The Perils of Partial SAM

This article has been contributed by David Chamberlain of License Dashboard

Software Compliance plays a leading role in both ITAM and SAM, with business decisions made and risks mitigated on its very calculation. Inaccuracies on either side of the compliance equation – that is, Licenses Required versus Licenses Owned – could render the data coming from a SAM tool, and therefore all the business decisions made as a result, completely useless. In consequence, the efforts of the team of SAM analysts is a total waste, and the true context of SAM completeness goes unappreciated.

We are a SAM savvy and commercially ethical generation. These days, businesses don’t want the risk of non-compliance. Businesses want to purchase only the licenses they need. They want to use only pre-approved software. They shop around to get the best possible price, but they are prepared, of course, to pay for the software they use.

Compliance is an aspiration and is managed by an expensive SAM tool with specialist resource employed to keep on top of software license management. The SAM tool reports what has been deployed, and the IT department records the software licenses bought. End user confidence is high in the world of SAM, surely there is no reason for concern?…

Why the output from your SAM tool just isn’t enough

“Why do vendors audit? Can’t I just send them a record of my expensive SAM tool’s output?”

Software vendors employ in-house specialists, and use external contractors for their audit or review purposes. These experts test the completeness of SAM data, scrutinising the entire IT network, including areas that the SAM tool may not be pointed toward, looking for scenarios that have been unaccounted for. It makes sense, then, to mirror that approach. It makes even more sense to find a SAM tool that mirrors that approach, as it’s the vendors’ findings that form the basis of negotiating any remediation.

Inadvertently putting your business at risk

According to our global team of SAM experts, it’s all too easy to get caught out when it comes to compliance. Here are the nine most common ways in which customers unknowingly put themselves at risk of non-compliance:

1. Discovery Tool Completeness

How do you know all assets are being monitored? If you aren’t capturing your entire IT estate, you are at risk of wrongly assuming compliance. Discovering 70 out of 100 instances of Acrobat installs would suggest only 70 licenses are required – 30 short. Your SAM tool needs to integrate with AD so you can be sure your estate is captured

2. Data Centre Variables

Your data center is the largest area at risk of non-compliance. Your SAM tool needs to understand all of its variables, plus any additional liability that may arise due to the potential mobility of software when it is deployed in a cluster. Because of that mobility, the software deployed may require active maintenance.

3. Application Consumption

Indirect usage massively impacts license requirement, and so discovering what software is deployed can often be insufficient in understanding compliance. Your SAM tool must understand how an application is being consumed – whether it’s accessible via the internet or from any device, whether there is multiplexing in the architecture or soft partitioning. If you have costly development software deployed, is it locked down in terms of access to it, or do you require a Visual Studio Subscription for everybody?

4. User Based Licensing

Software usage is shifting toward a per-user model, rather than a per-device model, which can be complicated for monitoring. Your SAM tool must be able to resolve users’ multiple aliases to a primary username, and it must be able to manage subscriptions that allows for multiple installs across multiple devices and associate a primary user with their devices efficiently.

5. The Grandfather Clause

Are pre-existing arrangements and certain allowances for agreements likely to alter? What is the effect on grandfathering rights? The edition of the license held, or the very metrics it is measured by may be subject to change.

6. Citrix/RDS/VDI Usage

Using these methods for delivering applications is typically controlled by user groups, which is a direct conflict for applications licensed per device where there is a 90-day reassignment rule. Unless you are able to report of only the devices where the application has been used in the last 90 days, a vendor could, in theory, expect a license for every device where it has the potential to run.

7. Unit of Measurement

It is simply not enough to capture the deployment of software. The software license itself governs the metrics that must be used to establish compliance. Your SAM tool should understand these metric behaviours and know for example whether to look for processors or cores and if there are any associated minimums.

8. Entitlement =/= Entitlement

Entering rows of software purchases into a licence management system does not necessarily lead you to an effective deployment position. Procurement records are no guarantee that software has not been returned or genuine; some lines may well be expired, novated or prone to human entry error. It could be that new purchasing vehicles  invalidate your perpetual rights to use software acquired under a prior agreement. Also vendors generally will not allow an entitlement to be used against an install where the licence model is upgrade or maintenance renewal and an appropriate base licence has not been found. Licences with active maintenance can also offer different deployment rights when the maintenance is active at the point of a new version of software or triggering of a grandfathering right.

9. Misunderstanding Deployment Allowance

You need to know if you’re allowed to downgrade and by how far, and whether you have the right to re-image. You should know which edition is the correct one to be using, and whether you can down-edition. If the version of your software is stand alone, the network version should not be deployed, and you should check to see if you can deploy individual components of suite software. If you have licenced a host for maximum visualization are all edition and versions deployed on the virtual servers covered by the host license?

An audit-centric approach to SAM is essential

Although users have bought and deployed software in good faith, horror stories about mis-deployment like those above are still rife. Not capturing the full IT estate or deployment architecture can lead to unexpected, but significant, shortfalls in the case of an audit or review. Of course, much can be negotiated with the software vendor, but whilst they may concede in some areas, they will have the upper hand in any discussion around remediation. More often than not, actual compliance is a long way from the zero true up picture painted by Partial SAM.

If you do not have an audit-centric SAM tool – one where data is challenged, actions are requested, processes are demanded, and calculations are transparent – then you will need to allocate a further resource or risk exposure to non-compliance.