Software Asset Management Best Practices
Best Practices in Software Asset Management
Of all a corporation's assets, software may be the most complicated to manage. It is intangible, expensive, licensed not owned, needs to be regularly maintained and is commonly rendered obsolete by the manufacturer. A software asset management (SAM) program is not a luxury in a time when the operation of most production assets, information technology assets and communications assets rely on software.
What is SAM?
Software asset management (SAM) is the practice of managing and optimizing the purchase, deployment, licensing, compliance, maintenance, utilization, and disposal of software assets within a company. The ITIL Library of Best Practices, defines SAM as "…all of the infrastructure and processes necessary for the effective management, control and protection of the software assets…throughout all stages of their lifecycle." The objectives of a SAM program are to reduce software costs and limit the liabilities associated with the licensing and use of software. Software asset management (SAM) provides a critical role within the organization by identifying overused, underused and illegally installed software.
The practice of keeping an up-to-date inventory of all software installed on an organization's systems, including in-house servers and workstations and mobile devices such as laptop computers and smartphones.
Establishing a SAM Program
Software asset management is not something that "just happens." A corporation must make a conscious decision to proactively manage its software assets. This process includes designing a program, obtaining senior management support and approval, establishing a multi-departmental SAM team, and acquiring the SAM software that best meets the company's needs.
Getting to "Yes" – Key Points
A key component of gaining senior management's "buy-in" is presenting the proposal in terms that align with their priorities – that is the financial benefits of SAM and the end potential liabilities of not having a SAM operation. Support for a SAM program must come from the top, with ideally a C-level executive driving the effort forward.
Software Is a Fixed Asset
A key point that needs to be presented is that licensed software is carried on the balance sheet as a depreciable asset. In the case of computer software, most companies report software as a component of their fixed Plant, Property and Equipment (PPE) assets. Software is an integral part of business. It's included as a fixed asset on most company's balance sheets. Consequently, software that is treated as PPE would be depreciated like any other fixed asset, on its own schedule. The argument must be made that licensed software needs to be managed like any other fixed asset.
Similarly, cloud-based software, or software-as-a-service (SaaS) is provided on a subscription basis. Consequently, it becomes an annual expense and is recorded on the income statement much like equipment lease payments. If cloud-based software is not proactively managed, especially the procurement of SaaS, expenses can become quite significant.
Software Is Licensed Not Owned
Unlike physical assets, software is licensed by the vendor and used under the terms of a software license agreement (SLA). Management must be made to understand the cost ramifications of being non-compliant with the terms of the SLA, including the impact an audit could have on the corporation's bottom line. An established SAM program can be a key component of maintaining compliance with the SLA and avoiding a costly and intrusive audit.
Avoiding Excessive Software Costs
It should also be made clear that a SAM program can be a key tool in avoiding the expense of over-licensing software and in the re-use of software. A Gartner study once estimated that most large corporations are over licensed by 20%. When identified, excess licenses may be returned for credit, used as credit against any license renewals or issued to new end-users. In addition, licenses that do not get used by the employee to whom they are issued can be re-used in other departments, instead of acquitting new licenses. Management needs to aware that these savings and cost avoidance measures are nearly impossible without a SAM program.
Finally, the return on investment (ROI) associated with a SAM program must be made clear. As with any other operation, there will be software, equipment and personnel costs associated with a SAM program. The potential cost savings that will accrue from a SAM program must be presented alongside the estimated costs, demonstrating the net benefit of the proposed SAM program.
Creating The SAM Team
Just as software is used across the corporation, the SAM team needs to have representatives from across the enterprise. Ideally, each of the departments listed below should assign someone to participate in the SAM team:
- Information Technology
- Production Management
Each of these departments has a vested interest in managing the corporation's software assets and will have invaluable contributions to the creation of the SAM program and the eventual selection of the SAM tool.
Regarding the operation of the team, each of the participants should provide input to the following decisions:
- Defining key requirements for, and functionality of, the SAM solution
- Comparing the benefits and risks of cloud-based and installed SAM solutions
- Identifying the information to be collected and reported by the SAM solution
- Researching and selecting potential vendors
- Establishing a SAM project budget
- Recommending a solution provider to management
- Negotiating license terms with the selected vendor
- Establishing a SAM project schedule following vendor selection
The SAM team should provide regular updates to management and keep employees apprised of the goals of the program. One key message is that the corporation is committed to properly manage its software assets. In addition, the responsibility for the proper use of the software and compliance with the SLA rests with every employee.
Choosing the right tool
There is no shortage of SAM software solution providers. Like any other product, each offering has strengths and weaknesses. Some key features for the SAM team to consider when establishing requirements and interviewing vendors include:
- Device compatibility
- Breadth and detail of software discovery and recognition
- Frequency of software library updates
- Compatibility with, or enhancement of, existing tools (e.g., Microsoft Intune and SCCM)
- Vendor audit support
- Installation process
- Required IT infrastructure
- Level of vendor training
- Maintenance costs
- Cloud management capabilities
- Support for remote devices
Each of these feature categories are examined below.
