Software Licensing: Chaos, Ignorance and Negligence

Discussions on software purchasing, licences and the need for Software Asset Management (SAM), usually begins from a position of chaos. With so many day-to-day activities and pressure to complete work, deadlines to meet and a whole ream of other reasons, the purchasing of software licences often finds its way to the end of a long list of things to do. Once the current work has been completed, and the priorities have changed, purchasing a licence can easily fall by the wayside. Software remains installed for others to use and becomes a de facto part of the corporate estate without further consideration; just one example of how unlicensed software accumulates within organisations. In essence, software licence chaos evolves through a combination of ignorance, negligence and bad management.

Other factors which contribute towards allowing this to happen include:

  • The lack of control over who can download and install software – Everyone having administrator permission over their desktop is more common than people would care to admit. Combined with unrestricted internet access, is a recipe for software to be downloaded and installed as needed without giving software licensing a second thought.
  • Lack of business processes around software installations – restricting internet access and permissions on desktops will prevent users from downloading software and installing it. Still, without processes in place for the management of software requirements by the business, the default position is for a business user to ask an administrator to install the software. The higher the number of problems and support activities, the higher the likelihood is of this happening automatically without thinking about software licenses.
  • The lack of vendor control over software usage – there are many different ways in which vendors can implement software to exercise control over software usage; however, not all methods are effective. Combined with insufficient control over software installations and by whom, contributes significantly to the use of unlicensed software.

Implementing control of software licenses needs to fall into the following programmes of work:

  • Tactical work to clean up the environment of unlicensed software
  • Strategic implementation of systems and processes to keep software under control, in essence, corporate-wide implementation of Software Asset Management

Demonstrating that both tactical and strategic works are taking place, along with an agreement that a true-up will take place upon determining actual usage and licence shortfalls, will often satisfy software vendors and avoid legal entanglements.

Software licensing models

Managing software licences is not straightforward because of the many different ways in which vendors license software. Although there are many standard software licensing models, each software vendor has commercial freedom to choose their own. Here are some of the popular licensing models:

  • Per-user – one licence required for each user of the system, which could be on a per user-account basis or a per named-user basis.
  • Per installation – one licence is required for each desktop or server installation. Multiple users can share the same computer with one software licence.
  • Concurrent – one licence required for each concurrent user of the system, an approach which essentially defines the maximum number of people who can use the system at any one time but there may be significantly more users and installations.
  • Per site – all computers and people within a single corporate site can use the software with the same licence
  • Licence per processor – an adaptation of the installation licence for systems with multiple CPUs, which was adapted further with the introduction of multi-core processors.
  • Freeware – software downloadable and used as needed, copied and distributed without any restrictions. The vendors often include advertisements for commercial software such as a more advanced version of the same product. The ‘free’ in ‘freeware’ does not mean the freedom to modify.
  • Shareware – software distributed free, on a trial basis, and may have a built-in expiry date or reminders while using the software. The output from the software may have ‘Trial Version’ embedded, preventing it from being used. It could be free for personal use but requires payment for commercial use.
  • Open Source – source code is available to everyone to download, use, modify and redistribute. Code is available under the General Public Licence (GPL) and all derivatives made available must be under the same terms.

With a growing number of cloud-based services where the vendor has control and responsibility for the platform, software vendors and their customers can exercise better control over software usage and licences. For example:

  • Per feature – some features are provided as standard and others enabled upon payment of additional fees. Software features can be enabled and disabled by the vendor.
  • Per space – the price charged is based on the storage space used
  • Per bandwidth – price based on the quantity of data transferred
  • Per feature usage – price is charged for each time the users take a specific action within the software. A popular approach is to introduce the sale of credits, then allow the use of credits to pay for services within software features.

Individual software vendors have the freedom to choose one or more licensing model or any variation on the same theme for their products.  Licence models can change over time as new software is released and new delivery methods become available.

Given the diverse range of software licensing models, it is sensible to adopt a centralised procurement system for software licences. Benefits include:

  • Avoidance of scenarios where an organisation has a site license for a product along with several individual software licences for the same product at the same site
  • A pool of licenses allowed to be controlled and transferred between people as needed
  • Use of the most appropriate type of licence for the required usage corporate-wide. It might be more economical to purchase a site licence, for example, an option unlikely considered with decentralised purchasing.
  • Reduced expenditure through economies of scale
  • The concentration of specialist knowledge about software licensing within a single team allowing other teams to focus on their core duties

Centralising the purchasing of software licences becomes more critical as businesses grow and will in the long-term reduce expenditure. Having individual departments or teams responsible for software purchasing can become costly, inefficient and increase the number of software licence disputes due to lack of awareness and control.

