Keeping track of software licences

If a company does not keep tabs on the software it is using, it can get expensive - both in terms of wasting money and running foul of compliance law.

Ensuring that the software deployed in a company is properly licensed is not optional. It is a legal requirement and simply being unaware of unlicensed software does not get the IT director off the hook, analyst firm Ovum has warned in its latest report on software auditing.

In the report Ovum analyst Alys Woodward recommended that users have some kind of process in place to ensure that a detailed audit of the software installed within the organisation is conducted at least twice a year.

"We regard this level of compliance as a minimum requirement for competence as a CIO or IT manager," she said. Auditing to find out exactly what software is being run is also a good way for an IT department to cut unnecessary costs.

Aidan Lawes, chief executive at the IT Service Management Forum, said, "There are lots of instances where companies find they have been paying licences for software they have not been using for years."

One such case was highlighted when the BBC implemented Sassafras Software's Keyserver. The broadcaster is always under pressure to control costs so it can limit increases in TV licence fees for its viewers and offer best value from the revenues collected.

No operations area in the BBC escapes the pressure to reduce costs and the IT department is always looking for ways to contribute to this.

The corporation has more than 27,000 computers to manage throughout the UK, and auditing usage and managing software licence compliance is a challenge.

When the BBC decided to deploy Keyserver to track software licence compliance, an initial sweep of the network showed that large numbers of installed software products were not being used.

One package was found to be installed and licensed on more than 3,000 computers but was only in use on 300 of them.

This offered an initial saving to the company but Keyserver also revealed a host of unauthorised software running on the systems. This consisted primarily of peer-to-peer applications downloaded from the internet, which posed a security threat as well as potentially degrading the service for official network traffic.

Once located, the offending packages could be removed and blocked. The sweep could also reveal unauthorised packages that were beneficial to the company, which could then be properly assessed, licensed and controlled.

The BBC now conducts weekly audits of every PC and integrates these reports with Altiris client management data to produce consolidated deployment and usage reports to ensure that software usage remains legal and acceptable.

Keyserver has also been linked to an in-house software purchasing system for more accurate purchasing control. This also gives the purchasing staff a better basis to work from when negotiating with software suppliers.

The company has integrated Keyserver with Microsoft Active Directory for end-point authentication and the net effect is the ability to centralise control. Previously, there were dozens of people scattered across different departments responsible for software management; this has been reduced to two full-time positions within the IT department.

Ray Wang, principal analyst at Forrester Research, said, "It is difficult dealing with multiple suppliers and the number of licences and contracts that are out there. It takes about 23% of an IT department's time to manage the supplier relationships - and that is productivity wasted."

The decommissioning of computers, the repurposing of equipment, or situations where a system is taken out of service for a prolonged period can all lead to licences lying dormant.

Management software can flag that something has gone offline but cannot work out why, and it may even forget that the machine existed when the next auditing sweep is made. Sun Microsystems is looking at an interesting use of RFID chips in this regard.

The Sun RFID Industry Solution is a hardware and software combination based on Java to provide real-time visibility and an audit trail of asset movements and maintenance records.

It is designed to track assets that are not attached to a network and goes beyond IT hardware to include any asset, such as medical equipment.

Under such a system, every computer or peripheral would have a unique RFID tag by which it can not only be identified but also be discovered if it is not where it should be.

The system would be most effective if numerous RFID receivers were placed around a company's buildings, but it is possible to search using a handheld device.

The current maximum range of an RFID signal is 10 metres for a handheld detector combined with the latest UHF tags, so the method would not be simple but it would be a vast improvement on manually searching every nook and cranny.

Unused hardware would be located and the inventory could be checked to determine whether there was any licensed software on board using up a licence key that could be applied elsewhere.

The need for a software inventory has led to the situation where licence management is a component part of high-end suites such as HP Openview, IBM Tivoli and CA Unicenter. These are mainly sold to companies that would tend to apply for site licences to ensure compliance with licensing rules for key applications rather than worrying about juggling individual licences.

For instance, HP offers licence management as part of its Openview enterprise systems management offering. Ian Curtis, HP's software director for UK and Ireland, said this had been enhanced by the addition of technologies that came with the acquisition of IT asset management firm Peregrine Systems.

The central piece is an asset management module that not only details hardware assets but also the software inventory of each computer on the network, bringing Openview into line with other suppliers' products.

Wang said larger companies were trying to move their suppliers away from individual licensing. "If given the opportunity, enterprises plan to move away from the named-user model.

"We expect this dissatisfaction to continue through 2008, when new licensing models around business processes and virtualisation technologies will be introduced by suppliers as standard and accepted by large enterprises."

All-embracing licences only work with widespread applications such as office productivity suites, core databases and ERP/CRM systems. At some point all companies have to handle more limited licensing.

Options become reduced as company size decreases. The cost benefits of site and enterprise licensing are eclipsed and alternatives such as concurrent licensing and named-user licensing are inevitable.

At this level there are options in the less expensive management suites for licence management along with inventory and deployment. Companies involved in these areas include BigFix, Vector Networks' PC Duo Enterprise, Managesoft and LANDesk.

Alternatively there are products that specialise in licence management. Suppliers in this field include Sassafras Software, Scalable Software, and Palamida.

Typical features of these packages are the ability to control licences for internally developed software as well as externally sourced applications.

Amy Konary, programme director for software pricing, licensing and delivery at analyst firm IDC, described asset management as having three processes. The initial phase is the discovery of hardware and software within the environment.

Licence management is the important task of monitoring and controlling the number of seats available for each package. Finally there is software metering to determine who is using specific software, rather than merely owning it.

Konary said, "Compliance is one benefit, but a more enticing benefit is the ability to better control, manage and predict software usage to help plan for future purchases more effectively and avoid overbuying.

"Although software suppliers typically make it easy for customers to buy more software, they do not typically make it easy for customers that bought too much in the first place and want to downsize."
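The three processes Konary describes (discovery, licence management and metering) can be joined in one reconciliation pass, sketched here as an added example that is not from the article or from any product it names. Host names, package names, dates and the 90-day idle threshold are constructed assumptions; the pass also lists hosts missing from recent sweeps, where dormant licences tend to hide.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article); every name and date is hypothetical.
AUDIT_DATE = date(2006, 6, 1)
ENTITLEMENTS = {"DrawPro": 3, "OfficeSuite": 2}      # licence records: seats purchased
INSTALLS = [                                          # discovery: (host, package)
    ("pc01", "DrawPro"), ("pc02", "DrawPro"), ("pc03", "DrawPro"),
    ("pc01", "OfficeSuite"), ("pc02", "OfficeSuite"), ("pc03", "OfficeSuite"),
    ("pc02", "p2p-client"),
]
LAST_USED = {                                         # metering: last launch observed
    ("pc01", "DrawPro"): date(2006, 5, 28),
    ("pc01", "OfficeSuite"): date(2006, 5, 30),
    ("pc02", "OfficeSuite"): date(2006, 5, 29),
    ("pc03", "OfficeSuite"): date(2006, 1, 10),
    ("pc02", "p2p-client"): date(2006, 5, 31),
}
LAST_SEEN = {"pc01": date(2006, 5, 31), "pc02": date(2006, 5, 31),
             "pc03": date(2006, 1, 12)}               # last audit sweep that saw the host

def reconcile(installs, last_used, last_seen, entitlements, today, idle_days=90):
    """Join discovery, licence counts and metering into one report per package."""
    report = defaultdict(lambda: {"installed": 0, "in_use": 0, "reclaimable": []})
    for host, pkg in installs:
        row = report[pkg]
        row["installed"] += 1
        used = last_used.get((host, pkg))
        if used is not None and (today - used).days <= idle_days:
            row["in_use"] += 1
        else:
            row["reclaimable"].append(host)           # installed but idle: seat can move
    for pkg, row in report.items():
        seats = entitlements.get(pkg)
        row["no_entitlement"] = seats is None         # nothing purchased: review or remove
        row["over_deployed"] = max(0, row["installed"] - (seats or 0))
    # Hosts absent from recent sweeps may still hold licence keys.
    stale = sorted(h for h, seen in last_seen.items() if (today - seen).days > idle_days)
    return dict(report), stale

if __name__ == "__main__":
    report, stale_hosts = reconcile(INSTALLS, LAST_USED, LAST_SEEN, ENTITLEMENTS, AUDIT_DATE)
    for pkg, row in sorted(report.items()):
        print(pkg, row)
    print("hosts missing from recent sweeps:", stale_hosts)
```
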

IDC predicts worldwide revenue associated with software product lifecycle management will grow at 24.3% from 2004 to 2009 to reach £550m by 2009. According to Konary, the US will account for half of this total revenue. One of the reasons for this is the country's more stringent laws controlling company governance.

In the near term, there is the problem of web services and how licences could be adapted for the fragmented applets that will form the applications of the future. Wang said, "You could potentially price by process, or price by a module of services relating to a process, or you could take it to another level of abstraction where you can use a collection of services if you are in this role. This is where role-based pricing comes in."

The web basis of the services means that it would be possible to charge on a per use basis or on a contract basis. Suppliers will want customers to use as many of their web services as possible and that is where Wang sees role-based pricing coming in.

Microsoft is defining different combinations of its Visual Studio Team System and corresponding subscription offerings for three roles: architects, testers, and developers. It is also showing signs of preparing the ground for roles in its Office suite by defining numerous package combinations for the 2007 Office System.

Although no supplier has yet developed role-based licensing, Wang believes Microsoft is closest to it. "It has rolled out user-based pricing based on significant building of software based on roles and as it does that it has the capability to price by roles. This will definitely give Microsoft the advantage of eventually building web services around these roles - if it chooses to do it."

Which software is hardest to track?

Auditing software has difficulty identifying programs that:

  • Do not update the operating system management controls completely or correctly
  • Do not appear in its list of recognised applications
  • Do not leave evidence on a hard disc or in memory
  • Reside on an unsupported platform
  • Reside on machines that are not active; for instance, never turned on, or never connected to the network.

Source: Ovum