No two companies have the same SAM requirements. To truly meet the company's requirements, a SAM solution needs to be configurable in terms of the appearance and content of the dashboard, the number and definition of database fields, custom report generation, standard reporting, and inter-operability with other systems within the organization. The SAM team should consider the process involved in customizing the solution to best fit the company's needs and objectives. In some cases, database programmers are needed to write new reports. More advanced solutions include a configuration layer that speeds the customization and even enables administrators to make modifications after the system is installed. Key factors include:
- The degree to which professional services are needed for initial installation and later modifications
- The ability of the users to create ad-hoc reports
- The ability for systems administrators to add fields
- The ease of importing data from existing sources
Configurability is a critical factor in terms of the useability and the degree to which the SAM solution meets the corporation's specific needs.
Corporations' computing infrastructure and network architecture are constantly changing. Businesses grow through acquisition and expansion. The number of end user devices expands and changes as technology advances. Business models adapt to external forces, such as the adoption of remote work. A SAM solution needs to easily scale across the corporation, including the number, type, and location of installed and mobile devices. The SAM solution needs to work as well for a company with 1,000 devices as one with 100,000. A corollary to scalability is deployment, A system that depends on installed agents will scale far less quickly than an agentless solution. Key factors for the SAM team to consider include:
- Support for wired and mobile devices
- Support for remote workers and distant facilities
- The endpoint for installed discovery agent software
- Device count limitations
- Dynamic expansion as the company's computing needs increase
Scalability is critical to ensure that all the firm's software can be managed as the company's needs grow.
There are several factors that must be considered when selecting a SAM tool. Key among them are:
- Breadth of software discovery (software and device types)
- Software discovery detail
- Software recognition library
- Re-use of existing information from existing tools (e.g., SCCM, Active Directory)
- Ability to discover cloud assets
- Ease and detail of reporting
Breadth of Software Discovery
To provide the maximum benefit to the organization, a SAM tool must discover the widest range of software titles in use across all the devices used by the organization. This would include server software, desktop/laptop applications and mobile device software apps. Failure to do so results in an inaccurate picture of the licensed software, which can lead to software license compliance issues, undetected vulnerabilities, and the use of unauthorized or unsupported software. When selecting a SAM tool, it is critical to ascertain that the vendor's standard offering includes discovery of the entire suite of software licensed by the corporation.
Software Discovery Detail
Simply discovering software titles is not sufficient to provide the detail necessary for a fully functional SAM program. To be effective, the SAM software must discover and report on details including software title by version and release, software patches, drivers, and device location. This level of discovery detail can become crucial when upgrading or replacing equipment or operating systems, identifying vulnerable software, and locating unpatched devices. In addition, many software titles can have multiple identifiers depending on the reseller from whom they were acquired. Consequently, the SAM tool needs to recognize and reconcile these software titles for purposes of determining license compliance and evaluating under/over licensing situations.
Software Recognition Library
Software recognition libraries must be continually updated by the vendor to ensure that discovery and reporting functions are as accurate as possible. Updates and additions should include titles, releases, and versions. The vendor should commit to regularly adding new software to the library and to researching software that is encountered but not identified. If the SAM tool is not cloud-based, these updates should be regularly transmitted to the server hosting the SAM tool. In addition, to enable the software title recognition function described above, the library should index the various identifiers assigned to the same software title (e.g., MSWord, Word, Win 10 Word).
Re-Use of Existing Information
Most companies already have some electronic records detailing software license purchases, what software is installed on various machines and the software titles in use within the organization. Software vendors provide tools to identify and inventory their software products in use by licensees (e.g., Microsoft SCCM and Active Directory). This information is valuable to the organization and should be integrated into, or used by, the SAM tool. Ideally, the SAM tool will augment the vendor-provided systems to develop a thorough and complete SAM resource.
Ability to Discover Cloud Assets
Almost all companies nowadays operate cloud infrastructure, not just direct SAAS services but also cloud servers, cloud databases and other cloud infrastructure are often part of the organization's IT asset portfolio. Therefore, the ability to discover what software is on these servers is crucial
Data isn't information until it can be used. Accurate, flexible, and easy-to-use reporting is key to the success of any SAM program. Beyond standard vendor configured reports, the user should be able to configure reports on selected fields and save them or run them on an ad hoc basis. For maximum value, the user interface should be easy to use and not require database programming. Reports should also be able to use Boolean processes to identify systems without key software products (e.g., security software), software not listed on purchasing records (e.g., software purchased by an employee) or important patches. The system should also provide a dashboard reporting system to management with real-time information on areas of particular interest.
