Any scenarios that compromise the security of an IT infrastructure, which we often encounter in practice, are dangerous. They make it more difficult to evaluate a software for client management or a SAM tool. Let us continue to define which specific elements play an important role in this.
1. Evaluate software for client management by its inventory
The flexibility and opportunities IT administrators get from using scripts is tremendous. I see the Powershell as arguably the most powerful scripting tool the Microsoft world has seen to date. However, this flexibility can be risky if the scripting technologies are used thoughtlessly or too quickly as they often can be.
When selecting and evaluating a suitable software for client management, inventory methods– both agent-based and agentless– are an important aspect. The inventory and detection mechanisms should not be based on script technologies. They must clearly lie in the inventory mechanisms of the tool itself and the results obtained, especially with regard to the installed software, should be matched against a valid software recognition catalog. On the one hand, it is necessary to check whether the quality and quantity of agentless and agent-based inventory are the same. Only then will valid information about the IT landscape be evaluated. On the other hand, it is not only the inventory logic that has to be examined, but also the inventory lines of communication. Crucial questions that arise from both the commercial and the public domain sectors that need to be resolved when selecting an inventory solution are:
- Is communication between agents and infrastructure “open” or is it protected by certificate-based communication?
- What authorizations are required for the taking of an inventory?
- How can a respective agent be automatically installed on the target systems when the agent-based inventory is being used?
2. Testing mechanisms for a software for client management
A software distribution, which is implemented by an installed agent on the target system, requires definitive testing mechanisms in order for the software packages to be installed. Whether a software package on the client is actually the package commissioned by the IT administrator may not be an issue, on account of the threat level by any hackers and industrial espionage in the space. Protection should be second nature for a software for client management, and must be considered and questioned concretely by the respective manufacturers during the tool evaluation.
Since the technology that sets up files are visible, maneuverable, and are installed untested for all network users, it is no longer keeping with today’s “state of the art” technology, but rather corresponds more closely with those of the past. Thoughtless authorizations on the respective distribution directories promote the compromisation of systems and networks. Not to mention simple “middle-man” scenarios, which provide software package with malicious code that are implemented and not checked by any agents on the target system.
3. Workflow-Based Software Distribution
In addition to infrastructural security of communication in the simple execution of installation commands for setup and MSI files, a software for client management must also provide control mechanisms during the process of the installation itself. Through this, a safety-oriented installation of applications is possible. A key issue, for example, is checking whether a system or user is in a particular AD security group, or whether the individual dataset of the system carries specific attributes, for example, in the asset management where automating the installation can be affected or controlled. The magic word here is workflow-based software distribution.
“Setup.exe/s” or “msiexec/i” alone were the methods of the past. Today IT administrators want the convenience and security-oriented functions of graphic-workflow-based software distribution without the complex scripting effort. They would also prefer to provide patches across the Cloud for PDF readers, browsers, and other similar industry-specific software applications via managed service offerings of tool manufacturers.
4. Licensing Aspects of Evaluation of a software for client management
Automated software distribution offers enormous flexibility, and stays true to the motto “deploy software quickly where it is needed, whether the client is connected to the local network, or just to the Internet”. A service that is sometimes taken for granted by users. This is often supported by web-based self-service portals, which offer users a kind of webshop-like experience. Through which software is quickly and easily requested in the internal app portal or partially installed without the need for authorization. However, the risk for IT managers and IT administrators is often underestimated here in the unconscious automated under-licensing. Software is distributed faster and more unconsciously than with the manual, this is a more unconventional method. For this reason, the focus should also be on the holistic approach of IT decision-makers when selecting the respective tool, i.e. the interaction of software deployment and license management.
What Does this Mean for the Evaluation of a software for client management?
Here too, workflow-based software distribution is crucial to the balance. Automation in software distribution must be able to decide whether an installation can occur in accordance with the existing license situation or whether it cannot occur due to a lack of licenses. Ideally, a ticket in IT service management is automatically opened at this step in the process, which triggers a procurement process for new licenses of the respective software and the question of licensing compliance is of no concern. One recognizes very quickly, what an exciting and complex subject holistic client management or asset management represents, and which topics must be considered when selecting the right tool. Security, compliance, and a well defined process are the basis for modern IT management.
Benedikt Gasch, CTO, Deskcenter Solutions AG