4 Critical Steps for a Complete ITAM & SAM Discovery & Inventory
The ability to perform comprehensive network discovery to identify everything on your network is vital. You need to discover all your network devices and ensure that all valuable assets that represent a cost to the business are identified. This is necessary in understanding potential compliance risks due to software licensing issues and is a crucial first step in establishing your SAM process, if an accurate position on your software licensing is ever to be attained.
Without this 100% discovery, your inventory and any subsequent SAM work are compromised. We have spoken to organizations that tell us they are 100% discovered. But when we ask how they can be so sure, their reply is that it is more of a gut feel! Furthermore, when we apply our technology to their network and perform an advanced network discovery (not just an inventory of already known devices), we find that their visibility can be as low as 80% of the true estate.
This carries implications ranging from security to software licensing exposure and the haemorrhaging value of business assets. Its major cause is using a discovery tool that only discovers in one way. Let me explain.
Firstly, you need to use a number of different protocols to efficiently scan your network to locate all devices and collect as much information as possible about them without the need to have an agent installed. The information collected as part of the discovery is a vital component, providing the check and balance of what is active and inactive on the network.
The Need for Multiple Feeds via Connectors
Having confidence in this data is crucial, and the ability to cross-check and validate what you have pulled from a wide range of sources is what provides that confidence. Taking multiple feeds via connectors gives you an easy way to identify what is ‘missing’ from any one source and the assurance that you are tracking everything.
These connectors should work ‘out-of-the-box’ with your discovery tool so that you can install, configure and deploy the tool to large and complex environments with minimal impact on resources.
The connectors that different organizations require vary, so below are some examples of the key ones to look for:
- Microsoft Active Directory
- VMWare – vCenter + vSphere
- Citrix XenServer
- SAP
- IBM – ILMT
- Amazon Web Services
- Oracle database
Don’t just Depend on Microsoft Active Directory
This two-pronged approach is vital in ensuring all network information is collected and inventoried. We have come across tools that just use agents, but unless you know the device is there, how can you put the agent on it in the first place?
Some tools use Microsoft Active Directory Group Policy to notify them of new additions to the network, so that they can deploy their agent to them. This sounds good in theory, but you need to consider what is not picked up by Active Directory, such as:
- Linux/UNIX boxes
- DMZ
- Mac
- Anything in a workgroup or other domains
Any of these could leave a big hole in your discovery and subsequent inventory.
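The cross-checking described in the connectors section, and the Active Directory blind spots listed just above, come down to the same operation: take each feed as a set of normalised host identities and compare them. The following is an added example (not code from the original post or from Certero's product) that reconciles three constructed feeds, an agent-less network scan, an Active Directory computer list and a vCenter VM inventory, and reports which live devices AD cannot see, which AD objects no longer respond, and which VMs were never reached by the scan. The feed records, host names and field names are all constructed for the illustration.

```python
# Added example: reconcile discovery feeds to find what any single source misses.
# All records below are constructed sample data, not real hosts.

NETWORK_SCAN = [  # agent-less scan: devices that actually answered on the wire
    {"host": "WS-001.corp.example", "ip": "10.0.1.10", "os": "Windows 10"},
    {"host": "ws-002.corp.example", "ip": "10.0.1.11", "os": "Windows 11"},
    {"host": "build-lnx-01", "ip": "10.0.2.20", "os": "Ubuntu 22.04"},
    {"host": "mac-design-03", "ip": "10.0.3.30", "os": "macOS 14"},
    {"host": "dmz-web-01", "ip": "192.168.100.5", "os": "RHEL 9"},
    {"host": "vm-app-01.corp.example", "ip": "10.0.4.40", "os": "Windows Server 2022"},
]

ACTIVE_DIRECTORY = [  # computer objects in the domain (what a GPO-driven agent rollout would see)
    {"name": "WS-001", "dns": "ws-001.corp.example", "enabled": True},
    {"name": "WS-002", "dns": "ws-002.corp.example", "enabled": True},
    {"name": "VM-APP-01", "dns": "vm-app-01.corp.example", "enabled": True},
    {"name": "OLD-LAPTOP-9", "dns": "old-laptop-9.corp.example", "enabled": True},
]

VCENTER = [  # VM inventory pulled from the hypervisor connector
    {"vm": "vm-app-01", "guest_host": "vm-app-01.corp.example", "power": "poweredOn"},
    {"vm": "vm-app-02", "guest_host": "vm-app-02.corp.example", "power": "poweredOff"},
    {"vm": "build-lnx-01", "guest_host": "build-lnx-01", "power": "poweredOn"},
]


def short_name(fqdn: str) -> str:
    """Normalise a host name so the same machine matches across feeds
    regardless of case or whether the feed reports the FQDN."""
    return fqdn.strip().lower().split(".")[0]


def reconcile(scan, ad, vcenter) -> dict:
    """Compare the three feeds and return the gaps each one has."""
    scan_os = {short_name(r["host"]): r["os"] for r in scan}
    seen_on_wire = set(scan_os)
    in_ad = {short_name(r["dns"]) for r in ad if r["enabled"]}
    in_vc = {short_name(r["guest_host"]) for r in vcenter}
    all_known = seen_on_wire | in_ad | in_vc

    return {
        "estate": sorted(all_known),
        # Live on the network but invisible to AD: typically Linux, Mac, DMZ
        # or workgroup machines, so an AD-only agent rollout never reaches them.
        "unmanaged_by_ad": {h: scan_os[h] for h in sorted(seen_on_wire - in_ad)},
        # In AD but not seen by scan or hypervisor: likely stale objects.
        "stale_ad_objects": sorted(in_ad - seen_on_wire - in_vc),
        # Known to the hypervisor but not reached by the scan (powered off,
        # or on a segment the scanner cannot reach).
        "vms_not_scanned": sorted(in_vc - seen_on_wire),
        # How much of the combined estate AD alone would have shown you.
        "ad_only_coverage_pct": round(100 * len(in_ad & all_known) / len(all_known), 1),
    }


if __name__ == "__main__":
    for section, value in reconcile(NETWORK_SCAN, ACTIVE_DIRECTORY, VCENTER).items():
        print(f"{section}: {value}")
```

With these constructed feeds, Active Directory on its own accounts for half of the combined estate, and every machine it misses is exactly the kind the list above warns about: a Linux build box, a Mac and a DMZ web server. The same set arithmetic applies unchanged when the feeds come from real connectors; the only work is choosing a normalisation key that is stable across sources.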
Network Discovery: Three-Tier Platform to Discover Everything
The way around this is not to rely totally on third-party feeds (like Active Directory) for the collection of inventory from client devices, whether agent-based or agent-less. The success and efficiency of the deployment is often directly linked to the connectors and network discovery. All of the information required to successfully target a client device is already collected through the connectors and network discovery, so the most efficient method of deployment can be used. Furthermore, all operating system platforms need to be targeted, not just Windows: Mac, UNIX, Linux and so on.
We took all of this into account when designing the Certero technology. It provides complete visibility of all hardware and software on your network, removing the guesswork. It uses a 3-tier platform consisting of a single application server, one or more endpoint servers, and agent-based or agent-less clients.
All administration, reporting and discovery data is accessed via a web application hosted on the application server. The endpoint servers gather data from agent-less or agent-based clients and push it up to the application server. Multiple endpoint servers are used to provide a distributed model and to improve scalability.
Enhanced Network Discovery
The discovery process can be agent-based, agent-less or a combination of the two, depending on your specific requirements, so you can use whichever method works best within your environment.
During the discovery phase, an asset is given a unique identity within the Certero database. This helps when reconciling existing inventory data with newly discovered data to avoid duplication after repeated discovery or re-imaging of assets.
Another element of the discovery phase reads asset tag values that have been recorded in a computer's BIOS. If populated, this value is gathered automatically and associated with the asset. There are also manual methods to record physical asset tag information, including using a user-defined field or uploading a scanned image of the physical asset tag and associating it with the asset.
One important fact is that the agent is modular and its modules are enabled automatically on the client depending on the environment. For example, in an IBM environment the IBM module is switched on, in an SAP environment the SAP module, and so on. This is in marked contrast to many other products that require a different and separately deployed agent for each and every environment.
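The two preceding paragraphs describe giving each asset a stable identity so that repeated discovery runs and re-imaged machines collapse onto one record, and recording the asset tag from the BIOS when it is populated, falling back to a manual entry when it is not. The following added example (not Certero's code; the field names, placeholder strings and discovery records are constructed for the illustration) shows one way to implement that: an identity key derived from hardware identifiers in order of preference, with common OEM placeholder values rejected so that blank or unprogrammed BIOS fields do not merge unrelated machines into one asset.

```python
# Added example: stable asset identity across discovery runs and re-imaging.
# Discovery records and identifiers below are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

# Values some OEMs leave in BIOS fields instead of a real identifier; treating
# them as valid would merge every such machine into a single asset.
PLACEHOLDER_VALUES = {
    "", "TO BE FILLED BY O.E.M.", "DEFAULT STRING", "SYSTEM SERIAL NUMBER", "NONE", "N/A",
}

DISCOVERY_RUNS = [  # three passes over time; run 1 sees ws-001 after re-imaging
    [
        {"hostname": "ws-001", "bios_uuid": "UUID-AAAA-0001", "serial": "SN-0001",
         "mac": "00:11:22:33:44:01", "bios_asset_tag": "IT-0042"},
        {"hostname": "lnx-build-01", "bios_uuid": "", "serial": "SN-0002",
         "mac": "00:11:22:33:44:02", "bios_asset_tag": ""},
        {"hostname": "mac-design-03", "bios_uuid": "", "serial": "",
         "mac": "00:11:22:33:44:03", "bios_asset_tag": ""},
    ],
    [
        {"hostname": "ws-001-reimg", "bios_uuid": "uuid-aaaa-0001", "serial": "SN-0001",
         "mac": "00:11:22:33:44:01", "bios_asset_tag": "IT-0042"},
        {"hostname": "lnx-build-01", "bios_uuid": "", "serial": "SN-0002",
         "mac": "00:11:22:33:44:02", "bios_asset_tag": ""},
        {"hostname": "kiosk-07", "bios_uuid": "To Be Filled By O.E.M.", "serial": "SN-0004",
         "mac": "00:11:22:33:44:04", "bios_asset_tag": ""},
    ],
]


@dataclass
class Asset:
    key: str
    hostnames: list = field(default_factory=list)   # every name seen, in order
    seen_in_runs: list = field(default_factory=list)
    asset_tag: Optional[str] = None
    tag_source: Optional[str] = None                # "bios" or "manual"


def asset_key(rec: dict) -> str:
    """Pick the strongest hardware identifier present; hostname is the last
    resort because it changes on re-imaging and can be duplicated."""
    for fld in ("bios_uuid", "serial", "mac"):
        value = (rec.get(fld) or "").strip().upper()
        if value not in PLACEHOLDER_VALUES:
            return f"{fld}:{value}"
    return "hostname:" + rec["hostname"].strip().lower()


def merge_runs(runs) -> dict:
    """Fold repeated discovery runs into one record per physical asset."""
    inventory: dict[str, Asset] = {}
    for run_no, run in enumerate(runs):
        for rec in run:
            asset = inventory.setdefault(asset_key(rec), Asset(key=asset_key(rec)))
            name = rec["hostname"].strip().lower()
            if name not in asset.hostnames:
                asset.hostnames.append(name)
            asset.seen_in_runs.append(run_no)
            tag = rec.get("bios_asset_tag", "").strip()
            if tag and asset.asset_tag is None:   # BIOS tag populated: take it
                asset.asset_tag, asset.tag_source = tag, "bios"
    return inventory


def set_manual_tag(inventory: dict, key: str, tag: str) -> bool:
    """Record a physical tag by hand; a BIOS-sourced tag is left authoritative."""
    asset = inventory[key]
    if asset.tag_source == "bios":
        return False
    asset.asset_tag, asset.tag_source = tag, "manual"
    return True


if __name__ == "__main__":
    for asset in merge_runs(DISCOVERY_RUNS).values():
        print(asset)
```

Note that the re-imaged workstation keeps its single record because its BIOS UUID matches (case differences aside), while the kiosk whose BIOS UUID is an OEM placeholder falls through to its serial number rather than colliding with other placeholder-filled machines.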
If you have a question on asset and network discovery, please get in touch.