License compliance is normally the first thing people think of when it comes to Software Asset Management (SAM). But we should take a much wider view and think about how SAM helps in other areas of IT and across the business, most significantly in the area of information security.
One of the principal roles of SAM is to make sure all IT systems are recorded and managed for the purpose of software license compliance. IT security also needs to keep track of all devices in the infrastructure to ensure an appropriate level of security is in place.
Comparing devices in the device inventory with those found by endpoint security systems is likely to produce three things: a list of devices both in the SAM database and IT security database; those only found by SAM tools; and those only found by IT security tools.
This helps both the SAM manager and the IT security manager focus on the devices they should be managing but that don’t appear in their respective databases.
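The comparison described above, sketched as an added example that is not part of the original article. The two CSV exports, their column names and the match rule (MAC address first, then short hostname) are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports: a SAM inventory and an endpoint-security console.
SAM_CSV = """hostname,mac,serial
LAPTOP-014.corp.example,00-1A-2B-3C-4D-5E,SN1001
srv-db01,00:1a:2b:3c:4d:60,SN1002
KIOSK-7,,SN1003
"""
EDR_CSV = """device_name,mac_address
JSMITH-LT,00:1A:2B:3C:4D:5E
SRV-WEB02.corp.example,001a.2b3c.4d77
kiosk-7.corp.example,
"""

def norm_host(name):
    """Lower-case and drop the DNS suffix so 'PC1.corp.example' equals 'pc1'."""
    return name.strip().lower().split(".")[0]

def norm_mac(mac):
    """Reduce any MAC notation to 12 lower-case hex digits, or '' if unusable."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return digits if len(digits) == 12 else ""

def load(text, host_col, mac_col):
    """Parse an export into a list of normalised (hostname, mac) records."""
    rows = csv.DictReader(io.StringIO(text))
    return [(norm_host(r[host_col]), norm_mac(r[mac_col] or "")) for r in rows]

def reconcile(sam, edr):
    """Return (in_both, sam_only, edr_only) as sorted hostname lists."""
    def index(records):
        return {m for _, m in records if m}, {h for h, _ in records}

    def seen(rec, macs, hosts):
        host, mac = rec
        # A renamed device still matches on MAC; a record with no MAC
        # falls back to the short hostname.
        return bool(mac and mac in macs) or host in hosts

    sam_macs, sam_hosts = index(sam)
    edr_macs, edr_hosts = index(edr)
    both = sorted(h for h, m in sam if seen((h, m), edr_macs, edr_hosts))
    sam_only = sorted(h for h, m in sam if not seen((h, m), edr_macs, edr_hosts))
    edr_only = sorted(h for h, m in edr if not seen((h, m), sam_macs, sam_hosts))
    return both, sam_only, edr_only
```

Here `sam_only` is the list of devices with no endpoint protection reporting in, and `edr_only` is the list of devices the license inventory has never recorded.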
Another way that Software Asset Management can assist with IT security is by making sure that relevant details from the SAM inventory are shared with the IT security manager, so they can check for older software versions that may no longer be supported or may not have the appropriate patches to close security flaws. SAM managers and security managers should also work towards devising an authorised software list, or catalogue of authorised software, from which software is procured. That way security and compliance can be assessed before software is brought into the organisation.
The SAM manager should also verify that any licenses that have been allocated to individuals are being used by the intended recipients. This information can be vital to IT security, as the license allocation could highlight access that is still granted to users who no longer require it, or who no longer even work for the company.
Knowing what’s what with home workers
Telecommuting, or working from home, has become very popular over the last few years, with many employees hardly setting foot in the office. Secure VPNs and Direct Access are now often in place to make sure your infrastructure can be accessed at any time and from anywhere.
IT security should know who accesses the network through these secure connections, and how devices are used outside the office; for example, are they being used to download and install software they shouldn’t? Knowing exactly what software is being used, and by whom, can minimise the risk of malware infecting the network.
Also, with more employees bringing their own devices (“bring your own device”, or BYOD) to the company, the possibility of unlicensed software appearing within the infrastructure can increase dramatically. A strong policy framework that includes BYOD is essential, as this will go a long way towards reducing risk and increasing confidence that the organisation can remain compliant (whether the software has a company-owned license or a personal one).
Cloud is another consideration for SAM and IT security managers. If part or all of IT is moved to the cloud, the changes to infrastructure and architecture, along with the introduction of third-party service providers, add another layer of complexity that must also be managed effectively to stay fully compliant and protected. But that’s a huge topic in itself and probably one for another day.
SAM as an organisation’s vanguard
Software asset management should be at the frontline of an enterprise’s security strategy, as SAM and security are both important contributors to strong IT governance. Combining SAM with information security at the endpoint and at the core will highlight otherwise invisible events and help in identifying suspicious or strange activity down to the individual device or user.
If an organisation does this, it will know just how valuable having SAM and IT security alignment really is.