Understanding the Relationship Between SAM and Security

Security and IT asset management go hand in hand. Mobility, cloud computing and virtualization complicate them both. Mobility and cloud put more software outside the traditional network perimeter. Virtualization balloons the instances of licensed software.

Most organizations have software running both inside traditional network firewalls and outside on devices connected over wireless links. These hybrid infrastructures present challenges to both security and software asset management. From a security standpoint, mobile devices share many of the same threats that desktop computers confront. But they also bring threat vectors of their own, such as data exfiltration from unauthorized or nonquarantined applications, mobile malware and loss of the device itself.

From a software asset management standpoint, mobile devices amplify the possibility of problems with license management, such as having more copies than needed or more than the enterprise is authorized to have under a volume license agreement.

Shifting Security Threats

The past year has produced sensational news of data losses, network penetration and malware implanted using social engineering techniques. For many, the case of former National Security Agency contractor Edward Snowden made real the insider threat.

Snowden was hardly the first. For more than a decade, the U.S. Computer Emergency Readiness Team (US-CERT) has been studying insider threats. There are two basic types: inadvertent losses that result from user carelessness or lack of training; and trusted insiders who commit deliberate malicious acts, resulting in data theft of one sort or another. One recent US-CERT study detailing insider theft of intellectual property found that it has occurred across all public, educational and commercial sectors.

US-CERT has a name for nonmalicious breaches by employees or trading partners: unintentional insider threats. UITs don’t necessarily arrive by phishing or malware. Users manage to lose data all by themselves. They lose devices, forget to log off, visit questionable websites and work on sensitive material from untrusted devices or over unsecured networks.

Malicious insider threats are a different story. US-CERT research shows three main motivations for insiders to breach security: fraud, sabotage and theft of intellectual property. No one can read minds, but some behaviors that are detectable on the network can give clues to malicious activity. And implementing some basic security procedures can make it harder for a lone wolf to act.

Know Thy Software

Ultimately, most security issues involve software. In addition to traditional security threats, noncompliance with volume license agreements can create security problems. Further, many organizations face risks associated with unauthorized software that employees install on their devices — especially mobile devices, which some organizations do not lock down as fastidiously as they do desktop PCs.

Regardless of the source of software, IT managers should set up mechanisms for monitoring software use. The IT team needs to know what users have installed and what they are using. Knowing installations is essential to security, helping to ensure that users have only the correct software and that it is configured properly. Knowing usage patterns helps to control costs. It can also help an enterprise to avoid buying too many licenses when unused licenses are available in its inventory.

Finally, knowing that all the licenses in the directory are valid, active and being used helps ensure that, should a security event occur, security staff aren’t distracted by chasing down phantom machines and thus extending the remediation time. Beyond that, data about users, applications, versions and configuration help the organization ensure data protection. It’s a two-way street: Users need tools — but only authorized ones — to access internal information to do their jobs. Database and network administrators need assurance that only authorized users have access to information resources and applications that are appropriate to the users’ roles.

Given the scope and dynamic nature of the information needed to manage security and licensing costs, how can an enterprise keep up? The answer is by using a software asset management solution. SAM is the only practical way an organization can maintain thorough visibility of, and control over, its software. SAM enables structured, repeatable processes for cybersecurity, cost control and license compliance. SAM is no less necessary for users of cloud-hosted software than for organizations that host all of their software internally.

Want to learn more? Check out CDW’s white paper, “The Dynamic Duo: SAM and Security.”