Effective IT Asset Discovery and Management is absolutely reliant on good data. Having the most up to date, cutting edge ITAM tool on the planet and a raft of experts poised and eager to take a hatchet to your software spend is all well and good, but without good knowledge on your IT estate, it’s all for naught. The data on IT assets may come from all manner of places, but one thing you will absolutely need, categorically and without question, is reliable data on your IT assets and the software deployed on them.
So, where to start? Well, a lot of organisations start by looking at the pros and cons of agent-lead and agentless discovery tools. As far as I’m concerned, the key difference is this. A device with an agent on it will reliably deliver discovery data so long as the agent is functioning properly and it connects to the network every once in a while, but you have to go to the effort of getting the agent on to the device in the first place. An agentless tool will deliver discovery data without you having to go through the rigmarole of deploying agents to end-points, so long as it is connected to the network when you run a scan.
Agent-lead vs. agentless IT asset discovery
Based on this simple fact alone I will confidently make an asset discovery tool recommendation to all and sundry. Which type of tool do you need? Simple. Both. This may seem like a belt and braces approach to asset discovery, but I think it’s important to bear in mind the strengths of the two solutions and how they can contribute to an organisation’s ultimate goal of current, reliable and detailed inventory data on all of their IT assets.
Which type of tool do you need? Simple. Both.
To get good data you’ll need to be confident you’re capturing data on all the assets in your organisation, and an agent-lead approach to asset discovery is unlikely to help with this. Agents only deliver data on the device they’re deployed on, so how will this data tell you what devices you’re missing? Simple, it probably won’t. In order to make sure you’re capturing data from all the devices in your environment you’ll need to cross reference a couple of different data sets and figure out where the gaps are. Using your Anti-Virus console or AD to provide a list of assets for comparison is an option, but these data sets can often only tell you what you’ve already told them. An agentless discovery tool, on the other hand, will flag up everything on the network when the scan is run. So choose a time when you’re confident you’re going to see a high number of devices on the network and have at it! You can then use this data to figure out how many assets you have, which ones you have consistent and reliable data for, and which ones you don’t. Then you can draw up a target list for improving your discovery data coverage.
Asset discovery you can count on
Once you know what your target list is, the best way of being sure you’re going to see a consistent feed of inventory data from a given asset is by deploying an agent-lead asset discovery tool on it. The agent will collect data on the asset and then upload it at regular intervals, or whenever the device connects to the network. This will give you the best picture of the current state of a given asset. With an agentless tool, if the asset isn’t on the network when you run the scan then you won’t get an updated snapshot of the device, and then you’ll either be working with old data on the asset, or possibly even no data at all.
Then all you’ll need to do is review the coverage of your agent-lead asset discovery tool at regular, pre-agreed intervals, using the other methods at your disposal. When you find a gap in the data you can work with the discovery tool owners to close them out, and everybody wins. Asset discovery tool owners hit their coverage targets and the ITAM team get a reliable data set they can put their confidence in.
Cover (almost) all bases with the right discovery tool
As far as the actual asset discovery tools you choose to use that’s very much up to an individual organisation, but there are a couple of things to be aware of. Make sure the tool will work across all of the platforms in the estate (or as many as possible anyway). If you’re using Wintel and Mac operating systems then bear that in mind when reviewing possible discovery tools. Also, think about the major publishers in use across the organisation. Many publishers will have a specific (usually in-house) tool which they will request you use to provide data under audit conditions, but they will also have a selection of other tools whose data they deem suitable. If the key publishers in an estate are Microsoft, Adobe and IBM then try to find a discovery tool that will render audit response suitable data for those three publishers. With both of the points above it may not be possible to cover all your bases, but at least you will know where the gaps are should any publishers come a-knocking.
