ITAM UK 2017 ITAM Risks in Cloud Era Eric Chiu & Ian Scille

  1. The ITAM Review UK Conference 2017: Managing ITAM Risks in the Cloud Era. Eric Chiu and Ian Scille
  2. Agenda
     •  Presenter introduction
     •  What does “Cloud” mean for ITAM?
     •  Licence compliance risks
     •  Other ITAM risks
     •  Three causes of “Cloud risks”
     •  Approaching ITAM risk management
     •  ISO 19770 in the Cloud era
     •  Q&A
  3. Eric Chiu, Director – Fisher IT Asset Consulting
     •  Part of H W Fisher & Company, a top-25 firm based in London
     •  10+ years’ experience in software licensing, contract compliance and IT risk advisory
     •  Managed compliance programmes for Tier 1 vendors
     •  Part of ISO Working Group 21 for ITAM standards
  4. Ian Scille, Independent ITAM Practitioner
     •  Independent ITAM practitioner with a broad range of experience across job sectors spanning 16 years
     •  Currently working with NFU Mutual delivering SAM service improvements
  5. About this workshop
     We plan to:
     •  Share observations on a number of ITAM risks in the Cloud era
     •  Trigger thoughts, discussions and debates
     •  Explore risk management approaches
     We do NOT plan to:
     •  Perform a full ITAM risk mapping for Cloud
     •  Provide prescriptive risk management solution(s), even if there is one!
  6. Cloud & ITAM
  7. The business case for Cloud
     The “Cloud” movement shifts power from traditional IT to the business and end users.
     •  Accessible – lower entry cost and committed spend
     •  Agile – rapid launch of applications, services and capacity
     •  Automated – simpler configuration, often more user friendly
     •  Available – less downtime, often better QoS
     But what does this mean for risk-aware IT Asset Managers?
  8. Shifting IT Assets to the Cloud: IaaS, PaaS, SaaS
  9. Cloud-era ITAM Risks and Causes (overview map; the original slide is a diagram with risks arranged along an Organic / Inherited axis)
     Licence compliance risks: Excess Deployment; Virtualisation Non-compliance; User Access & Roles; Indirect Access; Version Compliance; Usage Authorization; Shadow Assets; Real-time Exposure
     Other ITAM risks: Over-spending; IP / Open Source Compliance; GDPR
     Causes: Asset Ownership and Management Responsibility; Data Quality & Accessibility; Supply Chain ITAM Readiness
  10. Licence Compliance Risks
  11. Excess Deployment
     Example licence metrics: Instance / Install; Device / Computer
     Traditional risk management methods:
     •  Endpoint lock-down
     •  Automated software discovery implementation
     Additional risk considerations:
     •  Control over personal / third-party devices
     •  Compatibility and integration of software discovery in PaaS/IaaS
  12. Virtualisation
     Example licence metrics: CPU / Core / Processor; Core Factor, Processor Value Units
     Traditional risk management methods:
     •  Automated hardware discovery implementation
     •  CI relationship recording / CMDB integration
     Additional risk considerations:
     •  Eligible virtualisation technology and architecture
     •  Consumption measurement variations
     •  Compatibility and integration of hardware discovery in PaaS/IaaS
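The “eligible virtualisation technology” and “consumption measurement variations” points above are where processor-metric compliance usually goes wrong: a discovery tool that reads only guest vCPUs reports a much smaller number than a vendor that counts every physical core a VM could migrate to. The following is an added example written for this page, not code from the presenters or any vendor; the core factors, the set of hypervisor modes treated as eligible hard partitioning, and the host/VM inventory are all constructed assumptions, not any vendor's actual terms.

```python
# Added example (editor's illustration, not from the slides or any vendor's
# terms): how the same VM estate counts differently under a processor-based
# licence metric depending on whether the virtualisation is an "eligible"
# (hard) partition. Core factors, the eligible-technology list and the
# inventory are constructed assumptions.
import math
from dataclasses import dataclass

# Assumed core factors per CPU family (placeholder values, not a vendor table).
CORE_FACTOR = {"x86_64": 0.5, "power": 1.0}

# Assumed set of hypervisor modes treated as eligible hard partitioning.
HARD_PARTITION = {"lpar_capped"}


@dataclass
class Host:
    name: str
    cpu_family: str
    cores: int        # physical cores
    cluster: str      # VMs may migrate to any host in the same cluster
    hypervisor: str


@dataclass
class VM:
    name: str
    host: str
    vcpus: int        # cores pinned to the VM when hard-partitioned
    licensed_product: bool = True


def host_licences(host: Host) -> float:
    """Processor licences needed to cover every physical core on one host."""
    return host.cores * CORE_FACTOR[host.cpu_family]


def naive_vcpu_count(hosts: list, vms: list) -> int:
    """What a tool reading only guest vCPUs would report (the common mistake)."""
    by_name = {h.name: h for h in hosts}
    total = sum(vm.vcpus * CORE_FACTOR[by_name[vm.host].cpu_family]
                for vm in vms if vm.licensed_product)
    return math.ceil(total)


def required_licences(hosts: list, vms: list) -> dict:
    """Licences under the assumed rule: hard partition => pinned cores only;
    soft partition => every physical core of every host in the cluster."""
    by_name = {h.name: h for h in hosts}
    total, counted_hosts, detail = 0.0, set(), {}
    for vm in vms:
        if not vm.licensed_product:
            continue
        host = by_name[vm.host]
        if host.hypervisor in HARD_PARTITION:
            n = vm.vcpus * CORE_FACTOR[host.cpu_family]
            detail[vm.name] = f"hard partition: {vm.vcpus} pinned cores -> {n} licences"
            total += n
        else:
            # Soft partition: every host the VM could land on is licensed, once.
            for h in hosts:
                if h.cluster == host.cluster and h.name not in counted_hosts:
                    counted_hosts.add(h.name)
                    total += host_licences(h)
            detail[vm.name] = f"soft partition: whole cluster {host.cluster} counted"
    return {"licences": math.ceil(total), "detail": detail}


# Constructed inventory: a three-host vSphere cluster plus one capped LPAR.
SAMPLE_HOSTS = [
    Host("esx01", "x86_64", 16, "prod-cluster", "vsphere"),
    Host("esx02", "x86_64", 16, "prod-cluster", "vsphere"),
    Host("esx03", "x86_64", 16, "prod-cluster", "vsphere"),
    Host("pwr01", "power", 16, "power-frame", "lpar_capped"),
]
SAMPLE_VMS = [
    VM("db-prod-01", "esx01", 2),
    VM("db-prod-02", "pwr01", 4),
    VM("web-01", "esx02", 8, licensed_product=False),  # runs no licensed software
]

if __name__ == "__main__":
    print("naive vCPU count:", naive_vcpu_count(SAMPLE_HOSTS, SAMPLE_VMS))       # 5
    print("required:", required_licences(SAMPLE_HOSTS, SAMPLE_VMS)["licences"])  # 28
```

The gap between 5 and 28 comes entirely from the cluster rule: a two-vCPU database VM on a soft-partitioned cluster pulls all 48 physical cores of the cluster into scope. This is why hardware discovery and CMDB relationship data (which hosts form a cluster, which hypervisor mode is in use) matter more than the guest's own view, and why the same question has to be re-asked when the hosts belong to an IaaS provider whose cluster layout you cannot see.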
  13. User Access & Licensed Roles
     Example licence metric: Administrator / Standard / Professional / Limited
     Traditional risk management methods:
     •  Role-based access control
     •  Licensing server
     •  Access & usage review
     Additional risk considerations:
     •  ID sharing
     •  Consumed-first / soft-cap model
     •  Complex SaaS metrics and reporting
  14. Indirect Access
     Example licence metrics: Authorized User / Named User / Employee
     Traditional risk management methods: very limited
     Additional risk considerations:
     •  Definition of ‘access’ in the EULA / CSA
     •  Visibility of system and access architecture; identifying multiplexed / concentrated usage
     •  On-premise application service accounts linking to Cloud-based users
  15. Version Compliance
     SaaS often advocates a continuously updating principle, either via technical delivery (i.e. hosted apps) or via licensing agreement restrictions:
     •  Microsoft Office 365 downgrade restrictions
     •  Compatibility restrictions with legacy systems
  16. Access Authorization
     Mobility vs. authorised access examples:
     •  Authorised geos
     •  Authorised devices (corporate / BYOD)
     •  Authorised business units / departments
     •  Authorised access time & frequency
     Is your ITAM practice monitoring / tracking these restrictions?
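Slides 13 and 16 both come down to the same operational question: can you run the vendor's contractual restrictions against the access records you actually hold? The following added example, written for this page and not taken from the presenters, does that over a constructed SaaS access log. The log format, the purchased role counts, the allowed-country clause, the business-hours window and the 30-minute ID-sharing heuristic are all assumptions chosen for illustration.

```python
# Added example (editor's illustration, not from the slides): checking SaaS
# access records against licensed-role counts, ID sharing and authorised-access
# clauses. Log format, entitlements and clauses are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, licensed role, source country,
# device class, department.
SAMPLE_LOG = """\
2017-05-02T08:15:00 alice Professional GB corporate Finance
2017-05-02T08:20:00 bob Standard GB byod Sales
2017-05-02T08:25:00 alice Professional US corporate Finance
2017-05-02T09:00:00 carol Administrator GB corporate IT
2017-05-02T22:30:00 dave Standard DE corporate Sales
2017-05-02T10:00:00 erin Professional GB corporate Finance
2017-05-02T10:05:00 frank Professional GB corporate Finance
"""

ENTITLEMENT = {"Administrator": 1, "Professional": 2, "Standard": 5}  # assumed purchased counts
ALLOWED_COUNTRIES = {"GB"}                 # assumed "authorised geos" clause
BUSINESS_HOURS = (7, 20)                   # assumed authorised window, hours [start, end)
SHARING_WINDOW = timedelta(minutes=30)     # two countries for one ID inside this => suspected sharing


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, user, role, country, device, dept = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "country": country, "device": device, "dept": dept})
    return events


def named_users_by_role(events: list) -> dict:
    """Named-user consumption per licensed role: distinct IDs, not logins."""
    users = defaultdict(set)
    for e in events:
        users[e["role"]].add(e["user"])
    return {role: len(ids) for role, ids in users.items()}


def role_overages(events: list) -> dict:
    """Roles where distinct users exceed the purchased count (consumed-first exposure)."""
    return {role: n - ENTITLEMENT.get(role, 0)
            for role, n in named_users_by_role(events).items()
            if n > ENTITLEMENT.get(role, 0)}


def suspected_shared_ids(events: list) -> list:
    """IDs seen from two countries within SHARING_WINDOW, ordered by time."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= SHARING_WINDOW:
                flagged.add(user)
    return sorted(flagged)


def unauthorised_access(events: list) -> list:
    """Events breaching the assumed geo or time-of-access clauses."""
    findings = []
    for e in events:
        reasons = []
        if e["country"] not in ALLOWED_COUNTRIES:
            reasons.append("geo")
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            reasons.append("time")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("roles consumed:", named_users_by_role(evs))
    print("overages:", role_overages(evs))            # {'Professional': 1}
    print("shared IDs:", suspected_shared_ids(evs))   # ['alice']
    print("unauthorised:", unauthorised_access(evs))
```

Note that the overage is computed on distinct named users, which is what a named-user metric bills on; login counts would understate it. The ID-sharing heuristic is deliberately crude (country change inside a short window) because that is the signal most SaaS audit exports can support; a vendor audit will typically rely on exactly this kind of evidence, so an ITAM function that cannot run it is already behind.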
  17. Shadow Assets
     It is now a lot easier for end users or departments to bypass rigorous IT controls:
     •  Credit-card sign-ups and click-through agreements
     •  Management of Test/Dev environments (e.g. AWS/Azure)
     •  Adobe Cloud – shared usernames
     •  Personal Cloud subscriptions
  18. Real-time Compliance Exposure
     True-up vs. pay now:
     •  It may no longer be an annual true-up or an ad hoc exercise
     •  Usage, including accidental / unintentional usage, is fully recorded and often billed regularly upon consumption
     •  Complex billing is often not understood and is hard to ‘crack down’ on
  19. Other ITAM Risks
  20. Overspending
     You can easily spend more than planned:
     •  Microsoft Dynamics CRM – no hard restrictions
     •  Office 365 overspending: regulatory obligations to retain data for a certain period of time; starters and leavers
     •  SAP: multiple levels / types of licences (buying higher types than needed)
     Total cost of software licence ownership > 3 years?
  21. IP / Open-source Compliance
     Does your in-house developed code comply with Open Source licence agreements?
     •  Modern application development relies heavily on third-party / Open-source code (e.g. Ruby on Rails, Nginx, MongoDB)
     •  Open-source does not mean free:
        •  Requirement to release source code
        •  Permission to modify
        •  Permission to redistribute
     •  Agile development means faster release cycles yet less planning and control over code
     •  Source code is often stored in the Cloud (e.g. GitHub), which ITAM often does not have access to
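The slide's question (“does your in-house code comply?”) can only be answered per component and per distribution model: a copyleft licence that triggers when you ship a binary may not trigger for internal use, while a network-copyleft licence can trigger for a SaaS deployment that ships nothing. The following added example, written for this page and not from the presenters, shows the shape of that check over a dependency inventory. The SBOM fragment is constructed (a CycloneDX-like shape, not a real export) and the obligation table is a simplified assumption for illustration, not legal advice.

```python
# Added example (editor's illustration, not from the slides): a policy check
# over a dependency inventory that answers the slide's question per component
# and per distribution mode. The SBOM fragment is constructed (CycloneDX-like
# shape) and the obligation table is a simplified assumption, not legal advice.
import json

# Constructed inventory; licence ids are SPDX identifiers.
SAMPLE_SBOM = json.dumps({"components": [
    {"name": "rails", "version": "5.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "nginx", "version": "1.12.0",
     "licenses": [{"license": {"id": "BSD-2-Clause"}}]},
    {"name": "mongodb", "version": "3.4.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "readline", "version": "7.0",
     "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    {"name": "leftpad", "version": "1.1.3", "licenses": []},   # nothing declared
]})

# Assumed, simplified obligation table keyed by SPDX identifier:
#   source_release       -> distributing a binary obliges releasing corresponding source
#   network_use_triggers -> serving the software over a network triggers the same
POLICY = {
    "MIT":              {"source_release": False, "network_use_triggers": False},
    "BSD-2-Clause":     {"source_release": False, "network_use_triggers": False},
    "GPL-3.0-or-later": {"source_release": True,  "network_use_triggers": False},
    "AGPL-3.0-only":    {"source_release": True,  "network_use_triggers": True},
}

DISTRIBUTION_MODES = {"internal", "saas", "binary"}


def evaluate(sbom_json: str, distribution: str) -> dict:
    """Return {'obligations': [(component, licence, action)], 'review': [(component, reason)]}."""
    if distribution not in DISTRIBUTION_MODES:
        raise ValueError(f"unknown distribution mode {distribution!r}")
    obligations, review = [], []
    for comp in json.loads(sbom_json)["components"]:
        name = f"{comp['name']}@{comp['version']}"
        ids = [entry["license"].get("id") for entry in comp.get("licenses", [])
               if "license" in entry]
        if not ids:
            # Undeclared licence is the most common finding and needs a human.
            review.append((name, "no licence declared"))
            continue
        for lic in ids:
            rule = POLICY.get(lic)
            if rule is None:
                review.append((name, f"unrecognised licence {lic}"))
            elif distribution == "binary" and rule["source_release"]:
                obligations.append((name, lic, "ship corresponding source with the binary"))
            elif distribution == "saas" and rule["network_use_triggers"]:
                obligations.append((name, lic, "offer source to users interacting over the network"))
    return {"obligations": obligations, "review": review}


def obligated_components(sbom_json: str, distribution: str) -> list:
    """Just the component names that carry an obligation in the given mode."""
    return [name for name, _, _ in evaluate(sbom_json, distribution)["obligations"]]


if __name__ == "__main__":
    for mode in ("internal", "saas", "binary"):
        print(mode, evaluate(SAMPLE_SBOM, mode))
```

Two things the output makes concrete: the same inventory yields no obligations for internal use, one for a SaaS deployment (the network-copyleft component) and two when a binary is shipped; and the component with no declared licence never reaches the obligation list at all, which is exactly the gap the slide warns about when ITAM has no access to the repository and cannot see what was pulled in.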
  22. GDPR & ITAM
     “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
     Restrictions on data transfer outside of the EU:
     •  What data am I collecting for ITAM?
     •  Where are my servers and back-ups?
     •  Where are my Cloud Service Provider’s servers?
     •  Where can users access my data?
  23. Any Other ITAM Risks Impacted by Cloud?
  24. Three Causes of “Cloud Risks”
  25. IT Asset Ownership and Management Responsibility
     Under hybrid ownership of IT assets, the management and reporting responsibility boundaries are often inadequately defined between companies and their ISPs/CSPs:
     •  Software contract management and review
     •  Access provisioning
     •  Application deployment and change
     •  Hardware deployment and change
     “ITAM obligation definitions are often within a small paragraph, or at best a single page, within a multi-million pound IT Outsourcing / Cloud Service Agreement”
  26. Data Quality & Accessibility
     Now that the infrastructure and other moving parts are hosted by someone else, do you still have access to the good-quality data needed for effective ITAM?
     •  What kind of access do you have to the data?
     •  The data owner may not allow full access to the data, as it can be shared with other clients
     •  For the parts of the data you do have access to, do they satisfy your ITAM requirements?
  27. Supply Chain ITAM Readiness
     ISPs/CSPs often do not possess an adequate level of ITAM maturity:
     •  ISPs’/CSPs’ typical one-size-fits-all delivery model
     •  Responsibilities split between multiple ISPs/CSPs; lack of ownership
     •  Lack of access to the organisation’s internal data required for ITAM
  28. In other words … why ITAM can be trickier in the Cloud era
     •  Some assets are yours and some are not; you do not always know what you need to manage and what should be managed by your ISPs/CSPs
     •  If you attempt to take on ITAM on your own, you may not have access to the required data at the required quality
     •  If your ISPs/CSPs attempt to deliver ITAM for you on their own, they may not possess the required ITAM maturity or data access
  29. Approaching ITAM Risks
  30. ITAM Risk Management Strategy
     Based on the ISO/IEC 27005 IT risk management methodology:
     •  Context establishment
     •  Risk assessment
     •  Risk treatment
     •  Risk acceptance
     •  Monitoring & review
     •  Communication
  31. ITAM RM 1: Context Establishment
     Articulate the ITAM business case:
     •  Interfaces to the latest legal / regulatory requirements
     •  Identify the business value of addressing risks
     •  Who are the stakeholders, and what are their expectations?
  32. ITAM RM 2: Risk Assessment
     Identify, estimate and evaluate risk:
     •  Data availability assessment (what data?)
     •  “Old school” licence compliance internal audit / baseline
     •  CSP/ISP contract review
  33. ITAM RM 3: Treatment / Acceptance
     Reduce / avoid / transfer / accept risk:
     •  Re-define the scope of ITAM
     •  Evaluate the change requirements for risk reduction / avoidance:
        •  Process
        •  People / Knowledge
        •  Data
        •  Technology
     •  Can you transfer ITAM risks to the ISP/CSP?
     •  Can you, or will you, accept ITAM risks?
  34. ITAM RM 4: Monitoring, Review & Communication
     Ongoing management of risks:
     •  Fire-fighting vs. continuous monitoring
     •  Is ITAM risk part of your IT risk management plan?
     •  Communicate results to maintain stakeholder buy-in
  35. ITAM Risk Psychology
     A typical sequence of reactions: “Just received a $10M penalty” → “This is not fair, we should negotiate this down” → “Our ISP caused the problem” → “We need stronger controls & better ITAM” → “Should probably have read the contract”
  36. ISO 19770 in the Cloud Era
  37. ISO WG21 Activities
     New study group initiatives:
     •  ITAM in a Continually Updated Endpoint Environment (“ICUE”)
     •  ITAM in a Cloud-Enabled Environment (“ICEE”)
     New standard:
     •  ISO 19770-4 Resource Utilisation Tag – to be published soon
     Proposed standard:
     •  ISO 19770-6 Device Management – to address increasingly challenging devices and device relationships in Cloud / IoT
  38. Questions?
  39. Thank You