Concerns about complying with software license agreements have plagued IT managers for as long as software has been around. The protection of intellectual property rights is a fundamental tenet of the software business. Industry watchdogs, such as the Business Software Alliance (BSA) and the Software and Information Industry Association (SIIA), are placing a renewed emphasis on enforcement, collecting hundreds of thousands of dollars in settlements and fines on a regular basis. And software vendors, often through third-party firms, are more active than ever in conducting audits of their customers.
Despite much of the high-minded talk from these watchdogs about honesty and staying legal, many analysts and pundits say the current software license-compliance campaigns are really a ploy by software vendors to generate additional revenues in a saturated market. Software vendors may generate revenue by forcing customers to “pay up” after an audit or even suggest that they move to more costly volume license programs with fewer tracking requirements. Regardless of the motives of software vendors, organizations need to take their compliance status seriously to avoid the very real risks associated with noncompliance, such as the fines and embarrassing public relations that often accompany software piracy.
> Who Are the Auditors and Where Do They Get Their Authority?
In the United States, the basis for enforcing license agreements stems from the copyright provision (Title 17) of the U.S. Federal Code (and similar legislation in other jurisdictions). This federal law protects the works of software publishers and other intellectual property creators. Certain software publishers give the power of attorney to industry organizations (such as those mentioned) to enforce their rights under this law.
The BSA and SIIA are member-driven organizations that represent the major software vendors they comprise. BSA membership includes 16 large software vendors, such as Microsoft, Adobe, Symantec and Apple, while SIIA includes hundreds of other software vendors from educational software to high-end CAD software and development tools. Novell is also a Certified Audit Software partner (CASP) with SIIA. Regional offshoots of BSA and other independent antipiracy organizations also exist, such as the Canadian Association Against Software Theft (CAAST) and in the UK, the Federation Against Software Theft (FAST). All of these organizations take the position that piracy is illegal whether it's intentional or accidental. They also agree that all it takes is one disgruntled employee, past or present, to call a piracy hotline to generate an audit.
Software audits can also be conducted by vendors themselves, although this generally remains the province of larger companies such as Microsoft, Adobe, AutoCAD and yes, even Novell.
> Covering Your Bases—Four Steps to a Complete License Compliance Program
To feel confident about your organization's license-compliance status, you need to have an ongoing software management program in place. Because software can move from PC to PC at Internet speed, an organization can never be 100 percent sure it is compliant at any point in time; however, a current, well-documented compliance program is the key to satisfying even the most vigilant industry watchdog.
Developing and presenting a credible compliance program to senior management, internal audit committees and third parties requires covering some critical bases.
> First Base—the Policy
The cornerstone of any compliance program is a software management policy that defines organizational practices and responsibilities.
The policy should address four key areas:
- Management oversight: Designate a "license compliance czar," the person in the organization who owns the policy and related enforcement activities.
- Organizational responsibility: Outline the roles of each area in the organization responsible for software compliance. (Include IT, purchasing, legal, business units and so forth.)
- Software procurement: Detail the practices that control the request, approval, distribution and tracking of software and its purchase and license records.
- End-user accountability: Prescribe acceptable purchase and usage procedures to ensure that employees clearly understand what is expected and allowed in relation to company software. Also include clear disciplinary action for noncompliance with the policy.
Once you have a written policy and have designated a license compliance czar, you have a basis for a concrete compliance program.
> Second Base—the Inventory
It would be nice to start a compliance program from scratch, but the reality is you have to deal with the technology assets already in place. The key to getting your arms around your current assets is automated asset tracking. Manually collecting data through surveys or walk-around audits won't ensure ongoing license compliance. The location, user and configuration of PCs change too often to rely on an inventory snapshot for your compliance program; you need to track history as well.
Consider and include several vital areas in your inventory:
- Product/suite focus: It is easy to be overwhelmed by reams of software installation data that includes lists of executable files or any application that was ever installed on a particular PC. It's important to narrow your focus and ensure you are counting only real applications with licensing implications. Furthermore, because many applications are licensed in suites, software managers must overlay a suite view to the list of individual applications to determine true license position and to effectively negotiate with vendors.
- User demographics: In the world of software compliance, the exceptions always require follow-up. To be able to effectively address exceptions, software managers must understand not only how many installations have been discovered, but also which users and departments have the applications. When this information is tied directly to the asset inventory, managers can identify how to take corrective action, if needed.
- Application details: Unless you can determine the exact version, and in some cases, the specific software serial number, you won't know if the installed software matches your license agreements. The problem with some software audit tools is they read version information from unreliable source files, such as the executable file header information. This skews results.
- Reporting: Accurate data is useless if you don't report it in a clear and concise way. Compliance reports should provide necessary details such as version, language information and serial numbers, and be able to summarize data by department, site and/or software suite, for instance.
Once you have your inventory in hand, there are also other considerations:
> License Allocation
While legal compliance is generally relevant at a corporate level, day-to-day license management often requires tying licenses to organizational units (site, department or cost center) and even to individual workstations in some cases. Novell ZENworks Asset Management allows you to break down overall license quantities and allocate them to specific groups or workstations. ZENworks Asset Management not only identifies risk issues and cost-savings opportunities, but also gives you granular views to take action. It allows you to determine:
- which departments have more installations than allocated licenses
- which high-priced applications are installed on workstations with no allocation
- which workstations within a cost center are consuming allocated licenses but do not have particular software installed.
And if you have not kept records that would indicate how to allocate licenses, ZENworks Asset Management includes a set of wizards to help establish baselines from which to manage allocations.
> Purchasing Standards
Just about every organization strives for an environment where standards are part of day-to-day operating procedures. Standards come into play in numerous areas. Some relate to specific configurations and images, while others relate to approved software applications at an organization level.
ZENworks Asset Management helps you set and manage a list of approved applications for your organization. You can simply create an approved list or get more specific and create a set of standards categories, for example, Standard, VP Approval, and Policy Violation. Either way, you can track purchasing standards and report on exceptions.
> Third Base—the Reconciliation
Once you have a solid inventory, it must be reconciled to your purchase and license information. Industry experts recommend that you use certain documentation as primary proof-of-ownership:
- purchase records
The actual reconciliation process must account for the terms of volume purchase and suite agreements as well as copies purchased at the local retail outlet. The reconciliation process is immensely more manageable with inventory information that isolates products and product suites, manufacturers and serial numbers. With this level of accurate information, you can demonstrate your compliance status with confidence.
ZENworks Asset Management includes an autoreconciliation feature that attempts to match discovered products to purchased products using a number of text matching algorithms. You can also use the autoreconciliation process to create a set of licenses based on the normalized manufacturer and product names contained in the ZENworks Asset Management Knowledgebase. ZENworks Asset Management also has connectors to purchasing information from major software resellers such as SHI, SoftChoice and Software Spectrum.
Once discovered, and after catalog products are linked to a common license, you get an immediate picture of over- and under-licensed situations. The ZENworks Asset Management compliance report represents a near real-time view of potential risk and cost-savings scenarios because:
- discovery data is constantly updated as scheduled inventories occur, and
- license quantities are updated as purchase records are imported.
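The reconciliation described above, together with the suite overlay from the inventory step, can be sketched as follows. This is an added example, not ZENworks Asset Management code: the product names, the suite map and the sample records are constructed, and exact matching on normalized names stands in for whatever text-matching the product uses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data; product names and the suite map are assumptions.
SUITES = {"acme writer 7": "acme office 7", "acme sheets 7": "acme office 7"}
INVENTORY = [  # (workstation, department, discovered product string)
    ("ws-01", "finance", "Acme Writer 7"),
    ("ws-01", "finance", "ACME Sheets 7"),
    ("ws-02", "finance", "Acme Writer 7"),
    ("ws-03", "design", "Acme(R) CAD 3"),
    ("ws-04", "design", "acme cad 3"),
    ("ws-04", "design", "Acme Draw 2"),
]
PURCHASES = [("Acme Office 7", 1), ("ACME CAD 3", 3)]  # (product, licenses)

def normalize(name):
    """Lower-case, drop trademark marks and punctuation, collapse spaces."""
    name = re.sub(r"\((r|tm)\)", " ", name.lower())
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name).split())

def licensed_installs(inventory):
    """Suite overlay: one license per workstation per licensable product."""
    installs = set()
    for host, dept, product in inventory:
        key = normalize(product)
        installs.add((host, dept, SUITES.get(key, key)))
    return installs

def reconcile(inventory, purchases):
    """Return per-product installed/owned counts, delta and department split."""
    owned = Counter()
    for product, qty in purchases:
        owned[normalize(product)] += qty
    installed, by_dept = Counter(), defaultdict(Counter)
    for _, dept, product in licensed_installs(inventory):
        installed[product] += 1
        by_dept[product][dept] += 1
    return {
        p: {"installed": installed[p], "owned": owned[p],
            "delta": owned[p] - installed[p],  # negative = under-licensed
            "departments": dict(by_dept[p])}
        for p in sorted(set(owned) | set(installed))
    }

if __name__ == "__main__":
    for product, row in reconcile(INVENTORY, PURCHASES).items():
        print(product, row)
```

A negative delta marks an under-licensed product, a positive one a surplus; the department split shows where the follow-up belongs.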
> Home—the Enforcement Zone
Once the initial inventory and reconciliation are complete, the focus of the software manager should shift to enforcing policies and keeping the program current. The best way to ensure that your organization keeps the lid on illegal software is to tightly control the procurement and distribution process, and to maintain an automated inventory. Even software that comes in through legitimate channels can find its way onto more computers than intended if not controlled properly. Unfortunately, software also comes into organizations through the back door, and only through a vigilant inventory process will you know what is actually installed in your organization.
Software managers should also look to the internal audit group for an independent review of policies and practices. This will not only allow the program to be fine-tuned, but will also help prove diligence to external parties.
Implementing a software compliance program is not necessarily easy, but following these steps and using the right tools can keep you on track and focused on the critical elements of the program.
> Proven Technology—Accurate and Reliable
The release of ZENworks Asset Management and its award-winning asset tracking and discovery tools provide unmatched accuracy for a true accounting of your hardware and software assets. ZENworks Asset Management reports on the full range of IT devices: servers and routers, desktops and handhelds—and the software running them. ZENworks Asset Management can scale to your environment—whether you have PCs at one location or all over the world.
With powerful software usage and license tracking, ZENworks Asset Management will allow you to cut the costs associated with end-user support and reduce your legal exposure with simplified management of software license compliance. Combined with the strengths of the ZENworks 7 Suite, Novell is helping to ensure that your IT environment is stable, secure and reliable—today and in the future.