Minimizing the threat landscape
The integration of Software Asset Management and Security
While Software Asset Management (SAM) has traditionally been thought of as simply a cost minimizing function, its potential to drive value in an organization goes far beyond that limited viewpoint. Even the best security program can be hamstrung if IT administrators don’t have a firm understanding of where all of the company’s software assets reside, if they are being used, and who needs access to them. By bringing inventorying capabilities into the mix, SAM complements and strengthens security tools and processes, significantly improving the company’s ability to protect its data and systems and reduce operational risk.
- The point of intersection
- Preventative controls
- Weed out the renegades
- Keep software healthy
The point of intersection
Good software asset management is crucial to effective security practices to help combat cyber-attacks that can cost companies an average of $20 million a year – not to mention the long-term reputational damage any leak of customer information can cause. Although many organizational processes and tools are adequate at maintaining specific information on software assets, very few offer the intelligence required to help IT professionals manage complex networks with multiple vendors and platforms across a global IT landscape. An effective SAM practice delivers intelligence on software across the enterprise, driving value by providing managers with the necessary visibility to make the most informed cyber security decisions. When integrated, SAM and information security tools and processes become mutually reinforcing. SAM helps to minimize the attack surface of an enterprise by preventing unauthorized software from being installed, detecting and removing unwanted, redundant and unsupported software, reducing exposure to vulnerabilities through effective patch management processes and validating access controls.
Five key tenets of SAM and security
- SAM tools can provide the forensics to identify unauthorized software
- Leveraging SAM to support patch management can help to ensure the process is efficient and the scope of target systems is complete and current
- SAM can identify redundant or outdated software ensuring software remains necessary and current
- The convergence of IAM and SAM can optimize user access to systems from both a security and licensing perspective
- The integration of security as part of a formal request process can prevent insecure software before it’s installed
Prevent unauthorized software before it’s installed
One of the most basic SAM practices and preventative security measures—one that many companies fail to fully employ—is compiling a catalog or list of authorized software from which business units can select the most appropriate options. Maintaining a catalog of authorized software, and making sure business units only purchase from the catalog, means that IT is better positioned to put security measures in place (once software in the catalog has been evaluated and approved by security processes) for when the software is installed. It improves the chances of monitoring the security posture of the software and eradicating unauthorized software posing risks to the organization. It is important to include security considerations when evaluating software for inclusion in the catalog. A security advisor can be involved to assess the security of the software, approve its inclusion in the software catalog, and pre-authorize its distribution through the organization’s standard request process.
The software catalog is the first line of defense; however, since a catalog won’t always include everything a business user might need, a formal software request process for both catalog and non-catalog software should be established. Enforcing a formal request process gives IT administrators better visibility into what software the business wishes to introduce into the environment, and improves their ability to forecast demand and make more informed decisions regarding installation approvals. While many organizations only include procurement within the approval process, including representatives from SAM and security is essential to getting full value out of the process. Including a security advisor as part of the software purchasing team offers a number of advantages. Security specialists will dig into such issues as whether the software has any known vulnerabilities, whether it is supported by the vendor, whether it is aligned with the company’s security standards, and whether the company’s network firewall rules will need to be altered in order to run the software. Ignoring these considerations can result in additional costs or significant exposure for the organization.
- Adopt security controls before installing purchased software.
- Establish a catalog of software that has been approved from both a functionality and a security perspective.
- Develop a formal request process to ensure IT is apprised of any software the business wishes to acquire.
Find and weed out the renegades
Having a formal request process reduces the likelihood that unauthorized software will enter the environment, but it’s not a guarantee. Companies, therefore, need ways to ferret out rogue software that has made its way inside the network using detective controls as part of a vulnerability management program. Part of this task can be accomplished by security tools, which scan servers looking for known vulnerabilities and as a result may identify specific software that has introduced a security issue. The security tool would then notify IT administrators so it can be removed or remediated by a patch or upgrade.
- Unauthorized software may bypass preventative controls; therefore, detective controls are needed as part of a vulnerability management program.
- Maintain a blacklist of software to easily identify rogue software.
- SAM tools have the capability to maintain a blacklist and detect blacklisted software.
Keep software healthy and show redundant software the exit
To help maintain the functionality and security of their software, vendors issue new patches, releases, and upgrades. Patch management is important to all software--across operating systems, applications, databases, and firmware. Failure to patch or upgrade can result in a vulnerability that can be exploited by hackers. Patches have varying levels of impact and criticality, and orchestrating their deployment--including outage timing, change management, and testing--adds further complexity to security management. A patch rollout may also need to be phased across multiple business units, involving other systems directly or indirectly.
Underutilized, redundant, or legacy software increases an organization’s software footprint beyond what is required, increasing costs and creating unnecessary security issues. For instance, employees often install software on their desktops for specific projects and then forget about it. If IT administrators are unaware where this software resides, they may fail to upgrade it or apply security patches. Licenses may also expire, compromising compliance and incurring financial risks. Software that is not being used in one part of the organization can often be re-harvested and deployed elsewhere, saving the company money in licensing fees.
Three ways SAM keeps software healthy:
- Completeness - Provides visibility into the scope of systems and the software running on them, to ensure that patches and anti-virus are applied to all applicable systems
- Efficiency - Assists security administrators in developing and planning roll-out schedules that minimize disruption to the business
- Currency - Ensures software is current, providing the latest functionality to business users and supporting the availability, confidentiality and integrity of systems
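The detective controls described under "Find and weed out the renegades" and the completeness and currency checks above come down to the same operation: reconciling what a discovery tool actually found on each host against the approved catalog and the blacklist. The following is an added example, not code from the whitepaper or from any SAM product; the catalog, blocklist and inventory records are constructed sample data, and the approved version per title stands in for whatever baseline security signed off on.

```python
# Added example (not from the whitepaper): reconcile a SAM inventory export
# against an approved catalog and a blocklist, then report patch coverage.
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (host, software name, installed version)

# Constructed approved catalog: software name -> minimum version that
# security has evaluated and approved (anything older counts as outdated).
APPROVED_CATALOG: Dict[str, str] = {
    "office-suite": "16.0.4",
    "pdf-reader": "2023.1",
    "db-client": "8.0",
}

# Constructed blocklist: titles known to be unsupported or prohibited.
BLOCKLIST: Set[str] = {"legacy-ftp-client", "torrent-tool"}

# Constructed inventory, in the shape a discovery tool might export.
INVENTORY: List[Record] = [
    ("ws-001", "office-suite", "16.0.4"),
    ("ws-001", "pdf-reader", "2022.3"),
    ("ws-002", "office-suite", "16.0.2"),
    ("ws-002", "legacy-ftp-client", "1.9"),
    ("srv-010", "db-client", "8.0"),
    ("srv-010", "shadow-notes", "0.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.4' into (16, 0, 4) so versions compare numerically.
    Non-numeric characters in a segment are ignored; an empty segment is 0."""
    parts = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify(record: Record, catalog: Dict[str, str], blocklist: Set[str]) -> str:
    """Classify one inventory record. The blocklist wins over the catalog so a
    title that was approved once but later prohibited is still flagged."""
    _, name, version = record
    if name in blocklist:
        return "blocklisted"
    if name not in catalog:
        return "unauthorized"
    if parse_version(version) < parse_version(catalog[name]):
        return "outdated"
    return "ok"


def reconcile(inventory: Iterable[Record], catalog: Dict[str, str],
              blocklist: Set[str]) -> Dict[str, List[Record]]:
    """Group inventory records by finding, in a stable order, so the result
    can be handed to administrators as a remediation worklist."""
    findings: Dict[str, List[Record]] = {
        "blocklisted": [], "unauthorized": [], "outdated": [], "ok": []}
    for record in sorted(inventory):
        findings[classify(record, catalog, blocklist)].append(record)
    return findings


def patch_coverage(inventory: Iterable[Record],
                   catalog: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Completeness and currency view: for every catalog title, which hosts
    run it at all and which of those are below the approved version."""
    coverage = {name: {"installed_on": [], "outdated_on": []} for name in catalog}
    for host, name, version in sorted(inventory):
        if name not in catalog:
            continue  # unauthorized titles are reported by reconcile()
        coverage[name]["installed_on"].append(host)
        if parse_version(version) < parse_version(catalog[name]):
            coverage[name]["outdated_on"].append(host)
    return coverage


if __name__ == "__main__":
    for category, records in reconcile(INVENTORY, APPROVED_CATALOG, BLOCKLIST).items():
        for host, name, version in records:
            print(f"{category:12} {host:8} {name} {version}")
    for name, hosts in patch_coverage(INVENTORY, APPROVED_CATALOG).items():
        print(f"{name}: installed on {len(hosts['installed_on'])} host(s), "
              f"outdated on {hosts['outdated_on'] or 'none'}")
```

Run against the constructed inventory, the blocklisted FTP client and the unknown "shadow-notes" title surface as rogue software, while the two hosts running approved titles below the approved version appear both in the "outdated" worklist and in the per-title coverage view that tells a patch coordinator exactly which machines still need the roll-out.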