Hot Stuff! Software Audit Tools/Suites
With letters from the Business Software Alliance (an industry association focused on reminding businesses that legal licensing of software is not optional, and that failures to comply with licensing requirements can result in substantial fines) more or less routine in the business world, operations of all sizes need to know what software is running on which machines and to be sure that there’s a legitimate license around for each copy in use. While this may not appear to be a security issue per se, consider that security may be broadly defined as protecting a business or organization from loss or harm, including the consequences of fines for illegal copies of software. Consider also that users may install software without worrying about such niceties, or that unused software may be costing money with no possibility of return, and you’ll understand why this matter is of interest to all kinds of IT staff, including information security types.
A new generation of auditing software is available in today’s marketplace. It goes beyond merely keeping track of what it finds, to removing unauthorized items it may discover and to installing copies of items that might otherwise be missing from standard configurations. Inventory is good, but appropriate action is even better, especially since it allows network administrators to enforce license compliance before outside audits force such things to occur at significantly greater cost.
Table 1 lists a set of 9 software audit and license compliance toolsets, all of which were recently reviewed in SC Magazine (www.scmagazine.com/scmagazine/2003_08/test_02/) and for which detailed reviews are also available there. The Centennial Discover Web Edition and Altiris products qualified for both “Best Buy” and “Recommended” status in that article, and may therefore be worth a closer look.
Most of these products work by installing a software agent on client machines, which then communicates inventory information to some central repository of software information. After initial inventory is complete, most such products report on equipment status and contents on a periodic basis, and collect information about the humans who interact with these machines (such as user name, department, phone number, and so forth) on a regular basis. Many such products work only with Windows PCs, but some also support Macintosh, Unix, and Linux systems (including the Centennial product mentioned earlier). Regular reports and analyses help these products deliver and summarize their findings to administrators, who can then use them as the basis for any follow-ups required.
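The reconciliation step such a central repository performs can be sketched as follows. This is an added example, not code from any of the reviewed products; the report layout, host names, users, product titles and seat counts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: host names, users and product titles are hypothetical.
AGENT_REPORTS = [
    {"host": "pc-001", "user": "asmith", "department": "Finance",
     "software": ["OfficeSuite", "AntiVirus", "PhotoEdit"]},
    {"host": "pc-002", "user": "bjones", "department": "Sales",
     "software": ["OfficeSuite", "FileShareClient"]},
    {"host": "pc-003", "user": "clee", "department": "Sales",
     "software": ["OfficeSuite", "AntiVirus", "PhotoEdit"]},
]
LICENSES = {"OfficeSuite": 3, "AntiVirus": 3, "PhotoEdit": 1, "CadTool": 2}  # seats owned
STANDARD_BUILD = {"OfficeSuite", "AntiVirus"}  # titles every machine should carry


def reconcile(reports, licenses, standard_build):
    """Compare agent-reported installs with licence seats and the standard build."""
    installs = defaultdict(set)          # title -> hosts reporting it
    missing_standard = {}                # host -> standard titles not found
    for report in reports:
        found = set(report["software"])  # de-duplicate repeated entries per host
        for title in found:
            installs[title].add(report["host"])
        gap = sorted(standard_build - found)
        if gap:
            missing_standard[report["host"]] = gap

    unauthorized, over_deployed = {}, {}
    for title, hosts in installs.items():
        if title not in licenses:
            unauthorized[title] = sorted(hosts)                   # no licence on record
        elif len(hosts) > licenses[title]:
            over_deployed[title] = len(hosts) - licenses[title]   # seats short
    # Paid-for seats that no agent reports in use.
    unused = {t: n - len(installs.get(t, ())) for t, n in licenses.items()
              if n > len(installs.get(t, ()))}
    return {"unauthorized": unauthorized, "over_deployed": over_deployed,
            "unused_seats": unused, "missing_standard": missing_standard}


if __name__ == "__main__":
    for finding, detail in reconcile(AGENT_REPORTS, LICENSES, STANDARD_BUILD).items():
        print(f"{finding}: {detail}")
```

The four result sets correspond to the follow-ups the article describes: removing unauthorized items, resolving license shortfalls, reclaiming unused software, and installing items missing from standard configurations.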
Table 1: Software Inventory/Audit/Management Tools & Suites
ACL for Windows
ACL Services Ltd
Altiris Asset Management Suite