Why Software Identification is Critical for Software Automation – A TagVault.org Webinar Series
Everyone today struggles with their software portfolio. Organizations must deal with shifting priorities, ever-changing organizational structures, and changing platform requirements while being attentive to the security, compliance and logistics management needed to support the organization. This can make IT management difficult and costly.
For your software portfolio, the solution is for authoritative and standardized self-identifying data to be provided to IT groups for all software titles and to the tools that manage the portfolio. The benefit is that your software portfolio is easier to manage across the board, saving the organization time and money and allowing management to better support IT staff in prioritizing core IT operations.
This webinar will explore the value of a standards-based approach to improve software identification and outline industry efforts to align on a consistent implementation of standards to accelerate the benefits to the market. These efforts will increase the automation capabilities for security, compliance, and logistics requirements, among other IT operations, and the webinar will cover how this benefits your organization. If you work as a software publisher, reseller, or tool provider, or are in an IT position where software management and IT automation are important, this webinar is meaningful to you. Don’t miss out on this important global effort to ensure all products and publishers are providing SWID tags for all platforms, including virtual and cloud-based environments, and learn why you should get in at the ground floor.
To watch the replay of the webinar, click here.
FAQs from the Webinar:
1) The standard was released in 2009; why has it taken so long for tags to start making inroads with these large publishers?
There is always a chicken and egg problem with standards that are followed by one organization and utilized by another – who takes the first step? In this case, quite a few tool providers realized that SWID tags would improve their accuracy as well as lower their resource costs as they attempt to keep their catalogs up-to-date.
Once the tools provided support for SWID tags, software publishers needed to understand the value to them for implementation. Some vendors heard from their customers that support for SWID tags is a necessity, some looked in-house and were able to justify the change due to the fact that it would actually save them money.
Many large software publishers seem to have unlimited resources when viewed from the outside in. The reality is that large publishers have a tremendous number of items on the priority list that must be scheduled into their development cycles. Those items with the highest priority based on customer need, ability to sell more product, ability to sell into different markets, etc., are the items that end up above the cut-off line for development. It has taken time and a lot of energy to help publishers understand the cost/benefit of SWID tags, and then to see the heroes in those publishers work with management to effect change in the organization. The more information software publishers have from customers saying that this type of authoritative data is required for them to do an effective job of managing software, the higher the priority for inclusion in the publisher's work stream.
2) When do you expect certification requirements for SWID tags to be in place?
The expectation from TagVault.org is that we’ll have a document specifying the SWID Tag Interoperability Requirements (basically, the certification guide) completed by the time the revision to the 19770-2 standard is published. Since TagVault.org will be working with other organizations, such as member organization AnglePoint, to provide the certification process, the implementation of certification procedures is likely to be finalized by April of 2015. However, once the Interoperability Requirements document is complete, customers can use that as a requirement for their publishers to follow when creating and managing SWID tags for delivery with their products.
3) What is the government's interest in tags and why are they involved?
The US Government has an even more difficult time with software management than commercial industries do. This is because each and every separate government agency is effectively its own business with its own processes and tool implementations that are unique to that agency. Further, many of the tools purchased by the Federal Government are purchased based on a set of requirements, with the purchased tool being the one from the lowest-cost bidder. This results in numerous tools being used throughout the wide scope of the government and no ability to reconcile the data coming from all the tools, since each tool reports software discovery data slightly differently and with variable results.
Adding to the system challenges the US Government has, meeting the security requirements and securing the attack surface is simply a daunting task, and likely much more difficult to manage than in commercial organizations, simply due to the variety of approaches used in the different agencies.
Basically, the US Government has recognized that they absolutely require automation of their IT management systems if they are going to lower their IT costs and keep their systems secure. The first step in this process is to know exactly what software is installed on devices and work with software producers to get them to support real-time and active communications that allow for automated validation of issues such as patch installation.
Finally, the US Government has a tremendous amount of data available on configuration issues that cause software to be vulnerable to attack (the details are held in the Security Content Automation Protocol databases – SCAP for short). This data is extremely useful to improve the security posture for both governmental and commercial organizations; however, it cannot easily be linked to software discovered on devices, since there is no existing standard that ensures that authoritative data is coming from publishers and that the data is normalized. With SWID tags, the data from any discovery engine can be linked to information found in the SCAP databases to allow both government and commercial organizations to increase security without a huge increase in IT resource costs.
4) How long will it take for tool vendors to recognize the need for using SWID tags?
They already have, and most Tier 2 vendors already support the tags in some form or fashion. Many Tier 1 vendors like HP, Microsoft and IBM either already support SWID tags, or will in the near future.
5) Which IT management tools support SWID tags today?
Let’s leave this one off for the time being… I think we’ll work some marketing $’s around these efforts instead of giving the information out for free. Ideas being developed now, will get you some details in a couple of weeks.