Microsoft Joins the Software Tagging Bandwagon – ISO/IEC 19770-2:2009 Hits its Stride

By IAITAM

In April 2012, Microsoft, Inc. joined the continuing onslaught of announcements regarding software publisher adoption of software tags. Microsoft committed to incorporating tags and has described the process as fast and easy compared to the value that can be received. In fact, the first tags have launched in the Windows 8 preview. The momentum behind tagging, and its extension to new releases and even patches, is going to deliver increased identification and automation accuracy. For the busy IT Asset Management professional, IAITAM has reprinted the Microsoft announcement, plus feedback from ISO/IEC 19770 Work Group 21 Convener David Bicket and Steve Klos, President of TagVault.com.

Microsoft Announcement

Software ID Tags

In today’s rapidly evolving world of new devices and computing paradigms, many IT departments struggle to quickly, easily, and accurately inventory their IT environments. For many customers license management is more of an art than a science – where getting it wrong can have costly results.

Today many enterprise customers who want to ensure they remain compliant spend many hours to sort through and normalize the data they get from even the best inventory tools – and many customers still end up buying based on an ‘educated guess.’ To that end, we’ve heard from customers that they would like Microsoft to carefully consider ways to help them lower the cost of managing their software licenses.

Consistent and accurate data provides a solid foundation to decision making. With this in mind, Microsoft is collaborating with national standards bodies and industry leading groups to further the development of the ISO/IEC 19770-2:2009 standard for software identification tags. We are folding ISO/IEC 19770-2:2009 support into our product planning cycles, and will begin to include these tags in future product releases. System Center and the Microsoft Assessment and Planning (MAP) Toolkit will be updated such that future releases will provide the ability to inventory SWID tags.

Customer and Industry Feedback

These tags provide a universal way to identify software which makes it easier for customers to track and manage the software running within their environment. This ISO standard greatly simplifies the software identification process, helping to lower the cost of managing software licenses for most customers. We think this is an important first step in making it easier for customers to manage their software assets, and customers and industry experts agree:

“In announcing their support for software tags Microsoft has taken a giant step forward and should be commended for this visionary accomplishment in facilitating the next generation of software management. This announcement is a quantum leap in bridging software management practices of the past to the visionary programs of the future. It will not only revolutionize the way Software Asset Management (SAM) is implemented for both the publisher and their customers, but is a first step in a substantially improved software supply chain relationship. Microsoft is to be commended for their groundbreaking and insightful work in this discipline that will certainly be critical to the future of software management.”

Pat Cicala, President, Cicala & Associates

“Chevron supports the use of Software ID Tags per the ISO 19770-2 Standard as it will assist large, complex environments such as ours to better manage our software compliance efforts. Using this standard provides Chevron clear, more comprehensive information.”

Robin Trebec, Software Compliance Project Consultant, Chevron

Uses Beyond License Management

Although software license compliance is often top of mind in discussions relating to Software Asset Management, SAM encompasses much more than just matching software use to entitlements. SAM is also a key strategy to help organizations ensure they receive maximum value from their software while minimizing risks. Customers and industry experts are also excited about the positive impact these software ID tags can have in these areas:

“The security and integrity of information systems is a critical issue for The MITRE Corporation, its US Government sponsors, and for the nation. Secure information systems depend on reliable, cost-effective Software Asset Management (SAM) practices. MITRE sees the ISO/IEC 19770-2 Software Identification (SWID) Tag standard as a key enabler of highly reliable and automatable software inventory and assessment processes, and believes that widespread adoption of SWID tagging by software publishers will go a long way towards helping the nation protect its vital computing assets and infrastructures.”

Gary Gagnon, Senior Vice President and Chief Security Officer of The MITRE Corporation

“There are many aspects of managing software products in which every organization must excel in order to ensure the organization receives maximum value from their software while also minimizing security and compliance risks. These management issues are compounded by new devices and computing paradigms that are being introduced to market at a very rapid pace.

With these complexities in mind, it is exceptional to see Microsoft join a growing group of software publishers that are leading the market towards a more efficient, effective and accurate software identification process by way of their support of the ISO standard for software identification (SWID) tags. Companies, such as Microsoft, that are supporting the use of SWID tags have recognized that providing the data their customers need to improve efficiency and effectiveness of IT operations significantly strengthens customer satisfaction, lowers risk and improves the overall customer / supplier relationship.”

Steve Klos, Executive Director of TagVault.org

“Microsoft’s announcement means major benefits for all end users, because it will mean an end to the guesswork associated with so much software management. It will also enable automation of many tasks previously dealt with manually, which is increasingly critical for today’s economic infrastructure built on IT.

Microsoft has shown major industry leadership with this announcement. Customers should demand from all publishers, for all software, what Microsoft and a few other visionaries are already delivering.”

