Executive Overview

The ISO/IEC 19770-2 revision has passed all country votes and has moved into the publication phase. ISO editors will work through the document and set it up for publication sometime over the summer of 2015.
With the SWID Tag Standard (ISO/IEC 19770-2) revision reaching this pivotal moment, the standard is enjoying tremendous commercial and standards body support. Notably, numerous other standards organizations have created and are creating standards that use the SWID tag standard as a foundation including:

  • The Trusted Computing Group (TCG) is going through the final review and approval process for the SWID Message and Attributes for IF-M standard, which supports the Trusted Network Connect processes
  • The Distributed Management Task Force (DMTF) Software Entitlement Working Group has updated the Common Information Model (CIM) to support the transfer of SWID tag data
  • The National Institute for Standards and Technology (NIST) has released a draft of Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags

IBM is a perfect example of how commercial vendors are embracing SWID tags. Previously, IBM had created its own internal library of identification information for its products. This worked for its IEM solution, but wasn’t particularly useful to 3rd party organizations. Additionally, the internal catalog was good at identifying IBM software, but had numerous issues identifying non-IBM software.
IBM now includes SWID tags based on the 2015 standard in all of its software releases (approximately 300 per month), and this data can be used both for internal purposes by IBM tools and by 3rd party organizations that may be supporting processes such as compliance-related activities.
Other large software vendors who are Tagvault.org members such as Hewlett Packard, Microsoft, and Symantec are also moving to provide SWID tags in software they create and distribute to make the IT management of those titles easier, faster and more automated.
1E is also embracing this standard – the 1E identification catalog will continue to support the ability to identify software based on file discovery data, but if a software product includes a SWID tag, that will be used as the primary identification approach. The 1E products also use the world’s first entitlement system that’s based on the upcoming ISO/IEC 19770-3 standard that defines entitlement schemas.
This unique combination of support for ISO/IEC 19770-2, 19770-3 and traditional discovery approaches for legacy applications is a game changer for the industry when it comes to compliance and entitlement management.
To see more about what tags are, how they are being leveraged and specifically, what the various standards are for, read on.

SWID Tags – The Overview

SWID tags are like a barcode on the packages you buy at a store. Every can of soup of the same brand and type will have the same barcode; a different can that is a different flavor, or created by a different company or brand, will have a different barcode. This allows the cash register to uniquely identify every product in the store so each item can be managed and sold independently. To support various IT security, compliance and logistics processes, software needs to move from the best-guess identification that software recognition libraries apply today (the current state of the art) to an authoritative SWID tag that is applied directly to the software.
With SWID tags, every software component has a unique ID associated with it, and that unique ID can be used by any IT system to reference a particular software product. SWID tags can be applied to software products, patches, bundles, suites, drivers, etc. Additionally, SWID tags can be used for software installed directly on a device, and they allow for more efficient and effective management of software installed in cloud and virtual environments. SWID tags will be increasingly important in the Internet of Things as more and more products include software that needs to be kept up-to-date for security reasons.
There is a lot more to SWID tags than just having a unique ID. SWID tags provide explicit identifying information about the software as well: who created the software, who licenses the software, what the product name is, and the edition and version. All this information is needed throughout a software product’s lifecycle, from RFQs that aim to compare pricing for exactly the same product from different resellers to the eventual end-of-life of a software product’s use within an organization.
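As an added illustration (not code from the original post or from any vendor named here), the following Python reads the identifying fields just described out of a SWID tag written against the ISO/IEC 19770-2:2015 schema and uses the tagId as the authoritative product identifier. The tag itself is constructed for this example; its regids, names and tagId are placeholders rather than any real publisher's values.

```python
import xml.etree.ElementTree as ET

# Namespace of the ISO/IEC 19770-2:2015 schema (the revision discussed above).
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
NS = {"swid": SWID_NS}

# Constructed sample tag: the regids, product name and tagId are placeholders.
SAMPLE_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Inventory Agent" version="4.2.1" versionScheme="multipartnumeric"
    tagId="example.com-InventoryAgent-4.2.1-placeholder">
  <Entity name="Example Software Inc." regid="example.com" role="tagCreator softwareCreator"/>
  <Entity name="Example Licensing Ltd." regid="licensing.example.org" role="licensor"/>
  <Meta edition="Enterprise"/>
</SoftwareIdentity>
"""

def parse_swid(xml_text):
    """Return the identifying fields a tag carries; raise ValueError if the document
    is not a 2015-schema SoftwareIdentity or lacks the mandatory name/tagId."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SoftwareIdentity" % SWID_NS:
        raise ValueError("not a 19770-2:2015 SoftwareIdentity element: %s" % root.tag)
    for required in ("name", "tagId"):
        if not root.get(required):
            raise ValueError("tag is missing required attribute %r" % required)
    # An Entity may carry several space-separated roles; index entities by role.
    roles = {}
    for ent in root.findall("swid:Entity", NS):
        for role in ent.get("role", "").split():
            roles[role] = (ent.get("name"), ent.get("regid"))
    meta = root.find("swid:Meta", NS)
    return {
        "tagId": root.get("tagId"),
        "name": root.get("name"),
        "version": root.get("version", "0.0"),  # the schema defaults version to 0.0
        "creator": roles.get("softwareCreator"),
        "licensor": roles.get("licensor"),
        "edition": meta.get("edition") if meta is not None else None,
    }

def same_product(tag_a, tag_b):
    """Two tags denote the same software release exactly when their tagIds match,
    whichever reseller or channel supplied the package (the RFQ comparison above)."""
    return parse_swid(tag_a)["tagId"] == parse_swid(tag_b)["tagId"]
```

Feeding tags from an inventory tool through parse_swid gives every downstream system the same identifier and publisher data, which is the consistency the page's later discussion of government inventory requirements asks for.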

Market Reactions to SWID Tags

SWID tags have been adopted by some of the biggest names in software development: companies like Hewlett Packard, IBM, Microsoft and Symantec all release software that includes SWID tags, and many of these companies have products that read and use the SWID tags for IT management purposes. In fact, IBM is currently seeing around 300 software releases a month, and every one of these includes a SWID tag.
These companies are tagging their software because it is becoming much more difficult for their customers to manage their IT software portfolio without the tagged information. As environments become more complex with cloud and virtual systems, mobile devices and the impending Internet of Things where everything may need to be managed and updated, knowing exactly what’s installed where is becoming critical.

The Latest News about SWID Tags

There has been a tremendous amount of energy put into the use and support of SWID tags recently. The following provides a quick summary with later blog posts going into more detail.
The US Federal Government has been actively working on improving its management of software, patches and upgrades across numerous agencies. These changes are intended to improve security, compliance and logistics activities. One project, called Continuous Diagnostics Mitigation (CDM), is being developed by the Department of Homeland Security and is intended to provide a real-time dashboard of the security posture of the various government agencies.
One of the issues discussed at CDM meetings is the clear requirement for consistent data coming from any inventory tools used by the various government agencies. This is one of the primary drivers behind NIST developing Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. This document will go through a number of rounds of public review and feedback to ensure that the guidelines provide the data that’s required and can be implemented by publishers and tools. Once published, this NISTIR will likely be the basis of the requirements applied to any software the US Government purchases.
The Distributed Management Task Force (DMTF) created the Software Entitlements Working Group, which is focused on helping organizations manage software licenses more effectively for cloud and virtual environments. Since ISO/IEC has published the 19770-2 standard for Software Identification Tags, and is actively working on the 19770-3 standard for Software Entitlement Schemas and the 19770-4 standard for Resource Utilization Metrics, the DMTF is leveraging these standards and, where useful, providing support in the Common Information Model (CIM) to report on SWID tag data wherever possible.
Finally, the Trusted Computing Group (TCG) is going through the final review and approval process for the SWID Message and Attributes for IF-M standard, which supports the Trusted Network Connect processes. This standard is intended to be used to authoritatively identify software components on a trusted network device and allows for much more flexibility and automation for organizations using the Trusted Network Connect standards.

Summary

With the imminent publication of the revised ISO/IEC 19770-2 (SWID tag) standard, the commercial and government support behind this revision, and the fact that numerous standards bodies are building standards that utilize the SWID tagging standard, we will see more customers including requirements for SWID tag support in their RFPs and more tool providers following 1E’s efforts to utilize SWID tags and standards-based entitlement data in their systems. With these changes, organizations will have the ability to realistically manage, and even automate, large portions of their security, compliance and logistics operations that, today, are managed in a more ad-hoc and insecure manner.
Anyone purchasing tools today who is not buying from a vendor who is actively supporting these standards is buying antiquated technology. Make sure you validate that your vendor fully supports the ISO standards for software identification and entitlements.