The ability to perform comprehensive network discovery to identify everything on your network is vital. You need to discover all your network devices and ensure that all valuable assets that represent a cost to the business are identified. This is necessary for understanding potential compliance risks arising from software licensing issues, and it is a crucial first step in establishing your SAM process if an accurate position on your software licensing is ever to be attained.
Do you really have 100 per cent network discovery?
Without this 100 per cent discovery, your inventory and any subsequent SAM work are compromised. We have spoken to organisations who tell us that they are 100 per cent discovered. But when we ask how they can be so sure, their reply is that it is more of a gut feel! Furthermore, when we apply our technology to their network and perform an advanced network discovery (not just an inventory of already known devices), we discover that their visibility can be as low as 80 per cent of the true estate.
This has implications ranging from security to software licensing exposure and the haemorrhaging of business asset value. Its major cause is using a discovery tool that only discovers in one way.
Firstly, you need to use a number of different protocols to efficiently scan your network to locate all devices and collect as much information as possible about them without the need to have an agent installed. The information collected as part of the discovery is a vital component, providing the check and balance of what is active and inactive on the network.
The need for multiple feeds via connectors
Having confidence in this data is crucial, and the ability to cross-check and validate what you have pulled from a wide range of sources provides just that. Taking multiple feeds via connectors provides an easy way to identify what’s ‘missing’ and gives you the confidence that you are tracking everything.
These connectors should work ‘out of the box’ with your discovery tool so that you can install, configure and deploy the tool to large and complex environments with minimal impact on resources.
The connectors that different organisations require vary, so below are some examples of the key ones to look for:
- Microsoft Active Directory
- VMware – vCenter + vSphere
- Citrix XenServer
- IBM – ILMT
- Amazon Web Services
- Oracle database
Don’t just depend on Microsoft Active Directory
This two-pronged approach is vital in ensuring all network information is collected and inventoried. We have come across tools that just use agents, but unless you know the device is there, how can you put the agent on it in the first place?
Some tools use Microsoft Active Directory Group Policy to notify them of new additions to the network, so that they can deploy their agent to them. This sounds good in theory, but you need to consider what is not picked up by Active Directory, such as:
- Linux/UNIX boxes
- Anything in a workgroup or other domains
These could potentially leave a big hole in your discovery and subsequent inventory.
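The cross-check between feeds described above, as an added example rather than code from the article or from any discovery product: it merges constructed sample records from a network scan, Active Directory and vCenter, then reports what each feed is missing. The feed names, record fields and matching rule (MAC address first, short hostname as fallback) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample feeds; field names are assumptions for illustration.
FEEDS = {
    "network_scan": [
        {"mac": "00:1A:2B:3C:4D:01", "host": "WS-001.corp.example"},
        {"mac": "00-1a-2b-3c-4d-02", "host": "db-linux-01"},
        {"mac": "001A.2B3C.4D03", "host": ""},           # no name resolved
        {"mac": "00:1a:2b:3c:4d:04", "host": "LAB-PC"},  # workgroup machine
    ],
    "active_directory": [
        {"mac": "", "host": "ws-001"},
        {"mac": "", "host": "WS-009"},  # in the directory, not seen on the wire
    ],
    "vcenter": [
        {"mac": "00:1A:2B:3C:4D:02", "host": "db-linux-01.corp.example"},
    ],
}

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits, or ''."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return digits if len(digits) == 12 else ""

def norm_host(host):
    """Lowercased short name. Assumes short names are unique across domains."""
    return host.strip().lower().split(".")[0]

def reconcile(feeds):
    """Map each distinct device key to the set of feeds that reported it."""
    keyed = [(src, norm_mac(r.get("mac", "")), norm_host(r.get("host", "")))
             for src, records in feeds.items() for r in records]
    # Records carrying both identifiers let name-only records join by MAC.
    host_to_mac = {h: m for _, m, h in keyed if m and h}
    devices = defaultdict(set)
    for src, mac, host in keyed:
        key = mac or host_to_mac.get(host) or (f"host:{host}" if host else "")
        if key:
            devices[key].add(src)
    return dict(devices)

def missing_from(devices, feed):
    """Devices that some other feed reported but `feed` did not."""
    return sorted(k for k, seen in devices.items() if feed not in seen)

def coverage(devices, feed):
    """Fraction of all known devices that `feed` reported."""
    return sum(feed in s for s in devices.values()) / len(devices) if devices else 0.0

if __name__ == "__main__":
    devices = reconcile(FEEDS)
    for feed in FEEDS:
        print(f"{feed}: {coverage(devices, feed):.0%}, missing {missing_from(devices, feed)}")
```

A device present in Active Directory but absent from the scan may simply be inactive, while one seen on the network but absent from Active Directory is the kind of gap described above.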
3-tier platform to discover everything
The way around this is not to rely totally on third-party feeds (like Active Directory) for the collection of inventory from client devices (agent or agentless). The success and efficiency of the deployment is often directly linked to the connectors and network discovery. All of the information required to successfully target a client device is already collected through the connectors and network discovery, so the most efficient method of deployment can be utilised. Furthermore, all operating system platforms need to be targeted, not just Windows; look at Mac, UNIX, Linux, etc.
The discovery process can either be agent-based, agentless, or a combination of the two depending on your specific requirements. This allows you to pick between the two methods, using whichever works best within your environment.
Russell Fry at Certero