David Bicket, Convener ISO/IEC JTC1 SC77 WG21, Software Asset Management

We will provide further updates as part of product development roadmaps in the months to come, and will also share additional details periodically here. Customers can also work with qualified Gold SAM Competency Partners to develop plans to leverage these SWID tags in the months ahead, and may also qualify for assistance through a SAM Deployment Planning engagement.

Frequently Asked Questions

Which customers do you think will see the most benefit from these tags?

Corporate & Government customers of all sizes will likely find these tags helpful in managing their enterprise IT environments. Small and medium businesses can also benefit from the simplification of the inventory reconciliation that these tags can bring.

What kind of information will these tags give me?

These software identification tags are simply small XML data files that are installed with the software. They contain the following mandatory data elements: Product Title, Product Version, Software Creator, Software Licensor, Tag Creator, Unique Software Identifier, and Entitlement Required (Yes/No).

Who can access these tags? Will these report my use to Microsoft?

These software ID tags are XML data files that are installed with software. They are simply markers which indicate to your IT team what software has been installed within your network. These tags do not report back to Microsoft, nor do they verify license rights. They are intended to be a tool that can provide customers with better insight into the software that they are using in order to lower the costs of managing those software assets.

Will this help me track CALs?

These software identification tags are simply small XML data files that are installed with the software. This means that they can be found with the installed software (in this example, on the server). For most servers, nothing is installed on the client devices that access them, which means that server software ID tags will not be present on the client devices. For assistance in calculating CAL requirements, you may find the MAP Toolkit and the information here helpful.

Will these tags tell me how something is licensed?

Software ID tags provide information which helps ensure you have accurate data concerning your software inventory. They do not include information about the specific license entitlements or metrics involved with that software; however, having accurate inventory information is the first step in successfully determining your license requirements.

What’s the difference between ISO/IEC 19770-1 and ISO/IEC 19770-2?

ISO/IEC 19770 is a multi-part standard for Software Asset Management (SAM), currently with two parts publicly available for implementation. Each part is identified by a unique suffix. Part 1 (ISO/IEC 19770-1:2012) outlines business processes for successful software asset management. Part 2 (ISO/IEC 19770-2:2009) outlines the structure for software identification tags, which can be used to improve the accuracy of software inventory collection as part of SAM.

Reference: (1) http://www.microsoft.com/sam/en/us/softwareid.aspx

A Tag Perspective: Steve Klos, TagVault.org

ITAK Editor Jenny Schuchert asked Steve to address the Microsoft adoption and the bigger picture for software tagging.

Microsoft has joined a growing community of software publishers who’ve recognized that software identification has been a problem for IT organizations in every segment of the market. The lack of authoritative software identification information provided in a standardized manner ends up costing organizations a significant amount of money, time and resources as they try to work around the limitations of a best guess effort. Not only are significant resources spent on trying to understand which and how many software titles are installed in an organization, but organizations are often purchasing, upgrading or agreeing to maintenance contracts based on a best guess effort.

Microsoft has indicated that it is committed to supporting the ISO/IEC 19770-2 standard that specifies how software identification tags are included with future software releases and the various software discovery tools Microsoft supports (see announcement). In fact, the commitment is so pervasive within the company that the preview version of Windows 8 that was released in July of 2012 includes SWID tags as part of the operating system installation(1).

One of the issues raised by critics is that there will be legacy software titles that do not include SWID tags installed throughout the network. This is certainly true. However, companies like Microsoft have recognized that SWID tags can be very easily rolled out as part of a software patching infrastructure so that 80-90% of the software from large organizations could contain authoritative SWID tags within a few years. This would greatly ease the requirements of compliance, security and logistics operations in any size of organization, with potentially millions of dollars and significant resource savings being seen by larger companies.

One of many reasons accurate software identification via SWID tags has been so critical is the U.S. Federal Government requirements to ensure a more automated security infrastructure for the networked computing infrastructure – both within the government as well as for critical infrastructure systems such as power, transportation and utilities. Many departments within the Federal Government are recognizing how much automation can be applied to the security content automation protocol (SCAP) infrastructure as well as on many of the federally mandated governance requirements for allowable software. These requirements by Federal Agencies have started the process that will require SWID tags in every software title purchased by the U.S. Governmental agencies. In fact, the U.S. Air Force has already distributed an RFP that includes requirements for all software purchased under that RFP to have SWID tags.

SWID tags are here and the software publishers are recognizing that tags are a critical requirement because customers are demanding them. Obviously, SWID tags are not a silver bullet that will solve all IT problems, but it’s clear that it’s the first step to authoritative data that customers will be able to use to increase automation and decrease costs. Microsoft has been able to “turn on a dime” and start to support SWID tags fast. That’s the way it should be since SWID tags are easy and inexpensive to implement, and provide very high value to the customer. I look forward to seeing more software publishers supporting SWID tags as they too recognize the value they provide to customers and low cost of implementation!

