Balaji Ramadoss has more than 8,000 IP assets to account for, but, unlike most of his peers, keeping track is literally a matter of life and death.
IT asset management, or ITAM, is a critical task in most large organizations. Administrators need a way to account for every piece of hardware on their network, ensure that all software is properly licensed, identify rogue devices and applications, and address potential security vulnerabilities.
ITAM applications can alleviate the burden of these tasks, but most ITAM applications adversely affect network performance when they are doing their census. And sluggish performance is simply not acceptable when the network in question is responsible for maintaining life-saving equipment at peak operating efficiency.
As the director for IT and standards at Tampa General Hospital, Ramadoss is responsible for ensuring that every piece of hardware is properly accounted for, as well as in compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act).
All 120 members of Ramadoss’ team are also responsible for security, something he was shocked to discover is not the case with his peers. “Everyone [in IT] has to be responsible for security,” he said.
Ramadoss and his team identified the need for an ITAM solution, but decided to go with an agentless system that would not be a drain on the network.
They ultimately decided on SecureFusion, an agentless IT application suite from Gideon Technologies. Ramadoss began implementing SecureFusion across the rest of his network in July 2008 as part of a phased implementation process that will encompass hardware and software asset discovery, network drive security, policy enforcement, configuration management, and vulnerability management.
The hospital runs Dell equipment in a Windows environment and is investing heavily in virtualization technology from VMware.
Getting Buy-in
Many large-scale IT projects founder, running up against turf battles and budget cuts. Ramadoss ensured himself organizationwide buy-in, and the budgetary freedom he needed, by defining the project’s overarching goals and framework.
“Setting up a strategy is a first step,” he told eWEEK.
Ramadoss then listed the tools that were needed to meet that framework and did an inventory of the tools already being used.
The hospital was using bar-coded equipment and SMS to get updates, clearly not a sophisticated enough solution to track 8,000 IP assets and handheld devices serving 950 beds and 5,000 employees, let alone compliant with stringent regulations such as HIPAA.
Ramadoss said he looked for a standard to adopt as a framework, either ISO (International Organization for Standardization) or NIST (National Institute of Standards and Technology). The fact that he picked NIST Standard 800-53 is incidental, but the act of using an accepted standard as the framework for the project allowed him to get buy-in for the entire scope of his project. Every resource he uses and every expenditure he makes are predicated on attaining a level of compliance that has been vetted by senior management.
Ramadoss also plans to co-opt current management practices in later implementation stages of SecureFusion. Currently, director-level managers meet to review Web-based vulnerabilities and report back on their remediation steps during subsequent meetings.
When Ramadoss implements the vulnerability assessment portion of the SecureFusion application, those managers will have access to a portal that will produce reports customized for each department and will incorporate findings from those reports into their security meetings.
Ramadoss still isn’t taking any chances: he won’t apply the tool to the subnet serving those assets until he’s finished testing the impact SecureFusion has on biomedical devices in laboratory conditions.
What You Don’t Know Can Hurt You
In the meantime, though, the agentless characteristic of the SecureFusion application suite appealed to Ramadoss for several reasons. It has a minimal impact on the network and, said Ramadoss, it allows him to discover assets he otherwise wouldn’t know exist, such as rogue devices and improperly licensed or risky software.
“It goes and pings the box itself and finds standard MAC [media access control] addresses,” he said.
SecureFusion also allows Ramadoss to blacklist certain IP ranges (those corresponding to the biomedical devices) to protect the network until he’s certain that the process won’t impact performance.
Including biomedical equipment in the asset discovery process will be the second phase of the SecureFusion implementation; next, his team will use SecureFusion to identify and remediate security vulnerabilities, followed by policy and process management.
To cost-justify the expenditure, Ramadoss argues that SecureFusion software management tools will help the hospital reduce licensing costs, and that the product itself is less expensive than a battery of point solutions “that are not completely configured.”
His trump card, though, is that “I’m staying in business by being HIPAA-compliant.”