
Are you using a Configuration Management Database (CMDB) as your organization's single source of truth? The truth is that it's not enough to cover all your bases. In fact, it may create more challenges than it actually solves.

We've all heard it before, but it bears repeating: you can’t maintain or secure what you don’t know exists. A comprehensive asset inventory is key for building that knowledge. As a result, many organizations turn to a configuration management database (CMDB) in hopes of finding a solution that can act as a repository for their network and asset data. A CMDB is a crucial part of the ITIL framework that enables you to manage, control, configure, and discover assets across the organization. Its goal is to help you streamline operational decisions and confidently evaluate the potential impact of changes to your services and infrastructure.

The promise is compelling, but the reality is that if you are using a CMDB for asset inventory, you're likely not getting the information you need from it.

From the high costs of deployment to data quality issues, a CMDB is too large an investment of time and resources not to deliver on its full promise. According to Gartner, only 25% of organizations are achieving meaningful value with their CMDBs. So, what can you do to improve asset inventory and get more value from your CMDB?

Why your CMDB isn't enough for asset inventory

Let's get this out of the way: a CMDB isn't a replacement for an asset inventory solution. A CMDB can be a powerful data warehouse that can aid in day-to-day IT operations, as well as security management and compliance. In theory, a CMDB would align IT and security functions by providing a shared repository of network and asset data. However, more often than not, IT teams are struggling to keep the CMDB up-to-date, while security teams are saying that they need better data than their CMDB can provide them.

If you have a CMDB, the misconception is that you don't need additional capabilities for asset discovery. You'd rely on the CMDB's discovery module and leverage existing sources to populate the CMDB with data. This approach is only effective if you only care about managed IT assets, and you actually trust the data sources you're using. Unfortunately, for most organizations, nearly ⅓ of CMDB challenges stem from inconsistent data quality and incomplete asset inventory. Let's dig into these two challenges.

CMDB challenge #1: Inconsistent data quality

If you are relying on your CMDB to be the single source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.

CMDBs struggle with data quality because of how data is put into the system. There are a few methods of input, but the most commonly used are manual entry and authenticated active scanning. While authenticated active scans are relatively accurate for managed IT devices, they often misidentify the hardware.

Manual entry, on the other hand, does not scale and is prone to error. In fact, considering that 60% of data manually input by employees is inaccurate, it's not a huge surprise that CMDBs struggle to consistently get reliable and good quality data. So, what can you do about it?

CMDB challenge #2: Incomplete asset inventory

Most CMDBs have some type of discovery module that can perform authenticated scans against known assets and automatically update records. These discovery scans can cover a wide range of devices across your IT infrastructure–including virtual machines, servers, and storage systems. This approach is fine if you only care about managed IT assets, but what about the unknowns, like unmanaged assets? What about IoT and OT devices?

Security teams often tell us how much more useful CMDBs would be if they included unmanaged assets, as well as IoT and OT devices. These teams frequently find compromised assets that aren't listed in their CMDB, so they lack the context and details they need to act quickly when faced with critical security issues.

These days, you're likely dealing with a hybrid or fully remote workforce. The need for a comprehensive view of all assets–managed and unmanaged–is now more critical than ever if you ever hope to secure and manage them. CMDB-based discovery alone will not be enough to get you there. Active scanning on its own will miss devices that are not on your corporate network. You need a complete approach that leverages unauthenticated active scans as well as API integrations.

Trust the data in your CMDB

The good news: these challenges with data quality and completeness aren’t insurmountable. Since most CMDBs can ingest data from third-party vendors, it's just a matter of integrating with the right solution that can solve these challenges.

It's clear that the discovery capabilities native to CMDBs are not delivering the depth and breadth of information required. CMDBs rely on credential-based discovery, which can only identify managed assets. On top of that, supplying credentials to internal systems introduces unwanted security risks.

So, what can you do to uncover the gaps in your CMDB, while also enriching the assets you already know about? You can deploy a solution that combines API integrations with unauthenticated active discovery for a complete approach: this is the most effective approach for finding unmanaged assets and accurately fingerprinting assets. By leveraging additional discovery capabilities alongside your CMDB, you can ensure that you're covering your bases across managed and unmanaged assets. Managed assets get the benefit of being enriched with additional attributes, while unmanaged assets are identified and fingerprinted.
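To make the two gaps concrete, here is an added example (not runZero's code or API) that reconciles a CMDB export against unauthenticated discovery results. The record fields, the sample data, and the choice of MAC address as the matching key are all assumptions made for illustration.

```python
import re

# Constructed sample data; field names are assumptions, not a real CMDB or scanner schema.
CMDB = [
    {"name": "web01", "mac": "00-1A-2B-3C-4D-5E", "hw": "Dell PowerEdge R640"},
    {"name": "hr-laptop7", "mac": "001a.2b3c.4d5f", "hw": "Generic PC"},
    {"name": "old-nas", "mac": "00:1A:2B:3C:4D:60", "hw": "Synology DS218"},
]
DISCOVERED = [
    {"ip": "10.0.0.10", "mac": "00:1a:2b:3c:4d:5e", "hw": "Dell PowerEdge R640"},
    {"ip": "10.0.0.57", "mac": "00:1a:2b:3c:4d:5f", "hw": "Lenovo ThinkPad T14"},
    {"ip": "10.0.0.200", "mac": "00:1a:2b:3c:4d:99", "hw": "Axis IP Camera"},
    {"ip": "10.0.0.201", "mac": "not-a-mac", "hw": "Unknown"},
]

def norm_mac(value):
    """Strip common separators and return 12 lowercase hex digits, or None."""
    bare = re.sub(r"[:.\-\s]", "", value or "").lower()
    return bare if re.fullmatch(r"[0-9a-f]{12}", bare) else None

def reconcile(cmdb, discovered):
    """Compare CMDB records with discovery results, keyed on normalized MAC."""
    known = {norm_mac(r["mac"]): r for r in cmdb if norm_mac(r["mac"])}
    seen = set()
    report = {"unmanaged": [], "conflicts": [], "stale": [], "unmatched": []}
    for d in discovered:
        mac = norm_mac(d["mac"])
        if mac is None:
            report["unmatched"].append(d["ip"])    # cannot be keyed; review by hand
        elif mac not in known:
            report["unmanaged"].append(d["ip"])    # on the network, absent from the CMDB
        else:
            seen.add(mac)
            rec = known[mac]
            if rec["hw"] != d["hw"]:               # data-quality gap: hardware differs
                report["conflicts"].append((rec["name"], rec["hw"], d["hw"]))
    # CMDB entries never observed: retired, off-network, or recorded incorrectly.
    report["stale"] = [r["name"] for m, r in known.items() if m not in seen]
    return report

if __name__ == "__main__":
    for kind, items in reconcile(CMDB, DISCOVERED).items():
        print(kind, items)
```

Entries under `stale` are not necessarily wrong: as noted above, active scanning misses devices that are off the corporate network, so treat them as candidates for review rather than deletion.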

How runZero can bolster CMDB data quality and completeness

runZero is a cyber asset management solution that can help you build complete, comprehensive asset inventories of your managed and unmanaged assets on any type of network–corporate, cloud, or home–and in any type of infrastructure, IT or OT. Since runZero combines APIs with active scanning, doesn't require credentials, and has extensive fingerprinting capabilities, it can discover and identify a wider breadth of assets with much more depth. You can integrate runZero seamlessly with CMDBs, like ServiceNow, to enrich their data, or you can leverage runZero as a standalone asset inventory solution.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.


© Copyright 2024 runZero, Inc. All Rights Reserved