Today’s heterogeneous computing environments include servers, desktops, laptops, netbooks, tablets and smartphones. They also embrace multiple types of browsers, add-ins, macros, sandboxes and other places to run code. Given these complex, far-ranging environments it’s incredibly easy to have software bought, rented, unwittingly installed or otherwise deployed onto enterprise hardware without the direct knowledge of the IT department.
Furthermore, because cloud computing and software-as-a-service (SaaS) involve enterprise data, a comprehensive software inventory would have to include those services that run partially or entirely on the Web, accessible through a browser.
There are three complementary approaches to a software inventory: technological, interview based and financial.
The most obvious approach from an IT perspective is technological. There’s a rich set of network analysis and monitoring tools that can detect and report upon what each PC on a network has installed. Whether it’s something like the Microsoft Assessment & Planning (MAP) Toolkit, which helps determine licensing requirements in Microsoft shops, or automated inventory management systems for other dynamic enterprise settings, you can take a snapshot in time of the computing environment used by each of your users and then search for anomalies.
Similarly, compiling a list of the Web-based services and tools being deployed by your users can also have a technological component. Tools developed to monitor Web traffic to protect against data loss and malicious Web sites can also figure out where enterprise users are sharing their data. Even if a SaaS or cloud provider isn’t malicious, it still shouldn’t be used without some degree of central enterprise oversight.
However, the technological approach has its limitations. First, it’s reactive, in that you can only detect situations that have already occurred, well after the conversation has taken place that led to the adoption of an out-of-inventory solution in the first place. Second, it provides imperfect device coverage, because employees often use their own devices for business tasks and also because the multiplication in form factors may be outstripping the ability of IT departments to adequately police usage of enterprise data. Third, cloud-based services may look no different than an ordinary Web page and thus evade notice.
That’s where the interview-based approach comes in. Don’t just figure out what people do for a living and how they do it based on their server logs. Instead, ask them. Ask people about their day-to-day technology dependencies, and you’ll find out not only what applications people are using, but also the common pain points and useful ideas for improvement. Find out if there are applications on the radar that they would use if given the chance, or if there are Web applications that they use outside of the office that might make sense for your organization. By maintaining a dialogue with your users, you can also communicate the message that there are important reasons that you’re asking these questions, and that compliance with licensing agreements and security of the IT infrastructure should be top of mind. That way, you can head off rogue installations before they occur.
Finally, there’s the financial approach. Build a relationship with your accounts payable department, or whoever’s responsible for reimbursement for business expenses, corporate card payments and paying invoices to vendors. If there’s a software provider or online service that’s being used within the enterprise, it’s a fairly good bet that someone’s paying for it. While the financial approach is not the most straightforward or quickest way to conduct an audit (and it won’t detect any “free” software installed within your firewalls), the money trail can act as a valuable checksum on your other inventory efforts, and it might uncover some Web-based services and recurring payments to application providers that you may not have found otherwise.
Using these approaches, the software inventory can become not just a tiresome exercise in checking boxes, but rather a way to get closer to users and to get a better handle on IT expenses.
 | 
 |
