IT Asset Management (ITAM) & Configuration Management Database (CMDB) Approaches to Asset Discovery

While IT Asset Management (ITAM) and Configuration Management Database (CMDB) platforms are frequently used to maintain asset inventories, they often don’t contain sufficient and accurate data to help security teams. Unlike ITAM and CMDB platforms, Axonius automatically aggregates and correlates asset data — regardless of asset type — to deliver a comprehensive and credible asset inventory for security, IT, and risk teams.

What’s IT Asset Management (ITAM)?

IT Asset Management (ITAM) looks at IT assets through the lens of financial or business-related implications. This is done to reduce costs of assets throughout their lifecycle and to minimize business risk. Personnel leading ITAM initiatives often look at financial, inventory, contractual, and broad risk considerations for software and hardware assets across an organization. 

What’s IT Service Management (ITSM)?

IT Service Management (ITSM) encompasses the tasks required to design, manage, and deliver IT services to employees and customers. These include policies, processes, technologies, and procedures. This often means establishing an IT service desk to provide a single point of communication to support customers and employees. ITSM subfunctions include asset management, change management, and knowledge management. 

What are the Common Technologies Used for ITAM & ITSM?

Configuration Management Databases (CMDBs)

CMDBs store information about hardware and software assets, which are commonly referred to as configuration items (CIs). A CMDB looks at IT assets from an operational or support perspective. At a high level, CMDBs help organizations understand their critical assets, track configurations, and map dependencies. In the event of IT outages or security incidents, CMDBs are used to assess the full scope of the event. 

  • Common Vendors: ServiceNow, Cherwell, Ivanti

ITAM Platforms

ITAM platforms help organizations compile an accurate IT asset inventory. An accurate IT asset inventory helps organizations assess their IT asset lifecycle, identify cybersecurity risks, determine whether they might be overspending, find software and hardware redundancies, and more.

An ITAM platform primarily focuses on IT assets from a financial or lifecycle perspective. It gathers available information on most software and hardware assets tied to the business, including ownership, cost, contracts, warranty, etc.

  • Common Vendors: Atlassian, ServiceNow, Flexera

How are CMDB & ITAM Platforms Used for Asset Discovery?

Network-based Scanning

CMDBs and ITAM platforms often rely on network scanning to retrieve and compile the updated asset data. Network scans are done on a routine basis and are often scheduled to happen in daily, weekly, or monthly increments. Information is collected about virtual machines and networks, hardware and software on a network, and the interconnectedness or relationships between assets. This can all be used to inform and update the CMDBs and ITAM tools.

Agent-based Scanning

Agent-based scanning requires an agent be deployed on each machine to obtain an asset profile for the device. The agent-based approach can provide rich context and deep insights into the device and the device characteristics. 

A wide range of details can be obtained, including: 

  • IP and MAC addresses
  • Open ports
  • Installed software
  • Operating systems and versions
  • Patches
  • Users
  • Security vulnerabilities 

What are the Limitations of CMDB & ITAMs?

Relying solely on agents for cybersecurity asset management has its limitations: 

  1. Asset Discovery & Visibility: CMDB and ITAM solutions rely heavily on both network and agent-based scanning to collect data. It’s difficult to employ scanning everywhere, especially for mobile and remote workforces, and highly segmented networks that require multiple scanners. Scanning-based approaches, therefore, lead to incomplete visibility for all assets.

    Some ITAM solutions also require the deployment of agents to discover assets. Agents can only be deployed on known devices, meaning visibility is only as good as where agents are deployed. On devices with agents installed, there could be disruptions or agents disabled, resulting in a visibility gap.

  2. Solution Management: Data structures change and evolve over time, making it difficult and expensive to constantly update CMDBs and ITAM tools to collect the right data. The initial setup is labor-intensive and time-consuming, making the time to value suffer greatly.

  3. Data Correlation & Integrations: CMDB and ITAM tools often lack direct integrations to all the tools you use, requiring in-house resources to build custom integrations. There’s no easy way to aggregate, correlate, and compare asset data with other valuable asset data sources, leaving you forced to make decisions based on incomplete, outdated, and inaccurate data.

 

Why it’s Best to Combine CMDB & ITAMs With Other Data Sources 

  • Some assets can’t be found from another source: For example, some mobile devices may never be scanned or have an agent. Relying on another source here will lead to incomplete asset inventories.
  • You can’t identify gaps without comparing two or more data sources: For instance, to find a device missing antivirus, you have to compare a source that knows about devices with a source that knows about all antivirus deployments — and that’s just one example. To find other gaps, you need numerous data sources. While CMDB and ITAM platforms sometimes have other data inputs, they often lack sufficient data to answer all of your questions.
  • More data sources lead to stronger data integrity: The more data sources overlap, the stronger the correlation that can occur, giving you a single source of truth into any one asset.
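
The antivirus comparison described above, as an added example that is not Axonius code or any vendor's API: it correlates a CMDB export with an antivirus console export and reports the gaps in both directions. The record layouts, field names and sample rows are constructed assumptions.

```python
import re

# Constructed sample exports; field names are assumptions, not a vendor schema.
CMDB = [
    {"name": "WS-0141.corp.example", "mac": "00:1A:2B:3C:4D:5E"},
    {"name": "ws-0142", "mac": "00-1a-2b-3c-4d-5f"},
    {"name": "SRV-DB01.corp.example", "mac": None},
    {"name": "ws-0150", "mac": "001a.2b3c.4d70"},
]
AV_CONSOLE = [
    {"hostname": "ws-0141", "mac": "001a.2b3c.4d5e"},
    {"hostname": "srv-db01", "mac": "00:1a:2b:3c:4d:61"},
    {"hostname": "lt-0777", "mac": "00:1a:2b:3c:4d:99"},
]

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    return digits if len(digits) == 12 else None

def norm_host(name):
    """Compare on the short hostname, case-insensitively."""
    return (name or "").split(".")[0].strip().lower() or None

def keys(mac, host):
    """Identifiers a record can be matched on; sharing either one is a match.
    Hostname-only matches are weaker than MAC matches (names can be reused)."""
    pairs = (("mac", norm_mac(mac)), ("host", norm_host(host)))
    return {p for p in pairs if p[1]}

def coverage_gaps(cmdb, av):
    """Return (CMDB devices with no AV record, AV devices unknown to the CMDB)."""
    cmdb_keys = [keys(r["mac"], r["name"]) for r in cmdb]
    av_keys = [keys(r["mac"], r["hostname"]) for r in av]
    all_cmdb = set().union(*cmdb_keys)
    all_av = set().union(*av_keys)
    missing_av = [norm_host(r["name"])
                  for r, k in zip(cmdb, cmdb_keys) if not k & all_av]
    not_in_cmdb = [norm_host(r["hostname"])
                   for r, k in zip(av, av_keys) if not k & all_cmdb]
    return missing_av, not_in_cmdb

if __name__ == "__main__":
    missing_av, not_in_cmdb = coverage_gaps(CMDB, AV_CONSOLE)
    print("In CMDB, no antivirus record:", missing_av)
    print("Reporting to antivirus, absent from CMDB:", not_in_cmdb)
```

The second list is the reverse gap: a device that one tool sees and the inventory does not, which only shows up once two sources are compared.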
