ARTICLE: Ten Leaks In Your Software Management Process

by Martin Thompson on April 23, 2009

in Articles, SAM

There is only one thing worse than being audited by a software vendor and finding yourself out of compliance – and that’s allowing it to happen again a few years down the line.

From a known compliant state, fully licensed and up to date – how does an organisation slowly fall out of compliance?

Where are the leaks?

End User Leaks
1. End users on the network install software themselves without an appropriate license. This can be through:

  • Deliberate abuse
  • Ignorance of the terms and conditions, or
  • Not checking that the business is covered.

2. End users buy legitimate software themselves but don’t pass the purchase and license information on to the purchasing department, or breach the terms and conditions.
3. End users buy legitimate software but via the wrong channels, e.g. not via the recognised volume agreement.

IT Department Leaks
4. The IT department installs software or redeploys existing software without checking license entitlement.
5. The IT department installs software and checks license entitlement, but then licenses it incorrectly. This can be through:

  • Using licenses outside their original terms and conditions, e.g. OEM confusion, or using academic licenses in a commercial environment
  • Using the wrong version or edition, e.g. Professional rather than Standard
  • Failing to inform end users of the terms and conditions once it’s installed.

6. The IT department installs software in virtual environments incorrectly:

  • Software is installed on a server which many people can access, exceeding the total number of users allowed to access that application.
  • Software is installed whose licensing is based on the hardware profile of the machine it runs on, or on the number of connections, without understanding the consequences.

7. Losing track of physical copies of license agreements.

Supplier Leaks
8. Your hardware supplier ships hardware with inappropriate OEM software.
9. Your software supplier sells you counterfeit software.
10. You are mis-sold software by the vendor or reseller, or they lose track of your purchase history.

Have I missed anything? How else do companies fall out of compliance?

13 comments

1 Ilan Justh April 25, 2009 at 4:53 am

You might install software from a vendor disc that carries multiple programs when you only have rights to the one item you purchased.

2 Martin Bull April 26, 2009 at 10:53 pm

End User Leaks
4. End users buy legitimate software themselves and install it on multiple PCs without recognition of the license terms and conditions.

3 Craig Wilson April 27, 2009 at 3:42 pm

A couple of thoughts to add…

- Failing to uninstall at the end of a fixed term subscription based agreement or trial / evaluation period.
- Deliberate abuse: some software vendors specifically look on all systems for key crackers during an audit, which naturally changes significantly how they engage with the account.

4 Peter Jones April 27, 2009 at 4:38 pm

The end user installs the software THINKING they understand the license, and the reverse of 2: IT/Purchasing do not advise the end user of the license terms.

5 Matt Marnell April 27, 2009 at 8:07 pm

- Failure to retain physical copies of the EULA and Certificates of Authenticity provided with the software media, in addition to your POs and invoices.

Publishers say to hold tightly to these additional bits of physical evidence – they don’t always keep complete/actionable records either!

6 Andrew Harcourt April 27, 2009 at 9:02 pm

A few thoughts of my own:

- A physical server with a wide portfolio of applications installed is cloned and virtualised on a much more powerful machine. No consideration is given to the extra CPUs that require licensing, or to whether any of the applications’ EULAs permit or deny virtualisation rights.

- A number of desktop applications are removed from PCs and placed on a Citrix environment. No consideration is given as to who can access what, and a shortfall of 2,000 licences is uncovered during an audit.

- An application that is procured as boxed product is packaged for mass deployment and widely deployed.

7 Troy Parker April 29, 2009 at 1:00 am

In my role as a software licence compliance auditor, it is very often identified that licence shortfalls are directly attributed to an insufficient knowledge and understanding of licence terms by those responsible for licence compliance.

In particular, organisations who have deployed software in virtualised server environments are often identified as having insufficient licenses for the way in which those virtualised server environments have been configured (Using DRS for example). The licensing of virtualised environments can be very complex and with more and more organisations moving to the use of virtualised server technologies this appears to be an area where non-compliance is growing.

8 Sandi Conrad April 29, 2009 at 1:43 am

Machines are redeployed without being cleared of the original image. A real life example of where it can get expensive: Old CAD system is moved into a general office role. CAD software, full Office Package, maybe some graphics software and MS Project Pro are all left on the system, when the new user only needs MS Word. Previous user gets a new system and reinstalls all the previous packages, perhaps upgraded and suddenly the company is out of compliance.

9 Rory Canavan April 30, 2009 at 9:02 am

End User Leaks:

Not educating your user-base to what they are and are not allowed to do with their IT equipment

IT Department Leaks:

No consideration being given to regular auditing and reconciliation of audit data against proof of entitlement.
IT Departments not ensuring that the manner in which software is deployed matches the licence they have to use it.
Insufficient knowledge transfer caused by a turnover of IT staff.

Supplier Leaks:

Trusting your supplier that evaluation software hasn’t been bundled on to hardware you have installed.

10 Ben McCullom May 1, 2009 at 3:53 pm

Nice job Martin. All true, but the thing I have seen most in the market is a lack of corporate commitment to this discipline and a lack of identified processes in place to track and confirm the current state.
Ben

11 James V. Melillo May 6, 2009 at 8:28 pm

Having strong corporate backed procurement, change and problem management processes that incorporate asset management as a key component can go a long way to stopping some of these leaks.

12 Martin Thompson May 6, 2009 at 8:30 pm

Thanks very much for all feedback for this article. I have taken the feedback on board and edited accordingly. I think the most important one mentioned was the loss of physical evidence to prove what you own.

I’m sure from a legal standpoint the responsibility for lost licenses sits with end users but vendors are notorious for keeping poor purchase information and I think it should be a shared responsibility.

13 Cynthia Farren July 8, 2009 at 12:04 am

Typically we see three major holes in companies when it comes to software licensing:

1) Imaging – images are built or modified without review by the person/unit with licensing responsibility.
2) Lack of product use rights knowledge particularly around servers and server access licenses (production, development, virtual, remote access, mobile device access, etc).
3) Guesswork, you can’t manage what you don’t know.

Many of the items listed fall into one of these three categories but I think it’s important to also acknowledge the root causes.
