Software Asset Management Best Practices
Best Practices in Software Asset Management - Updated for 2023
Of all corporate assets, software may be the most complicated to manage. It is intangible, expensive, licensed not owned, and must be regularly maintained. It is also often rendered obsolete by the manufacturer. At a time when the operation of most production assets, information technology assets and communications assets relies on software, having a robust software asset management (SAM) program is not a luxury, it is a necessity.
What is SAM?
Software asset management (SAM) is a detailed process for managing and optimizing all aspects of a company's software. This includes the purchasing, deployment, licensing, compliance, maintenance, usage, and disposal of software assets. SAM can also help organizations get the most from their IT operations and improve overall performance. This is why SAM Best Practices are designed to help maximize the effectiveness of a company's software investments. They can help limit the liabilities associated with the licensing and use of software as well as achieve long-term savings by identifying overused, underused and illegally installed software.
Establishing a SAM Program
Failing to actively take steps to establish a software asset management plan exposes businesses to significant risks. This can include getting bogged down in complex software compliance issues as well as being committed to incredibly inefficient software purchases that can cost a company hundreds of thousands of dollars.
To avoid these risks, care must be taken is to create an effective software asset management (SAM) plan. As a first step, a comprehensive inventory of all the software owned or licensed by the company must be compiled and made available to the relevant parties in the form of a reliable and well-managed database.
When completed, this inventory will also provide all relevant stakeholders with an overview of what software is being used, by whom, and for what purpose. Once this information has been established, a SAM plan can be devised and implemented that will help optimize software purchases, reduce costs, and achieve strategic goals.
Obtaining senior management support and approval is also crucial, as is establishing a multi-departmental SAM team, and acquiring the SAM software that best meets the company's needs.
Achieving Management Buy-in
A significant factor for gaining management SAM buy-in is presenting the proposal in terms that align with their priorities. Emphasizing the financial benefits of SAM and the potential liabilities of not having a SAM practice in place will frame things in terms that management can easily relate to and will act as an effective motivator for ensuring action is taken.
Ideally, a C-level executive should be in charge of driving this topic forward if the necessary results are to be achieved.
Software Is a Fixed Asset
Licensed software is a depreciable asset. In the case of computer software, most companies record software as part of their fixed Plant, Property and Equipment (PPE) assets.
Software is an integral part of business and is included as a fixed asset on most companies’ balance sheets. Consequently, software that is treated as PPE would be depreciated like any other fixed asset, with its own schedule. Thus the point must be made that licensed software needs to be managed like any other fixed asset.
Similarly, cloud-based software, or software-as-a-service (SaaS) is provided on a subscription basis. Consequently, it becomes an annual expense and is recorded on the income statement much like equipment lease payments. If cloud-based software is not proactively managed, especially the procurement of SaaS, expenses can become significant.
Software Is Licensed Not Owned
Unlike physical assets, software is licensed by the vendor and used by companies under the terms of a software license agreement (SLA).
The cost ramifications of non-compliance must be made clear to management, including the impact an audit could have on the corporation's bottom line. Vendors are fully entitled to carry out license audits if they believe a business is not adhering to the terms of service. If a company is found not to be adhering to the SLA, hefty fines can ensue.
An established SAM practice can act as a key component in maintaining compliance with the SLA and avoiding a costly and intrusive audit.
Avoiding Excessive Software Costs
A SAM program can be a key tool in facilitating re-use of software as well as avoiding the expense of over-licensing.
When identified, excess licenses may be returned in exchange for credit (e.g. for future purchases or against license renewals) or issued to new end-users. In addition, licenses that do not get used by designated employees can be redeployed to other departments, instead of purchasing new licenses.
These savings and cost avoidance measures are nearly impossible without a SAM program.
The return on investment (ROI) associated with a SAM program must also be emphasized. As with any other operation, there will be software, equipment and personnel costs associated with a SAM program. The potential savings that can be achieved through a SAM program must be presented alongside the estimated costs of implementing such a program. Only in this way can the net benefit of the proposed SAM program be clearly demonstrated.
