Beyond Inventory: What's Next?

Y2K brought the issue of IT assets to the executive table. To prevent the collapse of their operations when the clocks struck midnight on December 31, 1999, companies worked furiously to find out what computer hardware and software they were using, whether or not their systems were Y2K-compliant, and if they weren't, how to fix them.

Five years later, companies are still struggling to get their arms around their infrastructures. Now, the Internet is ubiquitous and real-time system availability is expected. Multi-tiered platforms with highly distributed IT assets are the norm--especially in larger companies. And regulations--such as SOX, HIPAA, and Gramm-Leach-Bliley--are forcing executives to take personal responsibility for financial statements and customer privacy--information housed in their IT systems.

As a result, IT management in general--and IT asset management in particular--are becoming much more sophisticated.

In the 1990s, companies were exuberant with IT spending, says William Snyder, program director, operations strategies, at META Group Inc., a Needham, Mass.-based research and consulting company. Then in the early 2000s, there was a dearth in IT spending. Now, executives realize they need a sustainable path of IT spending, he says. "And you can't have a sustainable path of spending if you don't know what you need to sustain."

At lower levels

Even with this realization, the majority of IT asset management programs across industries (65%) still remain at the lower levels of maturity, says Snyder.

At these levels, three types of technologies may be employed:

  • Automated discovery tools, which enable a company to determine what hardware and software it uses.
  • Asset repositories, which contain data that isn't "discovered" with these tools, including license and contract information.
  • Usage tools, which record not only what software is installed on machines, but who is using it and how often.

Fewer companies are at the higher levels of IT asset management maturity. But those that are have started to integrate these "traditional" IT asset management technologies with other systems across the enterprise to proactively manage their IT costs.

"Asset management used to be just an inventory problem--knowing who was using an asset, where it was located and what it looked like," says Patricia Adams, principal analyst at Stamford, Conn.-based Gartner Inc.

Now, it's becoming a strategic core discipline, which includes understanding the cost, depreciation and life cycle of physical assets--and integrating that data with procurement, contract management, and IT service management.

The endeavor is huge.

"All infrastructure managers have the significant problem of trying to constantly chase down, understand and manage their IT asset landscape," says David Carlson, vice president of IT service delivery at Allmerica Financial Corp., Worcester, Mass. "It's extremely organic in any company that has a sizeable infrastructure. It's a tremendous burden to keep up with that."

Change control

To help keep up with that, Allmerica is deploying an IT service configuration management tool that enables the company to have an up-to-date, real-time "map" of its servers, databases and applications that support mission-critical business processes.

Although the product it uses--from Relicore Inc., Burlington, Mass.--isn't technically an IT asset management tool, it is tangentially related to asset management, says Carlson. It enables the company to better understand the effect that software, hardware and network changes will have on its overall environment.

"We wanted to enhance our change control process and we wanted to understand the dependencies between applications, databases and physical infrastructure," he says. To do that, companies typically use Visio diagrams. "They go into change control meetings and do the best they can using all these manual inputs to figure out the impact of changes they want to make."

But Allmerica wanted to be more proactive, he says. "We want to go into change control much more educated about the impacts changes we're planning will have on the environment."

For example, he says, two people may be making a change to the same database. "Unless you can see that both of your changes are going to touch that same database server, you could 'step on each other' and cause a problem," he says.

Using Relicore's product, Allmerica will understand all the relationships between applications, databases, networks and servers to avoid these kinds of potential conflicts.

"Not only does Relicore show you the relationships of servers to databases," says Carlson. "It also shows software dependencies. It shows you every single relationship that exists within an application--what hardware it runs on, what network pipes it traverses, what databases it uses, and what messaging services it uses."

In a highly distributed IT environment that includes Windows, Unix and Linux, that's powerful information, Carlson notes. "Our infrastructure is like a big spider web," he says. "It's very difficult to understand those complexities using the manual method."

Initially, Allmerica is using Relicore for mission-critical policy administration and underwriting business processes.

It's a good fit in these environments because they involve many distributed servers, Carlson says. In addition, they are agent-facing applications, where system availability directly impacts new business.

Two key measures

Keeping systems available and service levels high are two key measures infrastructure managers watch, Carlson notes. Using the Relicore software, his staff will be able to watch for unauthorized software changes that can slow their systems down.

"We wanted to cut the mean time to resolve problems by having a better radar screen to detect where a software change was made rather than fishing around for it," he says. "We have a very disciplined change control process, and we don't want any changes going on outside our change control windows."

The company also is benefiting from a feature of the software that enables IT staff to conduct analysis of the configuration of servers. "You can identify a gold standard (for configuration) and compare your servers to make sure all of them--in a Web environment, for example--are identically configured," Carlson explains.

At press time, Allmerica had synchronized servers in some of its mission-critical processes, which resolved some persistent problems, he says.

In addition, the company was setting up its "radar screen" to monitor for unauthorized IT changes. In the future, Allmerica plans to integrate Relicore with its existing IT asset management repository.

"We'd love to get to the point where we can auto-discover assets on the network and drop them right into our asset database," says Carlson. "That's all manually done now, and it's very difficult to maintain the discipline to keep that up-to-date."

Indeed, a synergy exists between IT asset management and configuration management, says META Group's Snyder. "IT organizations want configuration management; and asset management is one way for technologists to get there," he says.

Overall, Snyder says, a shift is occurring. "Asset management programs tended to be built in a parochial way. For instance, 'I need to do help desk.' 'I need to do mainframe software asset management.' 'I need to do lease return.' They were myopic in their approach," he says. "Now, I'm seeing a more cohesive, across-the-enterprise view of how to do this."

That's what Prudential Financial Inc. is doing with its 10-year-old IT asset management program. The company is already using several asset management tools, including inventory databases and auto-discovery. Now, it is implementing an asset management center that will function as a centralized directory for asset data dispersed across different platforms.

Enterprise view

"Four inventory systems will feed into our asset center; our cost codes are coming out of our general ledger; and our locations are coming out of our problem, change, and service ticketing system," says David Quinn, director of information systems at the Newark, N.J.-based financial services firm.

Prudential's asset management center will also incorporate contract and licensing information from the company's legal system, as well as asset data from its procurement system.

"Asset management isn't new at Prudential. It's something we've been doing for quite awhile," says Ken Tyminski, Prudential's chief information security officer. "What we're trying to do now is to get to a single, consistent platform across the enterprise so we can leverage some of the new features and functions that are available."

Those features and functions include automated workflow, including automatically accessing relevant databases to validate authorized users or hardware changes.

"On our desktop platform, a pop-up appears on users' screens once a month to make sure they're still using their machines," says Tyminski. That information is then cross-checked against other databases to ensure those users have system IDs. Similarly, he says, "if we have a machine that we haven't heard from in awhile, we want to find out what happened to it."

Finding the 'unknowns'

Currently, reconciling that kind of information is a time-consuming effort. "Dave (Quinn) does a lot of manual processing," says Tyminski.

"For instance, if a PC was in the inventory last month, and it's not showing up in this month, he needs to find out if there was a change ticket to remove that PC from the network or to upgrade it. We want to reconcile that because obviously we want to know what happened to that asset."

Prudential is also upgrading an automated discovery tool it has been using for several years. "We've been scanning the network for about three years," says Tyminski. "We started to do that out of the security group because we wanted to know what was on the network and what our vulnerabilities were."

Now, Tyminski and Quinn are working closely to funnel that discovery data into the asset management initiative. "Dave lined up our information with everything he already knew, and we were able to identify devices we call the 'unknowns,'" says Tyminski. "They weren't showing up anywhere, but they were on the network." As a result, Prudential has reduced its 'unknowns,' he says. "We have very, very few devices on the network now that we don't know about."
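The reconciliation described in this section, sketched as an added example that is not part of the original article or any Prudential tooling: it compares two monthly inventory snapshots, change tickets and a discovery scan to separate explained removals, unexplained disappearances, network "unknowns" and machines that have gone quiet. Keying on MAC address, the record layouts, and every device, ticket and address value are assumptions constructed for illustration.

```python
# Added illustration: all records, MACs, IPs and ticket IDs are constructed.

def norm_mac(mac: str) -> str:
    """Normalise a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(last_month, this_month, tickets, scan):
    """Inventories: {mac: asset_tag}; tickets: [{id, mac, action}];
    scan: [{mac, ip}]. Returns a report of what needs follow-up."""
    prev = {norm_mac(m): tag for m, tag in last_month.items()}
    curr = {norm_mac(m): tag for m, tag in this_month.items()}
    # Tickets that legitimately explain a device leaving the inventory.
    closed = {norm_mac(t["mac"]): t["id"] for t in tickets
              if t["action"] in ("remove", "upgrade")}
    seen = {norm_mac(d["mac"]): d["ip"] for d in scan}

    report = {"explained": {}, "unexplained": [], "unknown": {}, "silent": []}
    for mac in sorted(prev.keys() - curr.keys()):
        if mac in closed:
            report["explained"][prev[mac]] = closed[mac]
        else:
            report["unexplained"].append(prev[mac])  # no ticket: chase it
    # On the network but in no inventory: the "unknowns".
    for mac in sorted(seen.keys() - curr.keys()):
        report["unknown"][mac] = seen[mac]
    # In the inventory but not heard from in this scan.
    report["silent"] = sorted(curr[m] for m in curr.keys() - seen.keys())
    return report

LAST_MONTH = {"02:00:00:00:00:01": "PC-1001", "02:00:00:00:00:02": "PC-1002",
              "02:00:00:00:00:03": "PC-1003", "02:00:00:00:00:04": "PC-1004"}
THIS_MONTH = {"02-00-00-00-00-01": "PC-1001", "02-00-00-00-00-04": "PC-1004"}
TICKETS = [{"id": "CHG-0042", "mac": "020000000002", "action": "remove"}]
SCAN = [{"mac": "02:00:00:00:00:01", "ip": "192.0.2.11"},
        {"mac": "02:00:00:00:00:99", "ip": "192.0.2.57"}]

if __name__ == "__main__":
    for bucket, items in reconcile(LAST_MONTH, THIS_MONTH, TICKETS, SCAN).items():
        print(f"{bucket}: {items}")
```

A device that was removed by ticket but still answers the scan lands in the "unknown" bucket, which is the case a quarantine policy would act on.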

The primary reason Prudential is developing this centralized asset management hub is to manage its IT assets proactively, according to Tyminski. "We're going to know everything that's connected to our network. Does it meet our policy? Is it being managed appropriately from a financial perspective and from a software perspective? Is it being supported appropriately?"

But the visibility the technology provides into the company's assets will also be leveraged to improve security, he says.

"We're also going to make sure there are no vulnerabilities on our network. And, if we find something and we don't know what it is, we're going to take steps to quarantine that device until we can install the right management controls on it."

Prudential also is taking steps to address asset management issues by line of business. "We're going to establish a consistent naming convention for our problem, change and service system; our operational console, which has line-of-business views; and our asset management system," says Quinn.

This way, Prudential will be able to go into the asset center and pull asset-related information based on an application name, for example.

"We'll be able to do a lot of management with that information," says Tyminski. For example, when a new Windows patch has to be applied, the company will know what devices need the patch and which businesses are affected. "We can then work with the business people and help them understand what's going on in their world," he says. "It shows the value we bring to the table--because now we can talk to the business people in terms they understand--how it impacts their business."

And therein lies the huge potential of sophisticated asset management programs, according to sources: to manage IT as a business, which can clearly define its cost and value to the business.

"What we see when companies get to the (highest) level of asset management is a fairly good understanding that the costs incurred in an IT organization are driven by the projects done by business units--or funded by business units," says META Group's Snyder.

As a result, Snyder sees IT asset management progressing toward a "charge-back" approach, in which costs are aligned with the businesses driving them.

"When you talk about 'charge-backs,' the discussion is very political in most organizations," he says. "But the reality is: Even if you're not going to charge back to the business units, you still have to operate an IT organization under the auspices of a charge-back methodology--because if you don't know who's driving your costs, you can't control your costs--and you never will."

Companies Throw Money Away With Their Old Assets

IT asset management comprises the entire lifecycle of hardware and software--from requisition to deployment and management to retirement and disposal. But some companies fail to harvest the value that remains in their assets at the back-end of that life cycle, industry sources say.

"Typically, companies use their assets for about four years," says Patricia Adams, principal analyst with Stamford, Conn.-based Gartner Inc. "When they retire them, they'll sometimes stick them in a closet rather than pay someone to take them off their hands." As a result, companies are essentially throwing money away, by neglecting to recover reusable software, by paying for storage space they don't need, and, in some states, by paying property taxes on equipment they no longer use.

In addition, companies often don't recover the full value of their IT assets when they dispose of them, according to Paul Baum, CEO and founder of PlanITROI Inc., a Denville, N.J.-based firm that specializes in IT asset retirement.

PlanITROI has written checks in the amount of $100,000 to $2 million to the CEOs and CFOs of Fortune 500 companies that have used the company's asset retirement services. The company is able to do this because the value of the assets often exceeds the cost of the retirement services.

In addition, Baum notes, the insurance industry has an additional incentive to pay more attention to how it disposes of its IT assets--namely, laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley, which require the companies to protect personal information stored on hard drives and to document that disposal.

Baum advises insurers to make sure they receive detailed reports from their asset retirement firm--reports that list serial numbers along with how and where each device was retired. "Most corporations--I would say 60% to 70%--do not receive a report from their recycler, independent contractor or OEM that says 'this asset was dealt with in this way,'" Baum says.

In addition, when a hard drive is erased by a firm such as PlanITROI, Baum says it's also important for insurers to receive a map from their service provider showing the data on each drive before it was removed as well as after. "Before a disk is wiped clean, it has a distinct map of all the information on it," he says. "After you wipe it clean, that map is the same for all disks that are erased to the Department of Defense Level 7 standards."

Compliance Issues Surfacing In IT Asset Management Discussions

When companies invest in IT asset management tools, the primary reasons are to keep systems available and service levels high, according to industry sources. But another concern is beginning to surface in asset management discussions.

"In the age of Sarbanes-Oxley (SOX), one of the major issues is the auditability of your assets, and that includes IT assets," says Craig Macdonald, vice president of product marketing at Peregrine Systems Inc., a San Diego-based IT asset management and IT service management company.

According to recent research, Peregrine found 70% of companies across industries are in the "chaos" stage of IT asset management, meaning they have no solid understanding of what they have or where it is located.

In addition, Macdonald notes, SOX requires companies to be in compliance with all their contractual agreements. "And a lot of companies struggle with making sure they're in compliance with their software agreements," he says.

Fireman's Fund Insurance Co. has thousands of agreements with outside vendors, including those with software companies, and most of those agreements were negotiated before the company implemented a contract management system last year.

"We had multiple contracts with the same external providers," says Robert Neuhard, director of contracts at the Novato, Calif.-based insurance company. "So we had no way to get our hands around them. And, even if we could get our hands around them, we needed a way to manage all the data we were going to collect."

Now, using a contract management system from Redwood City, Calif.-based Nextance, Fireman's Fund easily tracks its licenses and agreements with suppliers, according to Neuhard.

"Software has so many unique restrictions about where you can move it or if you're allowed to use it in a disaster recovery environment, a production environment or a testing environment," he says. "We're tracking those nuances now."

When Peregrine customers use software usage tools to find out if they are in compliance with contracts, they often find they're not, says Macdonald. "But more often than that, they discover that they have massively over-purchased their software licenses," he says.

In fact, this is a common problem. When companies with no IT asset management program in place begin using tools and processes, they typically save up to 30% in management costs per asset in the first year, says Patricia Adams, principal analyst at Stamford, Conn.-based Gartner Inc.

The savings decline over the next four years to 10% to 15%, she says. But there's no question that IT asset management can reduce IT costs.

"If your company purchased 1,000 licenses of Visio, you want to make sure those 1,000 licenses are installed and being used," she says. "You may only need 400 licenses. Asset management helps companies gain visibility into how their hardware and software are being used."
