
In May, the Business Software
Alliance, the industry's licensing watchdog,
launched a six-week blitz to cut the use of illegally copied or
counterfeit software across 5,000 businesses in the Manchester
area.
Organisations in the city were sent a letter advising them to
audit the software installed on their systems and check whether it
was properly licensed.
The BSA warned that 11 companies were already under
investigation for software licence violations. But it said no legal
action would be taken against any company that signed up to its
software audit programme by 30 June.
Campaigns such as the Manchester crackdown feature regularly in
the BSA's efforts to reduce the proportion of
illegal software in use around the world. The organisation says
26% of business software in the UK is illegal, although the way
this figure is calculated by research firm IDC has been
questioned.
What is not in doubt is that many businesses have a discrepancy
between the licences they have bought and the software installed on
their systems.
"Typically, this happens because there is not enough control
over the process of acquiring software," says Peter Alderson,
software asset management specialist at Computacenter.
Although software accounts for a sizeable chunk of IT assets,
contributing as much as 40% to the annual cost of ownership of IT,
most companies make little effort to maintain accurate records.
"It is rare that people will do this unprompted," says Gregory
Lefort, managing director at
Staff & Line, an
asset management tools company. "Companies tend to firefight rather
than anticipate what may happen."
Preparing for audit
All software licences contain clauses about the supplier's right
to audit their use. How should a company prepare for the
possibility of an audit? The hardest task is to establish what
licences it is entitled to. The problem is that it is not enough to
prove that a purchase took place. "You need to create evidence of
ownership," says Alderson.
Users may be required to produce certificates, product boxes,
manuals and even media on which software was supplied, as well as
purchase orders and invoices.
Alderson says companies need a dual system: a record of the
licences and a physical store of evidence. The record should
summarise the number of licences. This avoids double counting when
a company buys a new version of software it already owns.
The next step is to find out what software is installed. In most
cases, this involves using a discovery tool, such as products from
Centennial, Eracent and EasyVista, which dispatch agents to inspect
systems and log the software a business is using.
Discovery tools work best with the simplest form of software
licence: one installation per machine. It is more complex when a
user buys a concurrent licence that might, for example, allow 500
PCs out of a total estate of 1,000 to access a program at any one
time. Concurrent licences and licences covering client-server
systems require metering, which may be difficult to provide
retrospectively.
Virtual complications
The development of virtual machines has added a further
complication.
"Approach
virtualisation very carefully," says Phil Heap, head of
consultancy and membership products and services at the Federation
Against Software Theft (Fast). "Some virtual machines are only
licensable when they are switched on, and you need to use tools to
record when they are switched on and when they are switched off.
One of the exciting things is that hundreds of virtual machines can
be created in minutes, but you will need another layer of
administration to ensure only certain people can create them."
Reconciling the results from the record of entitlement and the
discovery process can be problematic. For instance, some discovery
tools record information about the same piece of software in
different ways. The
Leonard Cheshire Disability charity encountered this problem
when tracking 1,600 PCs in 150 locations.
"One of the problems is that with such disjointed systems,
keeping everything in one place is no easy task," says Joy Jerram,
the charity's service delivery manager. "We did try using Microsoft
SMS [now called Configuration Manager] and that discovered all our
assets without a problem, but it became extremely labour intensive
for us to administer. We had too much information and were spending
hours trying to decipher all this data."
Matching company records with suppliers' records can be tricky,
too. "Vendors may have a different view from you," says Alderson.
"To make matters worse, there are only a small number of vendors
who can give you accurate information about what you own."
He stresses that an audit gives only a snapshot of a constantly
changing picture. Winning over a sceptical board of directors, who
may see software asset management as merely an expense, is the
first step to long-term software compliance. Companies should spend
3% to 5% of the value of software they own on managing its use,
says analyst firm Gartner.
Not only are there 21 pieces of legislation that affect the
software that companies own, including the Computer Misuse Act, the
Data Protection Act and the Copyright, Designs and Patents Act, but
there are also hefty penalties of up to 10 years' imprisonment
associated with flagrant copyright breaches.
The BSA also says an organisation that runs copied software may
have to pay fines for past unlicensed use, back licences and legal
costs.
But there is also an upside to asset management: the prospect of
saving money by using existing licences more effectively. An audit
not only reveals gaps in licensing, but also programs for which an
organisation may have too many licences.
"If you eliminate software you do not need, you can save
millions," says Mark Cresswell, chief executive at
Scalable Software, a company
that provides software metering tools. "One customer was paying
$22,000 a month for three commonly used desktop packages, but had
enough copies that they didn't need to buy another licence for four
years."
How does a company acquire more licences than it needs? Often it
is the fault of the IT department for not watching the comings and
goings of employees, so that it buys new licences instead of
reassigning existing ones.
Equally, a company may be paying for software for individuals
who rarely use it, or managers may have allowed staff to buy
programs when licences were already available.
Achieving compliance
Of course, working out what licences a company needs is not
easy. There are more than 500 types of Microsoft licence alone.
Licences may be perpetual or for a specific period and they may or
may not include an entitlement to patches and upgrades.
"It is important to have a process in place that begins with
asking for the business case for acquiring a piece of software,"
says Heap. "The next question is whether the organisation already
has the software that is needed and whether it is tested and
approved. The final question is whether you have a licence for
it."
In the longer term, it is advisable to introduce controls such
as central procurement with management sign-off on purchases, and
to appoint an individual with responsibility for ensuring that
software is compliant.
Companies looking to kick-start an asset management programme
should concentrate on the top five or 10 publishers. They should
prepare for an audit by building relationships with suppliers so
they can obtain updated information that allows them to check their
records.
Some software companies believe helping users to manage their
licences not only ensures their products are paid for, but is a
welcome additional service. However, the industry's approach to
licensing doesn't always make it easy for users to stay on the
right side of the law. "The biggest cry is for the industry to
simplify these licences," says Heap.
Some commentators go further, accusing suppliers of using
confusion about licences to increase revenues. "The industry could
do more to make asset management easier. One tactic is to seek out
customers who are under-licensed," says Lee Schofield, director for
alliances at Trustmarque.
Nonetheless, he maintains more users are taking software
auditing seriously. They do not wait for suppliers to come knocking
at their doors, but have moved compliance to the top of their
agenda.