01 Feb 2006
Concerns about complying with software license agreements have plagued IT managers for as long as software has been around. The protection of intellectual property rights is a fundamental tenet of the software business. Industry watchdogs, such as the Business Software Alliance (BSA) and the Software and Information Industry Association (SIIA), are placing a renewed emphasis on enforcement, collecting hundreds of thousands of dollars in settlements and fines on a regular basis. And software vendors, often through third-party firms, are more active than ever in conducting audits of their customers.
Despite much of the high-minded talk from these watchdogs about honesty and staying legal, many analysts and pundits say the current software license-compliance campaigns are really a ploy by software vendors to generate additional revenues in a saturated market. Software vendors may generate revenue by forcing customers to "pay up" after an audit or even suggest that they move to more costly volume license programs with fewer tracking requirements. Regardless of the motives of software vendors, organizations need to take their compliance status seriously to avoid the very real risks associated with noncompliance, such as fines and the embarrassing public relations that often accompany software piracy.
Who Are the Auditors and Where Do They Get Their Authority?
In the United States, the basis for enforcing license agreements stems from the copyright provision (Title 17) of the U.S. Federal Code (and similar legislation in other jurisdictions). This federal law protects the works of software publishers and other intellectual property creators. Certain software publishers give the power of attorney to industry organizations (such as those mentioned) to enforce their rights under this law.
Figure 1: The License View of discovered software products becomes the basis for the reconciliation between software inventory and licensing data. By normalizing and filtering the discovered product list as described here, the asset manager typically reduces the number of titles they need to reconcile by a factor of 10 when compared to other tools.
The BSA and SIIA are member-driven organizations that represent the major software vendors they comprise. BSA membership includes 16 large software vendors, such as Microsoft, Adobe, Symantec and Apple, while SIIA includes hundreds of other software vendors from educational software to high-end CAD software and development tools. Novell is also a Certified Audit Software partner (CASP) with SIIA. Regional offshoots of BSA and other independent antipiracy organizations also exist, such as the Canadian Association Against Software Theft (CAAST) and in the UK, the Federation Against Software Theft (FAST). All of these organizations take the position that piracy is illegal whether it's intentional or accidental. They also agree that all it takes is one disgruntled employee, past or present, to call a piracy hotline to generate an audit.
Software audits can also be conducted by vendors themselves, although this generally remains the province of larger companies such as Microsoft, Adobe, AutoCAD and yes, even Novell.
Covering Your Bases--Four Steps to a Complete License Compliance Program
To feel confident about your organization's license-compliance status, you need to have an ongoing software management program in place. Because software can move from PC to PC at Internet speed, an organization can never be 100 percent sure it is compliant at any point in time; however, a current, well-documented compliance program is the key to satisfying even the most vigilant industry watchdog.
Developing and presenting a credible compliance program to senior management, internal audit committees and third parties requires covering some critical bases.
First Base--the Policy
The cornerstone of any compliance program is a software management policy that defines organizational practices and responsibilities.
The policy should address four key areas:
Management oversight: Designate a "license compliance czar," the person in the organization who owns the policy and related enforcement activities.
Organizational responsibility: Outline the roles of each area in the organization responsible for software compliance. (Include IT, purchasing, legal, business units and so forth.)
Software procurement: Detail the practices that control the request, approval, distribution and tracking of software and its purchase and license records.
End-user accountability: Prescribe acceptable purchase and usage procedures to ensure that employees clearly understand what is expected and allowed in relation to company software. Also include clear disciplinary action for noncompliance with the policy.
Once you have a written policy and designated a license compliance czar, you have a basis for a concrete compliance program.
Second Base--the Inventory
It would be nice to start a compliance program from scratch, but the reality is you have to deal with the technology assets already in place. The key to getting your arms around your current assets is automated asset tracking. Manually collecting data through surveys or walk-around audits won't ensure ongoing license compliance. The location, user and configuration of PCs change too often to rely on an inventory snapshot for your compliance program; you need to track history as well.
Consider and include several vital areas in your inventory:
Product/suite focus: It is easy to be overwhelmed by reams of software installation data that includes lists of executable files or any application that was ever installed on a particular PC. It's important to narrow your focus and ensure you are counting only real applications with licensing implications.
Furthermore, because many applications are licensed in suites, software managers must overlay a suite view to the list of individual applications to determine true license position and to effectively negotiate with vendors.
User demographics: In the world of software compliance, the exceptions always require follow-up. To be able to effectively address exceptions, software managers must understand not only how many installations have been discovered, but also which users and departments have the applications. When this information is tied directly to the asset inventory, managers can identify how to take corrective action, if needed.
Application details: Unless you can determine the exact version, and in some cases, the specific software serial number, you won't know if the installed software matches your license agreements. The problem with some software audit tools is they read version information from unreliable source files, such as the executable file header information. This skews results.
Reporting: Accurate data is useless if you don't report it in a clear and concise way. Compliance reports should provide necessary details such as version, language information and serial numbers, and be able to summarize data by department, site and/or software suite, for instance.
Once you have your inventory in hand, there are also other considerations:
While legal compliance is generally relevant at a corporate level, day-to-day license management often requires tying licenses to organizational units (site, department or cost center) and even to individual workstations in some cases. Novell ZENworks Asset Management allows you to break down overall license quantities and allocate them to specific groups or workstations. ZENworks Asset Management not only identifies risk issues and cost-savings opportunities, but also gives you granular views to take action. It allows you to determine:
which departments have more installations than allocated licenses
which high-priced applications are installed on workstations with no allocation
which workstations within a cost center are consuming allocated licenses but do not have particular software installed.
And if you have not kept records that would indicate how to allocate licenses, ZENworks Asset Management includes a set of wizards to help establish baselines from which to manage allocations.
Just about every organization strives for an environment where standards are part of day-to-day operating procedures. Standards come into play in numerous areas. Some relate to specific configurations and images, while others relate to approved software applications at an organization level.
ZENworks Asset Management helps you set and manage a list of approved applications for your organization. You can simply create an approved list or get more specific and create a set of standards categories, for example, Standard, VP Approval, and Policy Violation. Either way, you can track purchasing standards and report on exceptions.
Third Base--the Reconciliation
Once you have a solid inventory, it must be reconciled to your purchase and license information. Industry experts recommend that you use certain documentation as primary proof-of-ownership:
The actual reconciliation process must account for the terms of volume purchase and suite agreements as well as copies purchased at the local retail outlet. The reconciliation process is immensely more manageable with inventory information that isolates products and product suites, manufacturers and serial numbers. With this level of accurate information, you can demonstrate your compliance status with confidence.
ZENworks Asset Management includes an autoreconciliation feature that attempts to match discovered products to purchased products using a number of text matching algorithms. You can also use the autoreconciliation process to create a set of licenses based on the normalized manufacturer and product names contained in the ZENworks Asset Management Knowledgebase. ZENworks Asset Management also has connectors to purchasing information from major software resellers such as SHI, SoftChoice and Software Spectrum.
Once discovered, and after catalog products are linked to a common license, you get an immediate picture of over- and under-licensed situations. The ZENworks Asset Management compliance report represents a near real-time view of potential risk and cost-savings scenarios because:
discovery data is constantly updated as scheduled inventories occur, and
license quantities are updated as purchase records are imported.
Home--the Enforcement Zone
Once the initial inventory and reconciliation are complete, the focus of the software manager should shift to enforcing policies and keeping the program current. The best way to ensure that your organization keeps the lid on illegal software is to tightly control the procurement and distribution process, and to maintain an automated inventory. Even software that comes in through legitimate channels can find its way onto more computers than intended if not controlled properly. Unfortunately, software also comes into organizations through the back door, and only through a vigilant inventory process will you know what is actually installed in your organization.
Software managers should also look to the internal audit group for an independent review of policies and practices. This will not only allow the program to be fine tuned, but will also help prove diligence to external parties.
Implementing a software compliance program is not necessarily easy, but following these steps and using the right tools can keep you on track and focused on the critical elements of the program.
Proven Technology--Accurate and Reliable
The release of ZENworks Asset Management and its award-winning asset tracking and discovery tools provide unmatched accuracy for a true accounting of your hardware and software assets. ZENworks Asset Management reports on the full range of IT devices: servers and routers, desktops and handhelds--and the software running them. ZENworks Asset Management can scale to your environment--whether you have PCs at one location or all over the world.
With powerful software usage and license tracking, ZENworks Asset Management will allow you to cut the costs associated with end-user support and reduce your legal exposure with simplified management of software license compliance. Combined with the strengths of the ZENworks 7 Suite, Novell is helping to ensure that your IT environment is stable, secure and reliable--today and in the future.
Figure 2: In addition to license compliance tracking, ZENworks Asset Management also provides features, like license allocation and purchasing standards, that are important in the overall software asset management program.
Figure 3: ZENworks Asset Management reports are presented within the Web Console and offer extensive drill-down capabilities so you can see the big picture and hone in on the details necessary to take action.
And the Survey Says
"Your risk of being audited by a software company has never been greater, given the large number of vendors active in the market today, the decrease in new license revenue and vendors' need to find additional sources of revenue. Noncompliance with software usage rights can be extremely costly, with penalties exceeding $100,000, and can result in negative publicity for your company."
--Gartner Research, "Software License Compliance Remains a Problem for Many Companies" by Patricia Adams, March 24, 2005
BSA PRESS RELEASE "Washington, D.C., (Wednesday, December 7, 2005)--The Business Software Alliance (BSA), a watchdog group representing the nation's leading software manufacturers, today announced that five Los Angeles-area organizations paid BSA a combined total of $555,403.17 to settle claims that they had unlicensed copies of software programs installed on office computers..."
SIIA PRESS RELEASE "Washington, D.C.--August 4, 2005--The Software & Information Industry Association (SIIA), the principal trade association of the software industry, today announced that they awarded two whistleblowers $5,000 apiece for reporting their current or former employers' continued use of pirated software to SIIA..."
CAAST PRESS RELEASE "Toronto, ON--Monday, September 19, 2005--The Canadian Alliance Against Software Theft (CAAST) and the Business Software Alliance (BSA), watchdog groups representing the world's leading software manufacturers, today announced that a national Canadian engineering company agreed to pay CDN $52,500 after a self-audit revealed that it had unlicensed copies of Adobe and Microsoft software programs installed on its computers."
FAST PRESS RELEASE 28 April 2005--The Federation Against Software Theft (FAST) warns company directors that they risk being branded 'software thieves' because of the actions of their employees, including those in the IT department. This warning follows The Federation's recent discovery of over 5,800 illegal digital music files in a software audit of 2,500 PCs at a UK financial services organization...
Who are the auditors?
Business Software Alliance
(BSA)--The Business Software Alliance describes itself as "the foremost organization dedicated to promoting a safe and legal digital world." It is by far the biggest of the software auditors, and the most active, regularly conducting compliance awareness and enforcement campaigns globally. BSA educates consumers on software management and copyright protection, cyber security, trade, e-commerce and other Internet-related issues. BSA members include Adobe, Apple, Autodesk, Avid, Bentley Systems, Borland, Cadence, Cisco Systems, CNC Software/Mastercam, Dell, Entrust, HP, IBM, Intel, Internet Security Systems, Macromedia, McAfee, Inc., Microsoft, PTC, RSA Security, SAP, SolidWorks, Sybase, Symantec, Synopsys and UGS Corp.
Software and Information Industry Association
(SIIA)--Originally known as the Software Publisher's Association (SPA), the Software & Information Industry Association describe themselves as "the principal trade association for the software and digital content industry." In addition to conducting software audits, SIIA also provides global services in government relations, business development, corporate education and intellectual property protection to leading software companies. SIIA's self-described mission is to promote the common interests of the software and digital content industry, protect the intellectual property of member companies, advocate a legal and regulatory environment that benefits the entire industry, and inform the industry and the broader public by serving as a resource on trends, technologies, policies and related issues that affect member firms.
Federation Against Software Theft
(FAST)--The Federation Against Software Theft (FAST) was set up in 1984 by the British Computer Society's Copyright Committee. It was the first software copyright organization. Its first action was to raise the awareness of software piracy and to lobby the U.K. Parliament for changes in the Copyright Act of 1956 to reflect the needs of software authors and publishers. This campaign was successful and it has since been able to influence other legislation that impacts on the proper safeguarding of software. The work of FAST in this area has directly influenced the way software copyright law and investigations are carried out in many other countries.
It is also unique in that it is the only association in the world that represents both software publishers and end users. All the other associations concerned with software management represent software publishers only, and therefore, have an approach that is not geared to helping organizations and end users who are actually responsible for managing software.
Under the copyright provision (Title 17) of the U.S. Federal Code, the works of software publishers are protected, and many have written provisions into their licensing agreements that allow them to conduct random audits on demand without prior notice.
What relationship does Novell have to the auditors?
Novell is a member of SIIA and FAST, and Novell is a Certified Audit Software partner (CASP) with SIIA. Novell has an agreement with BSA to offer a free 90-day eval of ZENworks Asset Management through the BSA Web site. Novell does not share user information or auditing data with any of the auditing agencies. Audits conducted with ZENworks Asset Management are accepted by all of the auditing organizations and Novell has established long-term relationships with them to ensure that its products are developed to meet their standards. Novell has more than 15 years as a vendor of software auditing tools and as an independent source of information on licensing-related topics.
The License View
Unlike most configuration and asset management tools, ZENworks Asset Management employs a number of sophisticated techniques to ensure that your software inventory is complete, accurate, normalized and tuned for license compliance reconciliation and reporting. The key to providing a "License View" of software discovered on your network is the ZENworks Asset Management Knowledgebase. This Knowledgebase is built and maintained by our team of Technology Analysts, who add and code hundreds of products each month. The Knowledgebase, which is updated monthly, provides a set of filters that create the License View, which:
rolls up point releases and service packs
excludes titles with no license implication
ignores suite components when installed as part of the suite
identifies standalone suite components when installed outside of the suite
distinguishes between full and runtime editions.
Actually, this is just part of the application view, or in other words, basic software inventory. It is also starting to distinguish eval/trial software from full product.
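The License View filters listed above, followed by the per-department reconciliation described under Third Base, shown as an added example; this is not Novell's code and does not reflect the ZENworks Knowledgebase format. All product names, version strings, lookup tables and allocation figures are constructed, and only the first four filters are implemented.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for a product knowledge base (all names hypothetical).
NO_LICENSE_IMPLICATION = {"Acme Viewer"}
SUITES = {"Acme Office": {"Acme Writer", "Acme Calc"}}

# Constructed discovery rows: (workstation, department, product, raw version).
DISCOVERED = [
    ("ws01", "Finance", "Acme Office", "11.0.5614"),
    ("ws01", "Finance", "Acme Writer", "11.0.5604"),   # installed as part of the suite
    ("ws01", "Finance", "Acme Calc", "11.0.5612"),     # installed as part of the suite
    ("ws01", "Finance", "Acme Viewer", "7.0.5"),       # no license implication
    ("ws02", "Finance", "Acme Office", "11.0.8173 SP3"),
    ("ws03", "Finance", "Acme Writer", "11.0.8169"),   # standalone suite component
    ("ws04", "Engineering", "Acme CAD", "16.2"),
    ("ws05", "Engineering", "Acme CAD", "16.1"),
    ("ws05", "Engineering", "Acme Viewer", "6.0.1"),
]

# Constructed allocations: (department, licensed title) -> licenses allocated.
ALLOCATED = {
    ("Finance", "Acme Office 11"): 1,
    ("Finance", "Acme Writer 11"): 1,
    ("Engineering", "Acme CAD 16"): 3,
}

def roll_up(product, raw_version):
    """Collapse point releases and service packs onto the major version."""
    m = re.match(r"\s*(\d+)", raw_version)
    return f"{product} {m.group(1)}" if m else product

def license_view(discovered):
    """Return sorted (workstation, department, title) rows that need a license."""
    per_ws = defaultdict(set)                  # (ws, dept) -> {(product, title)}
    for ws, dept, product, version in discovered:
        if product in NO_LICENSE_IMPLICATION:  # exclude titles with no license impact
            continue
        per_ws[(ws, dept)].add((product, roll_up(product, version)))
    rows = []
    for (ws, dept), entries in per_ws.items():
        present = {product for product, _ in entries}
        covered = set()                        # components covered by an installed suite
        for suite, components in SUITES.items():
            if suite in present:
                covered |= components
        rows += [(ws, dept, title) for product, title in entries
                 if product not in covered]
    return sorted(rows)

def reconcile(view, allocated):
    """Map (department, title) -> (installed, allocated, shortfall)."""
    installed = Counter((dept, title) for _, dept, title in view)
    result = {}
    for key in sorted(set(installed) | set(allocated)):
        have, own = installed.get(key, 0), allocated.get(key, 0)
        result[key] = (have, own, have - own)  # shortfall > 0 means under-licensed
    return result

if __name__ == "__main__":
    for (dept, title), (have, own, gap) in reconcile(license_view(DISCOVERED), ALLOCATED).items():
        status = "under-licensed" if gap > 0 else "surplus" if gap < 0 else "compliant"
        print(f"{dept:12} {title:16} installed={have} allocated={own} {status}")
```

A positive shortfall marks a department that needs a purchase or an uninstall; a negative one marks licenses that could be reallocated.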
Compliance *plus* savings
Another facet of compliance and software asset management is application usage trend analysis.
With ZENworks Asset Management, application usage tracking occurs at the workstation level and captures the following information for both locally-run and server-run applications:
daily total run-time
daily active (foreground window) time
Combined with the compliance status, this information provides another key perspective for decision making. For instance, in under-licensing scenarios, it may be possible to uninstall the applications from workstations where they have not been used for an extended period of time. ZENworks Asset Management not only enables tracking of suites at the suite level for license reconciliation, but also at the underlying component level to allow for usage analysis. This can be useful for determining if employees are using all components of the suite and if not, to implement a plan to provision them with a more limited suite edition.
* Originally published in Novell Connection Magazine