By John Emmitt
Deloitte recently published a whitepaper on “Minimizing the threat landscape through integration of Software Asset Management and Security.” The paper states:
“…an effective SAM initiative can help reduce organizational risk and help the enterprise establish a solid foundation to become secure, vigilant, and resilient.”
While software asset management (SAM) is typically not a top CIO priority, Deloitte UK’s 2014 CIO survey found that “Strengthening Risk and Security Management” jumps into the list of the top three priorities. It’s also interesting to note that number 4 on the list is “Reduce IT Cost,” which is a key objective of SAM and Software License Optimization solutions and programs.
Figure 1: IT Priorities Next 12-18 Months (2014 CIO Survey data)
How does Software Asset Management help?
As stated in the paper: “SAM helps to minimize the attack surface of an enterprise by preventing unauthorized software from being installed, detecting and removing unwanted, redundant and unsupported software, reducing exposure to vulnerabilities through effective patch management processes and validating access controls.”
Here are some of their suggested techniques for reducing security risk:
- Maintain a software request catalog of authorized software. Another name for this is an enterprise app store. The items in the catalog should be pre-screened and approved from a security perspective rather than just considering the functional value of the software to the business.
- Implement a formal software request process. This means having a process for users and business units to request software that is not yet in the catalog. The enterprise app store can help manage this process too. The app store would typically provide an automated request and approval process for software that is already in the catalog, which streamlines the application delivery process.
- Adopt security controls before installing purchased software. Items in the software catalog (aka enterprise app store) should have been vetted by a security expert prior to inclusion and new items would also go through the security vetting process.
- Find and remove or patch software that is blacklisted or has vulnerabilities. Software Vulnerability Management tools can scan the network and find software with known vulnerabilities. Similarly, software asset management and license optimization tools can collect inventory data, perform application recognition, and compare installed software against a blacklist of prohibited software. Software Vulnerability Management tools also automate the process of applying patches to vulnerable software to mitigate the security risk.
- Track and manage software contracts with software asset management tools. By keeping software contracts current, organizations can help ensure that software is kept up to date and that available patches can be deployed. Not all SAM tools have comprehensive contract management capabilities, so consider this as part of your SAM tool selection criteria.
- Utilize application rationalization and consolidation tools to reduce cost and risk. Redundant and obsolete software in your IT environment not only increases maintenance and support costs, but also increases security risk. There is the potential for more vulnerabilities in the environment, and a larger software footprint makes it harder to keep all of your software properly patched and up to date. By employing application rationalization tools, you can eliminate redundant and/or obsolete software in your environment.
- Leverage Software License Optimization tools to determine who requires access to which applications. Managing users who either leave the organization or take on different roles is critical to security as well as cost control. License management tools provide insight into software usage that can improve this process. These tools can find and help remove idle users, for example, and allow reharvesting of unused licenses.
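As an added example (not code from the post or from the Deloitte paper), here is a minimal version of the check that the catalog and blacklist items above describe: reconcile an installed-software inventory against an authorized catalog, a prohibited list and a table of first-patched versions, and report what is unauthorized, prohibited or unpatched. Every host, product and version below is constructed, and versions are assumed to be dotted numeric strings.

```python
# Constructed sample data standing in for an enterprise app store catalog,
# a prohibited-software list, and a "first fixed version" table such as a
# vulnerability management tool would supply.
CATALOG = {"Acme Office", "Acme Browser", "WidgetVPN"}          # approved for install
PROHIBITED = {"FreeTorrentClient", "LegacyRemoteTool"}          # blacklisted outright
MIN_PATCHED = {"Acme Browser": "12.4.1", "WidgetVPN": "3.0.0"}  # versions below are vulnerable

# Constructed inventory rows as (host, product, installed version).
INVENTORY = [
    ("ws-001", "Acme Office", "2.1"),
    ("ws-001", "Acme Browser", "12.3.9"),
    ("ws-002", "FreeTorrentClient", "1.0"),
    ("ws-002", "Acme Browser", "12.4.1"),
    ("ws-003", "PhotoThing", "5.2"),
    ("ws-003", "WidgetVPN", "2.9.7"),
]


def parse_version(version):
    """Turn '12.3.9' into (12, 3, 9) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def classify(product, version):
    """Return the findings for one installed item (empty list means compliant)."""
    findings = []
    if product in PROHIBITED:
        findings.append("prohibited")
    elif product not in CATALOG:
        findings.append("unauthorized")   # installed outside the request process
    fixed = MIN_PATCHED.get(product)
    if fixed and parse_version(version) < parse_version(fixed):
        findings.append(f"vulnerable (<{fixed})")
    return findings


def reconcile(inventory):
    """Map each host to its list of (product, version, finding) tuples."""
    report = {}
    for host, product, version in inventory:
        for finding in classify(product, version):
            report.setdefault(host, []).append((product, version, finding))
    return report


if __name__ == "__main__":
    for host, items in reconcile(INVENTORY).items():
        for product, version, finding in items:
            print(f"{host}: {product} {version} -> {finding}")
```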
For more information, please view our on-demand webinar: Software License Optimization - Critical to an Effective Cybersecurity Strategy, with Bill Keyworth, VP of Research at IDC.