When do we know if our inventory is complete?
A question I’m often asked by customers is “How do I know if I’ve inventoried all the relevant assets on our network?”
The answer, somewhat frustratingly, is “it depends!”
It’s not the nicest answer to have to give, but it’s a fair one, since determining whether you’ve inventoried all the IT assets on a network actually requires both a number of steps and a conscious decision on what’s an acceptable ‘hit rate’.
That’s not to say it’s a question best not asked. Far from it. Relying on an incomplete picture of hardware and software assets can lead to bad decision making and potential risks (financial, compliance and security).
So, although a tricky question, it’s also an essential one. My advice to organizations is that in order to find the answer, they need to address the three key requirements highlighted below:
- Create a definitive list of all relevant systems and platforms to be included in the inventory
- Verify that all the assets identified above are being inventoried in some way (not necessarily all the same way)
- Check that the number of assets being reported on each platform matches the expectation of what should be there
To look at each of these points in a little more detail:
- Definitive asset list: In large organizations, different systems will be the responsibility of multiple stakeholders. It is important the SAM manager both identifies and ‘befriends’ these stakeholders so that he or she can consolidate many different systems into a single asset repository. Some systems might be considered ‘out of scope’ for a given project, and where this is the case it should be recorded as part of the SAM project management plan.
- Verify assets are being inventoried: Multi-platform networks introduce greater challenges when it comes to inventory, as different clients and scanning technologies will be required according to what types of platform are in use. For example, the client agent sat on a Windows PC isn’t going to work on a Linux server – and many inventory solutions are incapable of accurately auditing virtualized assets. As such, it is important to map all the platforms identified in step 1 against an appropriate inventory or audit technology. Some audit solutions like Snow Inventory offer a range of clients designed to capture information from a wide variety of platforms and operating systems. Others are not so flexible and so it is not uncommon for organizations to require multiple audit solutions. Where multiple inventory solutions are used, thought must be given to how to consolidate the data from these disparate systems into a single asset repository (something solutions like Snow License Manager do very well – normalizing all software audit data along the way).
- Check everything is being audited: This is potentially the most difficult stage. As the old saying goes, “you don’t know what you don’t know!” If your inventory solution tells you it has audited 856 devices in a given location, how do you know if that’s ALL the machines in that location or whether any have been missed? There are, of course, a number of ways to ascertain whether the audit is complete. Historically, organizations may have had to go as far as to conduct a ‘walk round’ audit, physically counting the number of machines in each location and then cross-checking this against the reported inventory information. It’s a slow and expensive solution. A more cost effective way would be to cross-check the inventory against a second source of data. To address this, Snow recently introduced ‘Active Directory Discovery’ into its Snow License Manager solution.
Given that Active Directory should (in a well-maintained network, at least!) contain a list of all the devices on a given domain, it should provide a highly accurate reference point for the inventory information.
Where a device identified in Active Directory is not present in an inventory, it suggests that perhaps not every device on the domain has had a client deployed to it, or perhaps that client is not able to successfully report back to the inventory server, or even the machine may have been retired without Active Directory being updated.
Whatever the cause, it needs investigation. Where a machine is discovered by the inventory solution but not included in Active Directory, that suggests the Active Directory information isn’t being well maintained, and that’s a discussion for another day and another blog post!
Ultimately, the point at which an organization says ‘we’ve got everything’ is actually something of a judgment call and should ideally be included in the parameters of the SAM project plan (we often see plans with a target coverage rate of 95-98% of total devices, for example).
That said, by following the three steps highlighted above, there is no reason that even organizations with complex IT infrastructures should not have confidence that their inventory repository is as accurate as could be realistically expected.
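The Active Directory cross-check and coverage target described above can be sketched as a small reconciliation script. This is an added example, not Snow's implementation: the CSV column names, the 90-day staleness threshold and the sample hosts are assumptions, and the data is constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports; column names are assumptions, not a Snow format.
AD_CSV = """Name,LastLogonDate
WS-001,2024-05-28
WS-002,2024-05-30
ws-003.corp.example,2024-05-29
SRV-DB01$,2024-05-31
WS-OLD9,2023-11-02
"""
INV_CSV = """Hostname
ws-001
WS-002.corp.example
srv-db01
LAB-KIOSK7
"""

def norm(name):
    """Fold case, drop a trailing '$' (sAMAccountName) and any DNS suffix."""
    return name.strip().lower().rstrip("$").split(".")[0]

def reconcile(ad_csv, inv_csv, today, stale_days=90):
    ad = {norm(r["Name"]): date.fromisoformat(r["LastLogonDate"])
          for r in csv.DictReader(io.StringIO(ad_csv))}
    inv = {norm(r["Hostname"]) for r in csv.DictReader(io.StringIO(inv_csv))}
    cutoff = today - timedelta(days=stale_days)
    absent = set(ad) - inv
    # Recent logon in AD but no inventory record: client not deployed,
    # or deployed but not reporting back to the inventory server.
    no_agent = sorted(h for h in absent if ad[h] >= cutoff)
    # No recent logon: probably retired without AD being updated.
    stale = sorted(h for h in absent if ad[h] < cutoff)
    # Inventoried but unknown to AD: the AD data itself needs attention.
    not_in_ad = sorted(inv - set(ad))
    # Assumption: stale AD objects are excluded from the coverage denominator.
    active = len(ad) - len(stale)
    coverage = 100.0 * (active - len(no_agent)) / active if active else 0.0
    return {"no_agent": no_agent, "stale_in_ad": stale,
            "not_in_ad": not_in_ad, "coverage_pct": round(coverage, 1)}

if __name__ == "__main__":
    result = reconcile(AD_CSV, INV_CSV, today=date(2024, 6, 1))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("meets 95% target:", result["coverage_pct"] >= 95.0)
```

Normalizing host names before comparing matters here: without it, the same machine reported as `SRV-DB01$`, `srv-db01` and `WS-002.corp.example` would show up as a false gap in both directions.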