Software Identification
Understanding the Methodologies (And Why it Matters)
Kris Barker
Co-founder & CEO, Express Metrix / Apptria Technologies
Agenda
Software Identification – Why Do We Care?
The Role of SAM Tools
Identification Challenges
Identification Methodologies
Software Tagging Standard
Technology Selection Criteria
Summary and Q&A
About Express Metrix
Recognized leader in IT asset management solutions
Express Software Manager (flagship product) known for superior software identification
Software catalog under development over 15 years
Launched Apptria Technologies in June, 2011 to help ISVs improve identification within their products
Software Identification: Why Do We Care?
License compliance
Cost control (license “right-sizing”)
Corporate software standards
Migration planning
Version control
Security (malware)
Nuisance applications
Network impact
The Role of SAM Tools
SAM is a process
Tools are a part of the process
Software identification is part of the tool
▫ Accuracy should be a key evaluation criterion
▫ Identification is not foolproof ∴ tools must be flexible!
SAM Tool 3-Step Process
1. Data Collection (discover what’s out there)
2. Identification (recognize & normalize)
3. Reconciliation (compare to entitlements)
Where Identification Takes Place
At the point of data collection
▫ Locally (resident agent)
▫ Remotely (remote access)
On the back end
▫ From collected raw data
▫ Based on other identification criteria
Identification Challenges – Inconsistency Rules!
Evals, betas, RCs
Non-standard installation techniques (unzip / copy vs. install, non-MSI installs)
Inconsistently specified data (names, versioning, etc.)
Homegrown applications
Installation based on components vs. licensable entities
Suites and application editions
Application plugins / non-executable applications
Scarcity of ISO software id tagging
Etc.
Identification Methodologies
Registry (Add / Remove) analysis
Installer (MSI) database
File header analysis
Software identification database
Software id tagging
Registry (Add / Remove) Analysis
Identification based on values in the registry and/or items shown in Add / Remove Programs
Pros
▫ Easy to collect (including remotely)
▫ Fast
Cons
▫ Limited based on installation mechanism (incomplete)
▫ Does not match 1-to-1 with entitlement requirements
▫ May not sufficiently indicate/include version and/or SP level
▫ May not include installation location information
▫ May be inconsistent across releases
Installer (MSI) Database
Information obtained by querying the installed application database
Pros
▫ Easy to collect basic data
▫ Can also collect component relationships, etc.
Cons
▫ Limited based on installation method (MSI)
▫ May not match 1-to-1 with entitlement requirements
▫ May not sufficiently indicate/include version and/or SP level
▫ May be inconsistent across releases
File Header Analysis
Information contained within header of application executable files
Pros
▫ Simple process (disk scan)
▫ Finds everything executable
Cons
▫ Requires full disk scan
▫ Requires that each file be opened/read
▫ Can’t tell file/application/entitlement relationship
▫ Can’t completely determine suites
▫ Data often inconsistent/incomplete
▫ Shared component data may not be useful
Software Identification Database (Software Catalog)
Collected file and other signatures compared against a database of normalized applications
Pros
▫ Can include file/application/entitlement relationship
▫ Normalized, consistent application data (apples to apples)
▫ Can handle suites, editions, other “more than .exe” apps
▫ Can include other related information (categories, use rights)
Cons
▫ Never 100% complete
▫ Must be regularly updated
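Added example (not part of the original slides and not Express Metrix code): a minimal catalog lookup that normalizes raw registry and file-header records, rolls suite components up to one licensable entity, and sets unidentified entries aside for manual review. The products, hosts and catalog patterns are constructed for illustration.

```python
import re

# Constructed catalog (hypothetical products): raw-name pattern -> normalized
# publisher, title, and the licensable entity the component counts toward.
CATALOG = [
    (re.compile(r"\bacme\s+writer\b|^awriter\.exe$", re.I), "Acme", "Writer", "Acme Office Suite"),
    (re.compile(r"\bacme\s+sheets\b|^asheets\.exe$", re.I), "Acme", "Sheets", "Acme Office Suite"),
    (re.compile(r"\bpdf\s*forge\b", re.I), "Initech", "PDF Forge", "PDF Forge"),
]

def major_version(raw):
    """Reduce inconsistent version strings ('v12.0.4518', '12 SP2') to a major number."""
    m = re.search(r"\d+", raw or "")
    return m.group(0) if m else "unknown"

def identify(records):
    """Split raw inventory into normalized (host, entity, title, major) tuples and unidentified records."""
    identified, unidentified = set(), []
    for rec in records:
        for pattern, publisher, title, entity in CATALOG:
            if pattern.search(rec["name"]):
                # The set removes duplicates reported by more than one collection source.
                identified.add((rec["host"], entity, f"{publisher} {title}",
                                major_version(rec.get("version"))))
                break
        else:
            unidentified.append(rec)  # homegrown or not yet in the catalog: manual review
    return identified, unidentified

def license_demand(identified):
    """Count hosts per licensable entity so suite components are not counted separately."""
    hosts = {}
    for host, entity, _title, _major in identified:
        hosts.setdefault(entity, set()).add(host)
    return {entity: len(h) for entity, h in hosts.items()}

# Constructed raw records, as a collector might report them from different sources.
RAW = [
    {"host": "pc-01", "source": "registry", "name": "Acme Writer 2010 (English)", "version": "12.0.4518"},
    {"host": "pc-01", "source": "file_header", "name": "AWRITER.EXE", "version": "v12.0.4518.1014"},
    {"host": "pc-01", "source": "registry", "name": "Acme Sheets", "version": "12 SP2"},
    {"host": "pc-02", "source": "file_header", "name": "asheets.exe", "version": None},
    {"host": "pc-02", "source": "registry", "name": "PDFForge Pro", "version": "3.1"},
    {"host": "pc-02", "source": "file_header", "name": "payroll_tool.exe", "version": "1.0"},
]

if __name__ == "__main__":
    found, unknown = identify(RAW)
    print(license_demand(found))
    print([r["name"] for r in unknown])
```

The unidentified list is the security-relevant output as well as the licensing one: anything the catalog cannot name is either homegrown, a catalog gap, or software nobody approved.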
Express Software Identification Database (ESID)*
Identification method utilized by Express Software Manager (client collects raw inventory/usage data)
Built on file information derived from combination of:
▫ Registry analysis
▫ Installer database
▫ File header analysis
▫ Start menu
▫ Software id tags
▫ Etc.
Designed to allow software to be organized and viewed based on licensing/entitlement
Ensures normalization / consistency
Updated monthly
* OEMed to technology providers as the Apptria Software Catalog
Software ID Tagging
Identification based on client-resident “tags” indicating the presence of applications
Pros
▫ Normalized identification present on client
▫ Doesn’t depend on installation mechanism
▫ Can be present without any local component/executable
▫ ISO standard
▫ Relationship to entitlement standard for reconciliation
Cons
▫ Not (yet) widely adopted
▫ Questionable relevancy for older apps
▫ Mixed environments create tool challenges
Software Tagging Standard
ISO 19770-2 standard in place since November, 2009
TagVault.org created as registration authority and information hub (info, tools, source code, etc.)
End-user interest
▫ Large companies starting to request from vendors
▫ Push from governmental agencies
Publisher / tool support
▫ Adobe & Symantec leading the way
▫ Most tool vendors have stated or planned support
▫ Microsoft recently announced it will support
Entitlement (19770-3) standard work in progress
Technology Selection Criteria
Collects everything (or close to it!)
Normalizes identified titles/vendors
Identifies with entitlements in mind
Provides means of handling unidentified commercial apps and homegrown apps
Analyzes and presents data in a way that addresses business issues
Summary
Normalized, thorough identification is critical for effective SAM
Tools utilize different (and sometimes multiple) methods, each with pros and cons
Software tagging provides the promise of standardized identification, but timeframe is uncertain
Tools will always require some manual intervention – no identification method is perfect
Learn More About Express Software Manager
30 day Evaluation: ExpressMetrix.com/trial
Live Product Demonstration: ExpressMetrix.com/products/webinars
Self-Guided Flash Demo: ExpressMetrix.com/products/demo