SAM Revisted

I never cease to be amazed at what customers will put up with from IT vendors. Software licensing is a case in point. Of course, customers shouldn’t assume that because software is an intangible asset, it is free and needn’t be managed but some software vendors didn’t exactly discourage their customers and end-users from putting their software everywhere without worrying too much about licensing. Now it is everywhere, the vendors are reeling its users in, pointing out the penalties and risks associated with unlicensed software. Often people are now licensing stuff they’ve already got licenses for – because they can’t find their existing licences. So far, however, I have little sympathy with these people – if you don’t manage valuable assets, you can’t really complain when your mismanagement costs you money.

And IT vendors make discovering software assets, completely and unambiguously, really easy, don’t they? Well, actually, no, they seem to make it quite hard, and it is surprisingly easy to think you have 3 different pieces of software all needing licences when, in fact, they’re all the same thing and need only one licence. So, now, my sympathy for people mismanaging their licenses is increasing.

In fact, this situation has spawned a nice little industry driven by Fear Uncertainty and Doubt around what is called “software compliance”. Now, the more responsible vendors in this space stress the proper “asset management” aspects of SAM (Software Asset Management) and the benefits it brings beyond mere licence compliance (for example, if you know what tools people are using, you can identify and train people using the wrong tools or using them inappropriately, or identify tools with security exposures that haven’t been patched) but I’m sure some just play on paranoia about the “knock on the door” from FAST (Federation Against Software Theft). Even if FAST itself promotes a more responsible asset management approach these days

I don’t apologise for bringing up ethics and motivations in a discussion of SAM – because, as usual, governance of assets is, in large part, a people issue. People aren’t just unconditionally honest or dishonest – a substantial group is “conditionally honest”. Which means that they always behave in what they see as ethical ways, but if (say) their employer is behaving unethically (exploiting staff or customers perhaps) they may feel morally justified in, say, stealing from them or disrupting their business. Margaret Levi and Audrey Sacks explore this idea in a more general context in “Achieving good government – and, maybe, legitimacy” here).

If staff see management as only concerned about licence management, and then only for particular licences when someone points out that the vendor concerned may come after them with lawyers blazing; and they also perceive management as not particularly concerned about what software they use as long as people don’t get caught stealing it, then proper software asset management won’t happen.

Similarly, if customers perceive SAM as a cynical vendor initiative aimed at extracting more money from them for shelf-ware they aren’t using, proper software asset management won’t happen. Paul Immergluck (EMEA Lead at Anglepoint) notes that “the focus of SAM seems to be very much narrowed to the context of software compliance these days,” and, he wonders, “to what extent has this trend has been instigated by the vendors?”. As an independent analyst I might even suggest that some vendors could be focussing on their own interests rather than those of their customers.

Note that “perceived” motivations are as important as actual motivations – both customer management and vendors not only have to do the right thing, they have to convince possibly cynical end-users (i.e. with those with experience of life) that they’re doing the right thing, if they want to institutionalise good governance – and that’s what SAM is part of.

Now, how hard would it be for vendors to design software so it advertised its presence when asked, always called itself by the same name and always used the same string for the company and product name? How hard would it be to make software aware of management tools? Well, perhaps not trivial for small vendors (large vendors have little excuse), but it should be possible. Industry-wide standards for software ID and entitlement tagging would be a good enabler for “licensing-aware” software – there’s an interesting white paper about all this from Dextrys, which claims to be “one of the top 5 US-Chinese software services businesses in the world”, here. If the Chinese are interested in making software asset management easier – according to the Dextrys paper: “The ‘Holy Grail’ of asset management is for both publisher and customer alike to have a comprehensive and continual understanding of exactly what has been sold, under which licensing models, what has been installed, and when, where and how often the software is actually being used – and for this information to be continuously and incrementally updated as software moves through its lifecycle” – then perhaps the Western software industry had better take notice.

There are now standards enabling SAM: ISO 19770-1, -2, -3. So, software vendors are rushing to adopt them? Not exactly, it seems to me – although, to be fair, many of their customers aren’t refusing to buy non-compliant software either. Getting involved with the standards might be a good way of convincing those involved that you are taking SAM seriously.

The problem with software tagging probably isn’t really with the big established companies, these days, who want to make licensing easier (although I’m not sure how enthusiastic some really are about full software asset management), but the myriad of small software companies, and writers of in-house software, who need a painless way to adopt the standard, and need to be sure that there will be a real business advantage to their customers if it they do.

And what of the “software compliance” industry? Well, understandably, it thinks it has adequate solutions already (libraries of software ID signatures, perhaps) and the better vendors in this space do a good job of inculcating proper SAM more widely. According to a licence management practitioner I know, Aspera, to give just one example, produces a licence management tool (SmartTrack) that works effectively – which is not trivial when you start to think about processor based licenses, core based licensing, virtual servers and so on.

