Platform Virtualization and Software Licensing


Platform virtualization, however, can be a concern for end user organizations striving for software license compliance, as well as for independent software vendors (ISVs) who want to enforce license compliance and assure revenue without constraining customer deployment. This paper examines virtualization, its advantages, and why it is such a hot topic in the world of software licensing. Finally, the paper digs deeper into the options available to ISVs and presents best practices for handling software licensing in virtual environments.

Published in: Technology

Platform Virtualization and Software Licensing: Best Practices for Software Vendors

WHITE PAPER

“Software publishers that have not already begun addressing how to manage the licensing of their applications in virtual environments are behind the curve. The strategy should not only include support for licensing in virtual environments but also the ability to enforce license terms once the application is deployed on a virtual machine. Without enforcement, the software publisher has no control over the license and therefore their revenue.”
~Amy Konary, Research Director for IDC1

Executive Summary

There are many related, yet different, definitions for virtualization floating around the … If examined more closely, we discover that most of them focus on a set of processes and approaches designed to make data centers more efficient. Virtualization has existed for many years in the areas of testing and development; however, in today’s economic environment, it is becoming more and more prevalent as a way for IT to reduce costs and operate more efficiently.

Platform virtualization, however, can be a concern for end user organizations striving for software license compliance, as well as for independent software vendors (ISVs) who want to enforce license compliance and assure revenue without constraining customer deployment. This paper examines virtualization, its advantages, and why it is such a hot topic in the world of software licensing. Finally, the paper digs deeper into the options available to ISVs and presents best practices for handling software licensing in virtual environments.

What is virtualization?

A few minutes with an Internet search engine provides a wealth of definitions for virtualization. In the world of computing, virtualization has gone from being a “buzz word” to a mainstream IT term almost as common as PC or server.
It is highly unlikely that those involved with the computer industry today have not come across terms such as “virtual machine,” “VM,” and perhaps even “Hypervisor.” A few more minutes of searching reveals the abundance of vendors in the market providing a virtualization solution, with names such as VMware, XEN, VirtualBox, KVM, and, of course, Microsoft soon leading the way.

The term virtualization is used universally, and can refer to platforms, applications, networks, storage, memory, and other areas. Ultimately, it is a concept where one or more instances of a physical environment are simulated or recreated artificially in software.

Despite the varied areas that fall under the term virtualization, this paper focuses on the area of platform virtualization and how it affects software licensing and the world of automated software license enforcement.
Why is virtualization such a hot topic?

There are so many valid reasons to justify the case for virtualization, as it is one of the most useful technological advances in the IT industry. Some of the more significant benefits gained through virtualization are outlined below.

  • Reduced capital and operational costs through more efficient use of hardware resources.
  • Further reduce costs and environmental impact through Green IT.
  • More efficient testing/development and security.
  • Improved scalability and deployment agility.
  • High availability/redundancy.

Reduced capital and operational costs through more efficient use of hardware resources. Often, systems that support the day-to-day operation of a business (such as e-mail servers and database servers) are consuming only around 10 percent to 30 percent of the physical machine’s available resources. In other words, without adopting virtualization, up to 90% of a machine’s resources might never actually be utilized.

Considering the average purchase costs of high-performance servers, it is easy to see how this can be perceived as wasteful. By creating multiple virtual servers within a single physical machine, a company is able to make far more efficient use of their equipment, and subsequently, reduce the costs associated with the purchase and maintenance of multiple physical machines.

Further reduce costs and environmental impact through Green IT. Reducing the number of servers through virtualization not only saves money through more efficient use of hardware, it also reduces power consumption, with the added benefit of reducing a company’s carbon footprint.

More efficient testing/development and security. Another benefit of virtualization is apparent in testing and security. ‘Clean’ virtual images can be used to easily reproduce systems in order to create a new environment for testing and development, or to quickly replace a system which has been adversely affected by malware.
Improved scalability and deployment agility. Scalability is another important factor driving virtualization. When a company is in need of additional bandwidth or increased availability, it is comparatively simple to create new instances of a virtualized system in a short space of time, without the costs associated with additional hardware purchases or familiarization with new equipment.

High availability/redundancy. Virtualized servers are often installed into clustered environments. The inherent concept of dynamically spinning up virtual image ‘clones’ dramatically reduces the complexity and costs associated with managing a clustered infrastructure.

Why is virtualization an even hotter topic in the world of licensing?

The reasons outlined above show that virtualization cannot be ignored by companies, and there are simply too many perfectly legitimate reasons why it would be adopted. This reasoning does, however, create a conflict when considering the interests of the software vendor.

According to Amy Konary, research director for IDC1, “Software publishers that have not already begun addressing how to manage the licensing of their applications in virtual environments are behind the curve. The strategy should not only include support for licensing in virtual environments but also the ability to enforce license terms once the application is deployed on a virtual machine. Without enforcement, the software publisher has no control over the license and therefore their revenue.”

Today, most if not all third-party license enforcement technologies are based on a concept known as host-based license enforcement. In short, this is a concept where the license policies are tied to a known and authorized host or machine. Typically, a software license will be tightly coupled to a designated or authorized computer through a mechanism known as hardware fingerprinting or node locking.
The purpose of fingerprinting is to protect the license from unauthorized duplication or sharing by uniquely binding a license to the machine. If the license is copied to a new machine with a new fingerprint, it is automatically invalidated. The most common example of this is to tie the license to unique hardware attributes such as a hard disk identifier or an Ethernet (MAC) address.
Virtualization has introduced a significant challenge to this fundamental component of license copy protection. The concept of creating virtual hardware means that virtual fingerprints can also be created. A duplicated virtual machine normally results in a duplicated fingerprint, and the license enforcement technology will usually treat the virtual fingerprints no differently than the fingerprints from real (physical) machines. What has historically been seen as a trusted and secure anti-piracy mechanism no longer provides an acceptable level of assurance for the software vendor.

The most significant point here is that this does not just create an increased threat of malicious or intended software license misuse. The primary concern for software vendors is that this presents a new problem where conventional ‘honest’ users are now capable of inadvertently duplicating licenses through normal everyday operations. In other words, what is becoming a common way of deploying applications can, and does, result in the accidental duplication of software licenses. This presents another issue where the vendor might have less power from a legal perspective to make a stand and seek protection from those who inadvertently duplicate their licenses.

Automated License Enforcement Options
  • Hardware Keys
  • Detection of Virtual Machines
  • Virtual Machine Fingerprinting

How are software vendors handling virtualization today?

Historically, the advice offered to software licensees concerned about virtualization has been based around steering them towards implementing changes in how they price and package their software applications. For example, there are many papers and articles freely available on the Internet advising the vendor to switch their licensing models from conventional seat-based models to metric-based models, such as transaction- and consumption-based schemes.
To many vendors, the prospect of implementing such significant operational and commercial changes often presents too great a barrier. Understandably, they are seeking ways to ‘solve’ the problems raised by virtualization and yet maintain their existing commercial models.

The main reasons for this resistance to change stem from the fact that so many departments within an organization would be affected. Changes to licensing models would have a direct impact on Sales and sales models, which are also tied to the financial and auditing processes. However, the largest impact is usually with Operations, who are responsible for the fulfillment of the products, along with the associated licenses. Service-orientated roles, such as Customer Care and Technical Support, would also be added to the list. Most software vendors find it difficult to envision how significant changes to the way an application is licensed would not create multiple problems across many independent but interconnected departments.

The lack of suitable technical solutions initially drove vendors towards creating contractual wording that would disallow their applications from being installed onto virtualized environments. Some basic ‘virtual machine detection’ solutions have become available in licensing technologies that allow the vendor to enforce these policies technologically, as well as legally. These policies have worked for a short time, but have become less valid as virtualization has become more commonplace. This has left the vendor with one of two simple, yet difficult choices.

  i. They disallow their applications from being used on virtual machines, and so protect themselves from potential license misuse. This option restricts the scope of their software’s deployment and, therefore, limits sales.
  ii. More commonly, they simply choose to do nothing about virtualization, keeping the doors fully open from a sales perspective, while forcing them to accept that the license enforcement policies are significantly weakened.
An explanation of automated license enforcement options

1. Hardware Keys

The best protection against license duplication through virtualization is to store the information responsible for enforcing the license policy in a location that is trusted or protected, or is outside of the virtual environment. The most common example of this today is with vendors who protect their applications with hardware keys, also known as dongles. When delivering a dongle with an application, it is rare for the debate around virtualization and software licensing to arise.

The concept is relatively simple. The use of the software is reliant on the presence of a specific hardware key. Although the system that the software is installed onto can be virtualized (and therefore duplicated), a USB dongle can only be accessed by one machine at a time and access to it is blocked by any other machine. This means that on a single physical machine, the dongle can only be accessed by one virtual machine, regardless of how many virtual machines are actually running on that physical machine.

According to IDC VMs will outnumber physical servers 2:1

An extension to using hardware keys would be to combine them with concurrent network licenses. In this scenario, a license server or license manager is protected from being virtualized by tying the licenses that it hosts to a hardware key. Whether the protected applications are installed onto real or virtual clients has little consequence since the license manager will maintain the license seat count. This scenario provides the software vendor with an excellent level of assurance that the license count will be maintained, yet provides their customer with the deployment agility that is often one of the initial factors that drives a company towards virtualization.

[Figure: Virtual Machines, License Server, Real Machines]

There are, however, several reasons why hardware keys are not considered to be the universal solution to license enforcement and virtualization.
For one, many virtualization technologies do not adequately support external USB devices, meaning that a hardware key will never be seen by the virtual machine. Secondly, there are also many vendors who very strongly prefer not to send hardware keys to their customers and, instead, seek a pure software-based, electronic solution.

As mentioned, the whole debate around virtualization was not born within the world of hardware keys, and it is predominantly a concern among those who have exclusively adopted an electronic license enforcement approach.
2. Detection of Virtual Machines

With this approach, the licensing system uses internal checks to detect if it (and therefore the protected software) is being run on a virtual machine. The vendor can then choose to allow or disallow their software from being used within a virtual environment, and force the applications to be deployed only onto real machines.

The biggest problem with this approach is that it is at risk of having a short shelf-life. As mentioned, virtualization is becoming more commonplace every day, and vendors who choose to prevent their customers from installing their applications onto virtual environments will find that they are able to deploy (and therefore sell) their software to fewer and fewer customers as time goes by.

Nearly 50% of enterprise organizations have already virtualized all or a portion of their IT infrastructure, and an additional 33% plan to do so in the next 12 months.*

There is, however, a more acceptable solution when combining this approach with a concurrent network license deployment, as with hardware keys. By forcing the license manager onto real hardware, the end customer is free to deploy the protected applications onto any mix of real versus virtual machines. This will also satisfy the desire of many software vendors to maintain the deployment of electronic licenses.

[Figure: Virtual Machines, License Server, VM, Real Machines]

3. Virtual Machine Fingerprinting

Driven specifically by the need to allow the software vendor to continue deploying and fulfilling their software as they have done in the past, the ability to bind a license uniquely to a virtual machine is the latest tool available to them. This links back to the discussion where the majority of software vendors are looking for a solution that will allow them to maintain their existing license and deployment models.
The concept of virtual machine fingerprinting (VM fingerprinting) allows the software vendor to treat virtual machines the same as real machines, and the whole debate of virtualization becomes secondary. By providing a fingerprinting mechanism that includes attributes that are designed with virtualization in mind, it becomes possible to lock a license to a virtual computer and still provide a high level of assurance that a copy of that virtual machine will not result in a working copy of the license.
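The duplicated-fingerprint problem and the VM fingerprinting remedy described above, modelled as an added example (it is not from the white paper and is not SafeNet's implementation). Assumptions: `instance_id` is a hypothetical per-VM identifier that the hypervisor regenerates when an image is copied, an HMAC stands in for the vendor's license signature, and every attribute value is constructed.

```python
"""Node-locked licensing model: a cloned VM keeps a classic license valid,
while a clone-sensitive fingerprint attribute invalidates it."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Stand-in for the vendor's signing key (assumption). A production scheme
# would normally use an asymmetric signature so the client holds no secret.
VENDOR_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Machine:
    mac: str          # Ethernet (MAC) address
    disk_id: str      # hard disk identifier
    instance_id: str  # hypothetical per-VM identifier, regenerated on copy


def fingerprint(m: Machine, vm_aware: bool) -> str:
    """Hash the attributes the license is bound to."""
    attrs = [m.mac.lower(), m.disk_id]
    if vm_aware:
        attrs.append(m.instance_id)
    # Length-prefix each attribute so field boundaries cannot be shifted.
    blob = b"".join(len(a).to_bytes(2, "big") + a.encode() for a in attrs)
    return hashlib.sha256(blob).hexdigest()


def _tag(product: str, vm_aware: bool, fp: str) -> str:
    msg = f"{product}|{int(vm_aware)}|{fp}".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


def issue_license(product: str, m: Machine, vm_aware: bool) -> dict:
    """Vendor side: bind the license to the machine's fingerprint."""
    fp = fingerprint(m, vm_aware)
    return {"product": product, "vm_aware": vm_aware,
            "fingerprint": fp, "tag": _tag(product, vm_aware, fp)}


def validate(lic: dict, m: Machine) -> bool:
    """Client side: reject edited licenses, then compare fingerprints."""
    expected = _tag(lic["product"], lic["vm_aware"], lic["fingerprint"])
    if not hmac.compare_digest(expected, lic["tag"]):
        return False
    return hmac.compare_digest(lic["fingerprint"],
                               fingerprint(m, lic["vm_aware"]))


def clone_vm(m: Machine, new_instance_id: str) -> Machine:
    """Copying an image duplicates the virtual NIC and disk identifiers;
    only the instance identifier is assumed to change."""
    return replace(m, instance_id=new_instance_id)


def demo() -> dict:
    original = Machine("00:50:56:AA:BB:01", "VDISK-0001", "inst-1111")
    clone = clone_vm(original, "inst-2222")
    other_host = Machine("3C:52:82:10:20:30", "DISK-9F3K2", "")
    classic = issue_license("ExampleApp", original, vm_aware=False)
    vm_lock = issue_license("ExampleApp", original, vm_aware=True)
    return {
        "classic_on_original": validate(classic, original),
        "classic_on_other_host": validate(classic, other_host),
        "classic_on_clone": validate(classic, clone),    # accidental duplicate
        "vm_lock_on_original": validate(vm_lock, original),
        "vm_lock_on_clone": validate(vm_lock, clone),    # copy is rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

The classic license behaves as intended between two physical hosts but cannot tell the clone from the original, which is the accidental duplication the paper describes.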
Creating best practices from the available options

Seeing the various approaches that are now available to the software vendor, it is now possible to create a workable best practices approach when considering how to address virtualization and automated license enforcement.

The primary factor to consider is the level of trust the software vendor has with their customer. Typically, there is a direct correlation between the level of trust the vendor has with a customer and the amount of flexibility they are willing to offer. When the vendor has a higher level of trust, they are able to implement softer policies that provide the end customer with far fewer deployment constraints.

[Figure: options ordered from high level of trust and low level of protection to low level of trust and high level of protection: Traditional “soft” locking, VM Fingerprinting, VM Detection (and allow or disallow), Hardware Keys]

Traditional soft locking puts the least amount of restrictions on the end customer, giving them almost complete freedom in considering when and how to install a vendor’s applications. But this is typically only suitable for end customers who have their own incentives in place for license compliancy.

9 out of 10 ENT organizations will expect their software to run on virtual machines by EoY 2011.*

Typically, end customers are seeking more assistance from their software vendors to help them ‘stay honest’, and the vendors prefer to implement measures which help to keep them compliant. The virtual machine fingerprinting fits well into this scenario since it provides a high level of protection from what could be termed as accidental license misuse.

When tighter policies are required by the vendor, the detection and denial of virtual machines becomes preferable. It is more common to combine this capability with concurrent network licenses, as previously discussed, to create a more workable solution.
Lastly, for maximum levels of assurance, a hardware key is the best choice so that the information related to license enforcement can be stored in a location that is trusted and guaranteed to be external to the virtualized environment.

Closing Thoughts

It is clear that virtualization is not a short term craze. It is here to stay and, in many ways, is still in its infancy. As virtualization evolves, it will become increasingly more difficult to tell the difference between virtual and real environments. Automated software license enforcement must evolve with virtualization, and the initial tendencies to distance license enforcement from virtualization threaten to make the problem a harder one to solve.

Fortunately, there are now feasible options available for software publishers to stop perceiving virtualization as a source of revenue leakage or a blocker of sales, but instead as an opportunity. Those vendors who utilize the tools available to embrace virtualization the soonest will create a significant differentiator between themselves and their competitors.

The SafeNet Approach to Licensing in Virtual Environments

SafeNet recognizes that the rapidly growing popularity of virtual machines (VMs) within enterprise organizations makes a software vendor’s ability to license and control their applications within any virtual environment critical to business growth and durability. Successful management of software requires not only support for licensing in virtual environments, but also the ability to enforce license terms once the application is deployed on a virtual machine. Without the enforcement, software publishers have no control over the license and, therefore, their revenue.
While hardware keys remain the most effective way to prevent unauthorized use and distribution of software in virtualized environments, for some, that option is not practical. Until the release of SafeNet’s VM fingerprinting solution, software vendors wishing to extend their software-based licensing implementation to support virtualized environments were limited to methods that detect the presence of a VM and either allow or deny the execution of the software within those environments—an incomplete solution without any measure of controlling the application once authorized.

With SafeNet, there is finally a viable third option – authorize and control software in any virtualized environment with the industry’s first and only technology-agnostic VM fingerprinting solution. By enabling software vendors to uniquely lock a license to a single VM, just as they would in a traditional licensing scenario, SafeNet’s technology protects the license, and therefore the application, from copy and duplication in any end user environment, virtualized or otherwise.

SafeNet is the industry’s only software licensing and management technology vendor to offer software vendors both hardware- and software-based options for licensing applications in any virtualized environment.

SafeNet’s options for licensing applications in any virtualized environment allow you to:
  • Protect revenue by preventing copy/duplication of applications in virtual environments
  • Reduce churn, secure new business, and improve competitive position by supporting use of your application(s) within virtual environments
  • Increase profit with licensing and pricing models for virtual environments

SafeNet Software Rights Management Solutions

Sentinel HASP®

Sentinel HASP, formerly Aladdin HASP SRM, is the industry’s first and only software licensing and security solution to enable the use of either software- or hardware-based protection keys to enforce software protection and licensing. With Sentinel HASP, you can increase your profits by protecting against losses from software piracy and intellectual property theft, and enable innovative business models to increase value and differentiate your products. Sentinel HASP fully integrates with your existing software product lifecycle to minimize disruptions to development and business processes. Featuring easy-to-use, role-based tools for developers, product managers, order processing, and production, Sentinel HASP ensures a short learning curve and optimum use of employee time and core competencies—ensuring quick time-to-market and the ability to quickly respond to changing market needs.

To download a FREE Sentinel HASP Developer Kit, visit:

Sentinel RMS®

Sentinel RMS is a robust license enablement and enforcement solution providing software and technology vendors with control and visibility into how their applications are deployed and used. Focused on scalable and flexible license management, RMS is ideal for applications deployed in medium to large scale enterprise environments. Implementation of RMS provides a tie-in to software licensing agreements in order to enforce the terms and conditions by which you manage your products.
In addition to reducing the risk of piracy, RMS enables you to offer a variety of license models to flexibly price and package your products. When combined with Sentinel EMS, SafeNet’s enterprise-oriented, Web-based management system, Sentinel RMS provides a complete solution for license management and enforcement. Sentinel RMS is deployed by both industry-leading enterprise software vendors and high-tech device manufacturers.
SafeNet Sentinel Software Monetization Solutions

SafeNet has more than 25 years of experience in delivering innovative and reliable software licensing and entitlement management solutions to software and technology vendors worldwide. Easy to integrate and use, innovative, and feature-focused, the company’s family of Sentinel® Software Monetization Solutions are designed to meet the unique license enablement, enforcement, and management requirements of any organization, regardless of size, technical requirements or organizational structure. Only with SafeNet are clients able to address all of their anti-piracy, IP protection, license enablement, and license management challenges while increasing overall profitability, improving internal operations, maintaining competitive positioning, and enhancing relationships with their customers and end users. With a proven history in adapting to new requirements and introducing new technologies to address evolving market conditions, SafeNet’s more than 25,000 customers around the globe know that by choosing Sentinel, they choose the freedom to evolve how they do business today, tomorrow, and beyond.

LicensingLive!™ (lahy’sun sing lahyv’), adj. n. [SAFENET, INTERACTIVE]
  1. Immediate access to the best practices and emerging challenges associated with software packaging, pricing, fulfillment, delivery and management.
  2. A forum bringing together software vendors, industry analysts, licensing consultants and technology vendors.
For more information on SafeNet’s complete portfolio of Software Monetization Solutions for installed, embedded, and cloud applications or to download a free evaluation of our award winning products please visit

* Enterprise End-User Survey: In September 2010, SafeNet commissioned Vanson Bourne, a third party firm, to survey 300 senior IT decision-makers in the USA (typically CIOs or equivalent), normally the head of the IT function within the organisation. Respondents were based in finance, RDT (retail, distribution and transport), the public sector, manufacturing and other commercial sectors. In April of 2010 Vanson Bourne completed the same study across select European and Asian territories.

Contact Us: For all office locations and contact information, please visit

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-11.16.10