There are different types of IT resources or IT assets. For example: servers, PCs, laptops, tablets and smartphones. But also the software that is used or made available on them and cloud services in which information is stored. In general, these IT assets are divided into the following categories:
- Hardware: hardware refers to all physical devices within an organization such as servers, PCs and mobile devices, but also printers and copiers. Within the Hardware Asset Management (HAM) subdiscipline, the life cycle of these physical devices (and information about it) is managed, controlled and optimized. Within more mature ITAM programs, network equipment, operational technology (OT) and, for example, Internet-of-Things devices also fall within the scope of HAM.
- Software: software refers to the operating systems, user software and design software used by an organization, purchased and/or installed on hardware. Software Asset Management (SAM) is a rather complex and comprehensive sub-discipline of IT Asset Management. This not only relates to the software itself, but also, for example, to changing requirements regarding licenses and the ability to demonstrate license compliance that goes along with this.
- Cloud: nowadays, many organizations work in one way or another (partialy) in the cloud. Employees work in it, store documents and information and download or use (online) software. Cloud Asset Management (CAM) is concerned with managing an organization’s cloud environment and the IT assets contained within it. FinOps also has an important role inthis, which focuses specifically on allocating and optimizing cloud-related costs and added value.
The life cycle of IT resources is not set in stone, different organizations can design and interpret the IT life cycle differently. Common phases of the IT lifecycle include selecting, acquiring, deploying, using, maintaining, withdrawing, removing and disposing of IT assets. The asset life cycle therefore starts with selecting the right software or hardware. Which IT assets meet our needs, which functionalities do they have and which costs and risks are associated with them? After the right IT assets have been selected, they are contracted, purchased and/or installed, after which they are put into use by the intended user. In the phase in which IT assets are put into use to achieve the intended purpose and fulfill its function, it is important that they are properly maintained. Maintenance is preventive, proactive and repressive. Think, for example, of performing updates so that IT assets can continue to be used safely, but also of resolving unwanted issues. The final stage of the asset lifecycle starts when IT assets are no longer needed. At this moment, these are being taken out of use and if necessary disposed (or removed in the case of software). When selecting a replacement IT asset, a new life cycle starts.
Proper organization of IT Asset Management within organizations brings several advantages. The most important are:
- Reducing costs: by mapping the life cycle of IT assets, the organization obtains a clear overview of the IT assets that are (and are not) present in the organization and which are (and are not) used. IT Asset Management prevents the unnecessary purchase of new IT assets and paying for unused or unnecessary software licenses. In this way, organizations save considerable costs with ITAM.
- Increasing efficiency: with IT Asset Management, organizations gain insight into the lifecycle of IT assets used by the organization. Therefore, ITAM enables the organization to increase the uptime of IT assets and to provide employees with the right IT assets in a timely manner, which benefits productivity and efficiency within the organization, for example when onboarding new employees.
- Improving IT security: IT Asset Management ensures that organizations have a clear overview of all IT assets within the organization and their state. ITAM therefore fulfills a fundamental role for IT security. With ITAM in place, organizations can identify the possible security risks associated with IT assets and ensure that they remain up-to-date and do not contain vulnerabilities. Within IT security, a common philosophy is that you can’t protect what you don’t know about; ITAM plays an important role in determining what needs to be protected.
- Comply with legislation: ITAM helps in keeping a clear overview of the obligations in the field of legislation, regulations and concluded contracts. IT Asset Management saves time spent on licensing audits performed by software manufacturers (as part of their compliance audit right), avoids high fines, and even allows licensing audits to be avoided altogether. However, the added value of ITAM is also more fundamental and more general in nature: every organization in the Netherlands is (for several reasons) required by law to keep sound and verifiable records, at least with regard to income and expenditure, but certainly also with regard to (balance sheet) value of assets. With the ever-increasing digitization of organizations, IT nowadays forms a significant part of the total budget and therefore an important aspect in the legal administration and accounting obligation.
FinOps, a contraction of “Finance” and “DevOps”, is a discipline focused on financial management on cloud spending. The goal of this discipline is collaboration within organizations to maximize value and minimize costs. This is closely related to IT Asset Management, which makes ITAM and FinOps a valuable combination within organizations. They are two seemingly different disciplines, with the same goal; maximizing value at minimum cost and risk. Which cloud assets are we dealing with? What costs are associated with them? How can we optimize this? Questions that form the basis for both ITAM and FinOps. FinOps focuses on the Cloud in this respect, ITAM focuses on all IT assets of the organization.
Both IT Asset Management (ITAM) and Identity & Access Management (IAM) support organizations in achieving cost savings and the efficient use of IT resources within organizations. However, the relationship between IT Asset Management and Identity & Access Management is two-sided; ITAM is of great value to IAM within organizations, but also vice versa.
First of all, IAM is very valuable for ITAM. IAM enables organizations to manage their digital identities and IT assets; when, for how long and how often have which IT users within the organization access to which software and IT resources. With this, Identity & Access Management maps an important part of the IT landscape of the organization. An insight that IT Asset Management gratefully uses. The insight that IAM offers here makes it easier to answer the question: are unnecessary costs incurred for unused IT resources and software licenses? For example because employees still have IT resources and access rights associated with a previous function. And how can these costs – and the associated risks – be mitigated?
In addition, ITAM is also very valuable for IAM. With IT Asset Management, overview and consistency are created within the organization. Especially in the selection phase of the IT life cycle, we look at which software and hardware is available in the market and which of these is best suited for the organization. When the selection phase has been completed, step two is to get these IT resources to the employees. Anyone who needs this software application for their work should have access to it. And if that person no longer needs access to the software application after a period of time, this license must be revoked immediately. IAM makes it possible to give the right people quick, easy and secure access to the right applications. But no longer than necessary.
IT Asset Management plays an important role in the field of IT security. A role that is widely recognized and reflected in several information security standards/frameworks. That is why we like to explain the relationship between IT Asset Management and IT security on the basis of three of these standards/frameworks:
- ISO/IEC 27001: in the ISO/IEC 27001 standard, IT Asset Management is described as an important requirement for securing information (Annex 8: Asset Management). This standard indicates that all assets connected to information and its processing throughout their lifecycle must be identified and managed up-to-date and consistently. All information must be classified to ensure that assets can be properly and proportionately protected.
- National Institute of Standards and Technology (NIST): within the NIST framework, all cybersecurity capabilities, projects, processes and activities are grouped into five categories: identify, protect, detect, respond and recover. Especially in this first category – identify – IT Asset Management is of great importance. This is where the foundation is laid for an effective cybersecurity policy that focuses on all IT within (and outside) the organization. In order to gain and maintain focus as an organization and to set priorities, this category provides insight into what you have as an organization – including IT and software assets – their importance and what risks are associated with them. With ‘respond’ and ‘recover’ it is also important to have access (at the touch of a button) to get information about IT assets. Where are they, who uses and/or manages them and what business processes are they connected to? Without that information, responding to and recovering from cybersecurity incidents is a labour-intensive and time-consuming activity.
- SANS20 Critical Security Controls (nowadays CIS18): in this prioritized list of recommendations that support organizations in minimizing risks and threats, Hardware and Software Asset Management rank 1 and 2. New and unprotected IT assets are usually targeted by hackers and malicious parties. Therefore, in Critical Control 1, companies are advised to make an inventory of all devices in the IT infrastructure. In Critical Control 2 it is advised to also include all software in this inventory. This inventory makes it possible to secure these IT assets in the right way. IT Asset Management can compile and maintain this inventory for organizations in a clear and efficient manner.