It is not uncommon for IT and management to be unaware of applications and devices until they are uncovered by a manufacturer’s audit or some vulnerability emerges. There are various reasons for this. For example, there are devices that are rarely logged into the network and therefore difficult to inventory, decommissioned systems that are still used by the department, or applications that users have installed themselves. This can only be solved by the complete and regular recording of the entire IT infrastructure as an inventory base. There are suitable procedures for each case, which must be selected and implemented individually.
The most important criterion for any company is that it has the choice between taking an inventory with or without an agent. In addition, a detection can be scheduled and start automatically, or manually ad hoc. Equipment type (mobile device, fixed workstation, peripheral devices) and area of application (office, home office, the field) also play an important role in the choice of method. With the appropriate mix of methods, companies significantly increase their IT security and guarantee compliance.
Inventory base for Assets in Virtual Worlds: Inventory via API
A major challenge for any business is licensing virtual environments because the licensing models are heterogeneous, technically difficult to capture, or sometimes unsuitable for virtual machines. The inventory of virtual assets can then lead to risks during an audit. This is where companies have to prove which physical host a virtual client or service is running on. This can be problematic if hardware components are no longer detected by virtualization technologies such as XenServer, Hyper-V or vSphere.
Therefore, the hosts are scanned remotely via the manufacturer API. The inventory base of virtual clients and services can be both agent-based and agentless. The connections between virtualization system and the host are fully documented in detail, thus demonstrating the connection between virtual assets and the physical hosts.
In the Case of Central Rights Management: Inventory via Services and Remote Access
For small and medium-sized enterprises, inventory via remote access and services are suitable. It is also suitable for large corporations that operate their IT in a decentralized way. The infrastructure can be operated in a virtual or hybrid manner. It is important that access rights are granted centrally – for example, through the Active Directory. In addition, the majority of the hardware should be firmly connected to the network and therefore easily accessible.
Based on the network infrastructure setup, the inventory solution distributes multiple services on the network. They remotely access the respective devices with administrative rights according to set schedules: For Windows devices via WMI and on Mac devices via system profilers. They then share the data collected about the hardware asset itself and any installed applications with the asset management database for storage. From there, they are then available for analysis.
One advantage of the agentless method is that the installation of third-party software on the network is no longer necessary. However, this method only captures systems that are accessible to the service at the time of inventory, in other words, they are logged on to the network. It is not ideal for infrastructures with a high percentage of mobile devices that are connected to the company network irregularly. In this case, companies should have all unknown devices listed via an automated IP scan. This allows them to be manually checked and added to the database. Alternatively, a combination of agent-based and agentless inventorisation is a good idea. Both variants avoid potential security risks posed by “shadow IT.”
For on the go: Inventorization agent-based or via script
Home office, sales, or customer service systems are not permanently logged into the corporate network. They often fall through the grid in the event of an agentless inventory. That’s why companies are well advised to control these devices with agent-based inventory. The agent-based method is also more suitable for terminal servers that are monitored for license management via Application Metering.
An agent is installed locally on the device and sends their inventory data to the database via the services as soon as the device logs onto the network. Inventory and data transfer can be started manually by the user or it can run automatically according to schedule. Scheduled inventory provides a higher level of security because the timing of the next periodic capture is dynamically calculated and automatically triggered. For devices that are never or rarely logged into the company network, a regular transfer of data via a Certificate SSL connection via the Internet is also recommended.
Another way to inventory poorly accessible systems is to use a script. This is provided either on the device itself or centrally via a release in hardware management. The inventory program is on a secured server and starts via script call or through defined group policies.
This can initiate the inventory of all devices in a group. An example of an application would be laptops in sales, all of which are to be inventoried the next time they log on to the network.
Inventory base for sensitive areas: Inventory offline
In security-sensitive industries such as banks, there are devices that never go on the network. Laptops used in wearers, for example, rarely connect to the company’s servers. In such cases, “offline” inventory is appropriate. The inventory tool is installed on a USB stick and launched directly on the respective computer. The collected data is cached in a mobile database on the stick. When later transferred to the asset management database, the data of existing devices is updated, and if necessary, the inventory solution automatically creates new devices.
Inventory base for Printers etc.: Inventory via SNMP
In addition to PCs, laptops and mobile devices, the IT infrastructure also includes peripheral devices such as telephone systems or printers. These active components should automatically capture an inventory solution through the Simple Network Management Protocol (SNMP). Passive components such as monitors or docking stations should be supplemented manually for a complete picture of all assets.
Security: Fully captured IT infrastructure
Many companies are still a long way from the complete inventory of their entire IT infrastructure. It is the basis for successful IT management in order to achieve the highest possible level of security for systems and compliance as well as an optimal cost-benefit ratio. With a fully inventoried IT infrastructure, companies address security risks. It is the basis for automatic analysis of version and patch status.
A Software Asset Management (SAM) solution should be able to cater to any installed applications with a security database on a daily basis as well as list the potential security risks. From this overview, software distribution or deinstallation should then be possible. This makes it possible to update outdated patches or remove unauthorized software directly, thus immediately closing potential vulnerabilities.
In addition to technical parameters, a SAM solution also provides commercially relevant information such as depreciation and service partners. These are necessary for planning and cost-specific recalculation of services. Combined with holistically integrated license management or application metering, companies identify which software and hardware assets are actually used and how frequently they are used. This means that devices and licenses that are rarely used or not used at all can be redistributed within the company or terminated. This reduces costs and keeps companies safe from unpleasant surprises during an audit.