By Vincent Smyth, General Manager, Flexera Software
Implementing Software License Optimisation solutions to reduce software costs, optimise spend and ensure continual software license compliance is well understood. However, perhaps less understood is that the investment organisations have made in software license management solutions can significantly enhance their cyber-security defenses as well.
Software License Optimisation solutions – at a foundational level – provide a full enterprise-wide hardware and software asset inventory — the essential “evidence” organisations require to detect unlicensed and/or unauthorised IT assets. The ability to find these unlicensed and unauthorised assets is critical to identifying potential security vulnerabilities and can significantly help reduce the security risk of organisations.
Continual inventory of software and hardware essential
There is evidence to support this view. A recent global Business Software Association/IDC Study highlighted that the more unlicensed software running on an organisation’s network, the greater the malware risk. The report concluded that lowering the incidence of unlicensed software will lower cybersecurity risk. The ability to see licensed and unlicensed installations is, therefore, critical for cybersecurity purposes. To address the connection between unlicensed software and security threats, IDC analysed rates of unlicensed software use and cybersecurity threats in 81 countries.
In fact, the SANS Institute’s Security Controls, a set of practices prioritising security functions that are effective against the latest Advanced Targeted Threats, prioritise as their foundation an organisation’s ability to 1) inventory authorised and unauthorised hardware devices on the network, and 2) inventory authorised and unauthorised software on the network.
Leverage Software License Optimisation processes
Software License Optimisation processes and technology that many organisations have already invested in provide visibility and control of the IT environment by collecting and analysing comprehensive hardware and software inventory data. Reports on assets installed in the environment allow rationalisation and consolidation of both hardware and software assets, mitigating risks that unused and/or non-standard assets may be misappropriated for malicious purposes.
CIOs should look to leverage their Software License Optimisation technology for detecting and collecting “evidence” on the network that can be used for identifying critical IT assets. These solutions can track an extensive set of hardware asset properties including:
- Identification: serial number, asset tag, part number, manufacturer, model, parent/child relationship with other assets
- Purchase data: purchase order number, purchase order date, price, vendor, acquisition mode (purchased, leased, loaned, rented, etc.), delivery date
- Financial data: warranty, depreciation (current/residual values, depreciation method…), chargeback (monthly charge)
- User/group allocation: location, cost center, business unit, user assigned to the asset
- Technical: any relevant technical details to the asset
- Contractual: relationship with contracts, vendors and payment schedules
- Asset status: Assets can be purchased, installed, in stock, disposed, retired
- Baseline tracking of assets: identify changes for each asset over time; computers missing or changed are flagged (supports tracking of IMAC: Installs, Moves, Adds and Changes)
Similarly, Software License Optimisation technology can discover authorised (managed) and unauthorised (unmanaged) software on the network by providing:
- Automated identification and normalisation of software titles, versions and editions installed and/or in use in the IT environment. Using their Application Recognition Libraries, these solutions can also support many complex license models to streamline this process.
- Fully automated purchase order processing: imported purchase orders (‘POs’) can update existing licenses or generate new licenses in an asset management repository, as necessary, without any operator interaction.
- Accurate reconciliation of software inventory and purchases to generate a license compliance position using Stock Keeping Unit (SKU) Libraries.
Beyond inventory, the ability to identify contract and maintenance expirations also has a security implication. If maintenance on a software title expires, the organisation may no longer receive vital security patches and updates from the vendor when they are issued. Contract management modules in these systems allow organisations to keep track of contract renewal and expiration dates. This helps CIOs ensure that software maintenance doesn’t lapse so that the latest version of software and security patches are available, minimising security risk.
While organisations can have several sources of software and hardware inventory data, they usually do not have a means to consolidate that data from across all their systems and environments. This is essential to arrive at an accurate inventory that can provide high-level insight into what authorised versus unauthorised systems are running on the corporate network. And it is this lack of management-level insight that renders organisations vulnerable.
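The consolidation, normalisation and maintenance-expiry checks described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product: the feeds, product names, dates and the regex-based normalise() helper are constructed assumptions standing in for a real application recognition library.

```python
import re
from datetime import date

# Constructed sample data: two inventory feeds that report the same estate
# with different hostname casing and title formats.
FEED_A = [
    {"host": "ws-014", "title": "Acme PDF Editor Pro 11.0.2 (x64)"},
    {"host": "ws-014", "title": "ExampleTorrent 3.1"},
]
FEED_B = [
    {"host": "WS-014", "title": "acme pdf editor pro"},
    {"host": "db-002", "title": "ExampleDB Server 2016"},
]

# Constructed authorised list: normalised product -> maintenance end date.
AUTHORISED = {
    "acme pdf editor pro": date(2030, 1, 1),
    "exampledb server": date(2020, 6, 30),
}


def normalise(title):
    """Reduce a raw installer string to a comparable product name."""
    t = title.lower()
    t = re.sub(r"\(.*?\)", " ", t)           # drop qualifiers such as "(x64)"
    t = re.sub(r"\b\d+(\.\d+)*\b", " ", t)   # drop version and year numbers
    return " ".join(t.split())


def consolidate(*feeds):
    """Merge all feeds into de-duplicated (host, product) pairs."""
    return {(r["host"].lower(), normalise(r["title"]))
            for feed in feeds for r in feed}


def assess(installs, authorised, today):
    """Flag installs that are unauthorised or whose maintenance has lapsed."""
    findings = []
    for host, product in sorted(installs):
        if product not in authorised:
            findings.append((host, product, "unauthorised"))
        elif authorised[product] < today:
            findings.append((host, product, "maintenance lapsed"))
    return findings


if __name__ == "__main__":
    estate = consolidate(FEED_A, FEED_B)
    for finding in assess(estate, AUTHORISED, date(2024, 1, 1)):
        print(finding)
```

The duplicate report of the PDF editor collapses to one install, and the database server surfaces as a patching risk even though it is licensed and authorised.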