Pragmatic software governance


Published on

Discover how dynamically controlling your license estate leads to a software balance and protects your organization.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Pragmatic software governance

  1. 1. PRAGMATIC SOFTWARE GOVERNANCE DISCOVER HOW DYNAMICALLY CONTROLLING YOUR LICENSE ESTATE LEADS TO A SOFTWARE BALANCE AND PROTECTS YOUR ORGANIZATION GEOFF COLLINS MARTIN ANDERSON 1E APRIL 2011ABSTRACT: This whitepaper sets out the 1E view of software governance and compliance, highlighting that thecorrect approach is not to overspend and overprovision, but nor is it to wait for your chosen software vendors toaudit your enterprise. The answer is to get the balance ‘just right’.All rights reserved. No part of this document shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic,mechanical, photocopying, recording, or otherwise, without permission from 1E. No patent liability is assumed with respect to the use of theinformation contained herein. Although every precaution has been taken in the preparation of this document, 1E and the author s assume noresponsibility for errors or omissions. Neither is liability assumed for damages resulting from the information contained herein. The 1E name is aregistered trademark of 1E in the UK, US and EC. The 1E logo is a registered trademark of 1E in the UK, EC and under the Madr id protocol.NightWatchman is a registered trademark in the US and EU.
  2. 2. ContentsToo much or not enough? ......................................................................................................................................... 3What’s the recipe? .................................................................................................................................................... 4Liability and control ................................................................................................................................................... 7Getting it just right .................................................................................................................................................... 9References .............................................................................................................................................................. 10© 1E 2011 2
  3. 3. Too much or not enough?“63% of software vendors cited revenue generation as their number one reason for operating a compliance program, while 50% also want to protect their intellectual property rights.” Software compliance without tears, Ernst & Young, February 10, 20111Like Goldilocks and her porridge, when it comes to software governance and compliance, every organization needsto get things ‘just right’. Spend too much in a climate of restricted spending, overprovisioning on software licensesthat you think you might need, and you impact budgets and your ability to invest in strategic projects. By contrast,spend too little and when software vendors approach you about your installed software base you run the risk of non-compliance, fines and legal action.But what constitutes a sensible level of control? Effectively minimizing the cost of licensing and managing software,while not exposing your enterprise to the risk of an audit is the key, but it’s often not as straightforward as it mightappear. Some projects aimed at understanding and managing software compliance run on for many years andstruggle to demonstrate any return on investment. But equally, the solution cannot be so simple as to hope for thebest and shout ‘help’ when the auditors arrive.Getting it ‘just right’ is not as easy as it looks.© 1E 2011 3
  4. 4. What’s the recipe? “Gartner continues to see increasing incidence of software vendor audits, making it critical that customers negotiate with an understanding of how license compliance can be accomplished consistently and cost-effectively.” Key Issues for IT Asset Management and Procurement, Gartner, 25 February 20092No organization wants to be unprepared and have their business interrupted by a software audit. They may be ableto struggle through one but there is no guarantee that these are single occurrences. Every enterprise can and shouldbe prepared for that inevitable visit before it happens. But to be prepared you need to answer three fundamentalquestions: ‘What do I have installed?’ ‘What do I own?’ and, most importantly, ‘What do I actually need?’What software do I have installed?The first step to compliance is getting control of what has been installed in your enterprise. Many times evenanswering this seemingly simple question can be a real struggle even if they have a top of the line systemsmanagement solution in place. The unfortunate truth for many organizations is that it will boil down to anapproximation based on some raw data because of the uncontrolled manner in which software is installed andinventoried.The root of the problem lies in the vagaries of product information, with inconsistent and incomplete product names,versions and editions often published without a common format. Some standards of how software should run onWindows platforms do exist. However, the enforcement on ISVs to follow these standards is not strictly controlled. Forinstance, even though many operating systems offer file attributes, not all software publishers take advantage of thesefeatures. And in the event that software offerings do include relevant attributes, a lack of formal quality assurance cansignificantly lessen consistency.Software bundling is a common practice when releasing software that supports commoditized functionality, such asweb services. Again, publishers rarely change details in the registry entries or file attributes to indicate that thesoftware is bundled, so systems management tools typically cannot differentiate bundles from full products requiringassociated licenses. From the software vendor’s perspective, identification of suites or bundles is not their concernwhich is why they do not build such identification into their products. As a result, the reported software inventory isartificially inflated to contain items for which users can rarely prove entitlement.These inconsistencies are then compounded by the presence of ‘try before you buy’ evaluations, unrecognized bysystems management tools and often downloaded by users direct to the desktop without the knowledge of the ITdepartment. Installations such as these are not localized to individual users either. Rather, it is more the case thatone person in a department begins to independently use a piece of software which they have installed and then viaword of mouth they push others in their group to do the same. This problem worsens when we consider thatapplications can be downloaded through the Internet or via portals or installed using flash drives or disks.Then there is the issue of data collection itself. The traditional approach employs systems management tools toexamine the software for registry entries, file attributes and product identification data embedded in the code toproduce an inventory. An inventory of your desktops, notebooks and servers should give you visibility of all thesoftware you have installed. But when used for this purpose, systems management tools frequently produce a lot of© 1E 2011 4
