ITAM vs CMDB – adversaries or a team?
18.08.2025

Ruslan Rakhmetov, Security Vision


Each of us is, to one degree or another, an organizer of the asset management process: we keep warranty cards for TVs, remember the date of purchase of smartphones and know which charging cable fits which device. On a personal scale, this is easy, but if you imagine a company with 10,000 employees, each of whom has a laptop, a phone, multiple software subscriptions and access to dozens of cloud services, this is no longer a simple list, but a complex, interconnected and chaotic digital ecosystem. This is the problem space in which IT management systems operate.


In this article, we'll look at asset management as the work of two critical but different "think tanks": IT Asset Management (ITAM) and the Configuration Management Database (CMDB). The former, like a meticulous financial controller, knows the cost and life cycle of each element, while the latter is like a chief systems engineer who has a complete diagram of how all these elements are connected and work together.


The idea of tracking valuables is as old as civilization itself. From the ancient Egyptians, who kept records of grain harvests in warehouses and statues of gods in temples, to medieval Italian bankers like the Medici family, who managed wealth with ledgers, asset management has been a fundamental business practice, important to any government, business, or household.


In the past, assets were more isolated and static, whereas today, with the advent of cloud, microservices, and SaaS applications, everything is connected to everything. This creates a non-linear increase in complexity, where managing 100 assets is not only twice as difficult as managing 50, but also twice as complex. As a company adopts more cloud and interconnected technologies, the value of a single control center grows exponentially, which is key for strategic planning.


IT Asset Management (ITAM) is a business practice of managing assets throughout their entire lifecycle, from planning and procurement to decommissioning and disposal. This process helps to maximize the value of assets, control costs, and support strategic decision-making by tracking various data. Moreover, many SGRC processes, such as risk management or business continuity, work truly effectively only in conjunction with the company's IT landscape map, which is built through AM work.


Imagine a large city library. The librarian's job (the ITAM process) is to manage the entire collection of books (the books in this example are assets). She knows what books are in stock (inventory), when each book was purchased, how many times it has been borrowed, whether it needs repair, and when it is time to write it off due to wear and tear (asset life cycle management), and she understands the difference between fiction and encyclopedias (classification, putting assets "on the shelves").


A Configuration Management Database (CMDB) is a repository that stores data about configuration items (CIs), i.e. components such as servers, applications, and network devices that need to be managed to deliver IT services. It also manages the relationships and dependencies between them, providing a logical model of the IT infrastructure to support operational processes such as incident, problem, and change management.


Now imagine the chief engineer of a complex power system whose blueprint (the CMDB) not only lists all the transformers and transmission lines (these are assets, like books in a library), but also shows how they are all connected. It shows which power plant serves which areas, how power is rerouted during an outage, and how adding a new plant to the grid will affect all the other customers. Configuration items (CIs) have a narrower focus than assets: a server is both an asset (the librarian tracks its cost and warranty) and a CI (the engineer maps its connections to the network and applications). However, an office desk or a massage chair, while an asset, is not a CI because it has no technical configuration or dependencies that impact IT services. This simple rule perfectly separates the responsibilities of the two processes.


In company terms, a laptop is an ITAM-managed asset, but its operating system, installed software, and connection to the corporate network are all configuration items that are managed within the CMDB.


Let's fast forward to the 90s, when the personal computer revolution flooded businesses with a new type of asset: digital devices. At first, simple spreadsheets were used for accounting, but as the amount of hardware, software, and networks grew, these manual systems became ineffective, leading to “ghost assets” (assets listed on the balance sheet but not physically present) and general chaos. These pressures led to the formation of a formal asset management discipline and the development of specialized software to automate the process.


At the same time, another problem was brewing: IT services were becoming business-critical, but they were also unstable. A small, undocumented change on one server could cause an entire application to crash. To address this problem, the UK government developed the Information Technology Infrastructure Library (ITIL), which had configuration management as its core concept and the CMDB as its cornerstone: a central repository designed to track not just assets but their configurations and relationships to bring order and control to IT operations. The CMDB was thus born out of a need for operational, rather than financial, control.


The separate historical paths of ITAM (which grew out of finance and inventory) and CMDB (which grew out of IT operations and engineering) explain why today they are often managed by different teams, have different key performance indicators (KPIs), and why conflicts sometimes arise between them:

   - ITAM is primarily focused on cost savings (financial goal);

   - The CMDB is focused on uptime (operational goal).


Historically, ITAM teams reported to the CFO, accounting, or CIO, focusing on budget, while CMDB teams reported to the operations manager, focusing on service availability. This disconnect created two different cultures and value systems within IT.


Let's look at the five stages of an asset's life using a real-world example, such as a fleet of corporate laptops:

   1) planning, or deciding on a standard laptop model for the sales department;

   2) purchasing, negotiating a wholesale discount with the supplier;

   3) deployment, i.e. issuing laptops to new employees and tracking them in the system;

   4) maintenance, warranty monitoring and repair planning;

   5) decommissioning, including secure data erasure and recycling of old laptops, possibly with subsequent sale for partial reimbursement of cost.


ITAM tools prevent both overlicensing (buying too many laptops) and underlicensing (risking huge fines during audits) by tracking installed software and matching it with purchase records to ensure software license management (SLM) and track the impact on the bottom line (ROI).


Organizations that systematically manage the lifecycle of their IT assets cut costs per asset by 30% during the first year and 5-10% annually over the next five years. Companies can reduce their SaaS costs by 25%, or save an average of over $20,000 per year on the software contract alone. Almost 50% of installed software is not used, which represents a huge drain on budget funds.


The CMDB goes far beyond a simple inventory list, discovering servers, databases, and applications and showing their dependencies. For example, Application A runs on Server X, uses Database Y, and connects via Switch Z. This can be represented as a visual dependency diagram (in Security Vision Asset Management (AM), in the form of interactive connection graphs).


When a change is proposed to Server X, the CMDB can instantly show that Application A will be affected. This allows teams to plan for downtime or abandon the change if the risk is too high.


So, asset management provides financial information about assets, while the CMDB provides technical and operational analytics. These are two different but equally important sources of data, which, taken separately, are incomplete. A decision based on just one of them would be made blindly: for example, ITAM knows that a server goes out of warranty next month, but the CMDB knows that this server is running a mission-critical customer application.


Without ITAM data, the operations team may not prioritize replacing a server until it fails, causing a major outage.


Without CMDB data, the finance department may decide not to renew an expensive warranty to save money, without realizing the catastrophic consequences to the business if that particular server fails.
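The impact analysis and the warranty decision described above can be combined in one query. The following is an added example, not code from Security Vision or any product: it walks the CMDB dependency graph from the article (Application A, Server X, Database Y, Switch Z) and joins it with ITAM warranty dates. Server Q, Server R, Application B, all dates and the criticality flag are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed CMDB edges: (configuration item, CI it depends on).
# The first three come from the article's example; the rest are hypothetical.
CMDB_EDGES = [
    ("Application A", "Server X"),
    ("Application A", "Database Y"),
    ("Application A", "Switch Z"),
    ("Database Y", "Server Q"),
    ("Application B", "Server R"),
]
CRITICAL_CIS = {"Application A"}  # constructed: mission-critical services

# Constructed ITAM records: asset -> warranty end date.
ITAM_WARRANTY = {
    "Server X": date(2025, 9, 10),
    "Server Q": date(2025, 9, 20),
    "Server R": date(2025, 9, 5),
    "Switch Z": date(2027, 1, 1),
    "Office desk": date(2025, 9, 1),  # an asset, but not a CI
}

def impacted_by(ci, edges=CMDB_EDGES):
    """Return every CI that depends on `ci`, directly or transitively."""
    dependents = defaultdict(set)
    for item, needs in edges:
        dependents[needs].add(item)
    seen, queue = set(), deque([ci])
    while queue:
        for parent in dependents[queue.popleft()]:
            if parent not in seen:  # also guards against dependency cycles
                seen.add(parent)
                queue.append(parent)
    return seen

def warranty_risks(today, horizon_days=30):
    """Assets whose warranty ends within the horizon, with the critical CIs they support."""
    report = []
    for asset, ends in ITAM_WARRANTY.items():
        days_left = (ends - today).days
        if 0 <= days_left <= horizon_days:
            critical = sorted(impacted_by(asset) & CRITICAL_CIS)
            report.append((asset, days_left, critical))
    # Assets backing critical services first, then by time remaining.
    return sorted(report, key=lambda r: (not r[2], r[1]))

if __name__ == "__main__":
    for asset, days, critical in warranty_risks(date(2025, 8, 18)):
        print(f"{asset}: {days} days left, critical services: {critical or 'none'}")
```

Server Q shows why the graph walk must be transitive: it hosts no application directly, yet it appears as critical once its warranty date falls inside the horizon, because Database Y depends on it.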


True strategic decision making is only possible when these two processes are combined, so when choosing a truly effective asset and configuration management automation system, it is important to consider both components of the process.
