IT asset management is essential for getting the most out of available IT resources, reducing costs, and mitigating cyberthreats. Implementing a Software Bill of Materials and comprehensive lifecycle asset management is vital for monitoring assets and identifying vulnerabilities. Walt Szablowski, Founder and Executive Chairman of Eracent, calls attention to the financial, legal, and security risks when organizations fail to scrutinize the software supply chains built into their IT system infrastructure.
RIEGELSVILLE, Pa., July 18, 2023 /PRNewswire-PRWeb/ -- IT asset management (ITAM) utilizes financial, contractual, and inventory information to monitor and make strategic decisions regarding IT assets. Its primary goal is to ensure efficient and effective utilization of IT resources. By reducing the number of assets in use and extending their lifespan, ITAM helps to avoid expensive upgrades. Understanding the total cost of ownership and improving asset utilization are integral aspects of ITAM.(1) Walt Szablowski, Founder and Executive Chairman of Eracent, which has provided complete visibility into its large enterprise clients' networks for over two decades, advises, "ITAM is not a one-and-done; it is a continuous process that requires regular evaluation and adjustment to align with evolving business needs. It plays a crucial role in the broader cybersecurity strategy and should be seamlessly integrated into an organization's IT service management processes and risk management framework."
IT assets include hardware and software, such as operating systems, computers, and servers. Assets can be "tangible" (devices) or "intangible" (software). IT asset management involves identifying, tracking, and maintaining individual assets through regular updates, resolving functionality issues, providing subscription renewal reminders, and ensuring that IT assets are replaced or upgraded when they become obsolete and unable to receive security updates.(2)
Managing IT Software and hardware includes the identification and management of cyber vulnerabilities. All assets have cyber security vulnerabilities, so managing cyber threats is essential. A new process of identifying open-source software vulnerabilities associated with purchased software is contained within a Software Bill of Materials (SBOM) that is now part of the documentation supplied by software publishers.
A Software Bill of Materials (SBOM) is a comprehensive inventory of the components, libraries, and modules needed to construct a particular software and their respective supply chain relationships. Studies reveal that 37% of installed software goes unused. Removing unused software and hardware decreases vulnerabilities and prevents unnecessary expenditures. By reducing the attack surface, the overall security exposure is minimized.(3)
ITAM extends beyond asset inventory by leveraging captured data to increase business value. It reduces cost, eliminates waste, and improves efficiency by avoiding unnecessary asset acquisitions and optimizing current resources. ITAM enables faster and more precise migrations, upgrades, and changes, enhancing organizational agility.(4)
Open-source software (OSS) is widely used in modern application development. However, the 2023 Open Source Security and Risk Analysis (OSSRA) report, which examines the vulnerabilities and license conflicts found in roughly 1,700 codebases across 17 industries, reveals significant operational hazards. A concerning number of codebases contain dormant OSS components that have not received updates or development activity for at least two years. This indicates a lack of maintenance and leaves the software at risk. The report shows that a high percentage, 88% to 91%, of codebases are outdated, contain inactive components, or have received no recent development activity.(5)
Open-source software is subject to copyright laws, and using it in an application requires organizations to adhere to the associated license terms. To ensure compliance, many businesses have dedicated legal resources or staff knowledgeable in open-source matters. Using open-source software without complying with the license requirements can lead to legal infringements and liabilities. With open source comprising approximately 80% of modern applications, organizations must be cautious about undisclosed open-source usage. Copyright owners, as well as nonprofit organizations that support the open-source software movement, can actively pursue legal action against violations, which can cause financial and reputational damage.(6)
Open-source licenses come in two main types: permissive and copyleft. Permissive licenses require attribution to the original developer with minimal additional requirements, while copyleft licenses, like General Public License (GPL), promote code sharing but carry risks for commercial software. Organizations rely on SBOMs to navigate complex software supply chains, identify weaknesses, track open-source usage, and ensure license compliance. Including licenses in the SBOM helps organizations maintain a comprehensive inventory and reduce legal liabilities. Failure to comply with open-source licenses can result in legal disputes and loss of intellectual property rights. Including licenses in an SBOM helps organizations promote transparency, trust, and compliance within software supply chains.(7)
Open-source software has made supply chains more complex and less transparent, increasing the potential for cyberattacks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced software supply chain attacks. It is important to maintain visibility into open-source software usage and promptly address any identified areas of vulnerability.(8) Software asset management teams should be part of and contributors to their cybersecurity teams. By breaking down these two silos, they become a cohesive risk management team. And when purchasing software or contracting someone to build it, they must secure an SBOM, which is a vital component of risk management and reduction.