  5. 5. ‘noise’. From a software developer’s perspective the information that accompanies the file wasn’t intended to assistthe IT Administrator’s inventory and identification process in so much as it was intended to help the softwaredevelopment and debugging process.To begin with the inventory will be full of software that you don’t need to know about, including hot fixes, drivers,toolbars, plugins and Java Runtime licenses. It will also contain duplicates caused by those inconsistent productnames, versions and editions, usually leading to double counting and inaccurate results. All of this data needs to becleaned, often as part of a laborious manual process. Once you’ve been through all that, you then need to filter yourresults just to identify the software that is commercially licensable.It is perhaps not surprising then, in a recent survey conducted by Opinion Matters on behalf of 1E, that two in everythree respondents in organizations with more than 500 employees said they found preparing for software vendor 3audits challenging.So let’s assume you’ve been able to identify what you have installed. How do you understand how much of it isactually yours?What do I own?The ability to track purchase information for licenses is much more difficult than many organizations realize or careto admit. This is typically because the information is not held in one central source, but by a number of individuals ordepartments and in a myriad of different formats.License details will be found in your accounting and purchasing departments, recorded on spreadsheets or detailedin finance applications. They will be stored on paper, filed away in cabinets somewhere by your IT team. They couldeven appear in marketing or sales, purchased from a high street store on expenses having been authorized by a linemanager. They may not have even been recorded at all! Some organizations will freely admit that because someSAM tools are so large and complex they would rather wait for a vendor to come to them with an audit rather thantry to manage the process themselves.1E’s own research would suggest that nearly 50% of enterprises still use spreadsheets to record software licenses,with almost 9% still using a paper-based filing system and a staggering 14% using nothing whatsoever.3Larger enterprises also operate on an international basis, from multiple sites and in many different countries, each ofwhich might have their own purchasing, finance or IT teams and their own local procedures governing softwarepurchases. Indeed, that same research would suggest that 43% of organizations manage their software regionally,39% by department and 20% on a project-by-project basis.3 Ian Blatchford, a partner with Ernst & Young, agrees,saying “Customers feel that their own decentralized structures often make it harder to keep track of usage around 4the organization - as does their increasingly complicated suite of IT packages."Additionally there are many organizations that have scattered licenses and overlaps in software functions due tomergers and acquisitions. This often gets overlooked and causes both over payment in software due to duplication injob functions but also liability from lost tracking of licenses.Inevitably, many organizations will be forced by the sheer complexity of uncovering and recording all this data toassign a project team to the job of gathering license information across the business. Some will even need to contactvendors and other sources, increasing still further the risk of an audit.© 1E 2011 5
  6. 6. Now let’s assume you have been able to accurately identify what software you have installed and how much of it youown. The last part of the story is to understand how much of what you have is actually needed.What do I actually need?This question could be rephrased as, “What am I actually using?”A review of your software estate may well determine how many copies of applications are installed on your systemsand whether or not you have paid for those licenses, but you also need to determine which of these softwareapplications are actually being used, by whom and how often.Without usage data, you may be purchasing software based on perceived requirements or user requests, not actualneed. Usage data plays an important role in determining which applications should be included in a standard imageand how many standard images may be needed to meet the different requirements of users. It also plays a part inmonitoring and controlling the use of unauthorized applications and in preventing the downloading of insecure, non-approved software. Having control of software licenses in your environment also reduces the risk of expensivepenalties and legal exposure.The true realization comes when you see that software usage and license liability are tightly coupled topics that canbe addressed in order to keep your software installation and purchasing decisions optimal. Software which isinstalled and used would fall into the category of “I need this software” however software which is installed yet notlicensed wouldn’t. We would refer to this as waste. But what if, in addition to waste you had software which was aliability with respect to licensing? – I.e. installed copies of software for which your organization hadn’t purchasedlicenses for yet. It’s in your best interest to know the usage information for this group of systems as well in order tomake prudent purchasing decisions.Once you know what software you have, how often you’re are using it, and how much your organization haspurchased, you have the information you need to make informed business decisions. Once you can make informedbusiness decisions, you can put software in place to automate these and keep your environment in an optimal state.© 1E 2011 6
