Subscribe

Whose asset is it anyway?

IT asset management deals with IT assets, right? And information is an IT asset, right? Or wrong?

Samantha Perry
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 25 May 2009

IT asset management to date has, broadly, dealt with the procurement, utilisation, management and disposal of IT assets. You get a PC, you use, you break, you fix, you dispose of. Done. Then you get the information on the PC, and that falls under information life cycle management (ILM), right? Wrong.

Says Magix Integration director Amir Lubashevsky: “People are realising that IT assets are more difficult to control and broader than they thought. It's the information in your databases, on PCs, it's the information that goes in and out of your organisation via e-mail all the time.”

And, as FrontRange Solutions product manager Scott Johnson notes: “It is an irony of modern business that, despite investing huge amounts of financial and human capital into IT, organisations often have less interest in effectively tracking and managing those assets than they do in maintaining the company car.”

That's not news to anyone, of course. But it is worrying, given how well publicised information losses usually are, that companies still don't see a serious need to protect the most valuable corporate asset of all - data.

Says Gartner*: “A series of high-profile data-loss events continues to focus intense enterprise attention on data security. Data losses are occurring with increasing frequency and with increasingly significant fraud-related financial losses. Public awareness of this issue has grown because of disclosure laws that require enterprises to notify their customers of data breaches, and payment processors in particular are being forced to improve data security by compliance requirements, such as those of the Payment Card Industry (PCI) initiative. Enterprises are also being driven to consider data security issues more closely by privacy and financial-transparency regulations in place worldwide. Data security is also important as a means of protecting business-critical information assets and intellectual property against malicious or unintentional disclosure.”

In or out?

In the midst of the data security problem is another outsourcing trend. The insource, outsource, insource roundabout has swung due hosting provider, managed services provider and outsourcer, yet again. And along with IT assets - from hardware to humans - goes corporate data.

The difference in this particular cycle is the extent to which some companies are relying on outside parties to keep their data and assets safe.

Says MWeb Business' Herman Jansen van Rensburg of the company's software as a service (SaaS) offering: “Almost all of the airlines are customers of ours. They're very e-commerce-enabled, and hosting-focused, which means they don't have to invest in infrastructure. We see companies at the bottom end of the scale [in terms of size] and the airlines doing the same thing in terms of IT equipment, software and application usage. We offer everything from CRM to e-mail, and customers rent the service per user per month. We guarantee 99.9% up-time, ensure we do backups, and that the server is online, secure, firewalled and so on. It gives the customer the benefit of the application without the headache of the infrastructure.”

It also puts corporate data onto service provider servers, something that has traditionally been a major sticking point as far as outsourcing is concerned. With SaaS, outsourcing to virtualised data centres (a la Vodacom Business' offering) and the imminent arrival of cloud computing offerings, this is an issue that will need to be resolved sooner rather than later.

On the other hand, comments Rob Gilmour, MD of RSA Web: “From a governance perspective, some threats are higher when things are on site. Take data in server rooms or data centre, for example. Conditions are often not suitable for data storage or as good as that in a centre run by a service provider whose business is dependent on that infrastructure. A lot of these are perceived issues. Companies like to have their data on site where they have physical security and such in place. But a hosted environment is often better, for the aforementioned reason. From a protection perspective, most locations and servers are subjected to similar threats. Internet threats are Internet threats, irrespective of whether the server is co-located or connected to an ISP via a line from your office. There is a big perception issue that needs to be addressed.”

Careless whisper

The problem, ultimately, is that people don't particularly care, and they also don't consider IT assets to be assets, as such. “You don't buy IT equipment to have, you buy it to use; it becomes a tool,” says Lubashevsky. “And you use it to move business assets (information); the problem comes in because people do not look at them as the same thing.”

Organisations often have less interest in tracking and managing assets than they do in maintaining the company car.

Scott Johnson, product manager, FrontRange

This thing is, of course, a valuable corporate asset, whether it is a spreadsheet on a memory stick or the contact list on your cellphone.

“The question this raises,” he adds, “is do you know what assets you have? Do you know all of the invisible places you keep assets? Do you know where your assets are, up to and including the long-forgotten server dry-walled into a corner of the server room? And are you sure what your DBA is doing when he/she goes in or out of that room, helping themselves to all sort of goodies?”

Further, Johnson says: “Look at the organisation holistically. When it comes to budgeting and so on, how can you accurately budget (for maintenance or replacement or...) if you do not know what you have. How can you value it or manage it?”

New world order

And that's the million-dollar, probably more these days, question. As Gartner* puts it: “Vulnerability management - the work of protecting enterprise data and applications from external and internal threats - is becoming increasingly challenging.

During the next five years, this mission-critical security task will be complicated further by the increasing adoption of alternative delivery models and the growing use of consumer-grade applications and end-user owned devices. Most enterprises will have a mix of IT functions consumed as a service, and applications implemented on their own IT infrastructures.

Enterprise data may be stored on shared infrastructure, potentially exposed to service providers' privileged users, and enterprises' own data-centre-based IT assets will be exposed to devices that are not under the control of their IT organisations.”

Managing IT assets, particularly the intangible kind, just got a whole lot more interesting.

* Key issues for Data Vulnerability, Application and Endpoint Infrastructure Protection, 2009, Adam Hills, 13 March 2009, courtesy of Gartner.

Share