ARTICLE: Ten Leaks In Your Software Management Process
There is only one thing worse than being audited by a software vendor and finding yourself out of compliance – and that’s allowing it to happen again a few years down the line.
From a known compliant state, fully licensed and up to date – how does an organisation slowly fall out of compliance?
Where are the leaks?
End User Leaks
1. End users on the network install software themselves without an appropriate license. This can be through;
- Deliberate abuse
- Ignorance of terms and conditions or
- Not checking that the business is covered.
2. End users buy legitimate software themselves but don’t pass on purchase and license information to the purchasing department or breach the terms and conditions.
3. End users buy legitimate software but via the wrong channels e.g. not via the recognised volume agreement.
IT Department Leaks
4. IT Department install software or redeploy existing software without checking license entitlement.
5. IT Department install software, check license entitlement but then licence it incorrectly. This can be through;
- Using licenses outside their original terms and conditions e.g. OEM Confusion, using academic licenses in a commercial environment
- Using the wrong version or edition e.g. Professional rather than Standard
- Failing to inform end users of the terms and conditions once it’s installed.
6. IT Department install software in Virtual Environments incorrectly;
- Software is installed on a server which many people can access – exceeding the total number allowed to access that application.
- Software in installed which is based on the hardware profile of the machine it is installed on or number of connections without understanding the consequences.
7. Losing track of physical copies of license agreements.
Supplier Leaks
8. Your hardware supplier ships hardware with inappropriate OEM software.
9. Your software supplier sells you fake software.
10. You are misold software from the vendor or reseller or they lose track of your purchase history.
Have I missed anything? How else do companies fall out of compliance?
Related articles:
- Tags: Software Leaks · Software Management
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.
End User Leaks
4. End users buy legitimate software themselves and install it on multiple PC’s with out recognition
of the license terms and conditions.
Having strong corporate backed procurement, change and problem management processes that incorporate asset management
as a key component can go a long way to stopping some of these leaks.
One area that hasn’t been touched on is Mergers, Acquisitions, and Divestitures: often SAM is only an afterthought
during the course of these activities when the IT department is brought in to figure out how to integrate the new units or there’s tight
time pressure to consider how the new organization will split licenses with the old.
It’s no wonder that SW Publishers and Auditors
pay attention to the financial pages for announcements of these events.
You might install software on a disc from a vendor that carries multiple programs that only has rights to one item you
purchased
A couple of thoughts to add…
– Failing to uninstall at the end of a fixed term
subscription based agreement or trial / evaluation period.
– Deliberate abuse, some software vendors specifically look on all systems
for key crackers during an audit which naturally significantly changes how they engage with the account.
The end user installs the software THINKING they understand the license
and reverse 2 – IT/Purchasing do not advise the end user of license terms
– Failure to retain physical copies of the EULA and Certificates of Authenticity provided with
the software media, in addition to your POs and invoices.
Publishers say to hold tightly to these additional bits of physical
evidence – they don’t always keep complete/actionable records either!
– Failure to retain physical copies of the EULA and Certificates of Authenticity provided with the software media, in addition to your POs and invoices.
Publishers say to hold tightly to these additional bits of physical evidence – they don’t always keep complete/actionable records either!
A few thoughts of
my own:
– A physical server with a wide portfolio of applications installed is cloned and virtualised on a much more powerful
machine. No consideration is given for the extra CPUs that require licensing or if any of the applications EULA’s permit or deny
virtualisation rights.
– A number of desktop applications are removed from PC’s and placed on a Citrix environment. No
considerations is given as to who can access what and a shortfall of 2,000 licences is uncovered during an audit.
– An application
that is procured as boxed product is packaged for mass deployment and widely deployed.
In my role as a software licence compliance auditor, it is very often identified that licence shortfalls are
directly attributed to an insufficient knowledge and understanding of licence terms by those responsible for licence compliance.
In particular, organisations who have deployed software in virtualised server environments are often identified as having insufficient
licenses for the way in which those virtualised server environments have been configured (Using DRS for example). The licensing of
virtualised environments can be very complex and with more and more organisations moving to the use of virtualised server technologies
this appears to be an area where non-compliance is growing.
Machines are redeployed without being cleared of the original image. A
real life example of where it can get expensive: Old CAD system is moved into a general office role. CAD software, full Office Package,
maybe some graphics software and MS Project Pro are all left on the system, when the new user only needs MS Word. Previous user gets a
new system and reinstalls all the previous packages, perhaps upgraded and suddenly the company is out of compliance.
End User Leaks:
Not educating your user-base to what they are and
are not allowed to do with their IT equipment
IT Department Leaks:
No consideration being given to regular auditing and
reconciliation of audit data against proof of entitlement.
IT Departments not ensuring that the manner in which software is deployed
matches the licence they have to use it.
Insufficient knowledge transfer caused by a turnover of IT staff.
Supplier Leaks:
Trusting to your supplier that evaluation software hasn’t been bundled on to hardware you have installed.
Nice Job Martin, All true, but the thing I have seen most in the market is
a lack of corporate committment to this discipline and lack of identified processes in place to track and confirm the current state.
Ben
Thanks very much for all feedback for
this article. I have taken the feedback on board and edited accordingly. I think the most important one mentioned was the loss of
physical evidence to prove what you own.
I’m sure from a legal standpoint the responsibility for lost licenses sits with end
users but vendors are notorious for keeping poor purchase information and I think it should be a shared responsibility.
Typically we see three major holes in companies when it comes to software
licensing:
1) Imaging – images are built or modified without review by the person/unit with licensing responsibility.
2) Lack
of product use rights knowledge particularly around servers and server access licenses (production, development, virtual, remote access,
mobile device access, etc).
3) Guesswork, you can’t manage what you don’t know.
Many of the items listed fall into one of
these three categories but I think it’s important to also acknowledge the root causes.
Good point. Thanks Tim