  7. 7. Liability and control “In a survey of attendees at our IT Asset Management, Procurement and IT Financial Management Conference conducted in November 2010, 61% of the 144 respondents said they had been audited by at least one software vendor in the past 12 months.” IT Asset Managers Should Prepare Now, Gartner, 2 March 20115But even if you can find out what you have, how often you’re using it and how much you’re paying for it, how do youmanage your liability and control your risk?In the vast majority of cases organizations fall out of compliance by accident rather than by design. It may take youmany months (or in some cases years) to audit your software licenses, ownership and usage in preparation for thataudit. But how are you going to keep that information up-to-date ready for next year or the year after that. You don’tknow when a software vendor will request an audit, just that they surely will.While perhaps there has been a tendency over the years to shy away from discussing software compliance, itremains the primary goal for many organizations in reviewing their software licenses. 40% of the enterprises Opinion 3Matters questioned said this was their main concern, with a further 22% highlighting reduced business risk.It’s not just a question of identification; it’s also a question of control and the ability to take action in order toremediate a problem. With this in mind, software license management tools provide the next and arguably mostimportant step in the process.Audit data, as we have seen, can only contribute towards compliancy if it is combined with entitlement data,obtained from recording purchases and reports from vendors. For many enterprises, this ‘true up’ could be an almostentirely manual process requiring analysis of general ledger postings and tracking back to accounts payable to findthe invoices. Furthermore, it could be out of date in a matter of days. The key point here is that license managementtools need to be “plugged-in” to the active software estate to consistently present compliance status to the ITdepartment.Advanced license management tools automate the correlation of installation, ownership and critically need,providing a central resource for ongoing compliancy while responding to and reducing liability in the short, mediumand long term. The ability for a license management tool to control compliance is considered a base from which acomplete compliance program can be built. The control of this data must be automatic, ‘active’ and ongoing. It mustbe continually tracked and monitored, alerting appropriate managers when the business falls out of compliance or isoverbuying licenses and thereby wasting money.Rather than simply identifying what has, or has not, been purchased, sophisticated tools can manage centralizeddeployment and removal of applications, auto-reclaim unused software on one client machine and deploy to anotherand even ‘rent’ applications to users on a temporary basis for only as long as they need them. They can also reduceor even remove purchased but unused applications, known as ‘shelfware’, from the business. It is these elements ofadvanced control that set some software license tools apart.© 1E 2011 7
  8. 8. More importantly, your enterprise will enjoy immediate cost savings from improved software allocation, volumelicense discounts, better price points, accurate asset depreciation and more - all while eliminating the risksassociated with software non-compliance, lack of policy enforcement and inappropriate or unnecessary usage.© 1E 2011 8
  9. 9. Getting it just right“Software audits are increasing. Organizations must fund IT asset management disciplines or will risk high, unexpected financial liability due to software compliance problems. Having good asset management can reduce the time and pain of a software vendor audit.” IT Asset Managers Should Prepare Now, Gartner, 2 March 20115Uniquely focused on software waste, AppClarity™ from 1E delivers compliance without complexity by filtering outirrelevant license data to show just licensable software, organizing it by financial impact or vendor so you can quicklyfocus your compliance efforts.AppClarity enables your organization to make immediate reductions in software costs by analyzing all yourapplications instantly and providing you with actionable results, reducing your spend within one month. Byidentifying the software you actually use, then automatically removing what you don’t need and reallocating toreduce license liability, AppClarity enables you to financially quantify all software waste by identifying and controllingunused software across your whole enterprise.AppClarity also reduces business risk by controlling unapproved and prohibited software installs (such as torrent-likeapplications), automating software removal to protect your organization. From a security perspective this has theadded benefit of reducing your entire company’s attack surface.Using a simple traffic light status to show compliance, together with additional guidance on how that compliance wascalculated, AppClarity provides comprehensive reporting for vendor audits with just a few mouse clicks, reducing thecost and time it takes for your enterprise to prepare for any software vendor audit. Never again will you need toconduct manual ‘true ups’ and labor intensive audits.Through feature identification techniques, AppClarity also has the ability to provide reports and actions where“functional overlap” is taking place in your organization. This means that AppClarity can help reduce overspendingdue to two applications being purchased and installed which provide the same features and functions to the usercommunity.By making sense of what software you have, why you have it, and where and how it is being used, AppClarity allowsyou to make informed strategic and operational decisions, putting you in a much stronger negotiating position whenrenewing maintenance or purchasing additional licenses. And it does this on a continual basis, month-on-month,year-on-year.Deploying AppClarity alongside other 1E products like Shopping™ delivers a solution that further enhances licensecontrol by offering the opportunity to rent applications on a short term basis to users, so that short term needs donot become long term liabilities.Getting it ‘just right’ is possible; you just have to know where to look.© 1E 2011 9
  10. 10. References1 Software compliance without tears Monitoring customers’ software usage in a complex world, February 10, 2011.Available from:$FILE/EY_-_Software_compliance_without_tears_Monitoring_customers_software_usage_in_a_complex_world.pdf2 Key Issues for IT Asset Management and Procurement, February 25, 2009. Available from: Software Efficiency Report 2011. Opinion Matters survey on behalf of 1E, 20114 Software compliance without tears. Software asset management survey, Ernst & Young March 20115 Survey Analysis: Survey Shows Another Increase in Software Vendor Audits; IT Asset Managers Should PrepareNow, March 2, 2011. Available from:© 1E 2011 10