Most large organizations maintain some semblance of a configuration management database (CMDB) to track business resources, including IT hardware and software. Sadly, many are poorly maintained and out of date. This leads to missed opportunities and inefficiencies when using the data to make business decisions. It also creates challenges for cyber security.
A CMDB is a centralized database that stores information about business assets and the relationships between them. It generally covers physical and virtual assets, software, and even facilities. The relationships matter as much as the records themselves. For example, a server might have application software installed, while a laptop may have office automation tools, and both packages need to be tracked so that licensing doesn’t lapse. When assets are few, a simple spreadsheet might suffice. But when scaled up to thousands of personal computers and servers, each with dozens or even hundreds of software packages installed, it becomes impossible to track this data and its relationships manually.
Without strong governance and a healthy dose of automation, it is nearly impossible to keep a CMDB accurate enough to be useful. Automation comes in the form of discovery tools: agentless scanners that sweep the network, and agents installed on the very assets they are designed to track. Agents allow a detailed view of usage and configuration on each asset, at the cost of running privileged software everywhere, so the agent and its reporting channel must themselves be secured and kept current. With a bit of configuration, this discovered data can flow into the CMDB on a regular schedule.
Another form of automation within the CMDB comes from business rules and workflow processes. When new assets are discovered, a process is needed to onboard each one correctly and ensure all necessary data is populated. Discovery tools can only go so far. For example, a newly discovered asset may be created programmatically, but the record will be missing ownership and financial information, such as which organization owns the asset and who is paying for it. Workflows can trigger automatically on discovery to engage the right personnel to complete the remaining fields in the CMDB.
CMDB automation keeps asset data accurate, which is vital for exercises such as cost reduction. For example, suppose the company decides to end its relationship with a troublesome software vendor. The vendor has threatened to charge high fees if the software is not removed immediately, and the software phones home to an Internet-based license check, so the vendor will know the moment a package is executed. It could take days or even weeks to manually find and remove all instances of the offending software, and in the meantime penalty costs add up rapidly. Worse, if the CMDB is inaccurate, it could send teams off chasing ghosts that no longer exist instead of removing real software from live assets.
An accurate CMDB can also drive financial efficiencies. Knowing the exact age of assets avoids the unnecessary cost of replacing them too early, before their useful life has expired. It also helps avoid replacing them too late, when repair and extended warranty charges start to climb. On the software front, a CMDB can find and eliminate unused and unnecessary licenses. All of these add up to significant savings for companies with more than a few dozen assets to track.
It’s true that an accurate and well-maintained CMDB plays a supporting role for business operations. But how does it support information security? The CMDB can aid the infosec team in several ways. First, if up to date, the CMDB is the reference list against which security tool coverage (endpoint agents, vulnerability scanning, log forwarding) can be checked. Gaps in coverage or visibility create openings for attackers and malware to propagate unnoticed. Comparing each tool’s host inventory to the CMDB on a regular basis quickly identifies the gaps that need to be remediated.
The CMDB is more than just an inventory for checking infosec coverage. It can maintain ownership and usage records for IT assets, providing a quick way to identify contacts during a security incident when an asset needs to be disabled or rebuilt to contain a threat. It also helps when a vendor announces a vulnerability that is already being exploited in the wild: provided the CMDB records installed software at version granularity, it can produce a list of affected assets in minutes so the software can be patched or disabled.
A more advanced feature of a modern CMDB that proves useful to security teams is the relationship information between assets. For example, a CMDB can show all servers related to a given application, along with the ownership and support teams and other stakeholders involved. When lateral movement is suspected in an incident but not yet visible in telemetry, these relationships give infosec a starting point: search the assets adjacent to the compromised one first and spiral outward, rather than searching the entire enterprise from the outset. It is the difference between starting narrow and widening scope as evidence dictates, and sweeping everything at once. Teams can focus scarce security resources on a smaller set of assets, making better use of their time and tools.
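The three uses described above (checking tool coverage against the CMDB, pulling the list of assets running an affected software version, and walking asset relationships to scope an incident) all reduce to simple operations over the same CMDB export. The following is an added example, not code from the original article or from any particular CMDB product; the CMDB records, relationships, tool host lists, and the "fixed in 2.17.1" advisory threshold are all constructed sample data, and the field names (`type`, `owner`, `software`) are assumptions about the export format.

```python
"""Reconciling a CMDB export against security-tool data: coverage gaps,
affected assets for a vendor advisory, and relationship-based incident scoping.
All records below are constructed sample data, not a real environment."""
from collections import deque

# Constructed CMDB export: one record per configuration item (CI),
# with installed software recorded at version granularity.
CMDB = {
    "web01.corp.example": {"type": "server", "owner": "web-platform", "env": "prod",
                           "software": {"nginx": "1.24.0", "openssl": "3.0.11"}},
    "app01.corp.example": {"type": "server", "owner": "payments", "env": "prod",
                           "software": {"openjdk": "17.0.8", "log4j-core": "2.14.1"}},
    "db01.corp.example": {"type": "server", "owner": "payments", "env": "prod",
                          "software": {"postgresql": "15.4"}},
    "build01.corp.example": {"type": "server", "owner": "devex", "env": "dev",
                             "software": {"jenkins": "2.414.1", "log4j-core": "2.17.1"}},
    "lt-4471.corp.example": {"type": "laptop", "owner": "hr", "env": "user",
                             "software": {"office": "16.0"}},
}

# Constructed CMDB relationships as (source, relation, target) triples.
RELATIONSHIPS = [
    ("payments-app", "runs_on", "app01.corp.example"),
    ("payments-app", "runs_on", "web01.corp.example"),
    ("payments-app", "depends_on", "db01.corp.example"),
    ("build01.corp.example", "deploys_to", "app01.corp.example"),
]

# Constructed host lists as exported from an EDR console and a vulnerability
# scanner. Note the inconsistent casing and short names: tools rarely agree.
EDR_HOSTS = {"WEB01", "app01.corp.example", "db01", "lt-4471.corp.example"}
SCANNER_HOSTS = {"web01.corp.example", "app01.corp.example", "build01.corp.example"}


def normalize(name):
    """Compare on lowercase short hostname so FQDN vs. short name still match."""
    return name.strip().lower().split(".")[0]


def coverage_gaps(cmdb, tool_hosts, ci_types=("server", "laptop")):
    """CMDB CIs of the given types that the tool has never reported on."""
    seen = {normalize(h) for h in tool_hosts}
    return sorted(ci for ci, rec in cmdb.items()
                  if rec["type"] in ci_types and normalize(ci) not in seen)


def version_tuple(version):
    """Dotted numeric version string -> comparable tuple, e.g. '2.14.1' -> (2, 14, 1)."""
    return tuple(int(part) for part in version.split("."))


def impacted_assets(cmdb, package, fixed_in):
    """CIs running `package` below the vendor's fixed release, with the owning
    team so the right people can be paged. Assumes purely numeric versions."""
    fixed = version_tuple(fixed_in)
    hits = []
    for ci, rec in cmdb.items():
        installed = rec["software"].get(package)
        if installed is not None and version_tuple(installed) < fixed:
            hits.append((ci, installed, rec["owner"]))
    return sorted(hits)


def blast_radius(relationships, start, max_hops=2):
    """Breadth-first walk over CMDB relationships, treated as undirected, from a
    compromised CI. Returns {ci: hops} so hunting can start with the nearest."""
    adjacency = {}
    for src, _relation, dst in relationships:
        adjacency.setdefault(src, set()).add(dst)
        adjacency.setdefault(dst, set()).add(src)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for neighbour in adjacency.get(node, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


if __name__ == "__main__":
    print("No EDR agent:", coverage_gaps(CMDB, EDR_HOSTS))
    print("Not scanned:", coverage_gaps(CMDB, SCANNER_HOSTS))
    print("log4j-core below 2.17.1:", impacted_assets(CMDB, "log4j-core", "2.17.1"))
    print("Hunt scope from app01:", blast_radius(RELATIONSHIPS, "app01.corp.example"))
```

Two design points carry over to real exports. Hostname normalization is where most reconciliation efforts fail, so decide on a canonical key (short name, serial number, or cloud instance ID) before comparing lists. And the relationship walk deliberately ignores edge direction: a build server that deploys to a compromised host is as interesting as the database the host depends on.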
Last, but certainly not least, a well-maintained CMDB helps the business manage a variety of risks. Knowing asset ownership and support roles ensures no asset goes unowned or unmanaged. Documented function and usage for an asset helps quantify the business impact if that asset suffers a security incident. This gives information security a guide for focusing limited resources on the assets that matter most to business operations, minimizing downtime and outages during a critical incident response.
At this point, the benefits of implementing and maintaining a configuration management database should be abundantly clear. Mid-sized and larger companies without one are truly missing out, as are organizations where the CMDB is out of date or has fallen into disrepair. Making the effort to (re)implement and automate maintenance of a CMDB could drive improvements to a company on multiple fronts, resulting in significant return on investment.