Has software licensing become too complicated?

Following extensive discussions on the implementation of Software Asset Management (SAM), it is clear that there is still a gross misconception about software licensing in general. Licensing implications are seldom thought through when delivering change into organisations. The notion that software is licensed rather than bought is not yet fully embedded in the public awareness.

Company directors could face personal sanctions.  Also, there could be significant financial penalties for the company concerned, let alone the impact on its reputation for knowingly allowing the use of illegal software within their organisations. There is a fine line between ignorance and negligence, either way, the lack of control over software licensing is putting directors, and senior management at risk and companies need to get the software on their estate under control.

There are many factors to be considered with software licensing and establishing adequate processes to make sure businesses operate legally. The diverse range of software licensing models alone is sufficient to conclude that Software Asset Management (SAM) is not as simple as it sounds:

  • Software is licensed in many different ways and can differ from vendor to vendor
  • Software from the same vendor can be licensed differently depending on the product
  • Vendors do licence the same product in different ways depending on the option chosen
  • Licensing terms and conditions often change between product versions

Organisations need a culture change when it comes to software.

Things to consider with HAM and SAM

With so many different ready-made Software Asset Management (SAM) and Hardware Asset Management (HAM) solutions to choose from, the decision can be overwhelming and making the wrong choice can be costly. In some cases, implementing a vendor system can become so expensive that developing a bespoke system might have been faster, cheaper and better.

The best solution on the market might not be the best solution for your business if it doesn’t easily fit within your IT ecosystem.

Here are some things to consider:

  1. What data does your business have already about hardware and software?
  2. Will the new solution be the authoritative data set, or still rely on other data sources?
  3. How well does the solution fit into your organisation?
  4. What are the Infrastructure and Operating System requirements?
  5. Do software components need installing individual assets?
  6. Does the solution need any customisation to fit your environment?
  7. How much bespoke software development do you need for your requirements?
  8. Are any 3rd party software components and licences required?
  9. Which database system is required to store the data?
  10. Who will maintain and support the solution?
  11. How intuitive is the solution, and how much training is required?
  12. Does the solution manage software deployment and removal?
  13. Does the solution have workflow capability for software requests and line manager approval?
  14. Does the solution have a database of known software for identification and cataloguing?
  15. How does the solution manage software licences?
  16. Can the solution be easily integrated with licence purchasing records?
  17. Can the solution automatically detect software installations, and how does this work?
  18. How are software removals detected?
  19. How are new assets discovered?
  20. How is an accurate register of assets maintained?
  21. What types of assets does the solution manage?
  22. What reporting capability does the solution have out of the box?
  23. Does the solution allow direct access to data for bespoke reporting?
  24. Does the solution identify where installed software is out of date?
  25. Does the solution have any patch management capability?
  26. How is the data in the system maintained?
  27. What happens when new assets are purchased?
  28. What happens if assets go missing?
  29. How are missing assets detected?
  30. What is the process for decommissioning assets?
  31. How does the system handle assets being renamed?
  32. How does the solution deal with virtual machines and their hosted environments?
  33. How will software on virtual machines be managed?
  34. How does the solution distinguish between hardware and virtual hardware?
  35. Can the solution identify unauthorised executable files on assets?
  36. What documentation does the vendor provide with the solution?
  37. What does the solution consider to be a software installation?
  38. Does the solution have software recognition data to identify individual files?
  39. Does the solution have data about software and licence requirements?
  40. How are software licences reconciled with discovered software?
  41. Does the solution monitor software usage?
  42. Can the solution manage different types of software licences?
  43. How are hardware assets uniquely identified?
  44. Can the solution track the physical location of assets?
  45. Does the solution capture hardware data through WMI?

SAM and HAM are the top two controls in the Centre for Internet Security (CIS) top 20. Although they are two separate topics, in my experience over the years building bespoke systems, both HAM and SAM are so intertwined that it makes sense to deal with them together, and where appropriate expanding into other areas of security and service delivery.