ISO SAM Standard Talking Points

Exec Summary:

The 19770 family of standards provides a new way of addressing existing critical problems in two areas: IT management, where they enable the creation and management of lean, right-sized and effective infrastructures; and cybersecurity, where they enable accurate hardware and software inventory to be taken and up-to-date patch status to be managed and maintained.

These standards may or may not be appreciated by current SAM tool vendors, because they flatten the playing field when it comes to software recognition, handling vendor licensing entitlements and tracking usage. No longer will proprietary data be required.

Likewise, these standards may or may not be embraced by software vendors. In most cases, allowing customers to buy right, to true up easily and to know their license position immediately and automatically is beneficial to keeping customer satisfaction rates high. However, some software vendors prefer to manage licensing through a more audit-centric approach.

In both cases, customers documenting requirements for support of the SAM standards will move the industry towards adopting them.

The following are a few high-level talking points for organizations looking to understand how the SAM standards can benefit them.

Discussion Points:

There are three core scenarios covered below. Obviously, there is some overlap between these scenarios, and there are quite a few additional scenarios that would benefit from the use of the ISO SAM standards.

Software Asset Management (SAM)

  • Organizations need to know what software products are installed where (including at what revision/version/patch level) in order to manage these assets. Software ID (SWID) Tags (19770-2) identify what software products are found on a computer or device, including their relationship to other software components, who the publisher is, etc.
  • Organizations must be able to work with normalized data that is consistent across any IT tools used within the organization. Currently, most inventory and discovery tools use their own proprietary recognition catalogs to normalize to details that work for their tools but are not generally usable by other tools. By having vendors provide canonical details for software products, all IT tools will be working with the exact same data, and that data can be shared and utilized across different toolsets.
  • Utilization monitoring, reporting, and management (not just what is installed but how much it is being used or not used) is aided by Software ID (SWID) Tags (19770-2) and Resource Utilization Measurement (RUM) tags (19770-4). This enables scenarios such as right-sizing licensing, ensuring effective utilization of resources, and “pay by use” licensing scenarios.
  • Patch management is aided by knowing which endpoints have which software products (SWID tags) on them, which identifies potentially needed patches or updates. These can include feature updates but also critical security updates. SWID Tags paired with RUM data can provide unique identification for each asset, which could allow for automated patch management in scenarios where that is appropriate.

License Management / Reconciliation

  • SWID Tags (19770-2) identify what software is running on what endpoints.
  • Entitlement information structured according to the standard schema (19770-3), used in conjunction with SWID Tags, helps organizations “true up” what they are licensed to use against what they are actually using (either a surplus or a deficit relative to the licensed count).
  • This helps greatly with audit and compliance work, which can otherwise be extremely manual and time-consuming.

Cybersecurity endpoint threat monitoring

  • SWID tags (19770-2) augmented with authoritative file manifests from the publisher provide a more complete picture of not only THAT a software product is installed on a computer or device (network endpoint) but also WHAT that product contains in sufficient detail to aid in threat assessment.
  • Publishers can associate SWID Tags with their provided full file manifest (including file hashes for integrity verification) of the files which should be present.
  • This helps in security endpoint monitoring, as the “known good” file list can significantly shrink the full list of files found on an endpoint that need to be analyzed for potential vulnerability.
  • This also enables critical security patch management scenarios.
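The "known good" filtering described in the bullets above, carried through in code: a SWID tag whose Payload lists the publisher's files with SHA-256 hashes is used to sort what is found on an endpoint into verified, modified, missing and unlisted files, leaving only the last two groups for further analysis. This is an added example written for these talking points, not code from the document, from ISO, or from any SAM or endpoint-security product. The tag is a constructed sample shaped like a 19770-2:2015 SoftwareIdentity with Directory/File elements; the publisher's files and the endpoint's files are constructed byte strings, and the product, regid and paths are made up.

```python
"""Endpoint file-integrity check driven by a SWID tag's file manifest.

Added example for the ISO SAM talking points; not code from the document,
from ISO, or from any SAM or security product. The SWID tag is a constructed
sample shaped like an ISO/IEC 19770-2:2015 SoftwareIdentity whose Payload
carries Directory/File elements with SHA-256 hashes. All file contents are
constructed byte strings.
"""
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed: the files the publisher ships, keyed by path under the install
# root. Their hashes are what the manifest below carries.
GOOD_FILES = {
    "example-editor/editor.bin": b"\x7fELF constructed editor binary 4.2.0\n",
    "example-editor/README.txt": b"Example Editor 4.2.0\n",
    "example-editor/plugins/spell.so": b"constructed spell-check plugin\n",
}

# Constructed: what is actually present on one endpoint.
ENDPOINT_FILES = {
    "example-editor/editor.bin": GOOD_FILES["example-editor/editor.bin"],       # intact
    "example-editor/plugins/spell.so": b"constructed spell-check plugin, altered\n",  # modified
    "example-editor/plugins/extra.so": b"constructed file never shipped by publisher\n",  # unlisted
    # README.txt is absent on the endpoint, so it is reported as missing
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_element(rel: str) -> str:
    """One manifest <File> entry (name, size, SHA-256) for a shipped file."""
    data = GOOD_FILES[rel]
    base = rel.rsplit("/", 1)[1]
    return f'<File name="{base}" size="{len(data)}" SHA256:hash="{sha256_hex(data)}"/>'


def build_tag() -> str:
    """Constructed SWID tag whose Payload is the publisher's file manifest."""
    return f'''<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Example Editor" version="4.2.0" tagId="example.com-example-editor-4.2.0" tagVersion="0">
  <Entity name="Example Corp" regid="example.com" role="softwareCreator tagCreator"/>
  <Payload>
    <Directory root="/opt" name="example-editor">
      {file_element("example-editor/editor.bin")}
      {file_element("example-editor/README.txt")}
      <Directory name="plugins">
        {file_element("example-editor/plugins/spell.so")}
      </Directory>
    </Directory>
  </Payload>
</SoftwareIdentity>'''


def parse_manifest(xml_text: str) -> dict:
    """Flatten the Payload's nested Directory/File tree into rel-path -> sha256 hex."""
    files = {}

    def walk(elem, prefix):
        for child in elem:
            local = child.tag.split("}", 1)[1]          # strip the namespace
            if local == "Directory":
                walk(child, prefix + child.get("name") + "/")
            elif local == "File":
                files[prefix + child.get("name")] = child.get(f"{{{SHA256_NS}}}hash", "").lower()

    walk(ET.fromstring(xml_text).find(f"{{{SWID_NS}}}Payload"), "")
    return files


def hash_tree(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def classify(manifest: dict, observed: dict) -> dict:
    """Sort endpoint files into verified / modified / missing / unlisted.

    Only 'modified' and 'unlisted' need further analysis; the rest are
    fully explained by the publisher's known-good manifest.
    """
    report = {"verified": [], "modified": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        if rel not in observed:
            report["missing"].append(rel)
        elif observed[rel] == expected:
            report["verified"].append(rel)
        else:
            report["modified"].append(rel)
    report["unlisted"] = sorted(set(observed) - set(manifest))
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:       # stand-in for the endpoint's install root
        for rel, data in ENDPOINT_FILES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_bytes(data)
        for status, paths in classify(parse_manifest(build_tag()), hash_tree(Path(tmp))).items():
            print(f"{status:9s} {paths}")
```

A manifest is only as trustworthy as the tag it came from, so in practice the tag's provenance (its signature, or the channel it was obtained through) is checked before its hashes are treated as known-good; the classification then gives the monitoring tool a much shorter list (the modified and unlisted files) to look at than the full contents of the install directory.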