many of the technical decisions you and your team make every single day. It's going to stay that way for a long time, but it makes sense to broaden your definition of what a good CMDB is and to include asset classes and systems that are designed for cloud native technologies and the relationships between them. Long live cyber asset management!