Asset to the company
The management of software is becoming more complex, and driven by a heightened threat landscape, securing both hardware and software has become a C-suite concern. Software is a productivity tool, and if it's not being managed properly, sooner or later, the company is going to suffer.
At the core of software asset management (SAM) is the proviso that the business is using licensed products. In South Africa, almost a third of software installed on computers - said to be worth about R2.964 billion - is not properly licensed, according to a recent study.
According to the BSA | The Software Alliance trade group, there's a clear correlation between the use of unlicensed software and malware infections.
Still, South Africa is almost the most compliant in the region, only being beaten by Israel, which reported that only 27% of its software is unlicensed, according to a 2018 BSA study.
The list is fascinating, and serves to confirm biases about some countries being more law-abiding: best in the world are Japan and New Zealand, tied at 16%, followed by Australia (18%) and Luxembourg (19%). The worst offenders are Libya, where 90% of all software is unlicensed, closely followed by Zimbabwe and Venezuela (both 89%), and Armenia and Iraq at 85%.
The IDC estimates that organisations that install unlicensed software face a one in three chance of coming across malware. This is a fact not lost on CIOs, of whom 54% globally say that lowering security risks is their main driver to using licensed software, followed by 43% saying there was less risk of legal issues.
The BSA report notes there have been recent updates to SAM by the International Organisation for Standardisation (ISO), which provide a general framework for all IT asset management, including software.
By way of example, it says if only consumer credit reporting company Equifax had properly implemented a SAM protocol, it could have avoided or at least mitigated the massive hack of September 2017, in which over 140 million consumers had their personal data accessed. And yes, the CEO and CIO were fired.
Large enterprises also have particular challenges and will have to keep track of thousands of instances of software. SAM will be of particular use here, as it will track the increasingly complex world of software licensing.
There has to be a dual approval process between execs and IT to ensure best business practice.Rowan Fine, Compucart
The reason there's all this unlicensed software is probably because someone thinks they're saving the business money. This, as it happens, is both wrongheaded and short-sighted, infers the report, saying that SAM ensures businesses get the most out of their software, and can best take advantage of new technology, such as cloud. All this means organisations can achieve up to 30% savings in annual software costs with a proper a SAM programme in place.
Not all SAM tools are equal, however. Some are better suited to particular industries, and there seems to be some variance in the interfaces: some are more text-heavy, while others incorporate graphic dashboards.
It's getting complicated
Patrick Price, principal consultant at CA Southern Africa, says he has seen SAM move from being asset-centric to one that follows an 'entitlement-centric' approach.
He says in the past, licence usage was based on how many devices the specific software application was installed on. This was a one-to-one measurement and was easily managed by counting how many installations of the software were discovered.
Now, licence entitlements have become much more complex, and, as he says, can be based on measurements such as concurrent licensing, named-user licensing, production use or development use.
CA Technologies' solution includes hardware and software asset management components.
The hardware part manages the financial, contractual, ownership and lifecycle aspects of both IT and non-IT assets. The software component manages all these things too, but also compliance of operating systems, databases and applications. Its solution was developed by Aspera Technologies.
Asked if software management has now been elevated to a board function, or does it still reside in the IT department, Price says he's noticed that more organisations are now moving it to their procurement department. He says procurement is naturally more focused on the financials of the firm, rather than compliance, and is chiefly interested in structuring the software licences to derive the greatest financial benefit.
"The feeling in some companies is that if vendors want to audit them, that is their right, but the cost for the licence compliance management and auditing must be borne by the vendor and not the user organisation. So the use of a software asset management tool is to ensure the most cost-effective use of the software and not to ensure compliance."
He says if an organisation doesn't have an effective policy, it will probably face spiralling software costs, with no control of whether what is being purchased is providing any financial benefit to the organisation.
He also raises the 'spectre' of vendor audits, which in some cases may mean millions of rand in penalties.
South Africa's Compucart, an IT and office supply specialist, also offers consulting services to its clients, and has developed its own SAM solution.
According to the company's MD Rowan Fine, it reduces costs and streamlines business processes, while optimising and scaling the software at play in the business. It also addresses risk management.
He believes the success of the solution will depend largely on effective internal communication.
"Functioning hardware and software delivers satisfied employees and increases work efficiency, which has a significant positive monetary impact. They need to know that this is a board decision and must be filtered across every user within the organisation."
By educating and involving the staff, SAM becomes 'engrained in their way of thinking'.
He suggests IT and business management be transparent about the management practice of the company, and says hosting workshops may well give users a sense of participation in the overall success of the business. This is all in the effort to encourage staff, particularly the heads of departments, to follow SAM protocols. It hardly needs to be mentioned that duplication, downloading of software, and software brought into the company could result in disciplinary action.
Compucart's solution monitors what software has been loaded, and what is being used across the organisation. All moribund software is uninstalled, and any changes must be approved by SAM representatives.
"The entire organisation runs better with SAM as automation, standardisation and complexities are reduced," he says.
While SAM used to be solely the purview of the IT department, the responsibility is now being shared with the wider board as it is they who will be accountable for adverse audits or irregularities.
"With SAM in place, broad strategies that were once a dream can now be launched with immediate reporting on how each user is coping and delivering.
"The system feedback is real, live and provides accountability. Business plans can turn into fruition as exact resources can be targeted and deployed to specific projects in order to reach deadlines and milestones," says Fine.
"If companies are not audit-ready and the findings are against the company, this can have huge financial implications and damage, and reputations are at stake."
Forrester's Josh Selonis says asset management is a critical part of the security function.
Speaking at this year's RSA Conference in San Francisco, the senior analyst said it was impossible to maintain an asset inventory in a constantly evolving environment. He likened an organisation's IT infrastructure to a giant jelly bean jar, 'that people are constantly grabbing handfuls from while someone is also helpfully refilling it'.
"We are effectively building critical security processes on a foundation of sand."
Part of the solution is what he terms an `asset intelligence model', which is based on two principles: security professionals should tie their asset definition to business function, not individual systems or workloads because containerisation and serverless computing have fragmented the traditional concept of an asset.
"As the idea of an asset moves further away from something tangible or even persistent, we need to group workloads by business function," he says.
His second suggestion involves creating an asset inventory with `queryable infrastructure'.
"In gaining an understanding of how software is developed and deployed within your organisation, you will come to understand sources of intelligence beyond simple endpoint tools that you can use to build and maintain your asset inventory. While doing so, you should be automating the ability to query for this information on demand, creating a queryable infrastructure that is the fabric of a real-time configuration management database."
Another South African company - XContent Business Solutions - uses the Microsoft tool Movere.
Jenny Prospero, the business manager, says SAM is the twin sister of the General Data Protection Regulation (GDPR).
"Both talk to governance and management of business IP as secure and compliant data, systems, technology, processes and people. Business is centred around trust in technology. It's no longer an IT responsibility, it's a business imperative owned by executive management."
She says even cloud needs asset-management-as-a-service.
"Regardless of cloud evolution, SAM principles are rooted in the people, technology and processes model."
With its solution, performance and inventory agents are deployed in its customer environment for a month to get a clear picture of the business cycle, after which a remedial report is produced. The evaluation is also particularly useful when businesses are considering cloud.
This article was first published in the November 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.