CMDB discovery tools alone aren't the answer
CMDB discovery tools have been around for quite a long time because the need for them is pretty obvious.
Organizations are generally understaffed to do the daily work. Many just do not staff to continuously validate the IT environment they support. So this makes for an ideal climate to promote and hype the capabilities of the silver bullet to everyone’s problems: the installation of the almighty and all-knowing configuration management database (CMDB) discovery tool. The problem with this, of course, is that it is not the solution to all your problems. It can in fact cause even greater problems if you’re not careful and instead blindly buy into the trifold glossy literature.
Value and danger
CMDB discovery tools can provide lots of value. Arriving at the wrong destination faster is also possible if your goal is not clearly understood or the wrong tool is implemented. Imagine purchasing a vehicle for a race that you weren’t told the exact details of. Your purchase of a brand-new, top-of-the-line street racing automobile will be ineffective if the race is on an off-road desert course. This revelation doesn’t diminish the capabilities and engineering of the top-line street racer, but it virtually ensures that you have nearly no chance to win the race you are entering.
The same holds true for asset discovery technologies. You have to have the right tool for the job you’re trying to accomplish. You also need to fully comprehend what it can and cannot do. Also vital to your success is to understand what it really provides you. Installing and then setting free a CMDB discovery tool to just collect every piece of data it sees in the environment is not your objective. You already have volumes of data that you don’t know what to do with. Adding more data to your confused mess is not going to help your organization grow and prosper.
Awareness
How you act, or fail to act, on this new volume of data is important. You need to remember that the data coming from these technologies is not verified. The technology is simply performing a collection activity as requested and sometimes there is corruption midstream. There is no way in real time to truly detect and/or identify this. The discovery tool generates and updates data without manual intervention or analysis. If this data is overwriting your “gold” CMDB copies, you could potentially corrupt all your operational data in a matter of minutes and nobody would know.
The corrupted data will be consumed and disseminated without awareness. It could be hours, days or even weeks before anyone becomes aware of it. The average duration before a security breach is detected is nearly eight months, according to Matt Loeb from ISACA. It is reasonable to assume that corrupted data could exist for months as well. How many business decisions could be made during this time frame?
Verification
You need to recognize that the technologies can only tell you “what it is”. They cannot tell you “what it should be”. CMDB discovery will report an unauthorized change to a router’s security settings as is. It will then update the data records and continue on its way. There is no awareness or notification that the updated data originated as an unauthorized change. Without a manual or automated mechanism in place to detect this, you are making your organization vulnerable to a breach. The duration of your vulnerability is unknown. This whole time, your environment may have been breached while you continued on with your normal daily activities thinking that everything is secured.
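One shape the automated mechanism could take, as an added example that is not from the original article or any discovery product: a reconciliation step that compares each scan against the gold records and the approved change tickets, applies only approved changes, and holds everything else for review instead of overwriting. The CI names, attribute names, ticket id and record layout are all assumptions made for the illustration.

```python
# Constructed sample data: CI names, attributes and the ticket id are illustrative.
GOLD = {
    "rtr-edge-01": {"os_version": "15.2", "telnet_enabled": False, "ssh_version": "2"},
    "sw-core-02": {"os_version": "9.3", "telnet_enabled": False},
}
APPROVED_CHANGES = [  # assumed export from the change-management system
    {"ci": "rtr-edge-01", "attribute": "os_version", "new_value": "15.4",
     "ticket": "CHG-EXAMPLE-0001"},
]
DISCOVERED = {  # one discovery scan ("what it is")
    "rtr-edge-01": {"os_version": "15.4", "telnet_enabled": True, "ssh_version": "2"},
    "sw-core-02": {"os_version": "9.3"},        # attribute lost midstream
    "unknown-host-9": {"os_version": "1.0"},    # never approved into the CMDB
}


def reconcile(gold, discovered, approved):
    """Apply only approved changes to a copy of gold; report everything else."""
    tickets = {(c["ci"], c["attribute"], c["new_value"]): c["ticket"] for c in approved}
    updated = {ci: dict(attrs) for ci, attrs in gold.items()}
    findings = []
    for ci, seen in sorted(discovered.items()):
        if ci not in gold:
            findings.append((ci, None, "unknown_ci"))
            continue
        for attr in sorted(gold[ci].keys() | seen.keys()):
            if attr not in seen:
                # Incomplete scan data never erases a gold value.
                findings.append((ci, attr, "missing_in_scan"))
            elif seen[attr] != gold[ci].get(attr):
                if (ci, attr, seen[attr]) in tickets:
                    updated[ci][attr] = seen[attr]
                    findings.append((ci, attr, "approved_change"))
                else:
                    # Gold keeps "what it should be"; a person reviews the drift.
                    findings.append((ci, attr, "unauthorized_drift"))
    for ci in sorted(gold.keys() - discovered.keys()):
        findings.append((ci, None, "not_discovered"))
    return updated, findings


if __name__ == "__main__":
    new_gold, report = reconcile(GOLD, DISCOVERED, APPROVED_CHANGES)
    for ci, attr, kind in report:
        print(f"{kind:20} {ci} {attr or ''}")
```

The router's operating system upgrade is accepted because a ticket covers it, while the telnet change on the same device is reported and the gold record keeps its approved value.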
The point I’m trying to make is that there is value in CMDB discovery technologies, but you must be smart. It is a tool that you can and should use to help solve some challenges. It is not, however, a silver bullet that will solve problems for you. Use this and other tools like it to enhance your capabilities, not shirk your responsibilities. It’s your responsibility to get the complete and accurate IT estate data to those in need, whether you use discovery or not. Don’t blame the tool for a decision you made in using it. Be sure to put processes, procedures, and governance in place to support these technologies if you want to succeed.