With the rise of the cloud it has become much easier for IT users to bypass enterprise IT to run their own software, opening up organisations to greater cyber risk. But Software Asset Management can be a frontline of defence.
Traditionally, the notion of risk in relation to Software Asset Management (SAM) is about ensuring license compliance and mitigating against large settlements or unnecessary costs. However, as the digital reach of organisations has rapidly expanded, cyber risk has escalated, and more organisations have recognised the importance of maintaining an inventory of, and control over, IT assets as an effective step in mitigating cyber security risks.
In the traditional world where all software and hardware are ‘on premise’ and within an organisation’s exclusive control, inventory agents can be deployed to monitor activities on the devices and software. These enable ‘unsanctioned’ software to be administratively uninstalled to maintain inventory controls.
However, in a cloud world, with the rise of Software, Platform and Infrastructure as-a-Service (SaaS, PaaS and IaaS), it can be easy for a user to bypass traditional controls, and to introduce new software into the organisation without leaving any footprints. These ‘Shadow IT’ activities can increase cyber risk exposures, as the cloud services being subscribed to can deviate from approved security standards, making it easier for hackers to attack the whole organisation.
For example, at one large organisation our team found that some users had subscribed to a number of unsanctioned SaaS applications that had not been assessed or on-boarded by IT. We also found potential for data loss through activity on cloud-based storage apps like Dropbox or WeTransfer, and a number of external, non-business email addresses (such as Gmail and Hotmail) that had been granted access to the company’s OneDrive account.
If a SAM function has a robust operating model, it can play a key role in helping to mitigate these risks.
SAM and cyber security should align at every step of a software asset’s lifecycle, from acquisition through deployment to retirement.
SAM can play a key role in knowing all of the software components, monitoring their use, and helping to ensure that appropriate security measures exist around them. SAM can help monitor if unsanctioned software is deployed, and can ensure that for sanctioned software there are adequate controls in place.
At KPMG, we can help organisations to implement a robust SAM operating model to enable a culture of better practice around SAM. We can also implement our managed service, Software Asset Management as-a-Service (SAMaaS), which helps organisations to establish a reliable inventory and control over the deployment and use of software. We delve into our SAMaaS approach in detail in our article, Taking charge of Software Asset Management.
Beyond these steps we can help organisations to implement ‘cloud access security brokers’ that automatically analyse firewall logs, assess the risk of thousands of different SaaS apps, and measure the level of activity on each app, including who has accessed it and from which devices. This quickly narrows down the software and users whose anomalous activity warrants investigation. Security controls can then be implemented, such as stopping users from uploading data to an unsanctioned app.
While these tools can’t completely eliminate risk, if used as part of a robust SAM operating model, and with SAMaaS, they can highlight issues that require further investigation.
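The analysis described above, as an added example that is not KPMG’s tooling or any CASB product: a small shadow-IT review over constructed proxy log lines. It maps each request to the SaaS host, aggregates users, devices and upload volume per app, flags apps that are not in the SAM function’s sanctioned catalogue (ranked by upload volume, so the likely data-loss cases surface first), and separately checks a constructed OneDrive sharing export for addresses outside the corporate domain. The log format, the catalogue contents, the risk ratings and the upload threshold are all assumptions for illustration.

```python
"""Added example (not from the article): a minimal shadow-IT review over
constructed proxy log lines, in the spirit of what a cloud access security
broker does at scale. Assumed log format: CSV with the columns
timestamp,user,device,url,bytes_out (bytes uploaded)."""
import csv
import io
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2021-06-01T09:02:11Z,alice,LT-0142,https://outlook.office.com/mail,1200
2021-06-01T09:05:40Z,bob,LT-0201,https://www.dropbox.com/upload,48300000
2021-06-01T09:06:02Z,bob,LT-0201,https://www.dropbox.com/home,900
2021-06-01T10:15:33Z,carol,LT-0077,https://wetransfer.com/,120000000
2021-06-01T10:20:10Z,alice,LT-0142,https://teams.microsoft.com/,4000
2021-06-01T11:01:59Z,dave,MOB-0311,https://trello.com/b/abc,2300
"""
FIELDS = ["ts", "user", "device", "url", "bytes_out"]

# Catalogue assumed to be maintained by the SAM function (constructed).
# Risk ratings are illustrative placeholders, not a real assessment.
SANCTIONED = {"outlook.office.com": "low", "teams.microsoft.com": "low"}
APP_RISK = {"www.dropbox.com": "high", "wetransfer.com": "high", "trello.com": "medium"}

UPLOAD_THRESHOLD = 10_000_000  # bytes per app per period; tune to the organisation's baseline


def app_of(url):
    """Map a request URL to the host that identifies the SaaS application."""
    return urlsplit(url).hostname or ""


def summarise(log_text):
    """Aggregate per app: distinct users, distinct devices, bytes uploaded, sanctioned flag."""
    stats = {}
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        app = app_of(row["url"])
        s = stats.setdefault(app, {
            "users": set(), "devices": set(), "bytes_out": 0,
            "sanctioned": app in SANCTIONED,
            "risk": SANCTIONED.get(app) or APP_RISK.get(app, "unknown"),
        })
        s["users"].add(row["user"])
        s["devices"].add(row["device"])
        s["bytes_out"] += int(row["bytes_out"])
    return stats


def findings(stats):
    """List unsanctioned apps, largest upload volume first, each with its reasons."""
    out = []
    for app, s in stats.items():
        if s["sanctioned"]:
            continue
        reasons = []
        if s["bytes_out"] >= UPLOAD_THRESHOLD:
            reasons.append("bulk upload")
        if s["risk"] == "high":
            reasons.append("high-risk app")
        out.append({"app": app, "users": sorted(s["users"]), "devices": sorted(s["devices"]),
                    "bytes_out": s["bytes_out"], "reasons": reasons or ["unsanctioned"]})
    return sorted(out, key=lambda f: f["bytes_out"], reverse=True)


# External sharing check over a constructed list of addresses granted access
# (e.g. an export of OneDrive sharing grants). Domain and addresses are made up.
CORPORATE_DOMAINS = {"example.com"}
GRANTS = ["alice@example.com", "partner@gmail.com", "bob@example.com", "someone@hotmail.com"]


def external_grants(grants, corporate_domains=CORPORATE_DOMAINS):
    """Return granted addresses whose domain is not one of the corporate domains."""
    return [g for g in grants if g.rsplit("@", 1)[-1].lower() not in corporate_domains]


if __name__ == "__main__":
    for f in findings(summarise(SAMPLE_LOG)):
        print(f"{f['app']:<22} users={f['users']} devices={f['devices']} "
              f"uploaded={f['bytes_out']} reasons={f['reasons']}")
    print("external sharing grants:", external_grants(GRANTS))
```

The two outputs are the review queue the article describes: unsanctioned apps ordered by how much data left through them, and the external identities that have been given access to corporate storage. Each line is a lead for the SAM function to either on-board the app properly or apply a control, not a verdict on its own.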
Having mature SAM practices is essential to strong cyber security. Our team can help organisations to implement a robust SAM operating model, and through SAMaaS we can establish reliable data and provide ongoing support and control over the cyber risks arising from an organisation’s use of software.
The SAM manager of the future will need to play a more integral role in an organisation’s strategy. Find out what the role will look like – SAM manager of the future.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Liability limited by a scheme approved under Professional Standards Legislation.
For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.