The Provocative Convergence: FINOPS and ITAM Revolutionize IT Consumption Management

In the rapidly evolving world of technology and finance, two powerhouses are converging to reshape the business landscape. Financial Operations (FINOPS), specifically focused on cloud cost management, and IT Asset Management (ITAM) are joining forces, sparking a revolutionary alliance that challenges norms and unlocks unparalleled success. Get ready to delve into this audacious convergence as we explore its provocative implications for businesses.

Unveiling the Potential: FINOPS and ITAM:

Imagine a tech visionary and a financial maestro locking eyes, recognizing the untapped potential between them. FINOPS, the driving force behind cloud cost optimization, budgeting, and compliance, now unites with ITAM, the meticulous guardian of technology assets. Together, they forge an indomitable partnership that unleashes efficiency, cost savings, and strategic advantage.

Unleashing Synergy: A Game-Changing Union:

FINOPS and ITAM have long danced on the periphery, unaware of the extraordinary synergy awaiting their union. In an era where cloud technology fuels business growth, FINOPS emerges as the financial savior. Armed with granular insights, FINOPS empowers organizations to make informed decisions about their cloud investments and optimize costs.

Meanwhile, ITAM steps onto the stage, armed with its treasure trove of knowledge about cloud resources, usage patterns, and governance. Its meticulous tracking and management of assets running in the cloud offer the perfect complement to FINOPS’ financial prowess. Together, they unlock a force that not only saves companies money but also enhances operational efficiency and reduces risk in the cloud.

The Resilience Factor: Future-Proofing Cloud Operations:

In an era of digital transformation, the convergence of FINOPS and ITAM becomes even more crucial. By combining their expertise, businesses can future-proof their cloud operations, seamlessly managing the lifecycle of cloud assets while optimizing financial outcomes.

From cloud adoption to retirement, FINOPS and ITAM work hand in hand to ensure cloud resources are utilized optimally, costs are controlled, and compliance is maintained throughout. This unified approach transforms the perception of cloud technology from a mere expense to a strategic asset, providing organizations with a competitive edge in an ever-evolving landscape.

The Compliance Conundrum: A Bold Solution:

Commercial license compliance has been a persistent challenge for businesses operating in the cloud. Enter FINOPS and ITAM, the dynamic duo that fearlessly tackles the compliance conundrum. By leveraging their combined strengths, organizations gain comprehensive visibility into their cloud ecosystem, enabling streamlined audits, minimized risks, and adherence to industry regulations.

FINOPS sheds light on the financial implications of compliance requirements in the cloud, while ITAM delivers granular insights necessary to monitor usage and track licenses. Together, they dismantle compliance obstacles, allowing businesses to focus on growth and innovation with confidence.

Embracing the New Frontier: Automation and AI:

The convergence of FINOPS and ITAM not only combines expertise but also invites the exploration of automation and artificial intelligence (AI). By harnessing the power of technology, organizations can supercharge their financial and asset management processes, freeing up valuable human resources and eliminating costly errors.

Automation streamlines repetitive cloud cost management tasks, such as resource provisioning and rightsizing, empowering teams to focus on strategic initiatives. AI-driven analytics reveal hidden patterns and trends, providing decision-makers with real-time insights for proactive financial planning and optimized cloud resource allocation.

Conclusion:

As FINOPS and ITAM converge in a daring alliance, traditional boundaries between finance and technology dissolve, giving birth to a new era of efficiency, resilience, and cost optimization in the cloud. Businesses that embrace this provocative convergence will gain a significant advantage, transforming their cloud operations and fueling their journey towards unparalleled success.

Permanent link to this article: https://demystifyit.com/the-provocative-convergence-finops-and-itam-revolutionize-it-consumption-management/

What is IT Asset Management (ITAM)?

IT asset management is the practice of managing and tracking the hardware, software, and other IT assets within an organization. It involves the entire lifecycle of an asset, from procurement to disposal, and includes activities such as inventory management, license management, and asset utilization.

Effective IT asset management can help organizations reduce costs, optimize the use of their assets, and ensure compliance with various regulations and policies. It can also improve security, as IT asset management helps to identify and track potential vulnerabilities in an organization’s IT infrastructure.

There are several key components to effective IT asset management:

  1. Inventory management: Maintaining an accurate inventory of all IT assets is essential for effective asset management. This includes tracking the location, ownership, and status of each asset.
  2. License management: Properly managing software licenses is important to ensure compliance with vendor agreements and avoid costly fines for using unlicensed software.
  3. Asset utilization: IT asset management can help organizations optimize the use of their assets by identifying underutilized assets and reassigning them to other areas of the business where they are needed.
  4. Disposal: When an IT asset is no longer needed, it is important to dispose of it properly and in an environmentally responsible way. IT asset management can help organizations securely erase data and properly dispose of assets to prevent data breaches and protect sensitive information.

Effective IT asset management requires a systematic approach and specialized tools and software. These tools can help organizations automate many tasks associated with IT asset management, such as tracking asset information, generating reports, and managing licenses.

Implementing an effective IT asset management strategy can provide numerous benefits to organizations, including reduced costs, improved security, and enhanced compliance. By taking a proactive approach to managing and tracking their IT assets, organizations can ensure that their IT infrastructure is running smoothly and efficiently.

Permanent link to this article: https://demystifyit.com/what-is-the-it-asset-management/

Apply Apple’s brilliance to your business…

By every measure, Apple’s App Store is a huge success. Apple maintains complete control over the App Store, everything from the applications available to billing and delivery through its self-service portal. It is simple, direct, and ruthlessly efficient. 

Apple’s App Store has over 2 million applications available, and the App Store has racked up billions of dollars in sales since its inception in 2008. Children of all ages and even elderly adults have accessed the store to install applications on their devices without making a single call to a help desk.

Now, contrast the excellent user experience that Apple provides with the less than excellent experience of installing applications within your business. Most likely, the process is cumbersome, slow, and labor-intensive. Application installation requests usually require an end user to make numerous calls or to submit tickets to a help desk. Since installing an app on an iPhone is so quick and painless, does tying up support with the mundane task of deploying applications even make sense? Imagine how streamlined life could be if you applied that same efficiency to application deployments within your business.

Of course, there is a stark difference between mobile application deployment and PC/Mac application deployment. Computer application licenses differ from mobile licenses in several ways, most notably OS compatibility and varied system resources. Software license costs are also far higher. Moreover, desktop license and usage rights add complexity, because you need to track and handle:

  • Available license inventory
  • Reclaiming licenses when an application goes unused for months at a time, or when an employee leaves
  • Role-based access control (users have access to only the applications they need)
  • Approval workflow for one-off license requests
  • Upgrading your entire enterprise to a new version or application, with visibility into the progress of the install/uninstall
  • Bundling the items needed for new hires based upon their role
  • Removing applications that you don’t want in your environment (blacklist)

However, if you could address all of those challenges, then installing new applications would be immediate and frictionless. You would also achieve the welcome benefit of eliminating calls/tickets to the help desk.

In this scenario, specialized application licenses are properly controlled, license inventories are accurate, unused licenses reclaimed, and role-based access controls are enforced. Business users would gain immediate access to needed applications without enlisting the help of a technical middle-man. Best of all, spiraling application costs would be constrained.

Since the benefits of this approach are obvious, ask yourself: why doesn’t something like this already exist?

Well, you’ll be glad to know it does. The product is aptly named Universal Enterprise App Store, and it’s available from Flexera. Check it out: https://www.flexera.com/blog/application-readiness/2015/07/universal-enterprise-app-store-the-real-world-benifits/

You’ll be glad you did.

Permanent link to this article: https://demystifyit.com/apply-apples-brilliance-to-your-business/

You’ve just been hit with a vendor audit – now what?

If you don’t have your (bleep) together, a vendor license audit is painful. IT audits cause disruption to operations, are often complex, and pose the risk of significant unplanned and unbudgeted spend.

Picture this all too familiar scenario: you receive notice that you are the target of an audit by one of your vendors. They provide you with some scripts to run. You run those scripts, which spider your network collecting data. You then send the results back to the vendor, and you wait. A few days later, you open your inbox to find an e-mail summarizing the results of their findings. The news is not good; to your shock and surprise, you are shown to be out of compliance to the tune of millions of dollars.

Suddenly, you feel like you’re sitting in a casino, playing against the house with the odds heavily stacked against you. After uttering a few choice words, many thoughts start racing through your head: How can this be true? Where will you get the money? How will you message this to Finance? Will this unplanned spend put important projects at risk? Should you accept the vendor’s claim and settle?

My first piece of advice: don’t panic. Formulate a solid game plan and make some quick, difficult decisions. The first decision is whether to accept or challenge the vendor’s findings.

You’ll most likely receive a call from the vendor’s sales rep, offering you a sweetheart deal to make the “problem quickly go away.” I strongly advise against it. ALWAYS verify a vendor’s findings. Here is why: even though your vendor has the results from the collected data, they are missing the complete picture. You need to fill in the incomplete data before deciding on an appropriate course of action.

The difference between the vendor’s findings and your findings will likely be significant. In the extreme, this difference could mean that you might not be out of compliance at all. Here are several reasons why:

  1. Vendors seek to maximize, not minimize, your compliance obligations.
  2. Most vendors’ records of your purchases over the years are likely just as disorganized as your records are.
  3. A vendor’s terms and conditions may have been different at the time of sale than they are today, but the original terms still apply.
  4. How and where you deployed software matters for compliance and often does not factor into audit findings.

To challenge the vendor’s findings, you’ll need to collect and correlate information across multiple dimensions, including the following:

  1. The software you have licensed
  2. The software you have installed
  3. The hardware specifications of the machines where the software is installed.
  4. The current software usage.
  5. The percentage of the software that is in use.
  6. How the software is being used: 
    • Development
    • Production
    • Disaster Recovery
    • Hot Standby
    • Cold Standby

Once you collect, correlate, and normalize this information, you can move toward a more optimized license position. It’s complicated, confusing, and time-consuming work to arrive at a precise count, let alone an optimized position, but thankfully, there is a better way. Software exists that will do this hard work for you and help you maintain a continuously optimized state, not only for this one vendor but for all of your vendors.

Instead of placing your casino bets with the odds stacked against you and hoping for a favorable outcome, you can use a more scientific approach by applying a rigorous and intelligent technology to the practice of managing your IT business.    

Flexera is THE leader in helping businesses optimize IT spend for software, cloud, and SaaS. Collectively, we have helped our customers save over a billion dollars in vendor licensing costs. If you would like some help tackling an audit, or optimizing your IT license position, we’re here to help.

Permanent link to this article: https://demystifyit.com/youve-just-been-hit-with-a-vendor-audit-now-what/

Solving this Rubik’s cube is worth millions.

Full disclosure, I never enjoyed trying to solve a Rubik’s cube, and to me, it always seemed like a ridiculous waste of time. Although, if someone told me that solving the puzzle would net me millions of dollars, I would work at mastering it. It’s pretty safe to assume that no one is going to pay me millions to solve the Rubik’s cube. However, if you are the CIO or CFO of a business that spends millions a year on IT, you’ll be happy to know that there is an equivalent puzzle that, once solved, can net you millions.

So, what’s the puzzle? Much like the Rubik’s cube, it’s making sense of information across six different dimensions. However, instead of colors, the dimensions are:

  1. What you have purchased
  2. What you have installed
  3. Information about servers
  4. Information/Data regarding Usage
  5. Software as a Service Spend
  6. Cloud use

Sounds simple? Well, just like the Rubik’s cube, it seems simple until you try to solve it. Unlike the Rubik’s cube, which can be mastered in time, IT licensing is considerably more complicated. Each of the six dimensions spawns new dimensions. To illustrate, let’s walk through one example: You buy from many vendors such as Oracle, IBM, Microsoft, Amazon, etc. Each vendor has many products, each product has different terms of use, and each contract may contain one-off exceptions to standard conditions. Also, the programs your business has installed vs. the programs in use can differ significantly, and thanks to Moore’s Law, hardware capacity is also continuously evolving.

Businesses license SaaS applications, but sometimes employees purchase a license and expense it. Also, moving on-premises applications to the cloud introduces new complex factors: virtual utilization, API access, network throughput, and data backups introduce new pricing challenges. Given all the permutations and changes, it’s no wonder IT often throws its hands up in despair.

How are businesses managing this today? The answer is not particularly well. That’s where the payoff of solving this puzzle comes in. Gartner estimates that 25 – 35% of IT spend is wasted. Translation: for most businesses, solving this puzzle can save millions. The real challenge arises because solving this puzzle is not a one-and-done proposition. To maintain efficiency, you’ll need to continuously monitor and update this puzzle as employees come and go, as you refresh hardware, as you make new purchases, and as you introduce new services.

Imagine you’re working on solving the Rubik’s cube, and someone comes along, rips the cube from your hand, and rejumbles the puzzle. Besides wanting to throw the cube at them, are you prepared to handle that?

The fastest recorded time of an individual manually solving a Rubik’s cube, on their best day, is 5.25 seconds. In contrast, a computerized robot has been tuned to consistently achieve the same result in just under 0.38 seconds (if you blink you’ll miss it). Grab the cube, jumble it up, and bam, in less than a second, the computer/robot solves it again, each time, every interval, always right, and always efficient. This same relentless efficiency can be applied to solve the business challenges of complex IT environments. Only, instead of seeing the panels of coordinated colors on a Rubik’s cube, you enjoy reduced risk, eliminated budgetary waste, and optimized IT spend. Now, aren’t those benefits worth solving the puzzle?

Permanent link to this article: https://demystifyit.com/solve-this-rubiks-cube-and-make-millions/

What can you do to maximize the data exhaust your enterprise gives off every day?

The machinery of a business is much like the physical machinery of an automobile. In an automobile, a physical engine powers the vehicle, whereas the metaphorical equivalent within a business is people, process, and technology. In an automobile, how fast or slow you go and where you go depend upon a variety of factors: fuel, the condition of the machinery, road conditions, engine capacity, weather, etc. For a business, it’s talent, manpower, innovation, market acceptance, resource utilization, capacity, marketing and sales, and competitive positioning.

Your combustion-engined automobile takes in fuel, processes that fuel to generate energy, and expels the processed fuel through the muffler. In business, people, computers, equipment, and devices undertake efforts every day, and those activities are expelled in the form of data. The big difference between a physical machine like an automobile and the distributed power of a business is that the automobile’s spent energy is consolidated and extruded through a centralized point, namely the muffler, whereas in business this data is locked up in lots of silos throughout the enterprise.

Collecting, aggregating, and correlating this data as it’s generated is extremely valuable. Why? Because this data will provide you with crucial technical and business insights to a) get way out in front of problems before they become large and b) allow you to make more informed (and timely) business decisions. Here are just a few examples of the types of things you can do with this data:

  • Search Information Across your Distributed Enterprise
    • What systems are running a compromised version of Java and need to be patched?
    • What is the oldest version of Linux running in your environment?
  • Security Information Event Management
    • What notable security activity has occurred across your environment requiring further investigation? 
    • Are hackers targeting specific machines in your network or cloud environments?
    • Who accessed what information when?
  • Application Performance Monitoring
    • Why did an application fail?
    • Why is an application running slowly?
  • Sentiment Analysis
    • What are consumers saying about your business across social media platforms?
    • Are expressed views about your business trending up or down?
  • Supply Chain
    • Is your Just In Time manufacturing process in jeopardy of stalling from supplier latency or too little inventory on hand?
    • Can you fulfill a new order in time with materials on hand?
    • What trucks are on the road? Where are they located? What are they carrying?

To successfully pull this off at scale you need three things:

  1. A highly scalable platform to aggregate, analyze, search, and visualize this data. Elastic, with over 100 million downloads, a proven performance record, and a massive install base, is both a safe and cost-effective platform for this type of undertaking.
  2. Sufficient storage to handle the aggregated/indexed data.
  3. Skilled resources to manage the solution. Administrators need a basic understanding of REST/JSON and APIs; end users simply need to learn the basics of search.

While there is incredible value in simply aggregating and storing this data, it’s best to start with a measurable end goal for delivering tangible business benefits in mind and work backward. Although you may start by tackling just one business issue, the opportunities to leverage this same data for exponential operational improvement will snowball over time.

Go start your engines!

Permanent link to this article: https://demystifyit.com/data-exhaust/

What you don’t know about SSH can hurt you.

SSH is a powerful access protocol that was developed some 20 years ago by Tatu Ylonen of Finland. The protocol’s primary function is to provide trusted access and to encrypt communication in transit to prevent man-in-the-middle attacks. Once a connection is established, SSH effectively creates an encrypted tunnel to facilitate secure communication between two points. Since its development, the SSH protocol has grown so much in popularity that SSH now comes pre-installed on every Unix, Linux, mainframe, and Mac system and on most network devices.

The Responsibility Gap

Since SSH comes pre-installed on servers and devices, most organizations do not have any group or individual responsible for monitoring SSH activities. In fact, most businesses make the leap that SSH = Encryption and Encryption = Security. In this day and age, who doesn’t want more encryption and security? The premise that encryption alone negates the need for vigilance and oversight of SSH use is dangerously flawed. Here is why: SSH does encrypt communication, but the real formula is better represented by the more accurate equation SSH = Access. SSH access comes in two variants: 1. Interactive (human to machine) and 2. Non-interactive (machine to machine). Access to critical resources and data needs to be managed, monitored, and controlled. Thus, closing the SSH responsibility gap should be a Tier 1 priority for an enterprise.

Knowing the Risks

SSH functions by establishing key pairs consisting of a private and a public key. To understand the function of these keys, it’s best to use an analogy: a public key is similar to a lock on a door, whereas a private key is similar to the physical key you keep in your pocket. Presenting the private key that matches a public key grants access and establishes an encrypted connection.

  • Keys are self-provisioned – How comfortable would you be allowing any employee or consultant to grant themselves access to critical applications?
  • SSH keys don’t expire – A key pair created some 20 years ago still works today.
  • SSH encryption bypasses security controls – Those security tools you spent millions of dollars on? They don’t work on SSH-encrypted traffic, effectively creating a security blind spot.
  • SSH tunneling – Just what the name implies: it enables traffic to traverse routers and avoid being blocked.
  • SSH keys are passed around – SSH keys are often copied and shared, preventing you from knowing who did what, when.
  • Root-level access – SSH can provide root (command-level) access to systems and data.

In short, in the wrong hands, SSH can present the ultimate doomsday scenario for any business: bad actors gain the ability to do all sorts of nefarious things, beyond detection, within the security blind spot that SSH creates. Fortunately, SSH Communications Security, the inventor of the protocol, has developed commercial solutions to help you mitigate these risks.

Permanent link to this article: https://demystifyit.com/what-you-dont-know-about-ssh-can-hurt-you/

Who should be responsible for SSH?

In my job at SSH, I meet with IT executives in many large businesses and government agencies. Aside from their initial surprise that there is an actual company behind SSH, one question comes up most often: which functional group within IT should own SSH? The reason this is such a struggle is that, unlike other IT investments, OpenSSH comes pre-installed on servers, networking, and storage gear. By default, it’s just there to be used, and administrators and application developers use it extensively.

Some background: SSH is a protocol used by both system administrators and application owners to communicate securely, control machines, or facilitate secure file transfers. SSH works remarkably well, and the encryption is extremely effective at preventing man-in-the-middle eavesdropping attacks. However, in the wrong hands, this same SSH encryption can be leveraged to circumvent security controls. SSH use requires the creation of matching public and private key pairs for authentication. Key-based authentication is used primarily for automation and sometimes by system administrators for single sign-on: the public key is placed on the target machines, and the private key is either placed on a connecting server (for machine-to-machine use) or given to a user to facilitate human-to-machine interaction.

There is a notion that the PKI management team should also manage SSH access. Some vendors add to this belief by claiming that managing SSH keys is similar to managing certificates. However, comparing certificates to SSH keys is more akin to comparing apples with coconuts; they both provide authentication, but the similarities end there. Unlike certificates, SSH keys are easily copied, easily shared, and by default aren’t set to expire. Moreover, unlike certificates, SSH is also used extensively for machine-to-machine interaction. For all these reasons, we do not believe that SSH aligns with the function of PKI, and we would advise against assigning responsibility for SSH to this group.

Another group often considered to manage SSH is Cryptography. It’s easy to see why that’s the case: since SSH provides encryption, it seems reasonable that the encryption team should own it. While this is true, SSH also enables remote interactive command and control of machines, extending well beyond the purview of cryptography alone. Instead, it’s our view that the most logical group to own SSH is the identity and access management team. Why? Well, SSH Keys = Access. Therefore, granting, monitoring, and revoking access to resources via SSH should adhere to the same, if not more, process and rigor used to grant system access for employees, contractors, partners, and suppliers.

The inherent challenge of SSH is that, unlike identity and access management for humans, there typically is no onboarding and offboarding of SSH key access, which is something we strongly advocate. Given all the complexities of providing safe and secure access via SSH, we feel that three things are needed: 1. Well-defined policies and procedures related to SSH; 2. Training and education for key employees; and 3. Continuous system monitoring and enterprise software to enforce the issuance, monitoring, and revocation of SSH access.
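As an added example (not code from the original posts), the following Python audit turns the risk list of the previous article and the onboarding/offboarding point above into checks a defender can run: it parses authorized_keys snapshots gathered from hosts, fingerprints each key, and compares them against a key register. The register, the 365-day rotation policy, and the sample hosts, users, and keys are assumptions constructed for the example.

```python
"""SSH authorized_keys audit (added example, not code from the original posts).
Flags the key-lifecycle risks described above: self-provisioned keys, keys that
never expire, keys copied to several hosts, unrestricted automation keys and
root-level access. The register and per-host snapshots are constructed samples."""
import base64
import hashlib
import struct
from collections import namedtuple
from datetime import date
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
AuthorizedKey = namedtuple("AuthorizedKey", "host user key_type fp comment options")

def make_blob(key_type: str, raw_key: bytes) -> str:
    """SSH wire format (length-prefixed type, length-prefixed key) as base64. Only
    used to construct sample keys here; real keys come from ssh-keygen."""
    parts = [key_type.encode(), raw_key]
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_outside_quotes(text: str, is_sep) -> list:
    """Split at separator characters but never inside "...", so that an option
    such as command="/usr/bin/rsync --server" survives as one piece."""
    parts, buf, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if is_sep(ch) and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return [p for p in parts + [buf] if p]

def parse_options(text: str) -> dict:
    """Map option names to values; bare flags such as no-pty map to True."""
    pairs = [p.partition("=") for p in split_outside_quotes(text, lambda c: c == ",")]
    return {name: value.strip('"') if value else True for name, _, value in pairs}

def parse_authorized_keys(host: str, user: str, text: str) -> list:
    """Parse one account's authorized_keys file: [options] type base64 [comment]."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_outside_quotes(line, str.isspace)
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx > 1 or idx + 1 >= len(fields):
            continue  # malformed line; production tooling should report it
        options = parse_options(fields[0]) if idx == 1 else {}
        keys.append(AuthorizedKey(host, user, fields[idx], fingerprint(fields[idx + 1]),
                                  " ".join(fields[idx + 2:]), options))
    return keys

def audit(keys: list, register: dict, today: date, max_age_days: int = 365) -> list:
    """Return (fingerprint, finding) pairs; `register` is the onboarding record the
    text says is usually missing: fp -> {"owner", "issued", "purpose"}."""
    findings, by_fp = [], {}
    for k in keys:
        by_fp.setdefault(k.fp, []).append(k)
    for fp, ks in by_fp.items():
        rec = register.get(fp)
        if rec is None:
            findings.append((fp, "self-provisioned: no owner on record"))
        else:
            age = (today - rec["issued"]).days
            if age > max_age_days:  # assumed rotation policy; OpenSSH enforces none
                findings.append((fp, f"no expiry enforced: key is {age} days old"))
            if rec["purpose"] == "automation":
                for k in ks:
                    if "from" not in k.options or "command" not in k.options:
                        findings.append((fp, f"automation key on {k.host}:{k.user} "
                                             "lacks from=/command= restriction"))
        placements = sorted({f"{k.host}:{k.user}" for k in ks})
        if len(placements) > 1:
            findings.append((fp, "shared: authorized on " + ", ".join(placements)))
        findings += [(fp, f"root-level access on {k.host}") for k in ks if k.user == "root"]
    return findings

KEY_A = make_blob("ssh-ed25519", bytes([1]) * 32)  # alice, human; raw bytes are placeholders
KEY_B = make_blob("ssh-ed25519", bytes([2]) * 32)  # deploy automation key from 2019
KEY_C = make_blob("ssh-ed25519", bytes([3]) * 32)  # never registered with anyone
SNAPSHOTS = {  # (host, user) -> authorized_keys contents, as a collector would gather them
    ("web1", "alice"): f"ssh-ed25519 {KEY_A} alice@laptop\n",
    ("web1", "deploy"): f'from="10.0.0.5",command="/usr/bin/rsync --server" ssh-ed25519 {KEY_B} deploy\n',
    ("db1", "root"): f"# copied across during a migration\nssh-ed25519 {KEY_B} deploy\nssh-ed25519 {KEY_C}\n",
}
REGISTER = {
    fingerprint(KEY_A): {"owner": "alice", "issued": date(2024, 1, 10), "purpose": "human"},
    fingerprint(KEY_B): {"owner": "ci-team", "issued": date(2019, 3, 1), "purpose": "automation"},
}

def run_sample(today: date = date(2024, 6, 1)) -> list:
    """Audit the constructed snapshots against the register as of `today`."""
    keys = [k for (host, user), text in SNAPSHOTS.items()
            for k in parse_authorized_keys(host, user, text)]
    return audit(keys, REGISTER, today)
```

On the sample data the audit reports nothing for alice's registered key, while the 2019 automation key is flagged as overdue for rotation, copied to a second host, and granting unrestricted root access there, and the unregistered key is flagged as self-provisioned.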

In conclusion, the SSH protocol is a vital technology that is used extensively throughout every business and government agency the world over, which makes protecting and managing SSH access a Tier 1 security concern. In fact, if you investigate the core of most major breaches that a. exfiltrated large sums of data undetected, b. installed software or disabled systems, or c. occurred over an extended period of time undetected, it’s likely an indication that SSH had been leveraged by the hackers.

SSH Communications Security, the inventor of the Secure Shell protocol, has developed several thoughtful and purpose-built solutions that address the unique and complex security and compliance requirements of SSH and complement your existing security investments. To learn more, or to schedule an SSH security risk assessment, please feel free to contact me by filling out the contact form within this website.

Permanent link to this article: https://demystifyit.com/who-should-be-responsible-for-ssh/

Beware the Invisible Man Using SSH

Permanent link to this article: https://demystifyit.com/beware-the-invisible-man-using-ssh/

A theory on the 1 billion account hack – and what you should do to avoid being Yahoo’d

Yahoo has been making a lot of news lately, and not for a good reason. Marissa Mayer’s failed attempt to turn the company around resulted in the sale of the company to Verizon for $4.8 billion, and that sale has now been placed in jeopardy by Yahoo’s inability to protect and secure its users’ data.

In September of this year, Yahoo announced that information pertaining to 500 million user e-mail accounts had been stolen, dating back to 2014. It had taken them two years to discover and report on this loss.

In the immediate aftermath of this announcement, some US senators demanded to know what was learned of the first breach and called for hearings on the matter. But, as the news faded from the media spotlight, so too did the pressure to understand just what happened, and who knew what information when. Fast forward to December, with Yahoo announcing a second data breach that eclipses the first, both in sheer scale (over 1 billion user accounts) and in elapsed time (the breach occurred in 2013).

Horrifically, it’s been reported that the information collected is being sold to hacker groups within the Dark Web and fetching upwards of $300,000. The information was turned over to US authorities by an unnamed third party, who upon further investigation deemed it to be credible and formally notified Yahoo. Unfortunately, the downstream effects of this stolen information will be felt for years as hackers seek to exploit this data for financial gain. Therefore, I would urge every Yahoo account holder reading this article to do two things right now: 1. Change your password and security questions. 2. Use multi-factor authentication on every web-based account you have – bank, credit card, Amazon, etc. Do yourself a huge favor, and do that right now.

Back to the important question: just how was someone able to steal user account information for over 1 billion accounts completely undetected? My guess, without having any inside knowledge, is that it has all the markings of exploiting SSH key access, which is precisely how Snowden, and later Martin, stole troves of data from the NSA, and how the Government of North Korea stole every bit of sensitive information they could get their hands on from Sony.

SSH creates an encrypted channel that can’t be monitored. That’s what makes SSH so powerful and effective when used for good. However, if used for ill, all those fantastic capabilities render all your security tools – SIEM, DLP tools, etc. – ineffective, which is why we (as the inventors of SSH) strongly advocate that customers implement stronger controls over the entire SSH lifecycle, and recommend the immediate remediation of any SSH key access issues within your own company.

If you’d like to learn more about what can and should be done about SSH in your company, please feel free to contact me – I’m happy to help, or at least point you in the right direction.

Permanent link to this article: https://demystifyit.com/a-theory-on-the-1-billion-account-hack-and-what-you-should-do-to-avoid-being-yahood/