The fast pace of digitization has brought issues such as data privacy, security, and regulatory compliance to the forefront of enterprise decision-making. Regulators around the world are tightening requirements around how consumer data is used, stored, transmitted, and shared, to provide individuals with greater protections. From the General Data Protection Regulation (GDPR), which was passed in 2018, to the California Privacy Rights Act, which took effect in 2023, regulators are signaling that organizations need to evolve advertising, marketing, and other business practices to be privacy-first and centered around consumer consent.
So, how does this affect data center management? Quite a bit, as it turns out. Data centers house IT devices that support applications and business processes that use consumer data. As a result, being able to pinpoint which devices enable key processes, where that data is stored, and how it is used is invaluable information that can be used for regulatory compliance.
Modern configuration management databases (CMDBs) provide automated IT discovery and dependency mapping, helping internal teams streamline regulatory compliance processes. CMDBs provide a current and historical picture of all hardware, software, and virtualized assets, showing when they were deployed, what they support, and any changes and configurations that were made to them. This information, along with classification data, owners, and other variables such as custom metadata tagging, is captured as configuration items (CIs). CIs are the building blocks of CMDBs and provide the granular insights organizations need to meet internal auditing, customer, and IT compliance requirements.
Understanding Regulatory Compliance Requirements
Enterprises are often global, digital, and vertically aligned. As such, they need to meet regional regulations in the geographic areas they serve, as well as industry regulations that impact either business units or the entire organization.
Common regulations in the U.S. and European Union include:
- General Data Protection Regulation (GDPR), which governs the use, processing, and storage of data of residents of the European Union and European Economic Area.
To ensure GDPR compliance, organizations audit their own practices to ensure they are transparent and have a lawful basis, ensure the security of consumer data that is used, provide accountability and governance, and protect individuals’ privacy rights.
- Health Insurance Portability and Accountability Act (HIPAA), which controls how organizations collect and use information in all forms and hold and transfer electronic data.
To meet HIPAA compliance requirements, covered entities must abide by its Privacy Rule and Required Disclosures. In addition, these organizations must “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.”
- Payment Card Industry Data Security Standard (PCI DSS), which states its goal is “to protect cardholder data and sensitive authentication data wherever it is processed, stored, or transmitted.”
To ensure PCI-DSS compliance, credit and debit card payment processors must meet 12 requirements to ensure the compliance of their data security programs.
In a recent blog, we did a deep dive on compliance standards, analyzing how next-generation CMDBs help enterprises meet a wide range of regulatory requirements and industry best practices. These standards include CIS Critical Security Controls, Federal Information Processing Standard Publication 140-2 (FIPS 140-2), the Federal Risk and Authorization Management Program (FedRAMP®), and International Organization for Standardization (ISO) 27001, as well as GDPR, HIPAA, and PCI DSS. That blog cautions on risks to watch out for as well as best practices to adopt.
In this blog, we will cover how automated IT discovery for compliance can streamline critical processes, protecting enterprises from regulator censure and fines, data breaches, and negative media, all of which can harm customer relationships and revenues.
Implementing and Managing a CMDB: Security and Compliance Considerations
The Interdependent Relationship Between IT Discovery and Compliance
As businesses, networks, and regulations grow, teams are using automated IT discovery to identify, monitor, and manage all devices. There frankly is no other way to meet these requirements, given the fast pace of change. New devices are constantly being deployed across hybrid cloud infrastructures, and global teams are frequently changing and configuring them.
CMDBs that provide automated IT discovery capabilities can help enterprises meet all of their compliance risk management requirements. They provide high-integrity data and current monitoring and compliance reporting capabilities. Teams that use CMDBs document all processes and record time- and date-stamped changes, which creates trust with internal audit teams, regulators, and other decision makers.
As the chart from Navex below depicts, only one-third of organizations currently have a mature risk and compliance function, with 21% of these leaders saying they are managing it well, while 17% say they are optimizing it. As a result, many teams would benefit from using a CMDB to rapidly evolve compliance monitoring and reporting capabilities, providing insights into IT management practices and device and process risks that teams can proactively address.
Exceptional regulatory compliance capabilities can become a source of strength. Compliance risk management maturity can be used by enterprises to win new customers and partners, protect the business, and avoid debilitating regulatory fines. GDPR, for example, fines organizations up to four percent of annual turnover for significant compliance violations. Thus far, regulatory authorities have issued fines totalling €2.34 billion, including €746 million assessed against Amazon and €405 million and €390 million assessed against Meta. Leaders know that avoiding fines of this nature is critical to protecting and growing their businesses.
7 IT Discovery Best Practices for Compliance
So, how can you move forward with implementing IT discovery and what challenges do you need to overcome to be successful?
- Commit to automation: If you use manual processes, such as spreadsheets, to track asset data it’s likely time to trade up to a CMDB like Device42 that provides both automated IT discovery and dependency mapping. Discovery of devices alone isn’t enough, as only automated dependency mapping traces upstream business processes and downstream data flows. In addition, automated dependency mapping can also be used to streamline other key processes, such as IT operations and IT service management (ITSM), providing added value for your investment.
- Get buy-in at all levels: When you deploy a CMDB, you’re not just implementing a tool, you’re changing business processes. You’ll want to gain executive sponsorship for purchasing a CMDB and cross-functional commitment to keeping data fresh and accurate, as CMDB data will be used by IT, ITSM, security, audit and compliance teams, and others. You can increase buy-in by linking CMDB data to other processes and platforms, such as IT asset management (ITAM), data center infrastructure management (DCIM), ITSM, and security information and event management (SIEM). By benchmarking processes pre- and post-deployment, you can demonstrate how your new CMDB is adding value to business operations by ensuring software and regulatory compliance, business continuity, disaster recovery, and finance and procurement, and by streamlining IT operations, improving incident management, and reducing security threats, among other gains.
- Use both agentless and agent-based discovery: While you’ll likely use agentless discovery to capture information on the majority of your assets, there are times when only agent-based discovery will do. For example, you’ll want to use agent-based discovery to find devices that aren’t connected to the internet; are highly secured; or are remotely deployed, such as laptops. Using both processes will make sure you are auto-discovering all devices, even ephemeral cloud assets. You’ll also want to review all data to ensure it’s accurate.
- Build your CMDB from the ground up: In a recent blog, we highlighted how to discover devices with Device42, providing a set sequence for automatic IT discovery that teams should follow to identify all devices. We also recommended that you select a CMDB that uses multiple techniques to discover assets, including ephemeral cloud-native resources. Device42 uses 12 different automated discovery techniques to discover all resources and their current condition.
Device42 also provides an advanced device matching algorithm that correlates and deduplicates information, ensuring you don’t end up with multiple entries for the same CI.
- Keep data fresh: You’ll want to keep your CMDB data fresh by establishing a set-and-forget schedule for IT discovery. Many enterprise teams will likely choose to run agentless discovery processes multiple times a day and then add agent-based processes as needed, such as after business hours, to minimize performance impacts. Note that many jobs can be based on IP or CIDR ranges, so when devices are added, removed, or transferred, the data is captured automatically.
- Assign risk owners: A common practice with risk management is to assign risk owners who assume responsibility for a business process and approve all decisions related to it.
A CMDB makes this simple. You can easily assign risk owners in the CMDB, so that these key point people can be contacted to make important decisions, such as whether to renew software licenses, purchase new devices to increase capacity, retire devices, and more.
- Create custom dashboards: Device42 enables your teams to create custom dashboards, which are incredibly useful for compliance purposes, as they provide a lens for just the data that is needed for one or more regulations. Run reports on all of the devices in a region that support customer data flows covered by GDPR, or see which devices enable transactions covered by PCI-DSS. Make collaboration easier with cross-functional teams by giving everyone the data they need to make critical decisions related to compliance.
- Secure your CMDB: In another blog, we offer five best practices to use to improve your CMDB security. CMDBs offer the keys to the kingdom, with a single view of all devices and their condition, so it is important to control their access and usage. You can do so by changing all default credentials, practicing good password hygiene, restricting access using role-based controls and least-privilege-granted practices, obfuscating access to the appliance, and making other security improvements.
If you follow these steps, you’ll avoid common mistakes with IT discovery, including failing to keep data fresh, limiting data visibility to IT teams, or failing to transform internal processes with relevant insights.
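To make the discovery practices above concrete (combining agentless scans scoped to CIDR ranges with agent-based feeds, correlating and deduplicating records into a single CI, and keeping data fresh with time-stamped sightings), here is an added example. It is not Device42's code or its matching algorithm; the record format, the CIDR scopes, the match order (serial number, then MAC address, then hostname) and the sample feed are all constructed for this illustration.

```python
"""Added example (not Device42's code): folding discovery records into CIs.

Two constructed feeds are merged: an agentless scan job that is only
allowed to report hosts inside configured CIDR ranges, and an agent-based
feed for devices the scan cannot reach (laptops, isolated hosts). Records
are correlated on stable identifiers so the same device never becomes two
CIs, first/last-seen timestamps are kept, and stale CIs are flagged.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import ipaddress

# Assumed scope of the agentless scan job (constructed for this example).
SCAN_RANGES = [ipaddress.ip_network("10.0.0.0/16"),
               ipaddress.ip_network("172.16.0.0/12")]


def normalize_mac(mac):
    """Lower-case and use ':' separators so 'AA-BB-..' and 'aa:bb:..' match."""
    return mac.lower().replace("-", ":")


@dataclass(eq=False)  # identity-based equality: each CI object is its own record
class CI:
    hostname: str
    serial: Optional[str] = None
    macs: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def identifiers(self):
        """Match tokens, strongest first: serial, MAC(s), then hostname."""
        ids = ["serial:" + self.serial] if self.serial else []
        ids += ["mac:" + m for m in sorted(self.macs)]
        ids.append("host:" + self.hostname.lower())
        return ids

    def absorb(self, rec):
        """Merge one discovery record into this CI, widening time bounds."""
        seen = datetime.fromisoformat(rec["seen"])
        if rec.get("serial"):
            self.serial = rec["serial"].upper()
        if rec.get("mac"):
            self.macs.add(normalize_mac(rec["mac"]))
        self.ips.add(rec["ip"])
        self.sources.add(rec["source"])
        self.tags.update(rec.get("tags", []))
        self.first_seen = seen if self.first_seen is None else min(self.first_seen, seen)
        self.last_seen = seen if self.last_seen is None else max(self.last_seen, seen)

    def absorb_ci(self, other):
        """Fold another CI into this one when a record links the two."""
        self.serial = self.serial or other.serial
        for attr in ("macs", "ips", "sources", "tags"):
            getattr(self, attr).update(getattr(other, attr))
        self.first_seen = min(self.first_seen, other.first_seen)
        self.last_seen = max(self.last_seen, other.last_seen)


def record_tokens(rec):
    tokens = []
    if rec.get("serial"):
        tokens.append("serial:" + rec["serial"].upper())
    if rec.get("mac"):
        tokens.append("mac:" + normalize_mac(rec["mac"]))
    tokens.append("host:" + rec["hostname"].lower())
    return tokens


def build_cis(records, scan_ranges=SCAN_RANGES):
    """Correlate raw discovery records into deduplicated CIs."""
    index = {}  # identifier token -> CI
    cis = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip"])
        # Agentless jobs stay inside their CIDR scope; agent feeds are not scoped.
        if rec["source"] == "agentless" and not any(ip in n for n in scan_ranges):
            continue
        matches = []
        for t in record_tokens(rec):
            ci = index.get(t)
            if ci is not None and not any(ci is m for m in matches):
                matches.append(ci)
        if not matches:
            ci = CI(hostname=rec["hostname"])
            cis.append(ci)
        else:
            ci = matches[0]
            for other in matches[1:]:  # the record proves two CIs are one device
                ci.absorb_ci(other)
                cis = [c for c in cis if c is not other]
        ci.absorb(rec)
        for t in ci.identifiers():
            index[t] = ci
    return cis


def stale_cis(cis, now, max_age):
    """CIs not seen by any discovery job within max_age (freshness check)."""
    return [c for c in cis if now - c.last_seen > max_age]


def cis_with_tag(cis, tag):
    """Compliance-report style filter, e.g. every CI tagged for PCI scope."""
    return [c for c in cis if tag in c.tags]


# Constructed sample feed: two scan runs of one server (second run lacks the
# serial), an agent-reported laptop outside scan scope, an old switch, and a
# scan result outside the job's CIDR scope that must be dropped.
SAMPLE_RECORDS = [
    {"source": "agentless", "ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01",
     "serial": "SN-001", "hostname": "db-prod-01",
     "seen": "2024-05-01T08:00:00", "tags": ["pci", "customer-data"]},
    {"source": "agentless", "ip": "10.0.1.10", "mac": "AA-BB-CC-00-00-01",
     "hostname": "db-prod-01", "seen": "2024-05-01T20:00:00"},
    {"source": "agent", "ip": "192.168.50.5", "serial": "SN-LAP-7",
     "hostname": "lap-7", "seen": "2024-05-02T09:00:00"},
    {"source": "agentless", "ip": "172.16.0.9", "mac": "AA-BB-CC-00-00-03",
     "hostname": "old-switch", "seen": "2024-03-01T10:00:00"},
    {"source": "agentless", "ip": "10.9.9.9", "hostname": "out-of-scope",
     "seen": "2024-05-02T09:00:00"},
]

if __name__ == "__main__":
    cis = build_cis(SAMPLE_RECORDS)
    for c in cis:
        print(c.hostname, c.serial, sorted(c.macs), sorted(c.sources), c.last_seen)
    now = datetime(2024, 5, 2, 12, 0)
    print("stale:", [c.hostname for c in stale_cis(cis, now, timedelta(days=1))])
    print("pci:", [c.hostname for c in cis_with_tag(cis, "pci")])
```

Running it yields three CIs rather than five records: the two scan sightings of `db-prod-01` collapse into one CI that keeps the serial from the first run and the later last-seen time from the second, the laptop is admitted only because it came from the agent feed, the out-of-scope scan hit is dropped, and `old-switch` is the only CI reported stale against a one-day freshness window.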
Compliance Case Studies: Learn From Leaders
So, how are companies leveraging CMDBs to help solve compliance challenges? Let’s take a closer look:
- Ensuring compliance for trading operations: An international financial services company that services both US and overseas markets uses Device42 to provide a single, centralized tool for managing all assets and meeting its IT compliance obligations.
Previously, the company had used a company Wiki, Visio, and Microsoft Excel to collect asset data, but the information quickly became inaccurate because changes were not captured accurately.
The financial services company deployed Device42 to provide asset tracking and inventory management, service and support resolution, IP address management, and infrastructure moves, adds, and change capabilities. All of this data supported the company’s regulatory compliance efforts as well.
When asked to describe the solution and implementation processes, the CIO said, “For IT inventory tracking, there is no better solution. We were not able to find any other applications that fit into this space with all the features of Device42.”
The CIO continued, “The setup process was virtually non-existent since the application is provided on a VM customized for a hypervisor of our choice. From there, auto-discovery tools were used to identify and import devices and all their configuration details.”
- Meeting FDIC requirements: A leading financial institution leverages Device42 to meet U.S. Federal Deposit Insurance Corporation (FDIC) requirements, documenting all network assets, their locations, connections, and how they interact.
“From an FDIC perspective, they want to know where personally identifiable information (PII), credit card, and other sensitive data lives,” said the manager of technology operations at the bank. “Now I can easily generate a report from Device42 with all the assets that are tagged with critical information.”
- Addressing CIS Security Control requirements: CIS Security Controls are not a regulation, but enable organizations to demonstrate compliance with best practices that many regulations require.
AppDirect, a cloud service commerce company, uses Device42 to meet CIS Security Controls, providing regulators and customers with the assurance that it has a security-first mindset when it comes to running its business and handling organization and consumer data. The company set up Device42 and began auto-discovering assets within one hour, and had a full inventory of all devices within just three days of installation. With that visibility, AppDirect can make important business, customer, compliance, and security decisions.
“Security is not only important when someone is asking for the results or auditing you, but should be taken into account every day, with everything you do. Implement a tool that satisfies security requirements from the beginning so you don’t find yourself in a bad place, failing an audit, or worse,” says an AppDirect company representative.
Strengthen Compliance Monitoring and Reporting with a CMDB
If you’re an IT, risk, or compliance leader seeking to evolve your program’s maturity with better monitoring and reporting capabilities, there’s no time like the present to deploy a modern CMDB.
Device42 will provide you with the holistic visibility, deep insights, and digital workflows you need to make IT compliance a source of competitive advantage for your firm. And with automated IT discovery capabilities available on-demand, you can use device data to continually improve IT operations, security, risk management, and compliance processes: protecting consumers, business customers, and your own organization as your business grows and transforms.
Author: Rick Johnston