Reference: (1) http://www.itassetmanagement.net/2012/06/14/windows8-iso-tag/

Q & A with David Bicket: ISO/IEC Work Group 21 Convener

ITAK Editor Jenny Schuchert asked David Bicket for feedback on the progress of the ISO/IEC-designed software tag and the bigger picture for Software Asset Management infrastructure.

Q: In the effort to improve software compliance within organizations, how important is software tagging?

David Bicket: Software tagging is one of the essential technological advances we need to facilitate more accurate and more automated management of software compliance. Much software cannot be accurately identified, with differences between trialware vs. full versions, suites vs. individual components, individual vs. bundled products, and run-time versions being some of the most common areas of misidentification. If you don’t know what you have, you can’t manage it, or license it properly.

Q: What do you think the impact will be of the Microsoft adoption to the time table for general adoption?

David Bicket: Microsoft’s adoption of software tagging answers the biggest question which users have had in the past – when will Microsoft do it? It will take time even for Microsoft to roll out tags throughout its product lines, but any tool vendor not supporting tags now will face a bleak future, and customer pressure on other vendors will increase steadily for them to also supply tags.

Q: Does tagging remain a topic of interest to the ISO/IEC working group for Software Asset Management?

David Bicket: Tagging is part of the technological infrastructure needed for effective software management in all environments – including in the cloud – and WG21 will continue to work to put the rest of that infrastructure in place. The entitlement tag is well developed already, and will help to automate one of the most labor-intensive areas of IT management, namely license management, and it will facilitate effective control in both centralized and decentralized environments. Additional projects needed include the following:

  • Work has started on a software tag for embedded software – ultimately even more important than the SWID tag in terms of number of devices affected.
  • There is a need for a common structure for recording or logging usage, whether against licensing metrics or other metrics needed for capacity management etc.
  • We need to ensure we can access the necessary information regardless of the deployment technology – e.g. in virtualized instances, which requires looking at APIs.
  • Other tags we may be considering in the future are for hardware, media and documentation identification and management.

Whatever is needed to enable effective and efficient software management, we need to consider if standards can help the cause, and coordinate with other organizations as needed to make it happen.

Open Letter from Software Buyers to Software Publishers

This open letter, written by Pat Cicala, has been widely published in order to encourage “the customer” to take an active role in promoting (actually, demanding) adoption of the ISO Software Identification (‘SWID’) Tag standard ISO/IEC 19770-2:2009. Results from the individuals responding to the request to sign this letter will be presented at the IAITAM conference in October of 2012.

Dear software publishers,

This is an open letter from the buyers and managers of software licenses and software (“software buyers”), to software publishers.

In a world where most business processes are now IT-enabled, software publishers have facilitated quantum leap improvements in how most business is conducted. Sadly, little of this extraordinary skill has been applied to the business of managing the software itself. It is a case of “the cobbler’s children wear no shoes.” Existing automation cannot reliably address critical identification and management deficiencies.

The result is a software ecosystem that is difficult and costly to manage. Software buyers bear most of the costs and risks of dealing with this situation, and software publishers, as a group, have not done much to help. Some software publisher representatives have tried to improve the situation, but the independent development team structure of most software publishers slows progress.

To manage software effectively for the purposes of well-controlled deployment, security, and license compliance, software buyers invest extraordinary effort and significant money. If the investment into this seemingly bottomless pit is limited, then software buyers are exposed to increased risks of operational problems, security breaches, and license non-compliance. Software buyers then have the risk of even higher costs from these types of issues. This includes the risk of potentially costly license compliance audits from software publishers. Organizations that ignore the need for license compliance may get the results they deserve, but those who try conscientiously to be compliant often feel that the results are unfair when software publishers have not provided the capabilities and information needed to manage this area cost-effectively. There is also significant tool-vendor lock-in for all organizations, and organizations that have to consolidate the results from multiple discovery tools suffer even more because of proprietary approaches that inhibit the interoperability of data between different tools and across organizations.

Software buyers are therefore asking software publishers to address the area of software management now and make it possible for software buyers to manage software competently and with a reasonable level of effort instead of the unreasonable level currently required. Software publishers will also benefit significantly from this effort in virtually all areas. Software publishers can expect more bottom-line revenue, not from expensive and combative compliance events, but proactively as software buyers manage compliance effectively. A good analogy for the impact of this change is a highway transport system. Bad roads and bottlenecks inhibit commerce. Good roads result in more traffic and more effective commerce. Easy but effective software management results in more software deployment without unnecessary risks. Software publishers will see improvement in their costs for managing software releases for patch and update purposes. Fixing software management removes reasons for buyers to reject or displace publisher software with non-commercial options.

