Wednesday, June 11, 2014

Asset Inventory 101 - Myths and Realities

This post is the result of trying to explain IT inventory to multiple people, multiple times, and them still not "getting it".  Rather than wear myself out, which I will probably still do anyway, I plan on pointing them here to read my thoughts on it, and I can then go back to babbling incoherently to myself.  I promised to post a "tech-oriented" article soon, but this is borderline, so nanny-nanny-boo-boo, I'm counting it as tech-oriented.

If you ask me about Inventory, I will ask if you read this article.  If you say "no", I will tell you to read this article and walk away, probably while laughing.  If you say "yes", I will say "go back and read it again", and laugh even louder.

What is Inventory?

Definition...

(noun):  A complete list of the things in a place".

(verb):  the act or process of making a complete list of the things that are in a place : the act or process of making an inventory". - Merriam-Webster's Dictionary

Go back and read that again.  Got it memorized? Okay, let's look at the noun side...

Inventory Science 101

What is "inventory" really?  Basically, it's supposed to be about tracking and reporting what you own, or what you have, and where it's located.  But there's usually a lot more to it than that.  Who's using it.  What it's used for.  Who bought it.  Who pays for it.  How it is configured.  What it's related to, or associated with.

There's also the Manufacturer. Model. Part Number.  Serial Number.  Contract number(s). Department/Division/Sector/Group/Team/Project names and numbers. And let's not forget the abstracts like category, type, family, class, species, and all that.

The goal of inventory, and inventory tracking efforts is, or should be, to confirm existence, disposition and ownership of assets.  The real goal being a financial implication of course.  What do you own?  Where is it?  Who is using it?  What is it used for?  Who's paying for it?  When does it "expire"?

The most common method for gathering and tracking inventory is what is commonly referred to as "input-output differential".  Capture what comes in (purchase order, or birth certificate), what goes out (inventory record audit, or death certificate) and finding the gaps.  The gaps are where the fun really begins.

What happened to it?  Lost? Stolen?  Transgender operation?  Was it really the property of the organization, or was it loaned to them for temporary use?  Was it a demo from a vendor?  The list goes on and on.

Just as a Census tries to verify you're still among the living, breathing creatures, who are paying taxes and adding to landfills... so are the aims of products like Microsoft System Center Configuration Manager, Solarwinds, Tivoli, Kaseya, LabTech, and (cough-cough) several products I've developed in the past as well.

So, in addition to what came in the door, and what is known to have departed, there is now a third status of "what's it doing now?"  Things that can be poked at to verify where and what an asset is, include Active Directory, network monitoring systems, PING, and so on.  An "Asset Manager" job title can often involve a lot of legwork.

What Constitutes "Things" and "Places"?

If we use YOU as a metaphor, then a human being is an inventory asset or item.  The place would be (or could be), your home address.  It could also be your employer's address, or your car (VIN or license plate).

Now, think of all the "things" that pertain to labeling YOU as an entity.  Your birth certificate.  Driver's license.  Voter registration.  Tax bills.  Credit cards.  Bank accounts.  On and on.

Do any of those things GUARANTEE your existence?  No.  Do they confirm you are still among the "living" (I'll leave that for you to decide on the definition)?  No.  They are simply artifacts that help SUPPORT the assertion that you exist.

Metaphorically Speaking:  Computers

Now that we've strolled off into metaphor-land, let's bring it back to the meat-and-potatoes: Computer assets.  Desktops, laptops, tablets, smartphones, appliances, routers, hubs, switches, printers, power supplies, storage units, MODEM's, peripherals of all kinds, you name it.

What is the birth date of a computer?  The date it was purchased?  The vendor warranty start date?  The OS installation date?  The technician-installation date?  If you base it on the OS install date, and you reinstall the operating system, what happens to the birth date then?  Does it fall back to something else?

If you purchase it, and it takes a while to get from the warehouse, to the workbench, to the truck, to the technician to being delivered and setup, which event date are you picking as the "start" or "birth" date of that asset?  Have you consulted your Finance folks about this?  Your attorneys?  You should.

