At the 2015 IBM Interconnect conference, Jay Venega and Brian Turner of IBM, and Steve Klos of TagVault.org and 1E discussed how software vendors are adapting to the requirements placed on them by their customers for more accurate software information and the ability to automate IT operations.
The presentation focused on SWID tags and how they can be used to accurately identify vendor-specific details of the software installed on a device. IBM is now distributing SWID tags with all software products except those targeted at mainframe systems.
Copies of the presentation are available from the TagVault.org web site.

Key Points from the Presentation

Current problems

Before SWID tags were available, discovery tools used an archaeological best-guess approach to identifying software products, leading to incomplete and incorrect information. Additionally, current discovery tools are unable to identify the relationships between the components of IBM bundled software. These issues limit customers' ability to automate processes related to compliance, security and logistics.
Larger organizations have an even larger problem because they may have multiple tools in use throughout their organization, and they are unable to reconcile non-normalized data from these different tools.

SWID Tags Fix These Problems

With SWID tags, customers receive exact details about the software products, and IBM also showed how customers will be able to use SWID tags to identify software bundles. These SWID tags are a game changer when it comes to automating IT processes related to compliance, security and logistics, because there is no longer a need for systems to use recognition libraries that guess at software titles, nor is there a problem identifying software installed as part of a bundled solution.
Examples shown included the ability to identify an application bundle such as Cognos or WebSphere, where the installation may utilize multiple different software products installed on multiple different devices. Current discovery systems identify each software installation as an individual install, which would correlate to significantly higher software licensing costs. With SWID tags, it will be possible for customers to know exactly what they installed and how the various installations are related to each other.
From a security perspective, the presentation brought up the example of the Heartbleed defect. When this vulnerability was found, publishers and customers spent a significant amount of time and resources identifying and resolving it. Six months after suppliers had patches for the defect, it was identified as still present on publicly available web servers of more than half of the Forbes Global 2000. The reason: there are no hard links between patches and the products they patch that could be used to produce an exception report for systems that are not actively managed by administrators, or for new systems brought up from virtual devices or images. Without a vendor-neutral, platform-agnostic approach, tools have no way to create the exception reports that would lead administrators to prioritize a fix for a significant defect. SWID tags resolve this problem by allowing vendors to ship a SWID tag with the original product and another with the patch. Patches and the products they patch can then be identified in a standard, cross-product, cross-vendor and even cross-platform manner simply from inventory data.
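The exception report described above, as an added example that is not code from the presentation, IBM or 1E: SWID tags collected from several devices are parsed, the patch tag's link back to the product it patches is read from the tag itself, and every device that has the product without the patch is listed. All tag contents and device names are constructed sample data; the 2015 schema namespace and the `Link rel="patches" href="swid:<tagId>"` form are assumptions about how the 19770-2 patch link is expressed.

```python
# Added example (not code from the presentation, IBM or 1E): build the patch
# exception report described above from ISO/IEC 19770-2 style SWID tags.
# Tag contents and device names are constructed; the 2015 schema namespace and
# the Link rel="patches" href="swid:<tagId>" form are assumptions.
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"

PRODUCT_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example TLS Library"
  tagId="example.com-tls-1.0.1" version="1.0.1">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>"""

# The patch tag points back at the product tag it fixes via Link rel="patches".
PATCH_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" name="Example TLS Library Security Fix"
  tagId="example.com-tls-1.0.1-fix1" version="1.0.1.1" patch="true">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Link rel="patches" href="swid:example.com-tls-1.0.1"/>
</SoftwareIdentity>"""

INVENTORY = {  # constructed: device -> SWID tags collected from it
    "web-01": [PRODUCT_TAG, PATCH_TAG],  # patched
    "web-02": [PRODUCT_TAG],             # unmanaged host, patch missing
    "vm-image-07": [PRODUCT_TAG],        # cloned from an old image, never patched
    "db-01": [],                         # product not installed at all
}

def parse_tag(xml_text):
    """Return (tagId, is_patch, set of tagIds this tag declares it patches)."""
    root = ET.fromstring(xml_text)
    links = root.findall(f"{{{SWID_NS}}}Link")
    patched = {ln.get("href")[len("swid:"):] for ln in links
               if ln.get("rel") == "patches" and ln.get("href", "").startswith("swid:")}
    return root.get("tagId"), root.get("patch") == "true", patched

def patch_exceptions(inventory):
    """Sorted (device, product tagId, missing patch tagId) tuples for each device
    that has a product installed without a patch that some device reports for it."""
    parsed = {dev: [parse_tag(t) for t in tags] for dev, tags in inventory.items()}
    patches_for = {}  # product tagId -> patch tagIds seen anywhere in the inventory
    for tags in parsed.values():
        for tag_id, is_patch, targets in tags:
            for target in (targets if is_patch else ()):
                patches_for.setdefault(target, set()).add(tag_id)
    report = []
    for dev, tags in parsed.items():
        installed = {tag_id for tag_id, _, _ in tags}
        for product in installed & set(patches_for):
            report.extend((dev, product, p) for p in sorted(patches_for[product] - installed))
    return sorted(report)
```

Because the patch-to-product relationship comes from the tags themselves, the same function works unchanged for any vendor's products as long as both the product and the patch carry tags.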
The Federal Government has recognized these benefits and is integrating SWID tags into the overall Software Content Automation Protocol (SCAP) architecture to improve the automation capabilities used for managing inventory and security related issues.
With more accurate data, organizations can more readily automate IT operations related to compliance, security and logistics, lowering costs for organizations and also lowering risks related to compliance or security issues.

Cross Platform Nature of Standards Data

Numerous questions came up regarding how discovery, license compliance and security issues are dealt with when each vendor requires a unique approach. Vendors provide tools to help, but specialist knowledge is required to make the tools work properly and, when it comes to compliance, an audience member commented that it's crazy that a whole services-based industry exists to support customers using a vendor's free tools to support their compliance position. This will continue to be an issue as long as software is so difficult to manage properly. Standards (some current, some to be published in the near future) support this automation in a cross-product, cross-vendor, cross-platform manner. Looking at four of the key standards in this area, we see:

  • ISO/IEC 19770-1 (published) – Process Standard – targets the processes an organization needs to have in place to properly manage software. The standard assumes some level of accuracy of the information provided by tools, and does not address the fact that multiple tools may be required – it simply specifies what data is required and the process for how that data should be used.
  • ISO/IEC 19770-2 (published) – SWID tagging standard – this standard is available today, and an update will be published in 2015. The standard provides a consistent way for software to be identified with authoritative information directly from the publisher. This standard also allows for direct links between patches and the products they patch as well as file manifests for the various products.
  • ISO/IEC 19770-3 (expected to publish in Q4 2015) – Software Entitlement Schema – this standard provides a consistent structure that software licensors can use to deliver, electronically, the details of what a customer has purchased. Using this standard in combination with 19770-2 enables customers to automate a significant portion of their compliance efforts.
  • ISO/IEC 19770-4 (in development) – Resource Utilization Metric – this standard provides a consistent structure that software licensors can use to provide usage data to the customer. This data completes most of the automation requirements for compliance, because organizations will be able to link usage data with entitlement requirements to determine their entitlement positions.

With data provided in a standardized fashion, automation is possible and realistic in a manner that can be used in the real world. The wrap-up of the presentation indicated that customers should be requiring their software vendors to include SWID tags in every product (as well as every patch deployed). Doing this allows for a significant level of automation that is simply not possible today and, if provided by the vendor, it results in lower cost and risk while also providing a higher level of security for the organization.
1E is heavily involved with the development of these ISO standards: the secretary of the ISO/IEC working group (WG21) which develops the 19770 group of standards, Peter Beruk, is an ITAM Subject Matter Expert for 1E. The current editors of 19770-2 and 19770-3 (Steve Klos and Jason Keogh) are also 1E ITAM Subject Matter Experts involved in 1E's Software Asset Optimization product strategies.
1E is leveraging ISO 19770-1, -2 and -3 in upcoming product releases. As -4 becomes a reality (edited by Brian Turner of IBM), 1E will leverage that data as well.
Expect an interesting announcement from 1E relating to 19770-2 SWID tags in the coming weeks!