SOFTWARE LICENSE MANAGEMENT – an iceberg named SAM
Dinesh O Bareja, CISA, CISM, ITIL, BS7799
16th Annual Karnataka Conference – GRC – Compliance to Culture
JULY 19 & 20, 2013
ನನನ ಹೆಸರು SAM ಆಗಿದೆ (Kannada: My name is SAM)
My name is SAM
मेरा नाम SAM है (Hindi: My name is SAM)
என் பெயர் SAM (Tamil: My name is SAM)
నా పేరు SAM ఉంది (Telugu: My name is SAM)
Information Gathering
• Some audience questions: how many know the full form of SAM?
• Now that we have been introduced to SAM and we know it relates to software licenses: how many have ACTUALLY read the EULA of all the installations in one’s organization or on one’s machine?
• Besides reading the EULA, how many of us have read the BOM, SOW, proposal and vendor documentation? Did anyone raise any objections?
• Is the warranty or SLA document read from end to end? I am sure you would have already asked the “right” questions and got the “correct” answers (at the time of purchase)!
• Some more questions….
• Is your ITAM automated? Managed? Traditional?
• Are you compliant with ISO27k1 controls for IT asset management?
MY PRESENTATION…
It is about that one discipline which has the highest priority in our profession (or life)
BUT
Once entered into a Register …. it is history!
This is SAM
The size and shape depends on the size and maturity of your risk and compliance management systems.
[Figure: SAM drawn as a small block alongside ISMS and RISK]
SAM requires attention, as the big RISK may be overlooked in the ISMS ocean.
In a nutshell… it is about
High time we got SAM’s full name!
• What do we own?
• What do we need?
• What are we using?
• Are we over or under?
• Do we have visibility?
• When should we buy?
• How much to buy?
• Are all licenses managed?
• Are upgrades managed?
• Are we compliant to EULA?
• Do we audit regularly?
Software Asset Management
• Software licenses are valuable assets and should be managed as such
• Helps control costs and optimize the use of software assets
• Provides effective control of the software lifecycle
• Enables processes to manage software health and secure the lifecycle
• Ensures legal compliance
• Achieves cost savings (salvage unused licenses; no unplanned purchases)
• Controls over-purchase of software licenses and maintenance
• Financial penalties for license non-compliance
• Negative publicity
• Strengthens the organization’s position in vendor software negotiations
• Visibility over the current state of assets
Standards
• ISO/IEC 19770-1:2006 SAM Processes – regular
• ISO/IEC 19770-2:2009 Software Identification Tag
• ISO/IEC 19770-3 Software Entitlement Tag
• ISO 27001
• ITIL
Because of the complexity of a good process and supporting technology, companies struggle in their effort to achieve even an adequate level of SAM.
ISO27001 – Asset Management
• Section 7: Asset management: The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
• 7.1 Responsibility for assets
– All [information] assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
• 7.2 Information classification
– Information should be classified according to its need for security protection and labeled accordingly. [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]
ISO19770
The standard facilitates the following through SAM implementation:
• Risk management
• Cost control facilitation
• Competitive advantage
ISO19770
• Business Risk Management
– Interruption to or deterioration in the quality of IT services; legal and regulatory exposure; damage to public image arising from any of these
• Cost Control
– Reduced direct costs of software and related assets, such as by negotiating better pricing through improved use of volume contracting arrangements, and by avoiding purchasing new licenses when old ones can be redeployed
– Reduced time and cost for negotiating with suppliers because of better information availability
– Reduced costs through improved financial control, such as through better invoice reconciliation and more accurate forecasting and budgeting
– Reduced infrastructure costs for managing software and related assets, by ensuring that required processes are efficient and effective
– Reduced support costs, which are significantly affected by the quality of SAM processes, both directly within IT and indirectly within end-user areas
ISO19770
• Competitive Advantage
– Better quality decision making because of the availability of more complete and more transparent information (e.g. IT procurement and system development decisions may be made more quickly and more reliably with better quality data)
– Able to deploy new systems and functionality more quickly and reliably in response to market opportunities or demands
– Providing IT which is more closely aligned to business needs, thus ensuring that all users have access to appropriate software and applications
– Able to handle the IT aspects of business acquisitions, mergers or demergers more quickly
– Better personnel motivation and client satisfaction through having fewer IT problems
ISO19770 Framework
• Organizational Management Processes for SAM
• Core SAM Processes (Processes that define SAM)
• Primary Process Interfaces for SAM
ISO19770 Framework
Organizational Management Processes for SAM
• Corporate governance process
• Roles and responsibilities
• Policies, processes and procedures
• Competence
• Planning
• Implementation
• Monitoring
• Continual Improvement
ISO19770 Framework
Core SAM Processes (Processes that define SAM)
• Software Asset Identification
• Software Asset Inventory Management
• Software Asset Control
• Software Asset Record Verification
• Software licensing compliance
• Software asset security compliance
• Conformance verification for SAM
• Relationship and contract management for SAM
• Financial management for SAM
• Service level management for SAM
• Security management for SAM
ISO19770 Framework
Primary Process Interfaces for SAM
• Change Management Process
• Acquisition Process
• Software Development Process
• Software Release Management Process
• Software Deployment Process
• Incident Management Process
• Problem Management Process
• Retirement Process
Why is SAM overlooked!
• SAM …. IS NOT AT ALL plain and simple inventory management
• ITAM ≠ Inventory Management
True ??
If your policy is oriented towards ITAM as a whole and does not think about software as a special area requiring control or identified as high risk…. then this is TRUE!
The EULA … what you did not read
This Is What You NEVER Read!
• When you purchase a Microsoft Server you need to have a Server CAL (Client Access License) for each workstation that connects to the server, regardless of whether you are using a Microsoft operating system on each computer.
• An OEM license is considered compliant only when the OEM license is pasted on the machine; merely possessing a paper license is not enough.
Surprise!
Surprise!
Have you heard of any CIO/CTO who shared a EULA with the Legal and / or Finance team?
Maybe You Missed A Lottery!
• This company offered a prize hidden in the EULA
• After 3000 downloads one person claimed the $1000 prize
EULAs – Howlers!
The EULA is a legal agreement between you (either a corporal and / or mortal entity) and SATAN for your eternal soul which includes your post-death hereafter and any associated spiritual identities including good/evil alignments (“COMPLETE OWNERSHIP OF YOUR SOUL”). By selling, bargaining or otherwise surrendering the COMPLETE OWNERSHIP OF YOUR SOUL you agree to be bound in servitude to the Dark Lord for all eternity. If you disagree with this EULA or are unable or unwilling to accept these….
© LukeSurl.com – with apologies for cropping the image
Some EULA Terms
• “Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees.”
• “You may make one backup copy of the Software, provided your backup copy is not installed or used other than for archival purposes. You may not transfer the rights of a backup copy unless you transfer all rights in the Software….”
• "By posting user content to any part of the site, you automatically grant to the company (ie Facebook) an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, display, reformat, translate, excerpt (in whole or in part) and distribute such user content for any purpose, commercial, advertising or otherwise…."
More “Terms”
• Autodesk or its authorized representative will have the right, on fifteen (15) days’ prior notice to Licensee, to inspect Licensee’s records, systems and facilities, including machine IDs, serial numbers and related information.
• Microchip's authorized representatives will have the right to reasonably inspect, announced or unannounced and in its sole and absolute discretion, Licensee's premises and to audit Licensee's records and inventory of Licensee's use of the Software, whether located on Licensee's premises or elsewhere, at any time, in order to ensure Licensee's adherence to the terms of this Agreement.
Consequences of Non-Compliance
• Liability of immediate purchase
• Penalty
• Reputation loss
• Downtime
• Jail
• Closure of business
• Risk of unpatched versions
• No support from vendor
Cases
• Construction Company: 500 employees across 4 offices and multiple construction sites. Using AutoCAD, Microsoft Office, MS SQL, MS Project. The company had completed license reconciliation and transferred licenses to close the delta. A vendor review discovered ‘keygens / cracks’ that had not been cleaned as per the remediation plan, and four (new) additional pirated installations (the users had installed them for some urgent requirement). The vendor assessed XX instances of non-compliance, and proof of compliance had to be provided within ten days. Total amount paid: Rs. 1.35 cr.
Cases – You are never too small
• Web developer, providing design and development services for clients. Owner plus 3 employees. Organization assets comprise 5 desktops and 1 laptop. It is suspected that the vendor’s representative visited twice posing as a customer, followed by a very unsavory visit from the License Manager. A demand for ONE license was raised for compliance, with proof to be provided in 7 days. Total amount paid: Rs. 70,000.
• Architect, an individual professional with two assistants. Visited by a vendor representative and had to comply with a demand for 3 licenses. The Lite version was all that was required, but the high-end version had to be purchased as per the demand. Amount paid for the high-end version: Rs. 5 lacs, whereas the Lite version would have cost Rs. 1.5 lacs.
Cases
• BPO and outsourced development services company. 1400 employees at two locations. The company is ISO27001, ISO9001 and ISO20000 certified. A request for review was received from the vendor and the CISO initiated license reconciliation; the non-compliance delta was negligible. The vendor then raised the issue of CPU vs. user licensing and made a new demand based on headcount against the bulk license count, with 10 days to comply. Additional license fees paid: Rs. 95 lacs.
Cases – Business Shutdown
• WINTECH COMPUTERS, circa 2000. 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute. A raid on the company in September 2000 was carried out by Mumbai Police and officials of a private investigating firm. Wintech Computers had no license to teach Oracle® software.
'I want to be the Bill Gates of India's computer education industry.' – March 2000, Murtuza Mathani, Wintech CEO.
May 2001: Mathani's whereabouts unknown.
Cases
• Large IT services organization providing high-end consulting globally. About 4000-strong workforce. Non-compliant for use of software in training and back office (testing, research and development). Had to pay Rs 5 cr, and has since recruited an Asset Manager and invested in commercial tools to manage SAM.
TAKEAWAY … WATCH OUT FOR TWO VERY IMPORTANT WORDS
ENTITLEMENT
INSTALLATION
Befriending SAM
• SAM is not to be overlooked
• Not to be approached in the conventional asset management manner
• Saves you from manifold risks that accrue from non-compliance
• Create a position for an Asset Manager (it is economically feasible)
Extract Benefits from SAM
“Best negotiations start before you even know what you want to buy”
– Forrester Research, http://www.computerweekly.com/opinion/Forrester-Tips-for-software-contract-negotiation
Extract Benefits from SAM
JUST TAKE CARE OF THIS NUMBER AND IT IS ENOUGH TO PROVIDE THE HARD CASH TO DEMONSTRATE THE VALUE OF YOUR OFFICE
Risk Mitigation w. SAM Enablement
• Mitigate non-compliance arising out of mergers & acquisitions
• Clean cracks and keygens on your network for specific vendors
• Discover and remove unauthorized installations of software from specific big-name vendors whose products are used
• Penalize rogue users on the network
• Measure the number of users accessing systems (installations) against your total license assets (entitlement)
• Don’t try to be smart and uninstall after you get an audit request – the auditors have seen umpteen reactive actions and know all the tricks of the game
• Bring Legal, Financial, Purchase, IT Operations and IS (Asset Mgt) functions together into a new License steering committee
Risk Mitigation w. SAM Enablement
• Implement manual processes for CALs and other metrics that are not discovered by inventory tools
• Calculate license entitlements to get your actual license position
• Don’t overlook open source and trial software
• When trial versions expire, REMOVE them
• Create effective Change and Configuration Management controls
• Implement network monitoring tools and push policies for end point configuration
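The two mitigation slides above come down to one calculation: installations (what is deployed) against entitlement (what is owned), with hand-counted metrics such as Server CALs added in because inventory tools do not see them, and expired trials flagged for removal. The script below is an added example, not from the presentation, that performs that reconciliation over constructed sample data. Product names are used only as labels, and the metric is simplified to one license per installation (or per connecting workstation for CALs), which is an assumption: real metrics (per CPU, per user, per core) vary by vendor and agreement.

```python
"""License position reconciliation: entitlement vs installation (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Install:
    """One installation record as a discovery tool would export it."""
    host: str
    product: str
    trial_expiry: Optional[date] = None   # set only for trial installations


@dataclass
class Position:
    """Effective license position for one product."""
    product: str
    entitlement: int    # licenses owned (from purchase records / contracts)
    consumption: int    # installations or users actually consuming a license

    @property
    def delta(self) -> int:
        # positive: spare licenses that can be redeployed instead of bought
        # negative: shortfall that has to be remediated before a vendor review
        return self.entitlement - self.consumption

    @property
    def status(self) -> str:
        if self.entitlement == 0:
            return "UNAUTHORIZED"   # in use with no entitlement at all
        return "SHORTFALL" if self.delta < 0 else "OK"


def reconcile(entitlements: Dict[str, int], installs: List[Install],
              manual_counts: Dict[str, int], today: date
              ) -> Tuple[List[Position], List[Install]]:
    """Compare what is installed/used with what is owned.

    Trial installations are not counted as consumption (no license is owed
    for them) but expired trials are returned separately so they can be
    removed. manual_counts covers metrics that inventory tools cannot
    discover, such as Server CALs counted per connecting workstation.
    """
    consumption: Counter = Counter()
    expired_trials: List[Install] = []
    for inst in installs:
        if inst.trial_expiry is not None:
            if inst.trial_expiry < today:
                expired_trials.append(inst)
            continue
        consumption[inst.product] += 1
    consumption.update(manual_counts)   # add the hand-counted metrics
    products = sorted(set(entitlements) | set(consumption))
    positions = [Position(p, entitlements.get(p, 0), consumption.get(p, 0))
                 for p in products]
    return positions, expired_trials


def summarize(positions: List[Position]) -> Dict[str, Tuple[int, str]]:
    """Map product -> (delta, status) for quick checks and reporting."""
    return {p.product: (p.delta, p.status) for p in positions}


# Constructed sample data (not from the presentation); product names are labels.
ENTITLEMENTS = {"AutoCAD": 10, "MS Office": 60, "MS SQL Server": 2,
                "Windows Server CAL": 50}
INSTALLS = (
    [Install(f"ws-{i:02d}", "AutoCAD") for i in range(1, 13)]         # 12 installed, 10 owned
    + [Install(f"ws-{i:02d}", "MS Office") for i in range(1, 56)]     # 55 installed, 60 owned
    + [Install("db-01", "MS SQL Server"), Install("db-02", "MS SQL Server")]
    + [Install(f"ws-{i:02d}", "MS Project") for i in range(1, 4)]     # 3 installed, none owned
    + [Install("ws-07", "MS Visio", trial_expiry=date(2013, 6, 30))]  # expired trial
)
MANUAL_COUNTS = {"Windows Server CAL": 58}  # workstations connecting to the server, counted by hand
TODAY = date(2013, 7, 19)


def main() -> None:
    positions, expired = reconcile(ENTITLEMENTS, INSTALLS, MANUAL_COUNTS, TODAY)
    print(f"{'product':<20}{'owned':>7}{'in use':>8}{'delta':>7}  status")
    for p in positions:
        print(f"{p.product:<20}{p.entitlement:>7}{p.consumption:>8}{p.delta:>7}  {p.status}")
    for inst in expired:
        print(f"expired trial: {inst.product} on {inst.host} "
              f"(expired {inst.trial_expiry}) - remove it")


if __name__ == "__main__":
    main()
```

With the sample data the report shows a shortfall of 2 on AutoCAD and 8 on Server CALs, 5 spare MS Office licenses that can be redeployed instead of bought, three MS Project installations with no entitlement at all, and one expired Visio trial to remove. The CAL figure only appears because it was entered by hand: left to the discovery tool alone, that line would read as fully compliant.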
Maturity Model
This is YOUR Organization… big, strong, proud… the best!
The bold corporation sailing to glory over uncharted waters!
Oops! It’s an Iceberg!! It’s a SAMberg
Not a desired destination! But SAM non-compliance brings with it the risk of such a fate!
This is how we want it to be, and to continue for a long, long time: without the risk of disruption due to SAM non-compliance and all the attendant disastrous outcomes.
SAM is complex, but is your best friend
Manage software licenses so that your organization is not “titanicized”.
Remember the EULA has loads of ‘small type’, and reading it will be good for your organization’s health! And your job!
Do Not Support or Condone Piracy!
• Professional Positions
– Open Security Alliance (Principal and CEO)
– Jharkhand Police (Cyber Security Advisor)
– Pyramid Cyber Security & Forensics (Principal Advisor)
– Indian Honeynet Project (Co-Founder)
• Like all IS professionals .. eternal InfoSec and technology learner.
• Professional skills and special interest areas
– Security consulting and advisory services for IS architecture, analysis, optimization..
– Technologies: SOC, DLP, IRM, SIEM…
– Practices: Incident Response, SAM, Forensics, Regulatory guidance..
– Community: mentoring, training, citizen outreach, India research..
• Opinionated blogger, occasional columnist, wannabe photographer
• Contact Information:
Dinesh O. Bareja, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
E: dinesh@opensecurityalliance.org T: +91.9769890505
Twitter: @bizsprite Facebook: dineshobareja
L: http://in.linkedin.com/in/dineshbareja
References
• http://www.informationweek.in/security/13-07-15/software_asset_management_-_an_iceberg_called_sam.aspx
• http://securambling.blogspot.com/2013/06/software-asset-mis-management-who.html
• http://securambling.blogspot.com/2013/05/discovering-sam.html
Acknowledgements & Disclaimer
Various resources on the internet have been consulted in preparing the information presented. Images have been acknowledged where possible. Any company names, brand names or trade marks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional; objections may please be communicated to us for remediation of the erroneous action(s).
Software Asset Management - An iceberg named SAM

More Related Content

Viewers also liked

Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information SecurityDinesh O Bareja
 
Community Disaster Incident Response
Community Disaster  Incident ResponseCommunity Disaster  Incident Response
Community Disaster Incident ResponseDinesh O Bareja
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionDinesh O Bareja
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsDinesh O Bareja
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Dinesh O Bareja
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its PreventionDinesh O Bareja
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSDinesh O Bareja
 

Viewers also liked (9)

Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information Security
 
Community Disaster Incident Response
Community Disaster  Incident ResponseCommunity Disaster  Incident Response
Community Disaster Incident Response
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introduction
 
Compliance Awareness
Compliance AwarenessCompliance Awareness
Compliance Awareness
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CS
 

More from Dinesh O Bareja

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers Dinesh O Bareja
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Dinesh O Bareja
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCDinesh O Bareja
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITDinesh O Bareja
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013Dinesh O Bareja
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in IndiaDinesh O Bareja
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security AwarenessDinesh O Bareja
 

More from Dinesh O Bareja (9)

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers
 
Cybersecurity 2.0
Cybersecurity 2.0Cybersecurity 2.0
Cybersecurity 2.0
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRC
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with IT
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness20100224 Presentation at RGIT Mumbai - Information Security Awareness
20100224 Presentation at RGIT Mumbai - Information Security Awareness
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf

Software Asset Management - An iceberg named SAM

  • 1. SOFTWARE LICENSE MANAGEMENT – an iceberg named SAM. Dinesh O Bareja, CISA, CISM, ITIL, BS7799. 16th Annual Karnataka Conference, GRC – Compliance to Culture, JULY 19 & 20, 2013
  • 2. ನನನ ಹೆಸರು SAM ಆಗಿದೆ / My name is SAM / मेरा नाम SAM है / என் பெயர் SAM / నా పేరు SAM ఉంది
  • 3. Information Gathering
    • Some audience questions - how many know the full form of SAM
    • Now that we have been introduced to SAM and we know it relates to software licenses – how many have ACTUALLY read the EULA of all the installations in one’s organization or on one’s machine
    • Against reading the EULA – how many of us have read the BOM, SOW, Proposal and vendor documentation – did anyone raise any objections
    • Is the Warranty or SLA document reading done from end to end? I am sure you would have already asked the “right” questions and got the “correct” answers! (at the time of purchase)
    • Some more questions….
    • Is your ITAM automated ? Managed ? Traditional ?
    • Are you compliant with ISO27k1 controls for IT Asset Management
  • 4. MY PRESENTATION… It is about that one discipline which has the highest priority in our profession (or life) BUT Once entered into a Register …. It is history !
  • 6. This is SAM. The size and shape depends on the size and maturity of your risk and compliance management systems
  • 7. SAM requires attention as the big RISK may be overlooked in the ISMS Ocean
  • 8. In a nutshell… it is about: High time we got SAM’s full name!
    • What do we own
    • What do we need
    • What are we using
    • Are we Over or Under
    • Do we have visibility
    • When should we buy
    • How much to buy
    • Are all licenses managed
    • Are upgrades managed
    • Are we compliant to EULA
    • Do we audit regularly
  • 9. Software Asset Management
    • Software licenses are valuable assets and should be managed as such
    • Helps control costs and optimize the software assets usage
    • Provide effective control of the software lifecycle
    • Enable processes to manage software health and secure the lifecycle
    • Ensure legal compliance
    • Achieve cost savings (salvage unused licenses; no unplanned purchases)
    • Control of software licenses over-purchase and maintenance
    • Financial penalties for license non-compliance
    • Negative publicity
    • Strengthens ability for better vendor software negotiations
    • Visibility over current state of assets
  • 10. STANDARDS
    • ISO/IEC 19770‐1:2006 SAM Processes – regular
    • ISO/IEC 19770‐2:2009 Software Identification Tag
    • ISO/IEC 19770‐3 Software Entitlement Tag
    • ISO 27001
    • ITIL Standards
    Because of the complexity of a good process and supporting technology, companies struggle in their effort to achieve even an adequate level of SAM.
  • 11. ISO27001 – Asset Management
    • Section 7: Asset management: The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
    • 7.1 Responsibility for assets
      – All [information] assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
    • 7.2 Information classification
      – Information should be classified according to its need for security protection and labeled accordingly. [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]
  • 12. ISO19770
    The standard facilitates the following through SAM implementation:
    • Risk management
    • Cost control facilitation
    • Competitive advantage
  • 13. ISO19770
    • Business Risk Management
      – Interruption to or deterioration in the quality of IT services; legal and regulatory exposure; damage to public image arising from any of these
    • Cost Control
      – Reduced direct costs of software and related assets, such as by negotiating better pricing through improved use of volume contracting arrangements, and by avoiding purchasing new licenses when old ones can be redeployed
      – Reduced time and cost for negotiating with suppliers because of better information availability
      – Reduced costs through improved financial control, such as through better invoice reconciliation and more accurate forecasting and budgeting
      – Reduced infrastructure costs for managing software and related assets, by ensuring that required processes are efficient and effective
      – Reduced support costs, which are significantly affected by the quality of SAM processes, both directly within IT and indirectly within end-user areas
  • 14. ISO19770
    • Competitive Advantage
      – Better quality decision making because of availability of more complete and more transparent information (e.g. IT procurement and system development decisions may be made more quickly and more reliably with better quality data)
      – Able to deploy new systems and functionality more quickly and reliably in response to market opportunities or demands
      – Providing IT which is more closely aligned to business needs, thus ensuring that all users have access to appropriate software and applications
      – Able to handle the IT aspects of business acquisitions, mergers or demergers more quickly
      – Better personnel motivation and client satisfaction through having fewer IT problems
  • 15. ISO19770 Framework
    • Organizational Management Processes for SAM
    • Core SAM Processes (Processes that define SAM)
    • Primary Process Interfaces for SAM
  • 16. ISO19770 Framework – Organizational Management Processes for SAM
    • Corporate governance process
    • Roles and responsibilities
    • Policies, processes and procedures
    • Competence
    • Planning
    • Implementation
    • Monitoring
    • Continual Improvement
  • 17. ISO19770 Framework – Core SAM Processes (Processes that define SAM)
    • Software Asset Identification
    • Software Asset Inventory Management
    • Software Asset Control
    • Software Asset Record Verification
    • Software licensing compliance
    • Software asset security compliance
    • Conformance verification for SAM
    • Relationship and contract management for SAM
    • Financial management for SAM
    • Service level management for SAM
    • Security management for SAM
  • 18. ISO19770 Framework – Primary Process Interfaces for SAM
    • Change Management Process
    • Acquisition Process
    • Software Development Process
    • Software Release Management Process
    • Software Deployment Process
    • Incident Management Process
    • Problem Management Process
    • Retirement Process
  • 19. • SAM …. IS NOT AT ALL plain and simple inventory management ITAM ≠ Inventory Management
  • 20. If your policy is oriented towards ITAM as a whole and does not think about software as a special area requiring control or identified as high risk…. Then this is TRUE ! True ??
  • 22. Why is SAM overlooked!
  • 23. The EULA … what you did not read This Is What You NEVER Read!
  • 24. Surprise!
    • When you purchase a Microsoft Server you need to have a Server CAL (Client Access License) for each workstation that connects to the server. This is regardless of whether you are using a Microsoft Operating System on each computer
    • OEM License is considered compliant when you have the OEM license pasted on the machine, not just possessing a paper license
    Have you heard of any CIO/CTO who shared a EULA with the Legal and / or Finance team ?
  • 25. Surprise ! Maybe You Missed A Lottery!
    • This company offered a prize hidden in the EULA
    • After 3000 downloads one person claimed the $1000 prize
  • 26. © LukeSurl.com – with apologies for cropping the image The EULA is a legal agreement between you (either a corporal and / or mortal entity) and SATAN for your eternal soul which includes your post-death hereafter and any associated spiritual identities including good/evil alignments (“COMPLETE OWNERSHIP OF YOUR SOUL”). By selling, bargaining or otherwise surrendering the COMPLETE OWNERSHIP OF YOUR SOUL you agree to be bound in servitude to the Dark Lord for all eternity. If you disagree with this EULA or are unable or unwilling to accept these….
  • 28. Some EULA Terms
    • Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees.
    • “You may make one backup copy of the Software, provided your backup copy is not installed or used other than for archival purposes. You may not transfer the rights of a backup copy unless you transfer all rights in the Software….”
    • "By posting user content to any part of the site, you automatically grant to the company (i.e. Facebook) an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, display, reformat, translate, excerpt (in whole or in part) and distribute such user content for any purpose, commercial, advertising or otherwise…."
  • 29. More “Terms”
    • Autodesk or its authorized representative will have the right, on fifteen (15) days’ prior notice to Licensee, to inspect Licensee’s records, systems and facilities, including machine IDs, serial numbers and related information.
    • Microchip's authorized representatives will have the right to reasonably inspect, announced or unannounced and in its sole and absolute discretion, Licensee's premises and to audit Licensee's records and inventory of Licensee's use of the Software, whether located on Licensee's premises or elsewhere, at any time, in order to ensure Licensee's adherence to the terms of this Agreement.
  • 30. Consequences of Non Compliance
    • Liability of immediate purchase
    • Penalty
    • Reputation Loss
    • Downtime
    • Jail
    • Closure of business
    • Risk of unpatched versions
    • No Support from Vendor
  • 32. Cases
    • Construction Company: 500 employees across 4 offices and multiple construction sites. Using AutoCAD, Microsoft Office, MS SQL, MS Project. Company had completed license reconciliation and transferred licenses to close delta. Vendor review discovers ‘keygen / cracks’ that were not cleaned as per remediation plan. Four (new) additional installations (pirated) discovered (the users had installed as they had some urgent requirement). Vendor assesses XX instances of non-compliance and proof of compliance has to be provided within ten days. Total amount paid Rs. 1.35 cr.
  • 33. Cases – You are never too small
    • Web developer - Providing design and development services for clients. Owner plus 3 employees. Organization assets comprise 5 desktops and 1 laptop. Suspected that the vendor’s representative visited twice posing as customer. Followed by a visit from License Manager which was very unsavory. Demand of ONE license raised for compliance with proof to be provided in 7 days. Total amount paid Rs. 70,000
    • Architect – individual professional having two assistants. Visited by vendor representative and had to comply with demand for 3 licenses. Lite version was required but had to purchase high end version as per demand. Amount paid for high end version Rs. 5 lacs whereas lite version would have cost Rs. 1.5 lacs
  • 34. Cases
    • BPO and outsource development services company. 1400 employees at two locations. Company is ISO27001, ISO9001, ISO20000 certified. Request for review from vendor received. CISO initiates license reconciliation. Non compliance delta negligible. Vendor raises issue of CPU/User and raises new demand based on headcount to bulk license count – 10 days to comply. Additional license fees paid Rs. 95 lacs
  • 35. Cases – Business Shutdown
    • WINTECH COMPUTERS circa 2000. 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute. Raid on the company in September 2000 carried out by Mumbai Police and officials of a private investigating firm. Wintech Computers had no license to teach Oracle® software. 'I want to be the Bill Gates of India's computer education industry.' – March 2000, Murtuza Mathani, Wintech CEO. May 2001: Mathani's whereabouts unknown.
  • 36. Cases
    • Large IT Services organization providing high end consulting globally. About 4000 strong workforce. Non compliant for use of software in training, backoffice – testing and research and development. Had to pay Rs 5 cr and have then recruited an Asset Manager and invested in commercial tools to manage SAM.
    TAKEAWAY … WATCH OUT FOR TWO VERY IMPORTANT WORDS: ENTITLEMENT and INSTALLATION
  • 37. Befriending SAM
    • SAM is not to be overlooked
    • Not to be approached in the conventional asset management manner
    • Saves you from manifold risks that accrue from non-compliance
    • Create a position for an Asset Manager (it is economically feasible)
    “Best negotiations start before you even know what you want to buy” – Forrester Research, http://www.computerweekly.com/opinion/Forrester-Tips-for-software-contract-negotiation
  • 39. Extract Benefits from SAM JUST TAKE CARE OF THIS NUMBER AND IT IS ENOUGH TO PROVIDE THE HARD CASH TO DEMONSTRATE THE VALUE OF YOUR OFFICE
  • 41. Risk Mitigation w. SAM Enablement
    • Mitigate Non Compliance arising out of Mergers & Acquisitions
    • Clean Cracks and Keygens on your network for specific vendors
    • Discover and remove unauthorized installations of software from specific big name vendors whose products are used
    • Penalize rogue users on the network
    • Measure number of users accessing systems (installations) against your total license assets (entitlement)
    • Don’t try to be smart and uninstall after you get an audit request – the auditors have seen umpteen reactive actions and know all the tricks of the game
    • Bring Legal, Financial, Purchase, IT Operations and IS (Asset Mgt) functions together into a new License steering committee
  • 42. Risk Mitigation w. SAM Enablement
    • Implement manual processes for CALs and other metrics that are not discovered by inventory tools
    • Calculate license entitlements to get your actual license position
    • Don’t overlook Open Source and trial Software
    • When trial versions expire REMOVE them
    • Create effective Change and Configuration Management controls
    • Implement network monitoring tools and push policies for end point configuration
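The reconciliation the deck keeps coming back to (slide 36's two words, ENTITLEMENT and INSTALLATION; slide 41's "measure installations against entitlement"; slide 42's CAL metrics, license position and expired trials; slide 24's one-CAL-per-connecting-workstation rule) is mechanical once the registers exist. The script below is an added worked example, not the presenter's code or any SAM tool's output: it takes a constructed entitlement register, a constructed discovery-tool inventory and a constructed server access log, and produces the effective license position, the over-deployed products, the products with no entitlement at all, the Server CAL gap and the expired trial installs that slide 42 says to remove. All product names, host names, counts and dates are sample values.

```python
"""Effective licence position: installations versus entitlements.

Added worked example for this deck; it is not the presenter's code or tooling.
Every register, inventory record and log line below is a constructed sample.
"""
from collections import Counter
from datetime import date

# Constructed entitlement register (what we own): product -> licence count.
ENTITLEMENTS = {"AutoCAD": 40, "Microsoft Office": 500, "MS SQL Server": 2, "MS Project": 10}

# Constructed count of Server CALs owned for the file server.
SERVER_CALS_OWNED = 3

# Constructed audit date (the conference date) used for trial expiry checks.
AUDIT_DATE = date(2013, 7, 19)

# Constructed discovery-tool output (what is installed). 'kind' is "licensed"
# or "trial"; trial installs carry the expiry date the installer reported.
INSTALLATIONS = [
    {"host": "ws-001", "product": "AutoCAD", "kind": "licensed", "expires": None},
    {"host": "ws-002", "product": "AutoCAD", "kind": "licensed", "expires": None},
    {"host": "ws-003", "product": "AutoCAD", "kind": "licensed", "expires": None},
    {"host": "ws-001", "product": "Microsoft Office", "kind": "licensed", "expires": None},
    {"host": "ws-002", "product": "Microsoft Office", "kind": "licensed", "expires": None},
    {"host": "srv-db1", "product": "MS SQL Server", "kind": "licensed", "expires": None},
    {"host": "srv-db2", "product": "MS SQL Server", "kind": "licensed", "expires": None},
    {"host": "srv-db3", "product": "MS SQL Server", "kind": "licensed", "expires": None},
    {"host": "ws-004", "product": "MS Project", "kind": "trial", "expires": date(2013, 6, 30)},
    {"host": "ws-005", "product": "MS Project", "kind": "trial", "expires": date(2013, 12, 31)},
    {"host": "ws-006", "product": "DesignSuite Pro", "kind": "licensed", "expires": None},
]

# Constructed server access log: (client host, client OS). The deck's CAL rule:
# one Server CAL per workstation that connects, whatever OS the client runs.
SERVER_CONNECTIONS = [
    ("ws-001", "Windows"), ("ws-001", "Windows"), ("ws-002", "Windows"),
    ("lx-007", "Linux"), ("mac-003", "macOS"),
]


def license_position(entitlements, installations):
    """Return {product: entitlement - licensed installations}.

    Negative means over-deployed (audit exposure); positive means spare
    licences that can be redeployed before anything new is bought.
    """
    installed = Counter(r["product"] for r in installations if r["kind"] == "licensed")
    products = set(entitlements) | set(installed)
    return {p: entitlements.get(p, 0) - installed[p] for p in sorted(products)}


def shortfalls(position):
    """Products where installations exceed entitlement."""
    return sorted(p for p, delta in position.items() if delta < 0)


def unentitled_products(entitlements, installations):
    """Installed products with no entitlement record at all (unauthorised installs)."""
    return sorted({r["product"] for r in installations if r["product"] not in entitlements})


def cal_position(cals_owned, connections):
    """(distinct connecting workstations, CALs owned, owned - needed)."""
    needed = len({host for host, _os in connections})
    return needed, cals_owned, cals_owned - needed


def expired_trials(installations, today):
    """host:product for trial installs past their expiry date (deck: REMOVE them)."""
    return sorted(f"{r['host']}:{r['product']}" for r in installations
                  if r["kind"] == "trial" and r["expires"] is not None and r["expires"] < today)


def reconcile(entitlements, installations, cals_owned, connections, today):
    """Bundle the checks into one effective-licence-position report."""
    position = license_position(entitlements, installations)
    return {
        "position": position,
        "shortfalls": shortfalls(position),
        "unentitled": unentitled_products(entitlements, installations),
        "cal": cal_position(cals_owned, connections),
        "expired_trials": expired_trials(installations, today),
    }


if __name__ == "__main__":
    result = reconcile(ENTITLEMENTS, INSTALLATIONS, SERVER_CALS_OWNED, SERVER_CONNECTIONS, AUDIT_DATE)
    for product, delta in result["position"].items():
        print(f"{product:18} {'spare' if delta >= 0 else 'SHORT'} {abs(delta)}")
    print("shortfalls:", result["shortfalls"])
    print("unentitled:", result["unentitled"])
    print("server CALs (needed, owned, delta):", result["cal"])
    print("expired trials:", result["expired_trials"])
```

Two design points follow the deck rather than convenience. Trial installs are not counted against entitlement, because a trial is not a purchased licence; they are tracked separately so the expired ones can be removed before an auditor finds them. The CAL count is taken from distinct connecting hosts, not from the Windows hosts only, because the CAL is owed for the connection regardless of the client operating system, which is exactly the metric slide 42 notes that inventory tools do not discover on their own.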
  • 45. This is YOUR Organization… big, strong, proud… the best! The bold corporation sailing to glory over uncharted waters!
  • 46. Oops ! It’s an Iceberg !! It’s a SAMberg
  • 47. Not a desired destination ! But SAM non compliance brings with it the risk of such a fate !
  • 48. This is how we want it to be and continue into a long long time Without the risk of disruption due to SAM non-compliance and all the attendant disastrous outcomes
  • 49. SAM is complex, but is your best friend. Manage Software Licenses so that your organization is not “titanicized”. Remember the EULA has loads of ‘small type’ and reading it will be good for your organization's health! And your job! Do Not Support or Condone Piracy !
  • 50. About the author
    • Professional Positions
      – Open Security Alliance (Principal and CEO)
      – Jharkhand Police (Cyber Security Advisor)
      – Pyramid Cyber Security & Forensics (Principal Advisor)
      – Indian Honeynet Project (Co Founder)
    • Like all IS professionals .. Eternal InfoSec and Technology learner.
    • Professional skills and special interest areas
      – Security Consulting and Advisory services for IS Architecture, Analysis, Optimization..
      – Technologies: SOC, DLP, IRM, SIEM…
      – Practices: Incident Response, SAM, Forensics, Regulatory guidance..
      – Community: mentoring, training, citizen outreach, India research..
    • Opinioned Blogger, occasional columnist, wannabe photographer
    • Contact Information: Dinesh O. Bareja, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM – E: dinesh@opensecurityalliance.org – T: +91.9769890505 – Twitter: @bizsprite – Facebook: dineshobareja – L: http://in.linkedin.com/in/dineshbareja
  • 51. References
    • http://www.informationweek.in/security/13-07-15/software_asset_management_-_an_iceberg_called_sam.aspx
    • http://securambling.blogspot.com/2013/06/software-asset-mis-management-who.html
    • http://securambling.blogspot.com/2013/05/discovering-sam.html
    Acknowledgements & Disclaimer: Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
    Contact Information: E: dinesh@opensecurityalliance.org – T: +91.9769890505 – Twitter: @bizsprite – Facebook: dineshobareja – L: http://in.linkedin.com/in/dineshbareja