Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Software Asset Management - An iceberg named SAM

10,596 views

Published on

Software licenses are usually un-managed - assets that are out of sight seem to be out of mind. Overlooking license management is dangerous to the health of the organization and this has been proven time and again when companies have had to pay hefty fines for non compliance. Software Asset Management is a discipline which helps take care of licenses and is the iceberg which can 'titanicize' an organization.

Published in: Technology, Business

Software Asset Management - An iceberg named SAM

  1. 1. SOFTWARE LICENSE MANAGEMENT Dinesh O Bareja CISA, CISM, ITIL, BS7799 16th Annual Karnataka Conference GRC – Compliance to Culture JULY 19 & 20, 2013 named SAM an
  2. 2. ನನನ ಹೆಸರು SAM ಆಗಿದೆ My name is SAM मेरा नाम SAM है என் பெயர் SAM నా పేరు SAM ఉంది
  3. 3. • Some audience questions - how many know the full form of SAM • Now that we have been introduced to SAM and we know it relates to software licenses – how many have ACTUALLY read the EULA of all the installations in one’s organization or on one’s machine • Against reading the EULA – how many of us have read the BOM, SOW, Proposal and vendor documentation – did anyone raise any objections • Is the Warranty or SLA document reading done from end to end? I am sure you would have already asked the “right” questions and got the “correct’ answers! (at the time of purchase) • Some more questions…. • Is your ITAM automated ? Managed ? Traditional ? • Are you compliant with ISO27k1 controls for IT Asset Management Information Gathering
  4. 4. MY PRESENTATION… It is about that one discipline which has the highest priority in our profession (or life) BUT Once entered into a Register …. It is history !
  5. 5. This is SAM The size and shape depends on the size and maturity of your risk and compliance management systems
  6. 6. SAM ISMS R I S K SAM requires attention as the big RISK may be overlooked in the ISMS Ocean
  7. 7. In a nutshell… it is about High time we got SAM’s full name! What do we own What do we need What are we using Are we Over or Under Do we have visibility When should we buy How much to buy Are all licenses managed Are upgrades managed Are we compliant to EULA Do we audit regularly
  8. 8. • Software licenses are valuable assets and should be managed as such • Helps control costs and optimize the software assets usage • Provide effective control of the software lifecycle • Enable processes to manage software health and secure the lifecycle • Ensure legal compliance • Achieve cost savings (salvage unused licenses; no unplanned purchases) • Control of software licenses over-purchase and maintenance • Financial penalties for license non-compliance • Negative publicity • Strengthens ability for better vendor software negotiations • Visibility over current state of assets Software Asset Management
  9. 9. STANDARDS • ISO/IEC 19770‐1:2006 SAM Processes – regular • ISO/IEC 19770‐2:2009 Software Identification Tag • ISO/IEC 19770‐3 Software Entitlement Tag • ISO 27001 • ITIL Standards Because of the complexity of a good process and supporting technology, companies struggle in their effort to achieve even an adequate level of SAM.
  10. 10. • Section 7: Asset management: The organization should be in a position to understand what information assets it holds, and to manage their security appropriately. • 7.1 Responsibility for assets • All [information] assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses. • 7.2 Information classification • Information should be classified according to its need for security protection and labeled accordingly. [While this is clearly most relevant to military and government organizations handling ‘protectively marked information’ (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.] ISO27001 – Asset Management
  11. 11. The standard facilitates the following through SAM implementation: • Risk management • Cost control facilitation • Competitive advantage ISO19770
  12. 12. • Business Risk Management – interruption to or deterioration in the quality of IT services; legal and regulatory exposure; Damage to public image arising from any of these • Cost Control – Reduced direct costs of software and related assets, such as by negotiating better pricing through improved use of volume contracting arrangements, and by avoiding purchasing new licenses when old ones can be redeployed – Reduced time and cost for negotiating with suppliers because of better information availability – Reduced costs through improved financial control, such as through better invoice reconciliation and more accurate forecasting and budgeting – Reduced infrastructure costs for managing software and related assets, by ensuring that required processes are efficient and effective – Reduced support costs which are significantly affected by the quality of SAM processes, both directly within IT and indirectly within end-user areas ISO19770
  13. 13. • Competitive Advantage – Better quality decision making because of availability of more complete and more transparent information (e.g. IT procurement and system development decisions may be made more quickly and more reliably with better quality data) – Able to deploy new systems and functionality more quickly and reliably in response to market opportunities or demands – Providing IT which is more closely aligned to business needs, thus ensuring that all users have access to appropriate software and applications – Able to handle the IT aspects of business acquisitions, mergers or demergers more quickly – Better personnel motivation and client satisfaction through having less IT problems ISO19770
