So long SWID tags; we barely knew you…
For those who have been in the SAM world in the last decade (voluntarily or otherwise), you might recall a promising SAM standard called SWIDTags. Introduced in 2009, SWIDTags held the promise to revolutionize the SAM industry by empowering software vendors to include more SAM data. More SAM data would improve the management and security aspects of SAM.
SWID tags were the equivalent of a ‘Hi My Name is’ name tags for software applications but contained many new SAM data points that go far beyond the typical ‘Publisher, Title, Version’.
So, what happened? Where are all the SWID Tags today?
The SWID beginning
SWID stands for ‘Software Identification’. It is a data specification that was published by the ISO (International Standards Organization) in 2009. An international group of SAM subject matter experts created the ISO 19770 ‘Working Group’ to create a family of standards for managing software.
SWID is formally known as ISO/IEC 19770-2, and it’s actually the 2nd standard. In 2006, the ISO published a SAM framework called 19770-1; it was a SAM model to help achieve corporate governance. Software vendors (Microsoft) and service providers (Deloitte) readily promoted 19770-1 to their corporate clients who were struggling with SAM.
As a result of the success 19770-1 in 2006, the 19770 Working Group focused on expanding SAM data elements so more valuable SAM data could be introduced as part of the inventory process. At the same time, Microsoft was also expanding into SAM. Near the end of the Win95 era (Windows 7 launched in October 2009), Microsoft developed a Windows Management technology (WMI) to help collect software and hardware data. In 2008, Microsoft got further into the SAM game by acquiring AssetLabs (I was a co-founder) and started to put AssetLabs software title categorization libraries into the ‘Asset Intellgence’ section of SCCM. Microsoft also joined 19770 ‘Working Group’.
The SWID Plan
The plan was to develop a XML data structure (similar to HTML) that contained many SAM attributes. The XML ‘SWIDTag’ would be part of the software install. New SAM elements included MediaType, ChannelType, LicenseType, ProductFamily, and Edition .
By design, anyone could publish a SWIDTag; from software vendors, SAM tool providers or corporations who wanted to create SWIDTags for internal use. SWIDTags could also be certified, authenticating the trustworthiness of the SWIDTag publisher.
SWIDTags launched, TagVault is born
The SWIDTag ‘standard’ was launched in late 2009. Some of the 19770 Working Group members created an independent corporation to act as ‘certification’ clearing house. They called it TagVault.org
TagVault.org became the ‘rubber-hits-road’ counterpart of the 19770 Working Group, drumming up support across the industry and providing marketing for SWIDTags. By 2014, TagVault.org offered SWIDTag certification for software vendors, provided SWIDTag tools for install tools (InstallShield, installAnywhere, WIX, etc) and had support from Microsoft, IBM, IAITAM, NSA, US Army, and others. The leadership team at TagVault.org included senior employees from Microsoft, IBM, MITRE & Symantec (https://web.archive.org/web/20170906142544/https://tagvault.org/about/leadership-team/)
Fast forward to today: TagVault.org is now shut down. Many software vendors that once supported and/or supplied SWIDTags are walking away, and it’s likely that you’ve never seen a SWIDTag (even though there’s one on your Windows 10 device!)
What happened? Stay tuned for part 2…