Compliance and Audit Support
One of the key benefits of a SAM program is to determine the level of compliance with a firm's software license agreements (SLA), to make any necessary adjustments and to maintain full compliance going forward. Compliance is simply using the same number of software titles that were paid for and using them in accordance with the terms of the SLA. A good SAM tool will:
- Compare the number of discovered software titles
- Normalize the different versions and identifiers
- Aggregate them into a total count of that title
- Compare that number to the purchased license quantity
- Report any over and under licensed software
If the numbers of discovered tiles and purchased titles match, the firm is in compliance with the SLA. If the purchased quantities are greater than the number of titles discovered, the company is over licensed and can delay future purchases of those titles. If the opposite is true, the company is out of compliance and can take steps to acquire additional licenses. Measuring software license compliance should not be an annual event, but a continuing process where the firm identifies compliance issues on an ongoing basis and is prepared for an audit request from any software vendor.
Software companies conduct regular compliance audits, which can be costly, disruptive and time consuming for the targeted company. In many cases, the software vendors aggressively conduct the audits and treat them as a revenue generating exercise. If a company is found to be out of compliance, it must purchase additional licenses and pay damages. A SAM program can mitigate the impact and cost of an audit. Ideally, the accuracy of the reports generated by the SAM solution in use is certified by one of the major software auditing agencies (e.g., SIIA, BSA). In that case, the company can run the requested reports, submit those reports to the software vendor and the issue will be quickly resolved.
However, if the selected SAM tool is not certified, or if the company is unsure of how to generate the requested information, the SAM vendor should be ready to provide the professional services needed to generate those reports. As part of those professional services, the vendor should explain its methodology to the auditor to substantiate the accuracy of the information provided by the SAM solution.
In the absence of a SAM tool, the targeted company should research a SAM vendor, or contact its large account reseller (LAR), that will provide SAM as a service. Such a service would normally be provided via the cloud, and no installation would be needed on the company's premises. SAM, as a service, should rely on an agentless system to facilitate initiation of the program to minimize any disruption to the target company's operations.
SAM and the Cloud
Cloud computing has changed the entire landscape of corporate computing, but it has not eliminated the need for firms to manage, measure and monitor their cloud-based software assets. Software-as-a-Service (SaaS) assets must be counted and reconciled just as on-premises must be managed. Measuring and accounting for cloud assets is becoming even more critical as major software providers are moving to cloud-based products. Microsoft's Windows 10, Office 365 and Adobe's entire suite of products are prime examples. It is critical that a firm utilize a single resource to analyze its software asset information.
Most companies utilize multiple cloud providers in the form of both SaaS products and cloud servers. Managing all those assets involves discovery and API integration, plus numerous reporting, and tracking resources. Ideally, the SAM tool selected has the capability to manage both cloud-based and on-premises software assets,
bringing them into the same database. This provides a single, unified, and holistic view of all of a firm's assets in one single solution. Such an approach provides several benefits:
- Cloud assets and "behind-the-firewall" assets are incorporated into a single ITAM database and can be analyzed, measured, and reconciled using one application
- Information required for software license compliance, overall software license count, under/over license counts, and cost/risk assessments are easily obtained
- Cost analysis and avoidance can be accessed using a comprehensive dashboard with standard and custom reports
- As virtual machines can switch from cloud to local processing, the pathway that the virtual machine has visited should be visible
As firms typically use multiple cloud providers, the SAM solution should be able to compare assets across cloud providers and identify duplication differences and compatibility issues. Utilizing a single SAM solution will result in cost-savings and improved efficiencies. Knowing what cloud services are being paid for is key to cost containment. Without an ongoing centralized inventory of cloud resources, firms can continue to pay for a server that the firm stopped using for several months. Comparing cloud performance to value is critical to maintaining cost efficiencies, but difficult to do without the information collected in a single database.
Managing all the enterprise's software assets in one coordinated, continuously updated resource will lead to cost efficiencies, improved controls, and better risk management.
Measuring SAM Success
Simply acquiring and installing a SAM tool does not constitute success. The organization needs to establish agreed-to performance indicators to measure the progress and the success of the SAM program. Typically, performance indicators measure six components of an activity:
- Input - the inputs required of an activity to produce an output
- Output - the outcome or results of an activity or group of activities
- Activity - the transformation produced by an activity
- Mechanism - what enables an activity to work
- Control - an object or system that controls the activity's production through compliance
- Time - a temporal element of the activity
No two organizations would have the same performance indicators, however, some common SAM project activities that are measured include:
- Installation timeframe
- Time to generate useful information from the system
- Number of discovered software titles
- Software inventory compared to purchasing records
- Degree of software license compliance
- Active use of the information generated by the solution
- ROI generated by the SAM program
Whatever metrics are decided upon, management should be kept appraised of the progress of the program and any financial benefits that result.
SAM – A Critical Function
There is little debate on the value that a fully functional SAM program brings to an organization. Proper planning, careful SAM tool selection and a methodical implementation will yield ongoing operational and financial benefits to the organization.