What exactly is an asset?
By definition, an asset is property owned by a person or company, regarded as having value, and available to meet debts and commitments.
I’ve heard a whole gamut of responses when asking customers and prospects to apply this definition to a computer asset inventory. Some keep their list to only physical devices. Others include virtual machines.
The vast majority of people initially agree that a computer asset is anything with an IP address. Some demur when it comes to licensing and cost, attempting to narrow the scope to only managed devices.
In the end, the final answer to the question really boils down to what a particular individual (or company) defines as valuable.
Let’s examine some of the possibilities together.
One set of assets we can safely agree to are networking devices — like routers, switches, firewalls, load balancers, and wireless access points.
But what happens when networking devices are virtualized in cloud platforms like AWS and Microsoft Azure? DNS, NAT gateways, firewalls, and load balancers are completely virtual in AWS and often overlooked or dismissed as assets by customers. However, they serve critical functions and ultimately have a cost to the customer.
Remember when every single computer purchased by your company came to the “computer room” upon delivery? Those computers each got a physical asset tag with an imprinted number.
Wait, maybe I’ve given too many clues to my age! Perhaps some of you don’t even remember this!
Nonetheless, many companies still track purchased devices with an intake process. Much is done electronically, but some companies still use sticky barcode labels and hand scanners…
Desktops, laptops, and servers certainly count as assets. (We’re all in agreement with this… yes? No?) But when we get into the slippery world of virtual, we end up in a nuanced discussion about what should and shouldn’t count. Some might argue a virtual desktop is simply too ephemeral to count as an asset, but would consider the virtual desktop infrastructure platform an asset.
Today, most customers agree that virtual servers spun up in VMware, Hyper-V, and other platforms are also assets. The same applies to EC2 instances in the cloud.
Even more nuanced than virtual machines are the rapidly adopted containers, both on-prem and in the cloud. Containers share all the same qualities as a typical physical computer, housing executables, binary code, libraries, and configuration files, and have memory and processor resources assigned to them. But the fact is they’re workload carve-outs from the aforementioned virtual machines. While they typically live for short periods of time, they’re assets with specific computing characteristics.
I know, I know… the term “unmanaged” is a big bucket. But carving it up into smaller pieces means we’d both be here for quite some today. So for today, let’s only look at authorized unmanaged devices. This is still a large pool, encompassing everything from printers and copiers, to handheld wireless scanners and CCTV cameras.
There’s also a spirited discussion about which of the above (and others) really should be counted as assets. The biggest debate typically lands on cameras. (I’d like to point out that failing to track these devices has regulatory impacts for U.S.-based companies).
Internet of Things (IoT)
The emerging trend of IoT causes consternation and bewilderment about what is and what is not an asset. IoT devices make up an increasingly large share of the connected devices in corporate networks. Personal cameras, audio systems, Raspberry Pis, electronic door locks, card access systems, smartwatches, gaming consoles — you name it, I’ve seen it within corporate networks. While many companies don’t think of these as assets, it’s just a matter of time before an internet-connected Peloton bike on the corporate network becomes a threat vector.
A significant, extremely high value, often under secured set of assets exists in code repositories, like GitHub, SourceForge, and Bitbucket. Furthermore, cloud providers like AWS let you run code without provisioning or managing servers by leveraging AWS Lambda.
Today, more companies realize the asset value of their source code both in terms of tracking the access to and security of the platform itself. These assets are also finding their way onto financial balance sheets and are trackable assets in an inventory.
No one thinks about the storage bucket as a device or an asset. That is, not until their company ends up on the Krebs on Security blog. How often do we hear about the loss of customer data via an unsecured, public facing Amazon S3 bucket? The fact is, valuable resources and information resides in these virtual storage entities.
DBaaS, a cloud computing service model, lets users set up and use databases without the hassle of worrying about hardware, software, or database management. AWS now offers managed Relational Database Service for MySQL, PostgreSQL, MariaDB, Oracle BYOL, SQL Server, Keyspaces for Apache Cassandra, and DynamoDB — along with providing data warehouse service in the cloud.
These services turn into deep data repositories for critical information that feeds workflows and applications. We can certainly consider these as assets.
An identity? A user? How can these be considered assets? Tracking user identities is a critical part of a Zero Trust strategy, and for understanding compliance and security risks inside an organization. These are critical assets because they provide access to sensitive devices, applications and information, and are the cloak that attackers often use to move laterally in the network. Billions of dollars are spent annually on SSO, MFA, Privileged Identity Management, and Privileged Access Management solutions to protect these high value assets.
As you can see, the list can be never-ending, as there are emerging classes of virtual devices and services that we might classify as assets. Ultimately organizations need to spend more time thinking about the dimensions of their computing resources, and expand their traditional concepts of the “asset”.