Is ISO 19770-2 Effective?
As track records go, the success of standards in Software Asset Management is at best debatable. The original ISO 19770-1 international standard for SAM was first published in 2006 and was updated in 2012.
However, eight years after its introduction, to the best of my knowledge, not a single organization has yet been certified as meeting the requirements of the standard.
Even the 2012 iteration of the standard is still seen as onerous and setting a bar that is just not realistic for most organizations.
The ISO 19770-2 – and the more recent ISO 19770-3 – standards are different beasts in their nature. Rather than being aimed at SAM practitioners and end user organizations, they are designed to be implemented by software vendors and then leveraged by Software Asset Management solutions and end users.
In theory, these standards have the potential to make certain elements of SAM easier, automated or more understandable.
ISO 19770-2 EXPLAINED
ISO 19770-2 was first introduced in 2009, with a recent revision released in 2015. SWID or SoftWare IDentification Tags are designed to help organizations identify what software they have installed within their estate to help them understand their compliance position.
A SWID tag is added to a software package by the vendor before it is provided to the customer for deployment. It displays information about the software, including name, edition, version, vendor and even whether it is part of a software bundle or not. It is up to the software vendor themselves to populate the SWID tags with all of the above information, and more, so that their customers can see what applications are in use.
As designed in ISO 19770-2, it is incumbent on the software vendor to provide SWID tags for their applications and make sure that the information provided is accurate. This is important, as without the right information in the SWID tag, it is not fit for purpose and can actually create problems calculating an Effective License Position (ELP) for the vendor. The responsibility is with the vendor to adopt SWID tags and to make sure that each application has a unique identifier.
Because the SWID tag is created and populated by the software publisher in accordance with the ISO 19970-2 standard, SAM technology vendors were pressured to use SWID tags as the primary recognition where available. In theory, the SWID tags are infallible and a ‘single source of truth’ for the true nature of the installed application.
These tags are used to normalize the installation data to help the SAM team identify what a software bundle or package is, without having to wade through incomprehensible exe files or msi packages.
A number of the world’s leading software vendors support the SWID concept, such as Microsoft, HP and Symantec. Another vendor, Adobe, provides SWID tags for their applications.
However, it has been identified by a number of Adobe customers that their SWID tags are factually wrong.
FUNDAMENTALLY FLAWED
Adobe provides SWID tags for its software products, such as Acrobat and Creative Cloud. However, there appears to be a major flaw – individual Adobe Creative Cloud suite products are given two SWID tags–one for the product and one for Creative Cloud Suite as shown in the Screenshot below:
This means that any SAM solution using SWID tags as a way of inventorying software will show that the user has the full Creative Cloud suite installed, rather than the unique applications that are installed and being used.
BACK TO BASICS
The only reliable solution currently is to fully inventory what Creative Cloud applications are installed, and then perform manual calculations to determine if a particular user should have individual licenses or the suite license. The default is to buy a suite license.
In a large estate, this is quite time-consuming, especially if several Adobe products are available individually. Don’t forget that with Adobe products, you do not need to have the full suite if you are only accessing one product – you can just purchase a subscription license for the individual package.
Because a vendor can install incorrect SWID tags, it raises questions marks of ISO 19770-2 whose prime focus is on making recognizing installed software easier and 100% accurate. This is evident when you consider that with the recent release of Creative Cloud 2015.5 – not only do the SWID tags not identify the individual applications, but customers are also reporting that any ‘Team’ elements have also disappeared from recognition.
THEORY v REALITY
The ISO standards are meant to be a framework universally adopted to enable greater software recognition for customers. In theory, ISO 19770-2 brings value to all parties involved in the Software Asset Management ecosystem – vendors, tools providers and end user organizations.
However, in reality, the more advanced SAM technologies in the world are looking for the unique SWID information, but finding inaccurate information. There needs to be a firm decision made by both the vendors and the ISO 19770-2 standard owners; either they all either adhere to the standard or openly admit that they don’t, so the inaccuracies can stop. Those vendors that will and do follow the ISO 19770-2 standard and introduce SWID tags need to take extra care to populate the SWID tag with all of the information required by the user.
End users just want to know what is installed and what the usage stats are, so if the ISO 19770-2 standard cannot provide such information, we should revert back to existing software recognition so that SAM and associated technologies can still provide transparency and visibility to their organization.
FUTURE FOR ISO 19770-2
Without universal adoption of SWID tags and ISO 19770-2 standard, the future of the standard will always be questionable. Add in the fact that mega vendors like Adobe are getting it wrong and you end up with a standard that cant currently be trusted.
It doesn’t bode well for the future of ISO 19770-2 in its current form, or indeed ISO 19770-3 which is supposed to make it easier to manage entitlement schema (arguably an even more complex matter with more scope for getting things wrong).
SOFTWARE RECOGNITION WILL ALWAYS BE IMPORTANT
One of Software Asset Management’s primary objectives is to inventory hardware assets and identify the software installed. That will never change. It is also an integral part of software license optimization – without knowing what is installed and how often it is being used you will never be in the position to make informed decisions about what your users need.
In conclusion, we need a standard way of identifying software that all vendors agree to. If that is ISO 19770-2 then fantastic – but the vendors need to ensure that they all provide SWID tags and that they are unique to each application.
Snow Inventory does not just rely on SWID tags to inventory software install on your machines. Our Software Recognition Service, with over 46,000 vendors and 389,000 application and suite definitions is the largest in the world. See for yourself and book a test drive today!