  14. 14. ISO19770 Framework Organizational Management Processes for SAM Core SAM Processes (Processes that define SAM) Primary Process Interfaces for SAM
  15. 15. Organizational Management Processes for SAM • Corporate governance process • Roles and responsibilities • Policies, processes and procedures • Competence • Planning • Implementation • Monitoring • Continual Improvement ISO19770 Framework
  16. 16. Core SAM Processes (Processes that define SAM) • Software Asset Identification • Software Asset Inventory Management • Software Asset Control • Software Asset Record Verification • Software licensing compliance • Software asset security compliance • Conformance verification for SAM • Relationship and contract management for SAM • Financial management for SAM • Service level management for SAM • Security management for SAM ISO19770 Framework
  17. 17. Primary Process Interfaces for SAM • Change Management Process • Acquisition Process • Software Development Process • Software Release Management Process • Software Deployment Process • Incident Management Process • Problem Management Process • Retirement Process ISO19770 Framework
  18. 18. • SAM …. IS NOT AT ALL plain and simple inventory management ITAM ≠ Inventory Management
  19. 19. If your policy is oriented towards ITAM as a whole and does not think about software as a special area requiring control or identified as high risk…. Then this is TRUE ! True ??
  20. 20. Why is SAM overlooked!
  21. 21. The EULA … what you did not read This Is What You NEVER Read!
  22. 22. • When you purchase a Microsoft Server you need to have a Server CAL (Client Access License) for each workstation that connects to the server. This is regardless of if you are using a Microsoft Operating System on each computer • OEM License is considered compliant when you have the OEM license pasted on the machine not just possessing a paper license Surprise! Have you heard of any CIO/CTO who shared a EULA with the Legal and / or Finance team ?
  23. 23. Surprise ! Maybe You Missed A Lottery! • This company offered a prize hidden in the EULA • After 3000 downloads one person claimed the $1000 prize
  24. 24. © LukeSurl.com – with apologies for cropping the image The EULA is a legal agreement between you (either a corporal and / or mortal entity) and SATAN for your eternal soul which includes your post-death hereafter and any associated spiritual identities including good/evil alignments (“COMPLETE OWNERSHIP OF YOUR SOUL”). By selling, bargaining or otherwise surrendering the COMPLETE OWNERSHIP OF YOUR SOUL you agree to be bound in servitude to the Dark Lord for all eternity. If you disagree with this EULA or are unable or unwilling to accept these….
  25. 25. • Howlers! EULA s
  26. 26. • Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees. • “You may make one backup copy of the Software, provided your backup copy is not installed or used other than for archival purposes. You may not transfer the rights of a backup copy unless you transfer all rights in the Software….” • "By posting user content to any part of the site, you automatically grant to the company (ie Facebook) an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, display, reformat, translate, excerpt (in whole or in part) and distribute such user content for any purpose, commercial, advertising or otherwise…. Some EULA Terms
  27. 27. • Autodesk or its authorized representative will have the right, on fifteen (15) days’ prior notice to Licensee, to inspect Licensee’s records, systems and facilities, including machine IDs, serial numbers and related information. • Microchip's authorized representatives will have the right to reasonably inspect, announced or unannounced and in its sole and absolute discretion, Licensee's premises and to audit Licensee's records and inventory of Licensee's use of the Software, whether located on Licensee's premises or elsewhere, at any time, in order to ensure Licensee's adherence to the terms of this Agreement. More “Terms”
  28. 28. • Liability of immediate purchase • Penalty • Reputation Loss • Downtime • Jail • Closure of business • Risk of unpatched versions • No Support from Vendor Consequences of Non Compliance
  29. 29. • Construction Company: 500 employees across 4 offices and multiple construction sites. Using AutoCAD, Microsoft Office, MS SQL, MS Project. Company had completed license reconciliation and transferred licenses to close delta. Vendor review discovers ‘keygen / cracks’ that were not cleaned as per remediation plan. Four (new) additional installations (pirated) discovered (the users had installed as they had some urgent requirement). Vendor assesses XX instances of non- compliance and proof of compliance has to be provided within ten days. Total amount paid Rs. 1.35 cr. Cases
  30. 30. • Web developer - Providing design and development services for clients. Owner plus 3 employees. Organization assets comprise 5 desktops and 1 laptop. Suspected that the vendor’s representative visited twice posing as customer. Followed by a visit from License Manager which was very unsavory. Demand of ONE license raised for compliance with proof to be provided in 7 days. Total amount paid Rs. 70,000 • Architect – individual professional having two assistants. Visited by vendor representative and had to comply with demand for 3 licenses. Lite version was required but had to purchase high end version as per demand. Amount paid for high end version Rs. 5 lacs whereas lite version would have cost Rs. 1.5 lacs Cases – You are never too small
