Integritum – Governance, Risk, Audit, Security, Privacy, and AI

My observation is that Hardware Asset Management (HAM) and Software Asset Management (SAM) data are frequently inaccurate, with many organisations lacking even a baseline expectation for precision. Given that SAM and HAM are cost centres rather than profit centres, this is understandable.

Banks must account for every transaction, every penny, and every card issued or cancelled. This standard of precision should apply equally to IT asset data—especially in security-sensitive environments. No stakeholder would accept 90% accuracy in financial data, yet the same tolerance is often granted to IT asset records, where the risks are equally tangible. The same applies to many areas of the core business that generates revenue.

Without accurate HAM and SAM data, it becomes impossible to:

• Detect unauthorised software usage

• Know if hardware assets are missing or stolen

• Know which hardware assets and software packages need security updates

• Identify support costs which are too high because usage has dropped

• Know if you have adequate software licences

The discussion on software licences often centres around software usage without adequate licensing. Over-licensing is seldom given the same emphasis, and organisations often find themselves:

• Buying new software licences while existing licences remain idle. Reallocate unused software licences and assess actual needs before purchasing new ones. Examples of redundancy include licences for staff members who have:
  • Changed roles and no longer need access to the software.
  • Left the organisation.

• Renewing yearly support contracts based on the current number of licences, while overall software usage has dropped. Reviewing software usage before renewing support contracts could significantly reduce costs.

• Unused software installed – an external vendor software licence audit could identify the need to purchase a significant number of new licences. The business might have 100 staff using a particular product and has correctly purchased 100 software licences. However, if the audit reveals 150 installations, the vendor could demand payment for the extra 50 software licences. Removing software from systems where it is no longer required will reduce this risk and financial exposure; a case of cost avoidance rather than cost reduction, but equally important.

• Reorganise responsibilities to reduce licence requirements – distributing work inefficiently across a broad cross-section of the business increases the overall licence requirement. For example, 300 staff with access to software, but 150 use it for less than 5 minutes per day, or where software is allocated ‘just in case’.

When undertaking these activities, consider the cost of change, including licence unit costs, support fees, and the number of licences required.

Discussions about software purchasing, licensing, and the need for Software Asset Management (SAM) often begin from a position of chaos. With so many day-to-day activities and pressure to complete work, deadlines to meet and a whole ream of other reasons, the purchasing of software licences often finds its way to the end of a long list of things to do. Once the current work has been completed, and the priorities have changed, purchasing a licence can easily fall by the wayside. Software remains installed for others to use and becomes a de facto part of the corporate estate without further consideration; just one example of how unlicensed software accumulates within organisations. In essence, software licence chaos evolves through a combination of ignorance, negligence and bad management.

Other factors which contribute towards allowing this to happen include:

• The lack of control over who can download and install software – Everyone having administrator permission over their desktop is more common than people would care to admit. Combined with unrestricted internet access, is a recipe for software to be downloaded and installed as needed without giving software licensing a second thought.

• Lack of business processes around software installations – restricting internet access and permissions on desktops will prevent users from downloading software and installing it. Without defined processes for managing software requirements, users typically default to asking IT staff to install software, often without considering licensing implications. The higher the number of problems and support activities, the higher the likelihood is of this happening automatically without thinking about software licenses.

• The lack of vendor control over software usage – there are many different ways in which vendors can implement software to exercise control over software usage; however, not all methods are effective. Combined with insufficient control over software installations and by whom, contributes significantly to the use of unlicensed software.

Implementing control of software licenses needs to fall into the following programmes of work:

• Tactical work to clean up the environment of unlicensed software

• Strategic implementation of systems and processes to keep software under control, in essence, corporate-wide implementation of Software Asset Management

Demonstrating both tactical clean-up and a strategic SAM programme, along with a commitment to ‘true-up’ licence usage, can often satisfy vendors and help avoid legal entanglements.

Managing software licences is complex due to the wide range of licensing models used by vendors. Although there are many standard software licensing models, each software vendor has commercial freedom to choose their own. Here are some of the popular licensing models:

• Per user – one licence is required per user, either on a user-account or named-user basis.

• Per installation – one licence is required for each desktop or server installation. Multiple users can share the same computer with one software licence.

• Concurrent – one licence required for each concurrent user of the system. This limits the number of users who can access the system simultaneously, although many more users or installations may exist.

• Per site – all computers and people within a single corporate site can use the software with the same licence.

• Licence per processor – an adaptation of the installation licence for systems with multiple CPUs, and later evolved to address multi-core and virtualised environments

• Freeware – software downloadable and used as needed, copied and distributed without any restrictions. The vendors often include advertisements for commercial software such as a more advanced version of the same product. The ‘free’ in ‘freeware’ typically refers to cost, not user freedoms such as modification or redistribution of source code.

• Shareware – software distributed free, on a trial basis, and may have a built-in expiry date or reminders while using the software. The output from the software may have ‘Trial Version’ embedded, preventing it from being used. It could be free for personal use but requires payment for commercial use.

• Open source – source code is available to everyone to download, use, modify and redistribute. Such code is often released under licenses like the GNU General Public License (GPL) and all derivatives made available must be under the same terms.

With a growing number of cloud-based services where the vendor has control and responsibility for the platform, software vendors and their customers can exercise better control over software usage and licences. For example:

• Per feature – some features are provided as standard and others enabled upon payment of additional fees. Software features can be enabled and disabled by the vendor.

• Per space – the price charged is based on the storage space used.

• Per bandwidth – price based on the quantity of data transferred.

• Per feature usage – price is charged for each time the users take a specific action within the software. A popular approach is to introduce the sale of credits, then allow the use of credits to pay for services within software features.

Individual software vendors have the freedom to choose one or more licensing model or any variation on the same theme for their products.  Licence models can change over time as new software is released and new delivery methods become available.

Given the diverse range of software licensing models, it is sensible to adopt a centralised procurement system for software licences. Benefits include:

• Avoid scenarios where an organisation holds both a site licence and multiple individual licences for the same software at the same location.

• A centralised pool of licences can be monitored and reassigned as needed.

• Use of the most appropriate type of licence for the required usage corporate-wide. It might be more economical to purchase a site licence, for example, an option unlikely considered with decentralised purchasing.

• Reduced expenditure through economies of scale.

• Specialist licensing expertise can be concentrated within a single team, allowing other departments to focus on their primary functions.

Centralising the purchasing of software licences becomes more critical as businesses grow and will in the long-term reduce expenditure. Having individual departments or teams responsible for software purchasing can become costly, inefficient and increase the number of software licence disputes due to lack of awareness and control.