CYBERSECURITY PADAWAN

Whenever I think about SAM and software assets, I remember my very first CND lesson – forget about spelling the word “asset” the usual way, because it has nothing in common with what you’re up against in IT management. Instead, replace the “s” with the dollar sign (“$”) and you’ll get a whole lot closer to SAM and ITAM. Yes, I’ve probably used this aphorism before, but, in my mind, it captures the essence of software asset management.

Poetic license aside, in this article we will revisit SAM, wrap our heads around the fundamental differences between software asset management and IT asset management (ITAM), go through some SAM/ITAM policies, and more. Should you be interested in learning more about the intrinsic and extrinsic benefits of software and IT management, be sure to check out the articles written by my lovely colleagues. My personal favorites are:

So, let’s have a chat about SAM and ITAM.

What is Software Asset Management?

Because no self-respecting article can go without a “what is?” section, let’s see about defining SAM. According to Wiki, SAM is “a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization and disposal of software applications within an organization.”

Deloitte adds that SAM “includes all the necessary processes and infrastructure to plan, control, and protect your investments in enterprise software throughout each phase of the lifecycle.” Nice choice of words, don’t you think? Allow me to break it down for you – imagine two businesses. XY is a small, family-owned business with, let’s say, 10 employees.

On the other hand, XYZ Corp, the second business, has 1,000 employees and twice as many endpoints (i.e., laptops, desktop computers, tablets, servers, physical firewalls, routers, switches, hubs, WAPs, etc.) running literally hundreds of different software products.

Now think about it – if you were the owner of a family business, what would you need, software-wise, to ensure business continuity? I’ll go first: accounting software, antivirus/anti-malware, an inventory app, and, perhaps, a paid, business-grade social media account for shoutouts. So, four paid licenses in total. Not much to wrap your head around in the area of license management.

Tracking can be done with an Excel spreadsheet or something similar. And now for the real tear-jerking question: what would you do, software inventory-wise, when you have hundreds of endpoints, each running two, three, or four different types of licensed software? For one, spreadsheet tracking, i.e., manual, static data entry, is out of the question. Well, I guess you could hire someone with Mentat-like computing powers, but there’s an easier way to go about this. Yup, you’ve guessed it – SAM.

Software Asset Management is more than an app inventory tool; it’s a framework that covers all key software areas: acquisition, deployment, usage, audit, retirement, and EOL. Comparesoft’s oversimplified SAM matrix defines a four-phase software asset life cycle: Planning, Procurement, Ops & Maintenance, Disposal. Let’s break it down even further.

Planning in SAM

Which came first, the chicken or the egg? In our case, which one takes precedence – implementation or establishing a baseline? Well, at this point, I’m just going to assume that you’ve already deployed a software asset management solution and that you’re eager to start building. So, establishing a baseline it is. The very first rule of software (not Ferengi) acquisition is to conduct a meticulous inventory of what you have.

This includes software running on your desktop PCs, laptops, wearables, servers, IoT devices, routers, hubs, wireless access points, smartphones, tablets, and pretty much everything capable of running software – yes, even coffee machines and smart fridges fall into that category. Now that all your eggs are in the same basket, it’s time to make some determinations; these will help you move the needle in the right direction. At this point, something visual like a checklist, a process tree, or a mind map can really speed up the process. Here are a couple of pointers to get you started:

  • How many ACTIVE endpoints does your organization have?
  • How many endpoints are COMPANY-OWNED? How many are BYODs?
  • How many software apps are running on your endpoints?
  • How many of those are company-sanctioned and how many are in violation of your company’s policies?
  • How many endpoints are running unpatched or outdated software?
  • How long will it take to deploy updates and security patches on all your endpoints?
  • How many endpoints qualify as major security risks?
  • Can you measure software efficiency? If so, are the apps actually helping employees carry out their daily tasks, or do they create more bottlenecks?
  • What is the cost vs. efficiency trade-off of retiring EOL and suboptimal software?
  • What type of new software is required?

As you can imagine, the list is (almost) never-ending, and being disconcerted or getting lost in translation is actually fine and, why not, part of the process. Don’t forget that careful SAM planning can help you get rid of some nasty security and compliance issues.
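Most of the checklist above boils down to a handful of counts and lookups over the inventory you have just collected. As an added example that is not part of the original article, the Python below answers those questions for a constructed four-endpoint fleet; the app names, version catalog, EOL date and snapshot date are all made up, and “major security risk” is defined here as an active endpoint running EOL or unsanctioned software.

```python
from datetime import date

# Hypothetical reference data, constructed for this example (not a real vendor catalog).
SANCTIONED = {"LedgerPro", "ShieldAV", "StockKeeper"}   # approved by company policy
LATEST = {"LedgerPro": "4.2", "ShieldAV": "11.0", "StockKeeper": "2.1", "OldChat": "1.0"}
EOL = {"OldChat": date(2019, 6, 30)}                     # vendor stopped shipping patches
SNAPSHOT_DATE = date(2021, 1, 15)                        # when the inventory was taken

# Constructed inventory snapshot: each endpoint lists installed software as name -> version.
FLEET = [
    {"host": "ws-01", "owner": "company", "active": True,
     "software": {"LedgerPro": "4.2", "ShieldAV": "11.0"}},
    {"host": "ws-02", "owner": "company", "active": True,
     "software": {"LedgerPro": "3.9", "ShieldAV": "11.0", "OldChat": "1.0"}},
    {"host": "lt-07", "owner": "byod", "active": True,
     "software": {"ShieldAV": "10.2", "TorrentBox": "5.1"}},
    {"host": "ws-03", "owner": "company", "active": False,   # decommissioned, never wiped
     "software": {"StockKeeper": "2.1", "OldChat": "1.0"}},
]

def vtuple(v):
    """'4.2' -> (4, 2): compare dotted versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def baseline(fleet, today):
    """Answer the planning-phase checklist for one inventory snapshot."""
    eol_apps = {name for name, end in EOL.items() if end <= today}
    apps, unsanctioned, outdated, eol_hosts, risky = set(), set(), set(), set(), set()
    for ep in fleet:
        for name, ver in ep["software"].items():
            apps.add(name)
            if name not in SANCTIONED:
                unsanctioned.add(name)
            if name in LATEST and vtuple(ver) < vtuple(LATEST[name]):
                outdated.add(ep["host"])
            if name in eol_apps:
                eol_hosts.add(ep["host"])
            if ep["active"] and (name in eol_apps or name not in SANCTIONED):
                risky.add(ep["host"])   # "major security risk": active host, EOL/unsanctioned app
    return {
        "active_endpoints": sum(ep["active"] for ep in fleet),
        "company_owned": sum(ep["owner"] == "company" for ep in fleet),
        "byod": sum(ep["owner"] == "byod" for ep in fleet),
        "distinct_apps": len(apps),
        "unsanctioned_apps": sorted(unsanctioned),
        "outdated_endpoints": sorted(outdated),
        "eol_software": sorted(eol_apps),            # disposal-phase candidates
        "eol_endpoints": sorted(eol_hosts),
        "high_risk_endpoints": sorted(risky),
    }
```

Call `baseline(FLEET, SNAPSHOT_DATE)` to get the checklist answers as a dictionary; the decommissioned ws-03 still shows up under EOL software, which is exactly the kind of forgotten box the disposal phase is meant to catch.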

Procurement in SAM

After having established the baseline, it’s time to tackle the procurement part. Now, buying new software is not as easy as going to the supermarket. It takes careful consideration and a whole lot of legwork – bear in mind that acquisition, in itself, is subject to a workflow. Regardless of what you acquire and at what price, you will probably need to make a business case.

Based on your recommendations, execs will determine if the investment is sound or a dead-end. I won’t even bother getting into details, because it defeats the purpose of this article. On your end, please ensure that the need is real, all global deployment requirements are met, and that your business case features alternatives.

Operations & Maintenance

Provided that all went well during the planning and procurement phases, you’re now the proud owner of several new pieces of software. As part of the software asset life cycle, ops & maintenance is considered the longest and, sometimes, the most tedious. You will need to monitor everything, tend to hiccups, nurse broken apps back to health, and ensure that everything’s up to speed.

Ops & maintenance can also help you gauge the ‘life expectancy’ of an app or suite, which is very important when figuring out the worthiness of the investment.

Disposal

Is there software life after death? Yes and no – every piece of software, especially those of the open-source variety, can be repurposed or recycled. Others just end up in, well, oblivion, I guess. Why is disposal important? Because EOLs and legacies become liabilities the moment the developing companies cease to release security patches and/or updates. Those are entry points that can (and will) be used by malicious hackers to APT your networks and/or endpoints.

Familiarity or sentimental value should be excised as far as cybersecurity is concerned. And this, dear reader, is where the disposal phase comes into play – to identify EOL software and plot the best course of action. As I’ve mentioned, some apps and software can be recycled, which is great, considering that we would have eliminated the need to search for an adequate substitute, but most end up in the bin.

To sum up: SAM or software asset management is a framework that describes the life cycle of every piece of software owned by a company. SAM frameworks may have slight alterations, but all rest on four major pillars: planning, acquisition, operations & maintenance, and disposal. Planning, acquisition, and disposal are less resource-intensive, while ops & maintenance is both resource-intensive and time-consuming.

What is IT Asset Management (ITAM)?

With SAM covered, we’re ready to tackle ITAM; it’s important to see both sides of the story in order to understand the SAM – ITAM ‘parallax’ effect. First, let’s have a nice chat about the elephant in the room: if ITAM is the same thing as SAM, why the need for extra letters? IT Asset Management IS NOT THE SAME thing as SAM. However, they are akin – think of SAM as the child and ITAM as the parent. And it’s only natural for it to be this way, since hardware and software are a match made in Heaven.

Just as SAM is the framework for acquiring, operating, maintaining, and disposing of software, ITAM “entails the management of the physical components of computers and computer networks, from acquisition through disposal.” From container to ‘containee’ and containerization, everything in a company is an asset, and every little asset is subjected to policies.

ITAM has, more or less, the same ruleset as SAM. The only thing that sets them apart is the financial aspect. Evidently, a piece of equipment does not amount to the same face value as a piece of software, all the more reason why your business case should be on point when recommending X hardware over Y hardware. Here’s what a typical ITAM flow looks like:


There’s something familiar about it, isn’t there? Well, if “SAM” was the first thing to go through your mind, you’re absolutely right – ITAM and SAM flows are, more or less, the same. Translated, the diagram would read something along these lines – ITAM is a six-phase process: acquisition, creation & registration, distribution, storage, distribution & collection, and disposal. I would also add planning and ops & maintenance to the flow.

So, how would this work? Say your business case has previously been rubber-stamped by C-Sec. The vendor is contacted and the deal is closed. After that, the ITAM entry for the purchased product is created and the item is shipped to the end user. Until disposal kicks in, the item can be subjected to a back-and-forth with IT for maintenance or debugging. And when the time comes to meet the pearly gates, the hardware will be replaced, repurposed, or simply destroyed. Such is the cycle of life!

As you might imagine, many out there believe that SAM and ITAM are one and the same – wrong! On the other hand, when comparing life cycle flows, there are virtually no differences between the two.

Now, before we dive into the parallax I was talking about, let’s get back to that little limerick I was telling you about in the intro – spelling assets with dollar signs instead of letters. Well, if software assets are spelled using two dollar signs, hardware assets should be spelled using three or more “$” signs. Remember this the next time you want to push a business case for new software or hardware assets.

SAM – ITAM Parallax

And so, creepingly, we have arrived at the very heart of this article which is the SAM – ITAM parallax effect. Some clarifications before we get started – parallax is a term derived from physics – optics, to be more precise – and it describes a visual phenomenon whereby the direction or position of an object appears to be different when the observer shifts his position. Yes, I know this isn’t a physics class, but bear with me on this one. The effect itself is endemic to photography, but it also has broad applicability in visual arts.

Now, what does this have to do with software or hardware management? Well, when viewed from a fixed, predetermined position, ITAM and SAM are one and the same. However, once the observer’s view gets shifted, the established rapport between the two of them becomes even clearer. Give it time – all will be clear in a couple of minutes. So, ITAM and SAM are caught in this ever-revolving, Hotel Overlook-like front door – what a merry masquerade, as Byron used to say. Now, envision the two becoming interlocked, like a total eclipse of the SAM.

This point of conjunction is called cybersecurity. In other words, as far as internal and external security is concerned, the line between ITAM and SAM becomes so thin that you could hold a candle to it and still get blinded by the light. At this point, both ITAM and SAM are standing on the same step of an imaginary ladder that spirals all the way up to, well, healthy growth.

With the assets in place, it’s time to take a stab at the issues from a cybersecurity standpoint – does this topology ensure lock-tight cybersecurity? What are the most vulnerable links? Can they be fixed or should we eliminate them? As you know, the foundation or, better said, the ties that bind the two together are a mix of compliance, metering/monitoring, and loop assessment – the best of both worlds.

To sum up: the ITAM – SAM parallax effect refers to a type of ‘occlusion’ that occurs when software asset management and IT asset management are viewed from a cybersecurity perspective. In this case, an asset equates or amounts to a potential vulnerability, one that can endanger privacy, compliance, and data integrity.


Parting Thoughts and Software Asset Management Recommendations

Finally, we’ve reached the end of this long-winded article. If you can still conjure up the willpower to face yet another section, then here are my recommendations in the general (and particular) area of software asset management.

1. SAM = ecosystem

SAM is not a set-and-forget application filling up your disk space and haunting your nights. It’s an entire ecosystem, one with its own quirks and pangs. So, overstating the obvious, be sure to thoroughly read the product’s documentation before going in. Riding shotgun when your infrastructure’s security is on the line just won’t do.

2. Licensing

Another Captain Obvious moment – learn what a license is. Most of us assume that it’s just a piece of paper etched with a shiny hologram that gives your company the right to use the software. Actually, a license consists of many different things; to name some, you have the software’s packaging, the master copy, the documentation, authorization codes, release documentation, licensing terms and conditions, operational instances, support terms and conditions, free copies, demos, and so on.

3. Conducting a software audit

Probably the least favorite part of being a sysadmin. Nonetheless, it’s essential for discovering hidden flaws and suboptimal configurations, and for ensuring that everything’s up to speed. Audits are typically conducted by a third party for that unbiased perspective. You should know that audits are nothing like those unannounced quizzes in school.

The auditor will give you a timely heads-up to prepare all the necessary info. This includes names, device PIDs, version numbers, vendor names, update pathways, licensing meters, terms, license details, history of vendor names and/or products, support info, geolocational limitations, and the total number of software products running on all machines. Do your homework right!

4. Automation FTW!

Auto-piloting your workflows is one of the best feelings in the world; all the more reason to find that very special SAM to ensure the fluidity of your patching-updating-upgrading-software inventory flow. Heimdal™ Security’s Patch & Asset Management makes SAM easy, certifies global patch or update deployment, and helps you compile inventory reports faster than you can say “software asset management”.

With these in mind, I hope you’ve enjoyed my article. As always, for rants, comments, praises, or beer donations, please use the comments section. Stay safe!