Software buyers need solutions that provide more accurate information and support more automated processes. The greatest opportunities are the implementation of industry-standard software identification and license management. Software buyers understand the advantages of competition between software publishers, but not in aspects critical to successful management. What’s needed is for software publishers to work together to give software buyers the necessary information and software management capabilities using an industry-standard method. Software publishers also need to ensure internal cooperation so that all development teams participate in this effort.

The most important step that can be taken immediately is to support the ISO Software Identification (‘SWID’) Tag standard ISO/IEC 19770-2:2009. A number of software publishers already provide SWID tags for some or many of their products, including Adobe, Symantec, CA, HP, Flexera and most recently, Microsoft. A significant number of tool providers also already support SWID tags. Software buyers need much more. Software buyers are asking for the comprehensive provision of SWID tags from all product development teams from all software publishers. We understand that software publishers and their development teams have lengthy planning cycles, and that changes cannot happen overnight. However, the industry infrastructure for SWID tags is in place and key industry products like InstallShield, InstallAnywhere, and Advanced Installer all now produce SWID tags. There is also a non-profit organization called TagVault.org that exists to facilitate implementation of SWID tags, cross-industry data normalization, and tag certification.

Because this infrastructure is already in place, it should be realistic for software publishers to provide SWID tags with all new products and new versions of existing products by December 2012. While it may take more time to produce SWID tags for legacy products, upcoming competitive evaluations are already providing impetus to this change.

Software buyers have compelling reasons for implementing SWID tags including for software deployment, security, and license compliance. Security is an area of particular concern, and it is becoming clear that SWID tags facilitate a major advance in IT security. US Government agencies are currently working with TagVault.org to provide better solutions for both government and private sector security management. Sources of further information are given at the end of this open letter.

A second step that software publishers can take is to join industry efforts to develop Software Entitlement Tags for the planned ISO/IEC 19770-3. Managing licenses is one of the most intensively manual activities left in IT. Give software buyers an industry-standard capability to manage licenses electronically.

This open letter is a request to software publishers to act decisively and constructively to achieve a quantum leap improvement in the manageability of software and licenses. Software buyers are pursuing other ways of achieving this objective. Software buyers are driving change, acting individually and collectively, through industry associations, and through governmental and elected representatives. Software buyers are using all reasonable means to convince publishers’ sales, technical, legal and executive personnel that these changes must be made, and that all software publishers need to act. Software buyers’ tactics include:

  1. Emphasizing the need for change to software publishers’ personnel in the course of regular business contacts
  2. Including these issues in contractual negotiations. For example, the audit clause in most software licensing agreements has been one-sided. Software publishers can expect increasing demands to link audit rights to the software publishers’ performance in making software and licenses more manageable
  3. Elevating software publisher participation in these improvements to a priority consideration during competitive evaluations

Software buyers are impatient for a dramatic improvement in the manageability of software and of licensing. Software publishers are essential to this very important effort. Of course, software buyers will speak loudest through the persuasion of market demand to reward supporters. Please consider this letter your opportunity to receive the benefit of that demand.

There is much more that can be said about this area, and this open letter cannot cover it all. We recommend that you also review the following:

  1. Advocacy video by Pat Cicala with a message on why this is so important – http://www.youtube.com/watch?v=MfXpgUWUFpc
  2. Automation of CPE Names Using Certified SWID Tags (for security) [http://www.tagvault.org/Automating_CPE_name_creation#attachments]
  3. White paper on ‘How to get vendors to make software more manageable’, including sample contract language [http://www.19770.org/download/file/15/]
  4. White paper detailing how to include software tagging requirements in RFP documents [http://www.tagvault.org/balance]
  5. Further information about SWID tagging
  6. Software Identification Tags – a Strategic Solution [http://www.tagvault.org/sites/default/files/WP%20-%20Software%20Tags%20Strategic%20Solution%2020101204%20Final_0.pdf]
  7. Using software identification tags to enhance software asset management [http://www.tagvault.org/sites/default/files/Using-Software-ID-Tags-WP-published.pdf]
  8. Analysis of the accuracy and interoperability of software discovery tools [http://www.tagvault.org/discovery_tools]
  9. Information about TagVault.org [http://www.tagvault.org/about/more_details]
  10. Information about how to get involved in 19770-3 development work [http://www.sassafras.com/ISO/]

Sincerely,

Your customers, the software buyers

Sign this letter! (http://www.surveymonkey.com/s/XMQQMBP)

About the Author

The International Association of IT Asset Managers (IAITAM) is the largest organization providing education, certification and thought leadership to the management of IT as a business. IT Asset Management is the management of hardware, software, mobile and other technology to maximize the value to the organization.