Andy Fisher, New Business Development Director for Business Continuity Services Ltd, points out that a standard is all very well but there needs to be a phased approach to implementing it and, at least until the latest ISO initiatives came along, people are expected to put a lot of real work up front in the expectation of only potential benefits down the line. He is still a bit sceptical about the practical utility of a standard and whether it adds much to what we already have – even if it would have been useful when this all started. Business Continuity Services Ltd sells, for example, a “Universal Software Library Subscription Service” which “turns the raw software discovery data into meaningful Business Intelligence” – in other words, it’s a list of software identification profiles based on software encountered in the wild, updated regularly, with consultancy to help you make sense of the chaos software vendors seem to have helped create.

But, the wide adoption of an effective standard would perhaps damage the software compliance industry’s business model (presumably, with effective standards, SAM could be simply built into more general tools and people would need less consultancy) – so how really disinterested is the opinion of its participants on standards? I’m not suggesting that the better players are cynically disparaging standards; they may simply have convinced themselves of a different view. After all not everybody in the standards-making process is necessarily disinterested either – some people may be interested in standards as an end in themselves; some vendors try to use standards as a way of locking people into their software (certification against standards can be made expensive, so as to discourage new entrants), some vendors see standards as a way of slowing down the competition while they catch up and so on.

Well, now, what are the action points from all this? I think that software asset management, like asset management generally, is a fundamental part of good governance – but its benefits must be emphasised as much as, or more than, the cost of non-compliance, if we’re going to get buy-in. I don’t believe that “compliance by diktat” is ever particularly cost-effective (or even very effective at all, in practice). The vendors of software assets have a “moral obligation” to make SAM easy for all of its stakeholders – in return for the benefit, to them, of honest license revenue. Ian Preskett (who is on the BCS CMSG committee with me), for example, points out that fonts are licensable software assets that must be managed – yet “features” of much office software make inadvertent distribution of unlicensed fonts, embedded in documents, all too easy. If vendors don’t make managing such software assets straightforward, their customers may not take them seriously – these customers may not be “morally right” in this, but they are possibly responding to misleading messages being sent by vendors.

I see a good basis for managing software assets in the ISO/IEC 19770 standards. They allow for incremental implementation and seem quite well thought through. Nevertheless, exploiting them will take work and they can’t be taken for granted. For many users of software (despite a lot of talk about SAM and the new availability of standards), nothing much has changed in practice and software assets still aren’t being properly managed.

If you don’t like the new standards, there are other approaches – based on libraries of software signatures etc. – and these seem effective enough for now, as long as they are used in the context of proper asset management. However, they don’t address the fundamental issue, which is that software is often inherently difficult to manage, and they may not scale up well as businesses move beyond simple licence management and their software estate gets more complex.

I suggest that everyone reads up on the 19770 standards: the TagVault ISO/IEC 19770-2 Software ID tags FAQ is here; and the ISO/IEC 19770-3 Entitlement tags standard is here. However, you probably don’t need to read the actual 19770-2 standard (unless you are a vendor making your software compliant), for example, just know enough about it to know why compliance might matter. There is also a good vendor-independent SAM networking/discussion group being sponsored by the BCS CMSG: e-mail Ian Preskett or David Phillips using samnetworking@bcs-cmsg.org.uk.

If you aren’t planning to use ISO/IEC 19770 at present, perhaps think further about this decision and discuss it – and explore the options – with your peer group, with the vendors of your software and with whatever SAM and license management providers you do use.

If you think the standards-making process is not working, perhaps you should take part in it and help to improve it (although that might be a bit of an overhead for a small company, unless someone on-staff is altruistically inclined). If you do decide that ISO/IEC 19770 is the basis of a useful idea, you then need to include standards support in the wish lists you send to your vendors and include it in your selection procedures. ISO/IEC 19770 support is only part of the selection decision, but it should be considered.

SAM is a lot more than license-compliance but optimising licensing may justify the initial investment – eliminating shelf-ware and duplicate licenses may save you shedloads of money (Fisher claims that some of his customers can show 30-40 man-hours per month resource savings and possible over-licensing involving millions of pounds). Do you know how much license compliance and management is costing you, how much money you are wasting on shelf-ware and duplicate licenses at the moment and what risks poor software asset management (beyond any licensing issues) exposes you to? And, if not, why not? When there’s a cost you can’t put a value on, there’s a good chance that you won’t like it when you do.

Now for the standards organisations. Rather than publishing standards documents, I always wonder why they don’t produce software modules embodying the standards (the OMG approaches this with its reference implementations and interoperability testing programs). Why not publish generic, customisable, software modules that vendors, and in-house developers, can simply plug into their code, in order to deliver standardised software identification? Making implementation easier would encourage adoption.

Finally, remember that software which makes SAM easier and more effective is more useful and cost-effective for the businesses using it. If existing software vendors aren’t providing this, then perhaps new software vendors will appear, possibly from unexpected places, that will. “In the meantime,” according to Preskett, “companies should invest in a license management tool that is able to deal with complex licensing models, create processes based on ISO 19770-1 and obtain senior management buy-in – and then SAM is manageable”.