The ITAM Review

News, reviews and resources for worldwide ITAM, SAM and Licensing professionals.

License compliance a headache? Cloud could make it worse.

As IT and procurement communities are being surrounded by an army of SaaS, PaaS and IaaS sales teams, a potentially dangerous sentiment has grown that by shifting apps elsewhere and/or by paying subscription instead of owning perpetual licenses, the license compliance headaches (and ultimately the vendor audits that everyone loves) will go away.

We compared the top four license compliance risk areas between the traditional, on premise world and the ‘Cloud’ world, and believe that the reality may be less welcoming. We considered the following risk areas:

  • Excess install, i.e. deploying more copies than entitled
  • Virtualisation, i.e. paid for virtual capacity while physical capacity needs licensing
  • User access and licensed roles, i.e. granting user features or access not entitled
  • In-direct access, i.e. hiding real users behind shared or application accounts.

Excess Install

Example License Metric: Instance, Install, Device, Computer

Example Publisher: Most publishers



Risk Level

Risk is limited if software discovery has good coverage.

Risk is higher as it can be more challenging to establish software discovery and maintain coverage in the mist of traditional DC, private cloud and public cloud (IaaS) due to compatibility, security and network issues.

Additionally, many SaaS applications can be accessed via multiple devices; keeping track of licensable devices can be challenging outside of a corporate network.



Example License Metric: CPU, Processor Value Unit, Core / Core Factor, Processor

Example Publisher: Microsoft, IBM, Oracle



Risk Level

Licensing terms for applications in virtual environments, particularly terms relating to CPU capacity counting rules, often vary between vendors and are difficult to understand.

Keeping track of the licensable CPU counts and capacity levels typically requires deployment advanced monitoring systems.

Often publishers will only allow ‘Bring Your Own License’ to a limited selection of IaaS provider, or consider them as eligible for virtualised (discounted) CPU capacity counting rules.

Deploying monitoring systems to track CPU counts and capacity levels in IaaS can be more challenging due to compatibility, security and network issues.


User access and licensed roles

Example License Metric: Administrator, Professional User, Standard User, Limited User

Example Publisher: SAP, IBM



Risk Level

Usage rights for each user role is defined in software license agreements and often bespoke.

Subsequently assignment and access to usage rights often cannot be technically restricted, and are difficult to report and translate into licensed roles.

While the traditional compliance risks remain, software publishers now have real time visibility and full audit trial of a user’s usage right assignments.


In-direct Access

Example License Metric: Authorized user, Named user, Employee

Example Publisher: SAP, IBM, Oracle



Risk Level

Often publishers’ licensing rules require all human users interacted with their application either directly, by having a named account, or indirectly through a shared account or third-party application account, to be fully licensed.

Software Asset Management (SAM) functions often only have visibility to count the number of accounts within an application, but not the true number of human users that may be ‘hiding’ behind shared or in-human application accounts.

Having full visibility of system architecture and user access routing is the most important success factor to restrict in-direct access.

Obtaining such visibility is more challenging in a public cloud environment considering Cloud Service Provider’s proprietary architecture information and possible shared access routing mechanism.


Additionally, there are matters that can make License Compliance even more challenging in the Cloud:

  • Shadow IT and ‘click through’ License agreements.
  • Blurry licensing liability boundaries between you and your ISPs.
  • Geographic restrictions in licensing agreements vs. Cloud location.

In conclusion:

  • Moving to Cloud can make software License compliance a harder challenge.
  • SAM needs to be more proactive in License agreement negotiations, Cloud architecture design and migration planning.
  • Process and governance changes are required to support effective SAM in the Cloud.


Eric Chiu leads HW Fisher’s IT Asset Consulting practice (FIAC). Supported by a team of highly experienced IP Forensic Consultants, Eric shares his expertise in software licensing with his clients through various consulting and services engagements.

As a veteran of software licence compliance, Eric has experience in the design and management of Software Licence Compliance Programmes for many of the top-10 software publishers and has led hundreds of enterprise-level licence audits on their behalf.

In recent years his focus has been on advising enterprises over strategic and tactical matters in establishing and operating Software Asset Management (SAM) and has provided services to a wide-range of clients from SMEs to substantial enterprise clients.

Erics blend of experience provides him with a unique perspective in SAM, which emphasizes efficiencies and high ROI on the journey of achieving compliance and optimised asset utilisation.


Eric will be sponsoring and speaking at our global conferences this year. Come meet Eric and attend his expert sessions at our UK Conference on 13th & 14th June, US Conference on 27th & 27th September and Australia Conference on 22nd and 23rd November.


Image credit


About Guest Contributor

This post was written by a guest contributor. Please see their details in the post above. If you'd like to guest post for The ITAM Review please contact us.

Leave a Comment