  31. 31. • BPO and outsource development services company. 1400 employees at two locations. Company is ISO27001, ISO9001, ISO20000 certified. Request for review from vendor received. CISO initiates license reconciliation. Non compliance delta negligible. Vendor raises issue of CPU/User and raises new demand based on headcount to bulk license count – 10 days to comply. Additional license fees paid Rs. 95 lacs Cases
  32. 32. • WINTECH COMPUTERS circa 2000. 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute. Raid on the company in September 2000 carried out by Mumbai Police and officials a private investigating firm. Wintech Computers had no license to teach Oracle® software. 'I want to be the Bill Gates of India's computer education industry.' – March 2000, Murtuza Mathani, Wintech CEO. May 2001: Mathani's whereabouts unknown. Cases – Business Shutdown
  33. 33. • Large IT Services organization providing high end consulting globally. About 4000 strong workforce. Non compliant for use of software in training, backoffice – testing and research and development. Had to pay Rs 5 cr and have then recruited an Asset Manager and invested in commercial tools to manage SAM. Cases TAKEAWAY … WATCH OUT FOR TWO VERY IMPORTANT WORDS ENTITLEMENT INSTALLATION
  34. 34. • SAM is not to be overlooked • Not to be approached in the conventional asset management manner • Saves you from manifold risks that accrue from non- compliance • Create a position for an Asset Manager (it is economically feasible) Befriending SAM Best negotiations start before you even know what you want to buy Forrester Research http://www.computerweekly.com/ opinion/Forrester-Tips-for- software-contract-negotiation
  35. 35. Extract Benefits from SAM
  36. 36. Extract Benefits from SAM JUST TAKE CARE OF THIS NUMBER AND IT IS ENOUGH TO PROVIDE THE HARD CASH TO DEMONSTRATE THE VALUE OF YOUR OFFICE
  37. 37. • Mitigate Non Compliance arising out of a Mergers & Acquisitions • Clean Cracks and Keygens on your network for specific vendors • Discover and remove unauthorized installations of software from specific big name vendors whose products are used • Penalize rogue users on the network • Measure number of users accessing systems (installations) against your total license assets (entitlement) • Don’t try to be smart and uninstall after you get an audit request – the auditors have seen umpteen reactive actions and know all the tricks of the game • Bring Legal, Financial, Purchase, IT Operations and IS (Asset Mgt) functions together into a new License steering committee Risk Mitigation w. SAM Enablement
  38. 38. • Implement manual processes for CALs and other metrics that are not discovered by inventory tools • Calculate license entitlements to get your actual license position • Don’t overlook Open Source and trial Software • When trial versions expire REMOVE them • Create effective Change and Configuration Management controls • Implement network monitoring tools and push policies for end point configuration Risk Mitigation w. SAM Enablement
  39. 39. Maturity Model
  40. 40. This is YOUR Organization… big, strong, proud… the best! The bold corporation sailing to glory over uncharted waters!
  41. 41. Oops ! It’s an Iceberg !! It’s a SAMberg
  42. 42. Not a desired destination ! But SAM non compliance brings with it the risk of such a fate !
  43. 43. This is how we want it to be and continue into a long long time Without the risk of disruption due to SAM non-compliance and all the attendant disastrous outcomes
  44. 44. SAM is complex, but is your best friend Manage Software Licenses so that your organization is not “titanicized” Remember the EULA has a loads of ‘small type’ and reading it will be good for your organization health! And your job! Do Not Support or Condone Piracy !
  45. 45. • Professional Positions – Open Security Alliance (Principal and CEO) – Jharkhand Police (Cyber Security Advisor) – Pyramid Cyber Security & Forensics (Principal Advisor) – Indian Honeynet Project (Co Founder) • Like all IS professionals .. Eternal InfoSec and Technology learner. • Professional skills and special interest areas – Security Consulting and Advisory services for IS Architecture, Analysis, Optimization.. – Technologies: SOC, DLP, IRM, SIEM… – Practices: Incident Response, SAM, Forensics, Regulatory guidance.. – Community: mentoring, training, citizen outreach, India research.. • Opinioned Blogger, occasional columnist, wannabe photographer • Contact Information: Dinesh O. Bareja, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM E: dinesh@opensecurityalliance.org T: +91.9769890505 Twitter: @bizsprite Facebook: dineshobareja L: http://in.linkedin.com/in/dineshbareja
  46. 46. References • http://www.informationweek.in/security/13-07-15/software_asset_management_- _an_iceberg_called_sam.aspx • http://securambling.blogspot.com/2013/06/software-asset-mis-management-who.html • http://securambling.blogspot.com/2013/05/discovering-sam.html Contact Information Acknowledgements & Disclaimer Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s). E: dinesh@opensecurityalliance.org T: +91.9769890505 Twitter: @bizsprite Facebook: dineshobareja L: http://in.linkedin.com/in/dineshbareja

×