Software Asset Management as a Security Practice
Software asset management (SAM) and documenting software license compliance has often been viewed as a necessary but tedious bookkeeping function that takes time from higher-priority security and operational IT tasks. But a newer and more comprehensive approach that integrates SAM functions with vulnerability and patch management can fulfill software license and IT security compliance requirements simultaneously.
Dedicated enterprise SAM solutions traditionally streamline the steps involved in tracking and reporting software inventory, costs and installations. They’re powerful, sophisticated systems that can be especially useful in companies with large IT departments overseeing huge software installations or complex licensing contracts. However, SAM systems can be a mismatch for many small and medium businesses (SMBs) that can’t justify the cost and complexity of a dedicated solution but could use something more robust than Excel spreadsheets and better aligned with day-to-day IT needs.
Making SAM Part of the IT Security and Maintenance Workflow
A more effective approach to software asset management is possible through modular unified endpoint management (UEM) systems. As the name implies, UEM unifies oversight, execution and reporting of common IT tasks within a common interface connected to a shared endpoint configuration database, and within operational policies defined by the company. Functional modules work together to handle everything from installing and updating software and deploying patches to remote user support and endpoint data and configuration backup and restoration. They also offer at-a-glance dashboard-style status indicators and detailed reports that can be tailored for either IT or non-technical management.
SAM functionality starts with an inventory module that automatically records the name, ID, version, size and path of each installed OS or application, as well as the configurations of every network endpoint. A license manager module then compares the results with information about the company’s available licenses, contracts and license requirements that’s been entered once manually or generated from an integrated product catalog. IT managers can choose to go further as needed by adding a software metering module to check for unused or rarely used applications, and a software deployment module to remove unneeded or unlicensed installations.
The same inventory function informs the UEM system’s vulnerability and patch management capabilities. Software installed on each endpoint is compared with automatically updated CVE lists to determine threat levels and the appropriate response actions and timing. The inventory and license manager also work together to determine whether unauthorized “Shadow IT” software or devices are in use on the network. The UEM’s software deployment manager can even uninstall risky software or deny network or data access to unauthorized mobile devices and removable storage devices like USB drives.
The license manager module lets IT staff give authorized non-technical managers the ability to generate their own customized reports. For example, IT may want to know the build number of each Windows desktop. Financial and departmental managers planning next year’s budgets can access reports that might show that a newly acquired license also applies to previous versions, eliminating the need for license renewals. Or, they may identify a surplus in software maintenance contracts prompting them to reduce maintenance costs. Reports for executive management can show all software-related spending by type or department, or quickly document license compliance for a software audit.
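The reconciliation the three preceding paragraphs describe (inventory compared with entitlements, with a CVE feed, and with seat counts), reduced to a small script. This is an added illustration, not code from any UEM product; the inventory records, license entitlements and vulnerability feed are constructed sample data and the CVE id is a placeholder.

```python
from collections import Counter

# Constructed sample data (not from the article): what an inventory module
# records per endpoint, the entitlements entered once in the license manager,
# and a vulnerability feed carrying a placeholder CVE id.
INVENTORY = [
    {"endpoint": "PC-01", "name": "AcmeCAD", "version": "3.1"},
    {"endpoint": "PC-02", "name": "AcmeCAD", "version": "3.1"},
    {"endpoint": "PC-03", "name": "AcmeCAD", "version": "2.0"},
    {"endpoint": "PC-03", "name": "SyncTool", "version": "1.4"},
    {"endpoint": "PC-01", "name": "PDFViewer", "version": "9.0"},
]
LICENSES = {  # the new AcmeCAD license also covers the previous version
    "AcmeCAD": {"seats": 2, "versions": {"3.1", "2.0"}},
    "PDFViewer": {"seats": 5, "versions": {"9.0"}},
}
VULN_FEED = [
    {"name": "PDFViewer", "versions": {"9.0"}, "id": "CVE-PLACEHOLDER-1", "severity": "high"},
]


def reconcile(inventory, licenses, vuln_feed):
    """Return license and vulnerability findings for one inventory snapshot."""
    installs = Counter(item["name"] for item in inventory)
    findings = {"unlicensed": set(), "over_deployed": {}, "surplus": {}, "vulnerable": []}
    for item in inventory:
        lic = licenses.get(item["name"])
        # No entitlement for this product or version: shadow IT candidate
        # that the deployment module could remove
        if lic is None or item["version"] not in lic["versions"]:
            findings["unlicensed"].add((item["endpoint"], item["name"], item["version"]))
        # Match installed versions against the vulnerability feed
        for vuln in vuln_feed:
            if vuln["name"] == item["name"] and item["version"] in vuln["versions"]:
                findings["vulnerable"].append(
                    (item["endpoint"], item["name"], vuln["id"], vuln["severity"]))
    for name, lic in licenses.items():
        # Seats versus installs: over-deployment is an audit finding,
        # a surplus is a cost-saving item for budget owners
        if installs[name] > lic["seats"]:
            findings["over_deployed"][name] = (installs[name], lic["seats"])
        elif installs[name] < lic["seats"]:
            findings["surplus"][name] = lic["seats"] - installs[name]
    return findings


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, LICENSES, VULN_FEED).items():
        print(key, value)
```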
Integrated Compliance Workflows
The strength of a UEM system is its ability to make compliance management and reporting part of regular IT maintenance and security workflows instead of separate chores. Perhaps the greatest benefit is the transparency, consistency and proactivity it brings to daily maintenance and security procedures.