Lifecycle management tracks every aspect of asset and license ownership, from acquisition to disposal. IT Service Management (ITSM) tools, configuration management databases (CMDBs), and software asset management (SAM) tools are not sufficient for comprehensive lifecycle management. These solutions lack the necessary detail and will result in incomplete ownership summaries, limiting the ability to maximize asset value and minimize costs. To achieve effective lifecycle management, organizations must track all assets and licenses in their IT environment. By maintaining a dedicated repository, they establish a reliable baseline for every asset and license.(9)
Eracent's ITMC Lifecycle™ provides comprehensive lifecycle asset management for all assets and licenses, providing continuous tracking from planning and acquisition through refresh and disposition. The data captured in ITMC Lifecycle provides a foundation for many activities, including end-user requests, procurement, SAM, hardware lifecycle management, ITSM, network and endpoint security, automated workflows, budgeting, planning, and more. Additionally, the system facilitates tracking, reporting, and automatic alerts for contracts, agreements, and financial transactions.
Szablowski notes, "It's like the wild west out there, from an IT asset management perspective. There's a subversive element. The thinking is that if the software came from a source like Microsoft, it must be good to go. But there can be something in there that may be a ticking time bomb from a security standpoint. And if your internal application development team or a vendor that you hired uses the wrong license type, your company will pay a high price. It's a real Pandora's Box. But, in this case, you actually have to look under the lid."
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent's subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today's complex and evolving IT environments. Eracent's enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent's client base includes some of the world's largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. To learn more, visit https://eracent.com/.
1. What is it asset management (ITAM)?. IBM. (n.d.). https://www.ibm.com/cloud/blog/it-asset-management
2. Trovato, S. (2022, December 28). What is it asset management?. Forbes. https://www.forbes.com/advisor/business/it-asset-management/
3. Eracent. (2018, June 19). The linkage between cybersecurity and Itam. Eracent. https://eracent.com/the-linkage-between-cybersecurity-and-itam/
4. Chouffani, R., Holak, B., McLaughlin, E. (2022, April 18). What is it asset management (ITAM)?. CIO. https://www.techtarget.com/searchcio/definition/IT-asset-management-information-technology-asset-management
5. [analyst report] open source security and analysis report. Synopsys. (n.d.). https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?intcmp=sig-blog-sctrust
6. 08, B. T. M. J., Authors, Micro; Research, T., Trend Micro, Research, Us, C., Subscribe. (2021, July 8). How to navigate open source licensing risks. Trend Micro. https://www.trendmicro.com/en_us/research/21/g/navigating-open-source-licensing-risk.html
7. Interlynk. (2023, June 12). Open source licenses in sboms. Medium. https://medium.com/@interlynkblog/open-source-licenses-in-sboms-9ee6f6dc1941
8. Callinan, M. (2022, August 31). Establishing Trust in your software supply chain with an SBOM. ITAM Channel. https://itamchannel.com/establishing-trust-in-your-software-supply-chain-with-an-sbom/
9. AppStorePlus PG1 final LR - eracent. (n.d.). https://eracent.com/wp-content/uploads/2020/09/ITMCLifecycle-data-sheet-0820-IAITAM2020.pdf
Karla Jo Helms, JOTO PR™, 727-777-4619, [email protected]