Close

Using Software ID Tagging (SWID) to Streamline Software Asset Management

avatar
Published on March 20, 2023 by

Andrew Sweeney

The importance of software asset management (SAM) cannot be underestimated in today’s digital age. Leveraging robust SAM, enterprise IT can access license and purchasing information to manage costs and compliance, mitigate cybersecurity risks, and leverage potential efficiencies through the roll up of license versions.

The ability to identify, track and manage software distributed across the entire estate is very different to tracking hardware because any software product could contain multiple components including executable, data, configuration, library files, and more. Any of these files can be found on a device, and for accurate tracking, IT must understand where each resides, and its relationship to the original product, filtering out multiple instances.

Defining the international standard for software ID tagging

For this reason, the International Organization for Standardization (ISO) developed ISO 19770-2. This establishes best practice specifications for tagging software using XML files, to enable software discovery and identification for higher level SAM activities. A National Institute of Standards and Technology (NIST) report leverages ISO 19770-2 to promote software tagging among tag producers, including:

  • software providers (both commercial and in-house).
  • providers of software build, package, and installation tools (who provide much of the information required for SWID creation).
  • providers of inventory-based products and services (who develop tools for discovering, monitoring, and managing software assets).
  • software consumers.

SWID tagging across the asset lifecycle

ISO 19770-2 specifications require software tags to include details on the software name, version, publisher, and unique identifier, with tags being updated over the asset lifecycle:

  • At pre-installation, corpus tags should provide details on the software and installation media. These are not stored on a device but are used to verify the integrity of the product and authenticate the issuer of the package. They can aid teams in confirming they have the valid license required ahead of installation, leveraging their inventories.
  • At installation – primary tags should contain all the mandatory elements to define the software once installed (which at a minimum should include the software creator and unique identifier). Component tags should indicate relationships between software items within a bundle, while required tags inform that the software being installed relies on installation of separate software. Supplemental tags can be added to provide additional information, such as contact information or license keys.
  • During patching – patch tags should show the details and version of the update and indicate if there are other requirements or if this patch supersedes another patch.
  • Software upgrade – existing tags are removed and replaced with new primary and supplemental tags.
  • Software deletion – all tags are removed.

Ideally SWID tags should be created during development. But not all software is created equally, and while many major producers comply with SWID requirements, there are instances where you’ll be working without tags (both commercial and in-house created software), or with inconsistent tagging, providing inaccurate information for SAM.

Leveraging SWID for SAM

With information held across the IT estate within multiple disparate hybrid digital infrastructure management (HDIM) tools, IT must traditionally reconcile gaps and inconsistencies in SWID tags leveraging manual processes. That means trawling through reports, cross checking and analyzing information, as well as countless emails and phone calls to contact software teams to identify owners of proprietary software.

Manual processes also add time and risk to any SAM activity. Whether you’re trying to reconcile license purchases with usage figures using SWID tags or attempting to understand which devices are at risk using unpatched software, you’ll again need to reconcile information from many HDIM tools, delaying any actions you take to prevent issues from occurring. So how can you tackle these challenges? The answer is to leverage a digital platform conductor (DPC), a tool recognized in 4 Gartner Hype Cycles in 2022.

Using a digital platform conductor for SWID tag creation and SAM

Using a DPC you can reduce the time and risks associated with manual SAM processes and easily fill gaps and inconsistencies in SWID tags. A DPC enables this by connecting to and orchestrating all your HDIM tools.

Capabilities include:

  • Automated data discovery: data from your HDIM tools is aggregated automatically to give you a real time, holistic view of your software estate including interdependencies: this allows you to see from any angle to understand license requirements, outdated or unpatched software, and more.
  • Automated SWID tagging: Where there are gaps and inconsistencies in SWID tags, a DPC will trigger workflows to automate data gathering from tools or automate emails to vendors and in-house developers to identify ownership and obtain missing data, with inputs updating fields automatically. The same is done to gather data for the creation of supplemental tags, where additional information is required by your HDIM tools.
  • SAM automation: Workflow automation is triggered by tags. For example, use ‘required’ tags to inform the correct flow of activities so software is installed on devices in the correct order, use corpus tag data reconciled against asset licensing information to identify if you have enough licenses before installation, or flag where more are needed for compliance, and leverage deletion data to automatically update inventories and relevant tools.
    Make SWID data available to other tools to consume, for example to manage cybersecurity asset management (CSAM), using monitoring tools to notify you of any out of date or unpatched software and leveraging SWID tags combined with other data across your estate to trigger automated workflows to secure vulnerabilities.
  • Clear records: for license compliance reports and audit trails.

Book a demo to understand how you can leverage ReadyWorks, a digital platform conductor, to ensure your SAM activities are as dynamic as your software estate.