Software licenses are usually unmanaged - assets that are out of sight seem to be out of mind. Overlooking license management is dangerous to the health of the organization, and this has been proven time and again when companies have had to pay hefty fines for non-compliance. Software Asset Management is the discipline which takes care of licenses; the unmanaged license estate is the iceberg which can 'titanicize' an organization.
2. My name is SAM (the slide repeats this in Kannada, Hindi, Tamil and Telugu as well as English)
3. • Some audience questions - how many know the full form of SAM?
• Now that we have been introduced to SAM and we know it relates to software licenses – how many have ACTUALLY read the EULA of all the installations in one’s organization or on one’s machine?
• As against reading the EULA – how many of us have read the BOM, SOW, Proposal and vendor documentation – did anyone raise any objections?
• Is the Warranty or SLA document read from end to end? I am sure you would have already asked the “right” questions and got the “correct” answers! (at the time of purchase)
• Some more questions….
• Is your ITAM automated? Managed? Traditional?
• Are you compliant with the ISO 27001 controls for IT Asset Management?
Information Gathering
4. MY PRESENTATION…
It is about that one discipline which has the highest priority in our profession (or life)
BUT
Once entered into a Register …. It is history!
6. This is SAM
The size and shape depends on the size and maturity of your risk and compliance management systems.
8. In a nutshell… it is about
High time we got SAM’s full name!
• What do we own?
• What do we need?
• What are we using?
• Are we over or under?
• Do we have visibility?
• When should we buy?
• How much to buy?
• Are all licenses managed?
• Are upgrades managed?
• Are we compliant to the EULA?
• Do we audit regularly?
9. • Software licenses are valuable assets and should be managed as such
• Helps control costs and optimize the software assets usage
• Provide effective control of the software lifecycle
• Enable processes to manage software health and secure the lifecycle
• Ensure legal compliance
• Achieve cost savings (salvage unused licenses; no unplanned purchases)
• Control of software licenses over-purchase and maintenance
• Financial penalties for license non-compliance
• Negative publicity
• Strengthens the organization’s position in vendor software negotiations
• Visibility over current state of assets
Software Asset Management
10. STANDARDS
• ISO/IEC 19770‐1:2006 SAM Processes – regular
• ISO/IEC 19770‐2:2009 Software Identification Tag
• ISO/IEC 19770‐3 Software Entitlement Tag
• ISO 27001
• ITIL
Standards
Because of the complexity of a good process and supporting technology, companies struggle in their effort to achieve even an adequate level of SAM.
11. • Section 7: Asset management: The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
• 7.1 Responsibility for assets
• All [information] assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
• 7.2 Information classification
• Information should be classified according to its need for security protection and labeled accordingly. [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]
ISO27001 – Asset Management
12. The standard facilitates the following through SAM implementation:
• Risk management
• Cost control facilitation
• Competitive advantage
ISO19770
13. • Business Risk Management
– interruption to or deterioration in the quality of IT services; legal and regulatory exposure; damage to public image arising from any of these
• Cost Control
– Reduced direct costs of software and related assets, such as by negotiating better pricing through improved use of volume contracting arrangements, and by avoiding purchasing new licenses when old ones can be redeployed
– Reduced time and cost for negotiating with suppliers because of better information availability
– Reduced costs through improved financial control, such as through better invoice reconciliation and more accurate forecasting and budgeting
– Reduced infrastructure costs for managing software and related assets, by ensuring that required processes are efficient and effective
– Reduced support costs, which are significantly affected by the quality of SAM processes, both directly within IT and indirectly within end-user areas
ISO19770
14. • Competitive Advantage
– Better quality decision making because of availability of more complete and more transparent information (e.g. IT procurement and system development decisions may be made more quickly and more reliably with better quality data)
– Able to deploy new systems and functionality more quickly and reliably in response to market opportunities or demands
– Providing IT which is more closely aligned to business needs, thus ensuring that all users have access to appropriate software and applications
– Able to handle the IT aspects of business acquisitions, mergers or demergers more quickly
– Better personnel motivation and client satisfaction through having fewer IT problems
ISO19770
16. Organizational Management Processes for SAM
• Corporate governance process
• Roles and responsibilities
• Policies, processes and procedures
• Competence
• Planning
• Implementation
• Monitoring
• Continual Improvement
ISO19770 Framework
17. Core SAM Processes (Processes that define SAM)
• Software Asset Identification
• Software Asset Inventory Management
• Software Asset Control
• Software Asset Record Verification
• Software licensing compliance
• Software asset security compliance
• Conformance verification for SAM
• Relationship and contract management for SAM
• Financial management for SAM
• Service level management for SAM
• Security management for SAM
ISO19770 Framework
18. Primary Process Interfaces for SAM
• Change Management Process
• Acquisition Process
• Software Development Process
• Software Release Management Process
• Software Deployment Process
• Incident Management Process
• Problem Management Process
• Retirement Process
ISO19770 Framework
19. • SAM …. IS NOT AT ALL plain and simple inventory management
ITAM ≠ Inventory Management
20. If your policy is oriented towards ITAM as a whole and does not treat software as a special area requiring control, or identify it as high risk…. then this is TRUE!
True ??
23. The EULA … what you did not read
This Is What You NEVER Read!
24. • When you purchase a Microsoft Server you need to have a Server CAL (Client Access License) for each workstation that connects to the server. This is regardless of whether you are using a Microsoft Operating System on each computer.
• An OEM License is considered compliant when you have the OEM license pasted on the machine, not when you merely possess a paper license.
Surprise!
Have you heard of any CIO/CTO who shared a EULA with the Legal and / or Finance team?
25. Surprise!
Maybe You Missed A Lottery!
• This company offered a prize hidden in the EULA
• After 3000 downloads one person claimed the $1000 prize
28. • Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees.
• “You may make one backup copy of the Software, provided your backup copy is not installed or used other than for archival purposes. You may not transfer the rights of a backup copy unless you transfer all rights in the Software….”
• "By posting user content to any part of the site, you automatically grant to the company (i.e. Facebook) an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, display, reformat, translate, excerpt (in whole or in part) and distribute such user content for any purpose, commercial, advertising or otherwise…."
Some EULA Terms
29. • Autodesk or its authorized representative will have the right, on fifteen (15) days’ prior notice to Licensee, to inspect Licensee’s records, systems and facilities, including machine IDs, serial numbers and related information.
• Microchip's authorized representatives will have the right to reasonably inspect, announced or unannounced and in its sole and absolute discretion, Licensee's premises and to audit Licensee's records and inventory of Licensee's use of the Software, whether located on Licensee's premises or elsewhere, at any time, in order to ensure Licensee's adherence to the terms of this Agreement.
More “Terms”
30. • Liability of immediate purchase
• Penalty
• Reputation Loss
• Downtime
• Jail
• Closure of business
• Risk of unpatched versions
• No Support from Vendor
Consequences of Non Compliance
32. • Construction Company: 500 employees across 4 offices and multiple construction sites. Using AutoCAD, Microsoft Office, MS SQL, MS Project. The company had completed license reconciliation and transferred licenses to close the delta. A vendor review discovered ‘keygen / cracks’ that were not cleaned as per the remediation plan. Four (new) additional pirated installations were discovered (the users had installed them as they had some urgent requirement). The vendor assessed XX instances of non-compliance, and proof of compliance had to be provided within ten days. Total amount paid Rs. 1.35 cr.
Cases
33. • Web developer - providing design and development services for clients. Owner plus 3 employees. Organization assets comprise 5 desktops and 1 laptop. It is suspected that the vendor’s representative visited twice posing as a customer, followed by a visit from the License Manager which was very unsavory. A demand for ONE license was raised for compliance, with proof to be provided in 7 days. Total amount paid Rs. 70,000
• Architect – individual professional with two assistants. Visited by a vendor representative and had to comply with a demand for 3 licenses. The Lite version was all that was required, but the high-end version had to be purchased as per the demand. Amount paid for the high-end version Rs. 5 lacs, whereas the Lite version would have cost Rs. 1.5 lacs
Cases – You are never too small
34. • BPO and outsourced development services company. 1400 employees at two locations. The company is ISO27001, ISO9001 and ISO20000 certified. A request for review was received from the vendor. The CISO initiated license reconciliation; the non-compliance delta was negligible. The vendor then raised the issue of CPU/User licensing and raised a new demand based on headcount against the bulk license count – 10 days to comply. Additional license fees paid Rs. 95 lacs
Cases
35. • WINTECH COMPUTERS circa 2000. 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute. A raid on the company in September 2000 was carried out by Mumbai Police and officials of a private investigating firm. Wintech Computers had no license to teach Oracle® software.
'I want to be the Bill Gates of India's computer education industry.' – March 2000, Murtuza Mathani, Wintech CEO.
May 2001: Mathani's whereabouts unknown.
Cases – Business Shutdown
36. • Large IT Services organization providing high-end consulting globally. About 4000 strong workforce. Non-compliant for use of software in training, back office – testing, and research and development. Had to pay Rs 5 cr, and has since recruited an Asset Manager and invested in commercial tools to manage SAM.
Cases
TAKEAWAY … WATCH OUT FOR TWO VERY IMPORTANT WORDS
ENTITLEMENT
INSTALLATION
37. • SAM is not to be overlooked
• Not to be approached in the conventional asset management manner
• Saves you from manifold risks that accrue from non-compliance
• Create a position for an Asset Manager (it is economically feasible)
Befriending SAM
Best negotiations start before you even know what you want to buy
Forrester Research
http://www.computerweekly.com/opinion/Forrester-Tips-for-software-contract-negotiation
39. Extract Benefits from SAM
JUST TAKE CARE OF THIS NUMBER AND IT IS ENOUGH TO PROVIDE THE HARD CASH TO DEMONSTRATE THE VALUE OF YOUR OFFICE
41. • Mitigate non-compliance arising out of Mergers & Acquisitions
• Clean cracks and keygens on your network for specific vendors
• Discover and remove unauthorized installations of software from the specific big-name vendors whose products are used
• Penalize rogue users on the network
• Measure the number of users accessing systems (installations) against your total license assets (entitlement)
• Don’t try to be smart and uninstall after you get an audit request – the auditors have seen umpteen reactive actions and know all the tricks of the game
• Bring the Legal, Financial, Purchase, IT Operations and IS (Asset Mgt) functions together into a new License steering committee
Risk Mitigation w. SAM Enablement
42. • Implement manual processes for CALs and other metrics that are
not discovered by inventory tools
• Calculate license entitlements to get your actual license position
• Don’t overlook Open Source and trial Software
• When trial versions expire REMOVE them
• Create effective Change and Configuration Management controls
• Implement network monitoring tools and push policies for end point
configuration
Risk Mitigation w. SAM Enablement
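The reconciliation the two slides above ask for (installation counted against entitlement, CALs handled as a manual per-device metric, expired trials flagged for removal) as an added example; this is not code from the deck, and every product, host and quantity in it is a constructed sample, not a real inventory.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical, not from the deck).
# Entitlement: product -> (licence metric, licensed quantity).
ENTITLEMENTS = {
    "AutoCAD": ("install", 10),
    "MS Project": ("install", 3),
    "Windows Server CAL": ("device", 40),   # CALs count connecting devices
}
# Installation: one record per discovered install (what an inventory tool finds).
INVENTORY = (
    [{"host": f"ws-{i:02d}", "product": "AutoCAD", "trial": False, "expires": None}
     for i in range(1, 12)]                                   # 11 installs
    + [{"host": "ws-01", "product": "MS Project", "trial": False, "expires": None},
       {"host": "ws-02", "product": "MS Project", "trial": False, "expires": None},
       {"host": "srv-01", "product": "MS SQL", "trial": False, "expires": None},
       {"host": "ws-05", "product": "Visio", "trial": True, "expires": date(2013, 1, 31)}]
)
# Devices seen connecting to the server; a CAL metric is invisible to install scans,
# so it is collected manually and fed in separately.
SERVER_CLIENTS = {f"ws-{i:02d}" for i in range(1, 43)}       # 42 devices

def consumption(inventory, server_clients):
    """Count what is actually in use, per product, under each product's metric."""
    used = defaultdict(int)
    for rec in inventory:
        used[rec["product"]] += 1
    used["Windows Server CAL"] = len(server_clients)
    return dict(used)

def license_position(entitlements, used):
    """Entitlement minus installation per product. Negative = shortfall
    (including products with no entitlement at all), positive = surplus."""
    products = set(entitlements) | set(used)
    return {p: entitlements.get(p, ("install", 0))[1] - used.get(p, 0)
            for p in products}

def expired_trials(inventory, today):
    """Trial installs past their expiry date that must be removed."""
    return sorted(r["host"] + ":" + r["product"] for r in inventory
                  if r["trial"] and r["expires"] and r["expires"] < today)

def reconcile(today=date(2013, 7, 1)):
    position = license_position(ENTITLEMENTS, consumption(INVENTORY, SERVER_CLIENTS))
    return {"shortfall": {p: -n for p, n in position.items() if n < 0},
            "surplus": {p: n for p, n in position.items() if n > 0},
            "remove_expired_trials": expired_trials(INVENTORY, today)}

if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

The surplus entry is the salvageable licenses the earlier slides mention; a product that appears only under shortfall with no entitlement at all is an unauthorized installation.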
47. Not a desired destination!
But SAM non-compliance brings with it the risk of such a fate!
48. This is how we want it to be, and to continue for a long, long time, without the risk of disruption due to SAM non-compliance and all the attendant disastrous outcomes.
49. SAM is complex, but is your best friend
Manage Software Licenses so that your organization is not “titanicized”
Remember the EULA has loads of ‘small type’, and reading it will be good for your organization’s health! And your job!
Do Not Support or Condone Piracy!
50. • Professional Positions
– Open Security Alliance (Principal and CEO)
– Jharkhand Police (Cyber Security Advisor)
– Pyramid Cyber Security & Forensics (Principal Advisor)
– Indian Honeynet Project (Co Founder)
• Like all IS professionals .. Eternal InfoSec and Technology learner.
• Professional skills and special interest areas
– Security Consulting and Advisory services for IS Architecture, Analysis, Optimization..
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: Incident Response, SAM, Forensics, Regulatory guidance..
– Community: mentoring, training, citizen outreach, India research..
• Opinionated Blogger, occasional columnist, wannabe photographer
• Contact Information:
Dinesh O. Bareja,
CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
E: dinesh@opensecurityalliance.org T: +91.9769890505
Twitter: @bizsprite Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja
51. References
• http://www.informationweek.in/security/13-07-15/software_asset_management_-_an_iceberg_called_sam.aspx
• http://securambling.blogspot.com/2013/06/software-asset-mis-management-who.html
• http://securambling.blogspot.com/2013/05/discovering-sam.html
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented.
Images have been acknowledged where possible. Any company names, brand names, trade
marks are mentioned only to facilitate understanding of the message being communicated - no
claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless
otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and
objections may please be communicated to us for remediation of the erroneous action(s).