Ghost assets are scarier than you might think: Part 1
This post is part of a three-part series on ghost assets.
The vast majority of IT environments are haunted. Large-scale infrastructures, by virtue of their operational requirements, value high capacity and high availability over asset management. This inevitably means there are ghost assets lurking in most environments — devices whose purpose withered and passed on some time ago, but were not removed or repurposed. Still plugged in and probably connected to a network, they serve no material business purpose. They simply absorb space, power, and resources. A recent article on InfoWorld rightly points out that decommissioning ghost servers saves money on utility bills and datacenter space. However, these wraiths also embody a much more serious risk: software and regulatory compliance exposure.
Ghost in the machine
This post will refer to ghost assets rather than just servers. This term encompasses hardware, software, maintenance value, as well as any supporting systems that might be needlessly consumed by assets that no longer make a meaningful contribution to an IT environment. Power management, facilities maintenance, middleware, storage, backup, and disaster recovery are all secondary resources consumed by a ghost that add to its overall cost. But when ghost assets negatively impact compliance, the cost they represent increases exponentially.
These eidolons generate a wide variety of financial risks to an organization, such as:
1. Manufacturer compliance risk
Licenses that originally covered ghost assets might have been reallocated to other systems under the mistaken impression that the ghost assets are no longer in use. But in an audit, there is no exemption for ghost assets. Large enterprises usually have volume licensing contracts containing specific terms that override the normal end-user license agreements. These agreements might have restrictions on the usage and redeployment of existing licenses that wouldn’t be apparent prima facie. Risk is compounded in this case, as multiple products from multiple manufacturers are not only over-deployed, they are deployed in violation of use rights.
2. Overspending risk
Nearly as undesirable as being under-licensed, ghost assets can just as easily trigger overspending on software. Since organizations forget about these assets, they make new purchases when they could have just as easily repurposed existing assets.
3. State and federal regulatory risk
In some verticals, these phantoms can have a substantial effect on regulatory compliance with governing structures like the SEC and HIPAA, and the fines imposed for non-compliance are considerable. For example, ghost assets that don’t receive the appropriate software patches, security updates, virus definitions, firmware upgrades, etc. might violate regulatory requirements related to the privacy and security of personal information. If a ghost asset could be used to circumvent security measures and access sensitive data, it constitutes a significant–and completely unknown–regulatory risk.
4. Security and vulnerability risks
From a security perspective, these devices risk exposure in many ways. Are they Internet accessible? Are they behind the same firewalls and network security layers as the rest of the environment? Is sensitive data accessible through them? Could a ghost asset also be a back door to the underworld? These factors could cause serious security risks for any organization.
5. Accounting and company valuation
Ghost assets and the value of the software on them can significantly affect the accuracy of calculations related to Sarbanes-Oxley compliance, insurance valuation, and tax reporting. Ghost assets represent significant financial value; enough of them will skew company valuations, making them appear to be worth less than they are. Many organizations with ghost assets have discovered they haven’t acquired sufficient insurance, filed inaccurate tax returns, etc.
These are just some of the risks organizations face when allowing phantoms to live within their IT departments. Make sure to check back for the second part of this series, which will discuss the most common ways these apparitions arise.