When you record the purchase and deployment of this asset, what then?  Do you track it during the rest of its life?  Do you track the retirement and disposal of it too?  Some places do.  Some don't.  Some are required by law to track some, or all of this.  Which are you required to track?

Just because you "Can", does that mean you "Should"?

If you are an IT person working for someone else (i.e. not self-employed), and you haven't sat down (or consulted with) someone in a legal and/or financial role in your organization, I strongly recommend you do so before embarking on any effort to track and report inventory of any kind.  I cannot stress that enough.

Even if you are self-employed, talk to an accountant or legal advisor about whether you need to track thigns, and what to track.

Some questions to ask:

  • What are the tax implications?  
  • What are the support contract and cost implications?  
  • What are the regulatory compliance implications?  
  • What are the IT support implications?  
Did you notice I put IT last in the list?

From my experiences, most businesses track more than they need to, and ignore things they shouldn't ignore as well.

Ah, Yes:  Software

Just when the folks feel good about their grasp of tangible hardware inventory, we open the gates and let the starving lions and alligators into the arena:  software licensing.

Definition:  Software = "the programs that run on a computer and perform certain functions" - Merriam-Webster's Dictionary

What does that mean?  What is a program?  Is that Microsoft Word?  Is that the Snipping Tool or Narrator feature?  Is that .NET Framework 4.5?  Is that Java Runtime?  Is that a DLL or COM file?  Is it a locally stored App-V or ThinApp reference?  Is that a shortcut to a MED-V or remote VDI resource (desktop or application)?  Is that a URL to a web application?  What is it?

What does that mean?

If you query a computer for what software it has installed, where do you begin?  Does it all exist in the Control "Add or Remove Programs" list?  Usually.  But not always.  How about crawling through that icky Registry?  More stuff, sure, but is it easy to parse and understand?  Hmm.  How about crawling the good old file system and parsing through EVERY SINGLE FILE that is known to have an executable capability?

The answer is yes.

Configuration Manager, and products similar to it, often dissect a computer from many angles.

This includes files, folders, the Registry, and my personal favorite: WMI.  Slithering through the various CIM repository stacks can yield all sorts of juicy bits of data about hardware and software.

But... Is this really what you're after?

So you have a product installed.  Now what?  Does that constitute a 'license'?  What is a license?  What kind of license is it?  Per-machine?  Per-user?  Per-CPU?  Per-network?  Per-domain or site?  Per-company?  Open Source?  What?  And what about FlexLM type licensing, where the node doesn't matter as much as the total, concurrent usage limit?

If you have the option to use floating/network licensing for groups of similar products, I always recommend that option if you can afford it.

Software Licensing Audits

If you've ever witnessed a license audit from an external investigation, it's not fun.  They tend to come in one of two flavors:  Vendor and BSA.  If the vendor audits you, that's good.  They want to keep your business, so they will try to negotiate terms to help avoid losing your business, if possible.  If the BSA, or another third-party entity, comes knocking, swallow whatever pills you have left and take a deep breath.  It may very well be an unpleasant experience, as they are paid by levied penalties and have no need to retain your business.

So, while you can get sloppy about hardware inventory, I would not recommend you take the same light-hearted approach to software inventory.  I've seen "settlements" applied that nearly ended a business due to the costs, but thankfully, in none of those situations was I aware or implicated of the neglect prior to the doors getting kicked down.  Don't be one of those businesses.

Okay, so that covers a bit of hardware and software.

Simple as multivariate Calculus and molecular bonding, and clear as mud.

Are you starting to drink yet?  You will.

Summary

If anyone says there is, or should be, "one inventory source" to answer all of these questions, they are brain damaged or stupid.  The desire is noble.  The reality is clear: a singular source of "authoritative" inventory data is impossible.  It has to be derived and reconciled from multiple angles.

Think about that every time you're walking through CostCo, Sam's Club or BJ's and you see a clerk scanning shelves to do "spot check inventory".  If there was one system to track and verify all of it, that wouldn't be required.

Every time I sit in a meeting where some vendor comes in to pitch some magical product to report all of their inventory without any outside help, I look at my shoes, smile and think about my next alcoholic beverage, saying to myself "here we go again..."




Post a Comment