Taking Inventories to the Next Level - Reconciliation and Triangulation
We know it is important to have good inventories across all of the assets we care about in an enterprise. For security purposes this is, of course, essentially everything.
You should constantly reconcile the inventory (what you expect) with reality (what you have). Even if your inventory approach is mostly to discover assets (in which case it will match, because you just "discovered" your reality), you will still want some additional basis or system of record to know whether what is discovered is good or not; that could be your first reconciliation.
There is much we can learn from other professions who have to deal with making sure representations of reality match actual reality, for example: product warehousing, accounting, financial risk management, supply chain management and so on.
It’s one thing to have and use your inventories to keep matters under control. But the real strategic value of inventories, directories, ledgers or other systems of record is what to do when you have several of them and make them work together. That is, you can reconcile between them, and the benefits of such reconciliations scale super-linearly the more inventories you bring into play. Let's discuss what we mean by reconciliation (although I suspect it might be obvious). In the worlds of accounting, stock and other management it is important to reconcile or compare key fields and counts between inventories to spot discrepancies. Such discrepancies could be sources of error in one or more of the inventories / systems of record which could be a signal of broken processes, human error or more malevolent causes.
The typical way to do this (and I'm simplifying a lot) is for some process that sits between two systems of record to work through and cross-check various reference fields and counts. Think about reconciling the record of your bank transactions (on-line or manual) with your actual bank account, checking warehouse inventory versus stock records, or manufacturing component counts to product output and product specifications.
Some disciplines call this triangulation because the reconciliation is done in a third system. That third system may reconcile between more than two systems of record at a time. The implementation of this could be as simple as a business intelligence analytic system through to more complex scenarios developed in large-scale data warehouses or custom-built systems.
Now, imagine doing this at scale across all the inventories you have: you can assert some conditions or ask some interesting questions. Even the very simple ones shown below can yield some interesting results.
If the answers to these questions are surprising in any way then you’ve got multiple lines of inquiry to follow that span both sides of the reconciliation. Let's use the example of "Applications must run on known systems or be contained in authorised container registries". A discrepancy here could be applications that don’t run on systems in your inventory, in which case: where are they running, and what’s wrong with your system inventory? You can also look for the reverse: are there any systems that aren’t running anything in your application inventory? In which case, what is running on them, and if nothing, why aren't they decommissioned? The root causes here could be dubious data quality in one or both of the inventories, a race condition caused by different update frequencies, a mismatch in the semantics of the reference fields, or an actual problem of unmanaged systems or applications hosted in places your infrastructure doesn’t know about. Whatever it is, you'll want to know and then fix it.
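As an added illustration (not part of the original article, and using constructed sample inventories), here is a minimal two-way reconciliation for the "applications must run on known systems or come from authorised registries" rule. It includes a normalisation step for the reference-field semantic mismatch mentioned above (hostname case and short names versus FQDNs), since that is the most common reason a naive join reports false discrepancies.

```python
"""Two-way reconciliation of an application inventory against a system
inventory. Added example with constructed data; not the article's own code."""

# Constructed sample records. In practice these come from two systems of record.
APP_INVENTORY = [
    {"app": "payroll", "host": "srv-01.corp.example"},
    {"app": "crm", "host": "SRV-02.corp.example"},         # case differs from CMDB
    {"app": "batch-etl", "host": "srv-09"},                # short name, no domain
    {"app": "legacy-ftp", "host": "srv-77.corp.example"},  # host unknown to CMDB
    {"app": "api-gw", "image": "registry.corp.example/api-gw:1.4"},
    {"app": "scraper", "image": "docker.io/someone/scraper:latest"},
]
SYSTEM_INVENTORY = [
    {"host": "srv-01.corp.example", "owner": "fin"},
    {"host": "srv-02.corp.example", "owner": "sales"},
    {"host": "srv-09.corp.example", "owner": "data"},
    {"host": "srv-40.corp.example", "owner": "unknown"},   # runs nothing we know of
]
AUTHORISED_REGISTRIES = {"registry.corp.example"}          # assumed policy value
DEFAULT_DOMAIN = "corp.example"                            # assumed naming convention


def normalise_host(name: str) -> str:
    """Align reference-field semantics: lower-case and qualify short names."""
    name = name.strip().lower()
    return name if "." in name else f"{name}.{DEFAULT_DOMAIN}"


def reconcile(apps, systems, registries):
    """Return discrepancies in both directions between the two inventories."""
    known = {normalise_host(s["host"]) for s in systems}
    claimed = set()  # hosts the application inventory says are in use
    findings = {"app_on_unknown_host": [], "app_from_unauthorised_registry": []}
    for a in apps:
        if "host" in a:
            h = normalise_host(a["host"])
            claimed.add(h)
            if h not in known:
                findings["app_on_unknown_host"].append(a["app"])
        elif "image" in a:
            registry = a["image"].split("/", 1)[0]
            if registry not in registries:
                findings["app_from_unauthorised_registry"].append(a["app"])
    # Reverse direction: systems the application inventory never references.
    findings["host_running_nothing"] = sorted(known - claimed)
    return findings


if __name__ == "__main__":
    for rule, hits in reconcile(APP_INVENTORY, SYSTEM_INVENTORY,
                                AUTHORISED_REGISTRIES).items():
        print(f"{rule}: {hits}")
```

Each non-empty finding is a line of inquiry on one side or the other: an unknown host points at either the system inventory or an unmanaged system, and an idle host points at either the application inventory or a decommissioning gap.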
Finally, as we all progressively move to a world of infrastructure as code where reality is delivered according to policy, you could legitimately ask: do we still need inventories and reconciliation? In one sense, maybe not, because you just “printed” that infrastructure and all the associated configuration, and if you’ve done it well you have high assurance that what is in your environment is what you stipulated it to be. However, I’d argue that you absolutely should still do this, because you need a check and balance on your control plane and you need to monitor for the consequences of attacks against the run-time, but that might be another article for another day.
Bottom line: inventories are critical, but to get strategic value from them you need to connect them together through an n-way reconciliation process. Then you can start to ask some really interesting questions.