SAM and HAM depend on your data

Regardless of which SAM or HAM solution you select, it will need your data to work. Ultimately, the data is the system; without it, the solution offers no value. It doesn’t matter how much money you spend on building or buying and delivering a system: without your data, it will not provide any meaningful service to the business.

I have taken over failing projects where businesses have already purchased a solution, but it is not yet operational. Often, nobody involved in the project understood:

  • What data already existed
  • The location of the data
  • Who could provide the data and how

Also, very little information was available as to how the system would function in the target environment. In several cases, the non-technical buyer assumed that procurement alone would resolve asset management challenges. Data and many other factors are essential and need consideration long before a buying decision. The availability of data will depend on the size, the age and the maturity of the business.

With mergers and acquisitions, different solutions already exist, and data is fragmented across multiple systems with no holistic view of hardware or software. Because data becomes inaccurate over time, compiling data from multiple sources will allow an accurate picture to emerge. Examples of potential data sources include:

  • Active Directory – details of all computer accounts in the domain along with the date and time stamps showing when assets last accessed the network. The same principle will apply to other directory services.
  • DHCP allocation – the logs will contain details of every piece of hardware with an allocated IP address. This data will also indicate how recently each piece of equipment accessed the network.
  • Purchasing records – details of hardware and software purchases will be available, though often stored in formats unsuitable for automated analysis.
  • Anti-virus – details of assets with anti-virus software installed and of the most recent virus definition updates.
  • Support Teams – individual support teams should have information on what hardware assets fall within the scope of services they offer.
  • Laptop allocation records – details of laptops purchased, their location, and who is responsible for them.

The list of data sources will differ for every organisation and in some cases may include manually maintained spreadsheets with details of computers. From an accurate or partially accurate list of hardware assets, inexpensive utilities can identify software installations and usage.

Tools such as Microsoft Access or SQL Server can yield actionable insights when combined with known data sources. These software packages can answer many questions about hardware and software from the raw data already available. Consider the following actions:

  • Get access to the data
  • Perform some analysis
  • Find out what the data says
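
The cross-checks described above, as an added example that is not part of the original article. It uses SQLite through Python in place of Microsoft Access or SQL Server; the table layout, hostnames and dates are constructed for illustration and stand in for real exports from Active Directory, DHCP and the anti-virus console.

```python
import sqlite3

# Constructed sample exports; hostnames and dates are invented.
AD = [("PC-001", "2024-05-30"), ("PC-002", "2024-05-29"),
      ("PC-003", "2023-11-02"), ("SRV-DB1", "2024-05-31")]
DHCP = [("pc-001.corp.example", "2024-05-30"), ("pc-002.corp.example", "2024-05-29"),
        ("printer-7", "2024-05-28"), ("pc-099", "2024-05-31")]
AV = [("PC-001", "2024-05-30"), ("SRV-DB1", "2024-03-01")]

def norm(name):
    """Reduce 'PC-001.corp.example' and 'pc-001' to the same join key."""
    return name.split(".")[0].strip().lower()

def load(ad=AD, dhcp=DHCP, av=AV):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ad(host TEXT PRIMARY KEY, last_logon TEXT);
        CREATE TABLE dhcp(host TEXT, lease_start TEXT);
        CREATE TABLE av(host TEXT PRIMARY KEY, defs_updated TEXT);""")
    for table, rows in (("ad", ad), ("dhcp", dhcp), ("av", av)):
        db.executemany(f"INSERT INTO {table} VALUES (?, ?)",
                       [(norm(h), d) for h, d in rows])
    return db

def hosts(db, sql, *params):
    return [row[0] for row in db.execute(sql, params)]

def on_network_not_in_directory(db):
    return hosts(db, """SELECT DISTINCT host FROM dhcp
                        WHERE host NOT IN (SELECT host FROM ad) ORDER BY host""")

def missing_antivirus(db):
    return hosts(db, """SELECT host FROM ad
                        WHERE host NOT IN (SELECT host FROM av) ORDER BY host""")

def stale(db, table, column, as_of, max_age_days):
    # table/column are fixed names chosen by the caller, never user input.
    # ISO dates compare correctly as text; date() does the arithmetic.
    return hosts(db, f"""SELECT host FROM {table}
                         WHERE {column} < date(?, ?) ORDER BY host""",
                 as_of, f"-{max_age_days} days")

if __name__ == "__main__":
    db = load()
    print("On network, not in directory:", on_network_not_in_directory(db))
    print("In directory, no anti-virus: ", missing_antivirus(db))
    print("No logon in 90 days:         ", stale(db, "ad", "last_logon", "2024-06-01", 90))
    print("Definitions older than 30d:  ", stale(db, "av", "defs_updated", "2024-06-01", 30))
```

Normalising hostnames before loading matters because each source records the same machine differently; without it, every join reports false gaps.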

I have observed the following in numerous cases:

  • Expensive solutions remain undelivered for excessive periods due to insufficient skills to deliver and operate the service
  • Many data sources within businesses often remain unknown, or known but not understood, analysed or utilised

It is not always necessary at this stage to decide to buy a commercial product or build an in-house asset management system. Getting the data and performing an analysis can often provide actionable intelligence to mitigate sources of risk and increase overall compliance.

Strategic Drivers for SAM and HAM

Key drivers for implementing Hardware Asset Management (HAM) and Software Asset Management (SAM) include:

  • Security assurance – effective patch management depends on complete and accurate hardware and software inventories. Having a detailed list of hardware and software is crucial if you want to be sure that all software on all devices gets updated to the latest version and any security patches are applied.
  • Asset valuation – determining the current value of assets for accounting purposes, such as negotiating a price during mergers and acquisitions or end-of-year valuation.
  • Software licence compliance – beginning the discussion on HAM and SAM in direct response to vendor accusations or investigation by the Federation Against Software Theft (FAST).
  • Response to an audit – this could be an internal or external audit, generally one where identified SAM and HAM deficiencies need corrective action, or a preventative response to known under-licensing risks.
  • Budgeting and cost centre allocation – calculating the costs per business unit of IT services for cross-charging purposes.

HAM and SAM are crucial aspects in the implementation of security standards. Capturing information about corporate assets and maintaining inventory accuracy is essential and can be achieved in several different ways, for example:

  • Using data from existing services such as Active Directory, anti-virus solutions, DHCP and other sources of data within the organisation
  • Connecting remotely to individual assets to assess the current state of the asset and capture information about software installations
  • Deploying background agents to gather continuous telemetry to update software and hardware inventory records
  • Maintaining the inventory manually

Agents may not exist for all asset types, and a combination of the above is likely to be needed to maintain data over time. These operational dependencies must be understood early, as they directly influence rollout timelines and ongoing SAM and HAM data accuracy. If an asset requires an agent, you will need an initial inventory as a starting point.

IT Asset Accuracy

My observation is that Hardware Asset Management (HAM) and Software Asset Management (SAM) data are frequently inaccurate, with many organisations lacking even a baseline expectation for precision. Given that SAM and HAM are cost centres rather than profit centres, this is understandable.

Banks must account for every transaction, every penny, and every card issued or cancelled. This standard of precision should apply equally to IT asset data—especially in security-sensitive environments. No stakeholder would accept 90% accuracy in financial data, yet the same tolerance is often granted to IT asset records, where the risks are equally tangible. The same applies to many areas of the core business that generates revenue.

Without accurate HAM and SAM data, it becomes impossible to:

  • Detect unauthorised software usage
  • Know if hardware assets are missing or stolen
  • Know which hardware assets and software packages need security updates
  • Identify support costs which are too high because usage has dropped
  • Know if you have adequate software licences

Eliminating Unnecessary Software Licence Costs

The discussion on software licences often centres around software usage without adequate licensing. Over-licensing is seldom given the same emphasis, and organisations often find themselves:

  • Buying new software licences while existing licences remain idle. Reallocate unused software licences and assess actual needs before purchasing new ones. Examples of redundancy include licences for staff members who have:
    • Changed roles and no longer need access to the software.
    • Left the organisation.
  • Renewing yearly support contracts based on the current number of licences, while overall software usage has dropped. Reviewing software usage before renewing support contracts could significantly reduce costs.
  • Unused software installed – an external vendor software licence audit could identify the need to purchase a significant number of new licences. The business might have 100 staff using a particular product and has correctly purchased 100 software licences. However, if the audit reveals 150 installations, the vendor could demand payment for the extra 50 software licences. Removing software from systems where it is no longer required will reduce this risk and financial exposure; a case of cost avoidance rather than cost reduction, but equally important.
  • Reorganise responsibilities to reduce licence requirements – distributing work inefficiently across a broad cross-section of the business increases the overall licence requirement. For example, 300 staff may have access to software while 150 of them use it for less than 5 minutes per day, or software may be allocated ‘just in case’.

When undertaking these activities, consider the cost of change, including licence unit costs, support fees, and the number of licences required.