Software Asset Management: One SWID to Rule Them All

How would you like a simple, effective, and consistent way to improve your software asset management and security?

You would probably like it a lot once you were convinced it actually does all of the above. So, allow us to explain.

This thing goes by the accurate-but-not-exactly-poetic acronym SWID: SoftWare IDentification Tags. SWID is supported by TagVault.org, a neutral not-for-profit certification authority. These tags, which the vendors create and are responsible for, contain unique information about an installed software application, including its name, edition, license, version, whether it’s part of a bundle and more.

While that might not sound like much it really, really is.

Here’s how it will help you with software asset management: The way things are today, your SAM discovery product(s) either use catalogs or are using an architecture that is software driven. This is a huge problem. First, catalogs are not always kept up-to-date by vendors. While some vendors – including IBM – put a lot of business resources into making sure their catalogs are timely, this is not true for everyone. So what you end up with isn’t a complete list but a best-effort set of data points.

Adding to this problem: Everyone’s catalog is different, with their own nomenclature for their products. These catalogs can have gaps in them and, if they do, you have no way of knowing what application is deployed on your systems. It can also take up to 90 days to update the catalog, and then another 90 for a company to get the catalog data and put it into production. A lot can be missed in six months.

SWIDs take care of this. Rather than relying on catalogs, all that data is in the SWID that comes with the product. So your asset management discovery solution just needs to gather tags and aggregate them across the environment. As a result, the entire process can be automated to discover and report all your software – including what version and which patches it is using.

Then there’s the problem that no two asset management tools will give the same answer on what you have on your systems. Run an inventory and one may let you know you have MSWord and one may call it Microsoft Corp. Word, so the reports don’t match up. With SWID, Microsoft (or any other vendor) can produce the definitive ID name. This gives you data consistency and enables automation for a whole range of use cases, including security. With SWIDs you’ll be able to instantly know if all the patches on your software are up-to-date.

Clearly in order for SWIDs to work, software vendors have to support it. That’s what TagVault is working on. And it already has support from many organizations. Microsoft has been tagging all of its software since last year and at IBM we’re tagging 75 percent of ours and will be at 100 percent by the end of the year.

If you think a SWID is a good idea, you can help make it become an industry standard. Here’s what you can do: As you know, vendors respond to buyers. Just make SWIDs a requirement for the software your company purchases and you will get all these great, free benefits.

For more detailed information, or to find out other ways you can help, go to TagVault.org.