Talk to anyone in IT who has to deal with software discovery and identification issues and you will quickly discover a number of things:
- Accurate software identification information is difficult to impossible to collect
- Many IT processes rely on accurate identification information to function properly
- When an organization has more than one discovery tool (and most do), reconciliation between tools is difficult, expensive and time consuming
Another issue that regularly comes up:
- IT managers are frustrated by the expectations put on them for security and compliance processes when they don’t have the data they require to do the job properly
Imagine being sent into a china shop blindfolded and asked to find a particular model of plate from a particular manufacturer, count all the inventory of that model, and bring eight of them up to the front counter. IT managers are placed in this type of position on a regular basis.
If you don’t believe there is a problem with existing tools, take a look at this whitepaper that analyzes the problem with a specific focus on current and very popular software titles.
Enter the Normalized SWID tag
Now imagine that you can go into that same china shop without the blindfold. You can see the signs hanging from the ceiling identifying the sections for different manufacturers. You can see the plate models placed in alphabetical order, and you can identify the plates that are stacked as well as those still in their boxes. This is what SWID tags do for software inventory: they change an opaque or even obscured view into actionable data.
SWID tags provide numerous benefits to everyone in the software market, from the ISVs that create and sell the software to organizations providing services to the end-user organization.
By allowing the publisher to define an authoritative name for a software product along with the various other artifacts that can be included with a SWID tag, every system that touches the software after it is delivered from the development team benefits.
- Tag Producers
  - ISVs will have a more consistent method of relating the released software to software entitlement, help desk, software catalogs, and more.
  - Tag Service providers will have a repository of names and values that can be utilized for all other SWID tags they may create.
  - More accurate and consistent communications with partners, customers and third-party tool providers
  - Consistency in product detail between different development teams
  - Ability to provide immediate supply-side security benefits to customers (knowing exactly which files were provided by the publisher)
  - For publishers, the ability to automatically incorporate the data required by the US Federal Government to work within the Security Content Automation Protocol (SCAP) infrastructure (this provides better operational security for federal agencies as well as critical infrastructure organizations)
  - Ability to clearly identify added value for tool vendors who create SWID tags by identifying the tool publisher as the creator of field-created tags
  - Tool vendors can integrate their inventory findings with other tools that they may not even have direct integration with
- Tag Consumers
  - Sales and Service will have the accurate name provided by the publisher in an electronic form that can be read and used by their systems.
  - Tool providers can focus more on the differentiating capabilities of their tools rather than spending time and resources on software catalogs (where every tool provider typically spends tremendous resources).
  - End-user organizations can reconcile data between tools and utilize discovery data for more than a single IT process.
  - Inventory does not need to be processed through an antiquated matching process to be properly identified
  - Publisher data can be validated through digital signature, allowing for more authoritative and non-modifiable data
  - Every tool collecting inventory will have exactly the same reference information, so data is transferable
  - By using standardized data structures, only one inventory tool is required, and more IT tools can use the same data set rather than having to collect their own data
  - The ability to leverage existing security tools that are used by critical infrastructure organizations to further minimize the possibility of network and malware attacks
  - Having a consistent way to represent software titles for security, logistics and compliance
  - Software entitlements to help automate the software compliance processes
Documents to Reference
- Whitepapers on the following topics
  - Analysis of Software Identification Tools
  - Software Purchasers can Change the World
  - The Future of Software Asset Management
  - Implementing SWID Tags as Part of an IT Process
  - Using ISO/IEC 19770-2 Software Identification Tags to Enhance Software Asset Management