Platform Virtualization and Software Licensing: Best Practices for Software Vendors
WHITE PAPER
Executive Summary
There are many related, yet different, definitions for virtualization floating around the Internet. If examined more closely, we discover that most of them focus on a set of processes and approaches designed to make data centers more efficient. Virtualization has existed for many years in the areas of testing and development; however, in today’s economic environment, it is becoming more and more prevalent as a way for IT to reduce costs and operate more efficiently.
Platform virtualization, however, can be a concern for end user organizations striving for software license compliance, as well as for independent software vendors (ISVs) who want to enforce license compliance and assure revenue without constraining customer deployment. This paper examines virtualization, its advantages, and why it is such a hot topic in the world of software licensing. Finally, the paper digs deeper into the options available to ISVs and presents best practices for handling software licensing in virtual environments.
“Software publishers that have not already begun addressing how to manage the licensing of their applications in virtual environments are behind the curve. The strategy should not only include support for licensing in virtual environments but also the ability to enforce license terms once the application is deployed on a virtual machine. Without enforcement, the software publisher has no control over the license and therefore their revenue.”
~Amy Konary, Research Director for IDC1
What is virtualization?
A few minutes with an Internet search engine provides a wealth of definitions for virtualization. In the world of computing, virtualization has gone from being a “buzz word” to a mainstream IT term almost as common as PC or server. It is highly unlikely that those involved with the computer industry today have not come across terms such as “virtual machine,” “VM,” and perhaps even “Hypervisor.”
A few more minutes of searching reveals the abundance of vendors in the market providing
a virtualization solution, with names such as VMware, XEN, VirtualBox, KVM, and, of course,
Microsoft soon leading the way. The term virtualization is used universally, and can refer to
platforms, applications, networks, storage, memory, and other areas. Ultimately, it is a concept
where one or more instances of a physical environment are simulated or recreated artificially
in software. Despite the varied areas that fall under the term virtualization, this paper focuses
on the area of platform virtualization and how it affects software licensing and the world of
automated software license enforcement.
Why is virtualization such a hot topic?
There are so many valid reasons to justify the case for virtualization, as it is one of the most useful technological advances in the IT industry. Some of the more significant benefits gained through virtualization are outlined below.
• Reduced capital and operational costs through more efficient use of hardware resources.
• Further reduce costs and environmental impact through Green IT.
• More efficient testing/development and security.
• Improved scalability and deployment agility.
• High availability/redundancy.
Reduced capital and operational costs through more efficient use of hardware resources. Often, systems that support the day-to-day operation of a business (such as e-mail servers and database servers) are consuming only around 10 percent to 30 percent of the physical machine’s available resources. In other words, without adopting virtualization, up to 90% of a machine’s resources might never actually be utilized.
Considering the average purchase costs of high-performance servers, it is easy to see how this can be perceived as wasteful. By creating multiple virtual servers within a single physical machine, a company is able to make far more efficient use of their equipment, and subsequently, reduce the costs associated with the purchase and maintenance of multiple physical machines.
Further reduce costs and environmental impact through Green IT. Reducing the number of servers through virtualization not only saves money through more efficient use of hardware, it also reduces power consumption, with the added benefit of reducing a company’s carbon footprint.
More efficient testing/development and security. Another benefit of virtualization is apparent in
testing and security. ‘Clean’ virtual images can be used to easily reproduce systems in order to
create a new environment for testing and development, or to quickly replace a system which has
been adversely affected by malware.
Improved scalability and deployment agility. Scalability is another important factor driving
virtualization. When a company is in need of additional bandwidth or increased availability, it is
comparatively simple to create new instances of a virtualized system in a short space of time,
without the costs associated with additional hardware purchases or familiarization with new
equipment.
High availability/redundancy. Virtualized servers are often installed into clustered
environments. The inherent concept of dynamically spinning up virtual image ‘clones’
dramatically reduces the complexity and costs associated with managing a clustered
infrastructure.
Why is virtualization an even hotter topic in the world of licensing?
The reasons outlined above show that virtualization cannot be ignored by companies, and there
are simply too many perfectly legitimate reasons why it would be adopted. This reasoning does,
however, create a conflict when considering the interests of the software vendor.
According to Amy Konary, research director for IDC1, “Software publishers that have not already
begun addressing how to manage the licensing of their applications in virtual environments
are behind the curve. The strategy should not only include support for licensing in virtual
environments but also the ability to enforce license terms once the application is deployed on
a virtual machine. Without enforcement, the software publisher has no control over the license
and therefore their revenue.”
Today, most if not all third-party license enforcement technologies are based on a concept
known as host-based license enforcement. In short, this is a concept where the license policies
are tied to a known and authorized host or machine.
Typically, a software license will be tightly coupled to a designated or authorized computer
through a mechanism known as hardware fingerprinting or node locking. The purpose of
fingerprinting is to protect the license from unauthorized duplication or sharing by uniquely
binding a license to the machine. If the license is copied to a new machine with a new fingerprint,
it is automatically invalidated. The most common example of this is to tie the license to unique
hardware attributes such as a hard disk identifier or an Ethernet (MAC) address.
Virtualization has introduced a significant challenge to this fundamental component of license copy protection. The concept of creating virtual hardware means that virtual fingerprints can also be created. A duplicated virtual machine normally results in a duplicated fingerprint, and the license enforcement technology will usually treat the virtual fingerprints no differently than the fingerprints from real (physical) machines. What has historically been seen as a trusted and secure anti-piracy mechanism no longer provides an acceptable level of assurance for the software vendor.
The most significant point here is that this does not just create an increased threat of malicious or intended software license misuse. The primary concern for software vendors is that this presents a new problem where conventional ‘honest’ users are now capable of inadvertently duplicating licenses through normal everyday operations. In other words, what is becoming a common way of deploying applications can, and does, result in the accidental duplication of software licenses. This presents another issue where the vendor might have less power from a legal perspective to make a stand and seek protection from those who inadvertently duplicate their licenses.
Automated License Enforcement Options
• Hardware Keys
• Detection of Virtual Machines
• Virtual Machine Fingerprinting
How are software vendors handling virtualization today?
Historically, the advice offered to software licensees concerned about virtualization has been
based around steering them towards implementing changes in how they price and package
their software applications. For example, there are many papers and articles freely available on
the Internet advising the vendor to switch their licensing models from conventional seat-based
models to metric-based models, such as transaction- and consumption-based schemes.
To many vendors, the prospect of implementing such significant operational and commercial
changes often presents too great a barrier. Understandably, they are seeking ways to ‘solve’ the
problems raised by virtualization and yet maintain their existing commercial models. The main
reasons for this resistance to change stem from the fact that so many departments within an
organization would be affected. Changes to licensing models would have a direct impact on
Sales and sales models, which are also tied to the financial and auditing processes. However,
the largest impact is usually with Operations, who are responsible for the fulfillment of the
products, along with the associated licenses. Service-orientated roles, such as Customer Care
and Technical Support, would also be added to the list. Most software vendors find it difficult to
envision how significant changes to the way an application is licensed would not create multiple
problems across many independent but interconnected departments.
The lack of suitable technical solutions initially drove vendors towards creating contractual
wording that would disallow their applications from being installed onto virtualized
environments. Some basic ‘virtual machine detection’ solutions have become available in
licensing technologies that allow the vendor to enforce these policies technologically, as well as
legally. These policies have worked for a short time, but have become less valid as virtualization
has become more commonplace. This has left the vendor with one of two simple, yet difficult
choices.
i. They disallow their applications from being used on virtual machines, and so protect
themselves from potential license misuse. This option restricts the scope of their
software’s deployment and, therefore, limits sales.
ii. More commonly, they simply choose to do nothing about virtualization, keeping the
doors fully open from a sales perspective, while forcing them to accept that the license
enforcement policies are significantly weakened.
An explanation of automated license enforcement options
1. Hardware Keys
The best protection against license duplication through virtualization is to store the information
responsible for enforcing the license policy in a location that is trusted or protected, or is outside
of the virtual environment. The most common example of this today is with vendors who protect
their applications with hardware keys, also known as dongles. When delivering a dongle with an
application, it is rare for the debate around virtualization and software licensing to arise.
The concept is relatively simple. The use of the software is reliant on the presence of a specific hardware key. Although the system that the software is installed onto can be virtualized (and therefore duplicated), a USB dongle can only be accessed by one machine at a time and access to it is blocked by any other machine. This means that on a single physical machine, the dongle can only be accessed by one virtual machine, regardless of how many virtual machines are actually running on that physical machine.
According to IDC, VMs will outnumber physical servers 2:1.
An extension to using hardware keys would be to combine them with concurrent network
licenses. In this scenario, a license server or license manager is protected from being virtualized
by tying the licenses that it hosts to a hardware key. Whether the protected applications are
installed onto real or virtual clients has little consequence since the license manager will
maintain the license seat count. This scenario provides the software vendor with an excellent
level of assurance that the license count will be maintained, yet provides their customer with
the deployment agility that is often one of the initial factors that drives a company towards
virtualization.
[Figure: diagram labelled Virtual Machines, License Server, Real Machines]
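The concurrent network license arrangement described above can be sketched as follows. This is an added example, not SafeNet's or any product's code; the `LicenseManager` class, its method names, the lease mechanism and the sample fingerprints are assumptions made for illustration, and the manager is assumed to run on a host that is itself protected (for instance by a hardware key).

```python
import itertools


class LicenseManager:
    """Concurrent (floating) license server: seats are counted centrally."""

    def __init__(self, seats: int, lease_seconds: float):
        self.seats = seats
        self.lease_seconds = lease_seconds
        self._leases = {}  # lease id -> (client fingerprint, expiry time)
        self._ids = itertools.count(1)

    def _expire(self, now: float) -> None:
        # A client that vanished (for example a deleted VM) stops renewing,
        # so its seat returns to the pool once the lease runs out.
        self._leases = {k: v for k, v in self._leases.items() if v[1] > now}

    def checkout(self, client_fingerprint: str, now: float):
        """Grant a seat if one is free; returns a lease id, or None if full."""
        self._expire(now)
        if len(self._leases) >= self.seats:
            return None
        lease_id = next(self._ids)
        self._leases[lease_id] = (client_fingerprint, now + self.lease_seconds)
        return lease_id

    def renew(self, lease_id: int, now: float) -> bool:
        """Extend a live lease; an expired or unknown lease cannot be renewed."""
        self._expire(now)
        if lease_id not in self._leases:
            return False
        fingerprint, _ = self._leases[lease_id]
        self._leases[lease_id] = (fingerprint, now + self.lease_seconds)
        return True

    def checkin(self, lease_id: int) -> None:
        self._leases.pop(lease_id, None)

    def in_use(self, now: float) -> int:
        self._expire(now)
        return len(self._leases)


def demo():
    """Two cloned VM clients and one real host against a 2-seat license."""
    mgr = LicenseManager(seats=2, lease_seconds=60)
    cloned_fp = "fp-of-cloned-vm"  # constructed value, identical on both clones
    a = mgr.checkout(cloned_fp, now=0)
    b = mgr.checkout(cloned_fp, now=1)           # same fingerprint, still a new seat
    c = mgr.checkout("fp-of-real-host", now=2)   # pool is full: refused
    mgr.renew(a, now=50)                         # first clone keeps its seat
    d = mgr.checkout("fp-of-real-host", now=70)  # second clone's lease has lapsed
    return a, b, c, d, mgr.in_use(now=70)


if __name__ == "__main__":
    print(demo())
```

Because seats are counted per lease rather than per client fingerprint, duplicated client fingerprints do not let clones run beyond the purchased seat count.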
There are, however, several reasons why hardware keys are not considered to be the universal
solution to license enforcement and virtualization. For one, many virtualization technologies do
not adequately support external USB devices, meaning that a hardware key will never be seen by
the virtual machine.
Secondly, there are also many vendors who very strongly prefer not to send hardware keys to
their customers and, instead, seek a pure software-based, electronic solution. As mentioned,
the whole debate around virtualization was not born within the world of hardware keys, and it
is predominantly a concern among those who have exclusively adopted an electronic license
enforcement approach.
2. Detection of Virtual Machines
With this approach, the licensing system uses internal checks to detect if it (and therefore the
protected software) is being run on a virtual machine. The vendor can then choose to allow or
disallow their software from being used within a virtual environment, and force the applications
to be deployed only onto real machines. The biggest problem with this approach is that it is at
risk of having a short shelf-life. As mentioned, virtualization is becoming more commonplace
every day, and vendors who choose to prevent their customers from installing their applications
onto virtual environments will find that they are able to deploy (and therefore sell) their software
to fewer and fewer customers as time goes by.
There is, however, a more acceptable solution when combining this approach with a concurrent network license deployment, as with hardware keys. By forcing the license manager onto real hardware, the end customer is free to deploy the protected applications onto any mix of real versus virtual machines. This will also satisfy the desire of many software vendors to maintain the deployment of electronic licenses.
Nearly 50% of enterprise organizations have already virtualized all or a portion of their IT infrastructure, and an additional 33% plan to do so in the next 12 months.*
[Figure: diagram labelled Virtual Machines, License Server, VM, Real Machines]
3. Virtual Machine Fingerprinting
Driven specifically by the need to allow the software vendor to continue deploying and fulfilling
their software as they have done in the past, the ability to bind a license uniquely to a virtual
machine is the latest tool available to them. This links back to the discussion where the
majority of software vendors are looking for a solution that will allow them to maintain their
existing license and deployment models. The concept of virtual machine fingerprinting (VM
fingerprinting) allows the software vendor to treat virtual machines the same as real machines,
and the whole debate of virtualization becomes secondary.
By providing a fingerprinting mechanism that includes attributes that are designed with
virtualization in mind, it becomes possible to lock a license to a virtual computer and still provide
a high level of assurance that a copy of that virtual machine will not result in a working copy of
the license.
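The node-locking weakness described earlier (a duplicated VM yields a duplicated fingerprint) and the VM fingerprinting idea described here can be compared side by side. This is an added example, not SafeNet's implementation: the attribute `vm_instance_id`, assumed to be reassigned by the hypervisor when a VM is copied, is hypothetical (the paper does not say which attributes are used), and the key, product name and machine values are constructed.

```python
import hashlib
import hmac

# Constructed key for the example. A real scheme would use an asymmetric
# signature so that the verifier shipped to customers cannot mint licenses.
VENDOR_KEY = b"example-vendor-key-not-a-real-secret"

# Attributes a traditional node lock reads (the paper names disk id and MAC).
HW_ATTRS = ("disk_id", "mac")
# Hypothetical VM-aware attribute, assumed to change whenever a VM is copied.
VM_ATTRS = HW_ATTRS + ("vm_instance_id",)


def fingerprint(machine: dict, attrs: tuple) -> str:
    """Hash the selected attributes in fixed order with length framing."""
    h = hashlib.sha256()
    for name in attrs:
        value = machine[name].encode()
        h.update(name.encode() + b"=" + len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


def _tag(product: str, fp: str) -> str:
    return hmac.new(VENDOR_KEY, f"{product}|{fp}".encode(), hashlib.sha256).hexdigest()


def issue_license(product: str, machine: dict, attrs: tuple) -> dict:
    """Vendor side: bind a license to the fingerprint of one machine."""
    fp = fingerprint(machine, attrs)
    return {"product": product, "fingerprint": fp, "tag": _tag(product, fp)}


def license_valid(lic: dict, machine: dict, attrs: tuple) -> bool:
    """Client side: license must be authentic and match the local machine."""
    if not hmac.compare_digest(_tag(lic["product"], lic["fingerprint"]), lic["tag"]):
        return False  # license file was edited or forged
    return hmac.compare_digest(lic["fingerprint"], fingerprint(machine, attrs))


def clone_vm(vm: dict, new_instance_id: str) -> dict:
    """Model of copying a VM image: virtual disk id and MAC are carried over."""
    copy = dict(vm)
    copy["vm_instance_id"] = new_instance_id
    return copy


# Constructed sample machines.
ORIGINAL_VM = {"disk_id": "VDISK-0001", "mac": "00:50:56:aa:bb:01",
               "vm_instance_id": "inst-1111"}
CLONED_VM = clone_vm(ORIGINAL_VM, "inst-2222")
OTHER_HOST = {"disk_id": "WD-9F3K2", "mac": "3c:52:82:10:20:30",
              "vm_instance_id": ""}

if __name__ == "__main__":
    legacy = issue_license("acme-cad", ORIGINAL_VM, HW_ATTRS)
    vm_aware = issue_license("acme-cad", ORIGINAL_VM, VM_ATTRS)
    for name, m in [("original", ORIGINAL_VM), ("clone", CLONED_VM), ("other", OTHER_HOST)]:
        print(name, license_valid(legacy, m, HW_ATTRS), license_valid(vm_aware, m, VM_ATTRS))
```

The legacy license validates on the clone because every attribute it reads was copied with the image; the VM-aware license fails on the clone only as long as the extra attribute really does change on copy, which is the property a vendor would need to verify per hypervisor.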
Creating best practices from the available options
Seeing the various approaches that are now available to the software vendor, it is now possible
to create a workable best practices approach when considering how to address virtualization
and automated license enforcement. The primary factor to consider is the level of trust the
software vendor has with their customer. Typically, there is a direct correlation between the
level of trust the vendor has with a customer and the amount of flexibility they are willing to
offer. When the vendor has a higher level of trust, they are able to implement softer policies that
provide the end customer with far fewer deployment constraints.
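Level of Trust:      High ---------------------------------------------> Low
Level of Protection: Low  ---------------------------------------------> High
Options, in order:   Traditional “soft” locking | VM Fingerprinting | VM Detection (and allow or disallow) | Hardware Keys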
Traditional soft locking puts the least amount of restrictions on the end customer, giving them almost complete freedom in considering when and how to install a vendor’s applications. But this is typically only suitable for end customers who have their own incentives in place for license compliancy.
9 out of 10 ENT organizations will expect their software to run on virtual machines by EoY 2011.*
Typically, end customers are seeking more assistance from their software vendors to help them
‘stay honest’, and the vendors prefer to implement measures which help to keep them compliant.
Virtual machine fingerprinting fits well into this scenario since it provides a high level of
protection from what could be termed as accidental license misuse.
When tighter policies are required by the vendor, the detection and denial of virtual machines
becomes preferable. It is more common to combine this capability with concurrent network
licenses, as previously discussed, to create a more workable solution.
Lastly, for maximum levels of assurance, a hardware key is the best choice so that the
information related to license enforcement can be stored in a location that is trusted and
guaranteed to be external to the virtualized environment.
Closing Thoughts
It is clear that virtualization is not a short term craze. It is here to stay and, in many ways, is
still in its infancy. As virtualization evolves, it will become increasingly more difficult to tell the
difference between virtual and real environments. Automated software license enforcement
must evolve with virtualization, and the initial tendencies to distance license enforcement from
virtualization threaten to make the problem a harder one to solve.
Fortunately, there are now feasible options available for software publishers to stop perceiving
virtualization as a source of revenue leakage or a blocker of sales, but instead as an opportunity.
Those vendors who utilize the tools available to embrace virtualization the soonest will create a
significant differentiator between themselves and their competitors.
The SafeNet Approach to Licensing in Virtual Environments
SafeNet recognizes that the rapidly growing popularity of virtual machines (VMs) within
enterprise organizations makes a software vendor’s ability to license and control their
applications within any virtual environment critical to business growth and durability.
Successful management of software requires not only support for licensing in virtual
environments, but also the ability to enforce license terms once the application is deployed on a
virtual machine. Without the enforcement, software publishers have no control over the license
and, therefore, their revenue.
While hardware keys remain the most effective way to prevent unauthorized use and distribution of software in virtualized environments, for some, that option is not practical. Until the release of SafeNet’s VM fingerprinting solution, software vendors wishing to extend their software-based licensing implementation to support virtualized environments were limited to methods that detect the presence of a VM and either allow or deny the execution of the software within those environments—an incomplete solution without any measure of controlling the application once authorized.
With SafeNet, there is finally a viable third option – authorize and control software in any virtualized environment with the industry’s first and only technology-agnostic VM fingerprinting solution. By enabling software vendors to uniquely lock a license to a single VM, just as they would in a traditional licensing scenario, SafeNet’s technology protects the license, and therefore the application, from copy and duplication in any end user environment, virtualized or otherwise.
SafeNet is the industry’s only software licensing and management technology vendor to offer software vendors both hardware- and software-based options for licensing applications in any virtualized environment.
SafeNet’s options for licensing applications in any virtualized environment allow you to:
• Protect revenue by preventing copy/duplication of applications in virtual environments
• Reduce churn, secure new business, and improve competitive position by supporting use of your application(s) within virtual environments
• Increase profit with licensing and pricing models for virtual environments
SafeNet Software Rights Management Solutions
Sentinel HASP®
Sentinel HASP, formerly Aladdin HASP SRM, is the industry’s first and only
software licensing and security solution to enable the use of either software- or
hardware-based protection keys to enforce software protection and licensing.
With Sentinel HASP, you can increase your profits by protecting against losses
from software piracy and intellectual property theft, and enable innovative
business models to increase value and differentiate your products.
Sentinel HASP fully integrates with your existing software product lifecycle to minimize
disruptions to development and business processes. Featuring easy-to-use, role-based tools for
developers, product managers, order processing, and production, Sentinel HASP ensures a short
learning curve and optimum use of employee time and core competencies—ensuring quick time-
to-market and the ability to quickly respond to changing market needs.
To download a FREE Sentinel HASP Developer Kit, visit:
http://www3.safenet-inc.com/Special/hasp/safenet-hasp-srm-order/default/asp
Sentinel RMS®
Sentinel RMS is a robust license enablement and enforcement solution providing
software and technology vendors with control and visibility into how their
applications are deployed and used. Focused on scalable and flexible license
management, RMS is ideal for applications deployed in medium to large scale
enterprise environments.
Implementation of RMS provides a tie-in to software licensing agreements in order
to enforce the terms and conditions by which you manage your products. In addition
to reducing the risk of piracy, RMS enables you to offer a variety of license models
to flexibly price and package your products.
When combined with Sentinel EMS, SafeNet’s enterprise-oriented, Web-based management
system, Sentinel RMS provides a complete solution for license management and enforcement.
Sentinel RMS is deployed by both industry-leading enterprise software vendors and high-tech
device manufacturers.