For most, software asset management (SAM) starts with the aim of establishing an organisation's software licence compliance status, writes Matt Fisher, director at FrontRange Solutions.
Part of the process of arriving at a licensing position is the creation of a full software audit from PCs, servers and other devices across the network. But many organisations miss a trick by failing to realise what a valuable asset the software audit is.
In August 2009, the SANS Institute, a well-respected organisation involved in IT security training and certification, published its "Twenty Critical Controls for Effective Cyber Defense: Consensus Audit".
The Consensus Audit Group (CAG) comprises past and current CIOs and CISOs from federal agencies, who came together to agree on a prioritised set of 20 critical security controls.
Of these prioritised controls, the first two are:
- Inventory of authorised and unauthorised devices.
- Inventory of authorised and unauthorised software.
Specifically, the CAG states that before anything else, organisations should: "Deploy software inventory tools throughout the organisation covering each of the operating system types in use, including servers, workstations and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level."
For any organisation either already invested in SAM or about to kick off a SAM project, this is good news, as a good software inventory product can kill two birds with one stone. The very same information that is critical to establishing what software is on the network, and therefore requires a licence, can also be used by security professionals to check for authorised and unauthorised software.
We should not forget about the hardware. The same technology that delivers a full software audit can also keep track of exactly what PCs and other devices are connecting to the corporate network. As the CAG states: "The [hardware] inventory should include every system that has an IP address on the network, including, but not limited to, desktops, laptops, servers, network equipment (routers, switches, firewalls, etc), printers, storage area networks, voice-over-IP telephones, etc."
Again, this is where the choice of technology can make a real difference. Not all solutions can accurately cover all major operating systems, let alone detect a wide range of IP-addressable hardware. Many cannot even detect new PCs or devices that are added to the network in between scheduled audits.
An organisation with 5,000 or so PCs could see anything between 200 and 300 new PCs added to the network each month. As such, without the ability to auto-detect new PCs and the software loaded on them, it only takes a few months for the audit information contained in a non-dynamic asset repository to become worthless. If the information in the repository is out of date, it might as well not exist as it cannot offer any real value to the organisation.
It is also worth considering how this information can be used by other areas of IT, such as service management. Analysts say that the average helpdesk call lasts around 17 minutes, with nearly half of the time used to collect information about the PC configuration and software installations. By having that information available to the helpdesk, populated directly from your dynamic asset repository, call times can be reduced and overall customer satisfaction improved. This information also aids better resolution times and increases the ratio of first-time fixes.
So if you are at the stage where you are thinking about the technology you need to support your organisation's SAM initiative, perhaps it is worth thinking outside of the immediate SAM project and looking for technology that will deliver a wider benefit to the business.
This was first published in February 2010