The 2015 revision of the SWID tagging standard has been in development for a number of years. The primary focus was threefold: first, to ensure that SWID tag data can be interpreted and used efficiently by software purchasing organizations and their tools; second, to ensure that software publishers can create SWID tags in a scalable manner that works in as many different software environments as can be imagined; and finally, with the full expectation that software will change over time, to make the standard flexible enough to carry extended information from software publishers as required.
The revision to the standard was published on Oct 1, and even prior to publication, tools were already supporting it (WiX, the Windows installation toolset supported by FireGiant, in particular seems focused on its customer, the software publisher, and on the benefits of standards as they apply to that customer).
This revision is in line with the changes being made to the software entitlement standard (19770-3), which should be published in the relatively near future. Everyone in the industry is looking forward to a time when software asset management can be handled in a much more automated manner, and both the SWID and Software Entitlement standards are focused on that effort. Anyone who’s looking to integrate tools into their IT infrastructure will benefit if they validate that their vendors fully support these ISO standards.
To get a copy of the standard, go to the ISO webstore (http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=65666), or to your local national standards body to review the abstract and to buy a copy.
The Trusted Network Connect (TNC) is an open architecture for Network Access Control as defined by a working group of the Trusted Computing Group (TCG). On the 3rd of August, 2015, TCG published the document, “SWID Message and Attributes for IF-M”. The description of this as written on the TCG/TNC blog –
The Trusted Network Connect (TNC) Work Group defines an open solution architecture that enables network operators to enforce policies regarding endpoint integrity when granting access to a network infrastructure. Software Identification tags (SWID tags) are XML documents that identify a specific software product.
Organizations interested in learning more about how SWID tags are used within the TNC architecture can go here to get more information – http://www.trustedcomputinggroup.org/resources/tnc_swid_messages_and_attributes_for_ifm_specification
NIST is working on an internal report (NISTIR) focused on the guidelines for the creation of interoperable Software Identification (SWID) Tags. This publication is focused on how SWID tags will be used from an operational perspective and provides a number of use cases focused on end-user scenarios. The overarching goal is to ensure that publishers understand end-user requirements to ensure SWID tags can provide the data required to automate IT Administrative processes that today are largely manual.
The report is focused on both Cybersecurity and Software Asset Management requirements.
The report can be found here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060
NIST is looking for your help! Please review the document and provide your feedback on how these requirements meet your operational needs, or if there are requirements or scenarios that are not yet defined that should be added to the document – let them know!
Comments should be sent to NISTIR8060firstname.lastname@example.org – with the subject “Comments Draft NISTIR 8060”. Comments should be provided by August 7, 2015.
The ISO/IEC 19770-2 standard that defines the structure of SWID tags has taken a major step forward. The document went through its final review with all the participating countries and achieved unanimous approval.
With such strong country and organizational support behind the revision, the document has moved forward to the publication phase. At this point, ISO editors take over and ensure that t’s are crossed, i’s are dotted and that the document meets the editorial requirements specified by ISO/IEC.
The revision is a relatively major one and addresses scalability issues that limited software vendors from fully embracing the 2009 version. The way those scalability issues were addressed also improves the ability of tool vendors to consume and interpret the data.
Additionally, changes were made to the location where SWID tags are installed. These changes make it easier for software vendors to integrate tags into their solution regardless of the installation model they choose. The revised standard indicates that the SWID tag will be located in a directory named “swidtag” in the same directory tree as the product’s installation directory. This accommodates copy installs, web components and other sandboxed software installs, and installations by systems that might otherwise be restricted from writing to the common system locations specified in the 2009 revision.
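The location rule just described, turned into a small discovery and parsing routine, as an added example (this is not code from the original page, from TagVault.org, or from any tool the page mentions). It assumes the 2015 schema namespace, a `SoftwareIdentity` root element with `name`, `tagId` and `version` attributes, `Entity` child elements, and the `.swidtag` file extension; the install tree and the tag it contains are constructed in a temporary directory so the script runs offline. It also shows the two failure modes an inventory tool has to tolerate: a stray `.swidtag` file outside a `swidtag` directory (ignored) and a malformed tag file (skipped rather than aborting the scan).

```python
"""Locate and parse ISO/IEC 19770-2:2015 SWID tags stored in a 'swidtag'
directory inside a product's installation tree (added example, not from the
original page). The schema details below are assumptions about the 2015 revision."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed 2015 schema namespace and the directory name the revision specifies.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
TAG_DIR = "swidtag"

# Constructed sample tag for a fictional product; not any real vendor's tag.
SAMPLE_TAG = """<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{ns}" name="Example Editor"
    tagId="example.com-Editor-2.1.0" version="2.1.0" tagVersion="0"
    corpus="false" patch="false" supplemental="false">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>
"""


def find_tag_files(install_root):
    """Yield every .swidtag file that sits directly inside a 'swidtag' directory."""
    for dirpath, _dirnames, filenames in os.walk(install_root):
        if os.path.basename(dirpath) != TAG_DIR:
            continue  # a .swidtag file anywhere else is not where the revision puts it
        for fn in sorted(filenames):
            if fn.lower().endswith(".swidtag"):
                yield os.path.join(dirpath, fn)


def parse_tag(path):
    """Return the identity fields of one tag, or None if the file is not a usable tag.

    Tags harvested from machines you do not control are untrusted XML; production
    code should parse them with defusedxml to block entity-expansion attacks."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None  # malformed file: skip it, do not abort the whole scan
    if root.tag != "{%s}SoftwareIdentity" % SWID_NS:
        return None  # wrong root element or namespace: not a 2015 SWID tag
    entities = [
        {
            "name": e.get("name"),
            "regid": e.get("regid"),
            "roles": (e.get("role") or "").split(),  # role is a space-separated list
        }
        for e in root.findall("{%s}Entity" % SWID_NS)
    ]
    return {
        "name": root.get("name"),
        "tagId": root.get("tagId"),
        "version": root.get("version"),
        "patch": root.get("patch") == "true",
        "entities": entities,
        "path": path,
    }


def inventory(install_root):
    """Collect every parseable tag under an installation tree."""
    return [t for t in (parse_tag(p) for p in find_tag_files(install_root)) if t]


def build_demo_tree():
    """Create a constructed install tree: one tagged product, one stray tag, one broken tag."""
    root = tempfile.mkdtemp(prefix="swid-demo-")
    tagged = os.path.join(root, "Example Editor", TAG_DIR)
    os.makedirs(tagged)
    with open(os.path.join(tagged, "example.com-Editor-2.1.0.swidtag"), "w") as fh:
        fh.write(SAMPLE_TAG.format(ns=SWID_NS))
    with open(os.path.join(tagged, "broken.swidtag"), "w") as fh:
        fh.write("<SoftwareIdentity")  # truncated XML, must be skipped
    stray = os.path.join(root, "Untagged App", "bin")
    os.makedirs(stray)
    with open(os.path.join(stray, "stray.swidtag"), "w") as fh:
        fh.write(SAMPLE_TAG.format(ns=SWID_NS))  # not inside a swidtag dir, must be ignored
    return root


if __name__ == "__main__":
    for tag in inventory(build_demo_tree()):
        print(tag["tagId"], tag["name"], tag["version"], [e["regid"] for e in tag["entities"]])
```

Run as a script it prints the one valid tag from the constructed tree; the stray and broken files produce no output. Keying the result on `tagId` rather than on `name` is deliberate, since the tag identifier is the field a tool is meant to match on across systems.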
You can download and review the XSD for this revision from ISO – http://standards.iso.org/iso/19770/-2/2015-current/schema.xsd.
You may also be able to download a NIST document that discusses usage scenarios and guidelines for creating SWID tags here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060. Be aware, however, that the NIST document is currently available for public review and may be removed while the document is going through an editing process. If the link does not work, search for NIST-IR-8060.
NIST has released NIST-IR-8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags, for public comment. The following is the abstract from the document:
This guidance provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As instantiated in the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable.
Download the document here – http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060
The document will go through numerous rounds of public review, and this particular review period closes June 15th, 2015. I would encourage anyone who’s interested in learning about SWID tags, or knowing more about some of the usage scenarios, to download and read this document – if you find issues, please provide feedback to NIST.
TagVault.org is also working to develop a SWID Tag Interoperability Requirements document that will work in concert with the NIST-IR to make the development of SWID tags easier and more automated for software vendors while providing the data required in the NIST-IR. TagVault.org member organizations can be involved in the development efforts to create the document, which will be publicly available and which will form the requirements for any future certification requirements (note that certification will be optional and will generally be of interest to large software vendors who automate their software release process).
The Trusted Computing Group (TCG) has developed a number of standards around the Trusted Network Computing (TNC) architecture. The latest of these standards that’s open for public review is the SWID Message and Attributes specification. The review window is open until May 31, 2015.
This is a fairly vertically focused specification and will be primarily of interest if you understand, use, or develop products around the TNC architecture. The specification accommodates both the 2009 and the soon-to-be-published 2015 revisions of the ISO/IEC 19770-2 SWID specification.
SWID tags are gaining significant traction in the industry as IBM now deploys all their non-mainframe software with SWID tags, and Microsoft, Symantec and other large commercial entities are also deploying SWID tags with their software titles. SWID tags allow significantly more automation of organizational IT Asset Management, Security and Logistics processes, and will make these processes significantly more accurate and less costly to manage.
The web page provided above gives the details on how to download the specification and report any issues/problems you discover.
If your organization is using Trusted Computing Group (TCG) standards – especially those related to endpoint security standards, the TCG has published a new standard that defines how SWID tags will be used for endpoint protection.
The review period is open until May 31st, 2015. Download the standard and provide your feedback to TCG.
Scalable Software, Inc.
Overview of Company and Product
Scalable Software, founded in 2008, provides a unified, customizable product set that aggregates information from a variety of sources to present a coherent view of an organization’s investment in IT, including actionable intelligence, supported by industry expertise, to optimize that investment.
Hundreds of enterprise-class organizations worldwide rely on Scalable Software to optimize IT expenditure. Our customers’ changing needs inspire and challenge us; our employees’ and partners’ agility in meeting those needs is unparalleled.
Category of Software Supporting SWID Tags
Software Tools that create, manage and use SWID Tags
- Inventory and discovery tools
Product Name: Asset Vision
Server Operating Systems
- OS X
Client Operating Systems
- SQL Server, Oracle
- Client Operating Systems
- iOS, Windows, OS X, Linux
High Level Overview of Product
Asset Vision is purpose-built to help customers meet the cost optimization challenges of next-generation IT asset management, which stretch from mobile devices to the Cloud. Asset Vision is a tightly integrated modular SaaS product suite, with integrated Business Intelligence capability, which focuses on measurable outcomes. Information is enriched with such data elements as location data and end-of-life dates, and backed by a team of Scalable data researchers who ensure unprecedented data quality.
Asset Vision® Registry™ is designed to be the single source of truth for IT Assets. Integrate data from common sources of information such as SCCM, AD and ILMT and Asset Vision’s own integrated, class-leading discovery capabilities. Easily correlate the discovered information with imported procurement data such as Warranties, and Invoices.
Asset Vision® License Manager™ enables IT to prepare an accurate picture of license compliance. Asset Vision License Manager maintains license information imported from many sources. An upgrade-processing engine ensures all entitlements and use rights are correctly captured to ensure the maximum license position is used as the basis of license allocation and compliance reporting.
Asset Vision® – Optimize™ is the ultimate in software usage metering technology. It offers forensic-level usage analysis of traditional and virtual applications, virtual desktops, web/SaaS applications, and high-value server resources such as Oracle and SQL Server databases. Asset Vision Optimize can dramatically drive down IT costs by rapidly identifying those hardware and software assets that can be reconfigured, recycled, or retired.
A number of US Government agencies held a security automation conference in August to work through a variety of issues that are limiting the ability for agencies to track and compare how well they are handling security issues. The minutes from this meeting, though long, are worth a read as they detail quite a few areas where SWID tags will help support security automation efforts. Download the minutes and have a read.