Creating The SAM Team
Just as software is used throughout the company, the SAM team should also be composed of representatives from across the enterprise. Ideally, each of the departments listed below should assign someone to participate in the SAM team:
- Information Technology
- Production Management
Each of these departments has a vested interest in managing the corporation's software assets. They can also contribute significantly to creating the SAM program and the eventual selection of the SAM tool.
As for team operations, each of the participants should provide input to the following decisions:
- Defining key requirements for, and functionality of, the SAM solution
- Comparing the benefits and risks of cloud-based and installed SAM solutions
- Identifying the information to be collected and reported by the SAM solution
- Researching and selecting potential vendors
- Establishing a SAM project budget
- Recommending a solution provider to management
- Negotiating license terms with the selected vendor
- Establishing a SAM project schedule following vendor selection
The SAM team should provide regular updates to management and keep employees apprised of the goals of the program. One key message is that the corporation is committed to properly manage its software assets. In addition, the responsibility for the proper use of the software and compliance with the SLA rests with every employee.
Choosing the right tool
There is a wealth of SAM software solution providers on the market. And like any other product, each offering has its strengths and weaknesses.
Some key features for the SAM team to consider when drawing up requirements and interviewing vendors include:
- Device compatibility
- Breadth and detail of software discovery and recognition
- Frequency of software library updates
- Compatibility with, or enhancement of, existing tools (e.g., Microsoft Intune and SCCM)
- Vendor audit support
- Installation process
- Required IT infrastructure
- Level of vendor training
- Maintenance costs
- Cloud management capabilities
- Support for remote devices
Each of these feature categories are examined below.
No two companies have the same SAM requirements.
To truly meet the company's requirements, a SAM solution needs to be configurable. These include the appearance and content of the dashboard, the number and definition of database fields, custom report generation, standard reporting, and the solution’s inter-operability with other systems within the organization.
The SAM team should carefully consider the process involved in customizing the solution so that it best fits the company's needs. For more advanced solutions, this may require database programmers for writing new reports or the inclusion of a configuration layer that speeds customization and even enables administrators to make modifications after the system is installed.
Key factors include:
- The degree to which professional services are needed for initial installation and later modifications
- The ability of the users to create ad-hoc reports
- The ability for systems administrators to add fields
- The ease of importing data from existing sources
Configurability is a critical factor when it comes to usability and the degree to which the SAM solution meets the corporation's specific needs.
Corporations' computing infrastructure and network architecture are constantly changing.
Businesses grow through acquisition and expansion. The number of end user devices expands and changes as technology advances. Business models adapt to external forces, such as adopting remote work. A SAM solution needs to easily scale across the corporation and include the number, type, and location of installed and mobile devices.
The SAM solution also needs to work as well for a company with 1,000 devices as one with 100,000.
A corollary to scalability is deployment. A system that depends on installed agents will scale far less quickly than an agentless solution. Key factors for the SAM team to consider include:
- Support for wired and mobile devices
- Support for remote workers and distant facilities
- The endpoint for installed discovery agent software
- Device count limitations
- Dynamic expansion as the company's computing needs increase
Scalability is critical to ensure that all the firm's software can be managed as the company's needs grow.
These factors that must be considered when selecting a SAM tool:
- Breadth of software discovery (software and device types)
- Software discovery detail
- Software recognition library
- Re-use of existing information from existing tools (e.g., SCCM, Active Directory)
- Use of licensed software in remote locations and work-from-home locations
- Ability to discover cloud assets
- Ease and detail of reporting
Extent of Software Discovery
To provide maximize benefits, a SAM tool must discover the widest range of software titles in use across all devices in the organization. This would include server software, desktop/laptop applications and mobile device software apps.
Failure to do so results in an inaccurate picture of the licensed software, which can lead to software license compliance issues, undetected vulnerabilities, and the use of unauthorized or unsupported software.
When selecting a SAM tool, it is critical to find out whether a vendor's standard offering includes the discovery of all software licensed by the company.
Software Discovery Detail
Simply discovering software is not enough to provide the detail needed for a fully functional SAM program.
To be effective, the SAM software must discover and report on the details. These include software titles by version and release, software patches, drivers, and device location.
This level of discovery detail can become critical when upgrading or replacing equipment or operating systems. It can also help in identifying vulnerable software and locating unpatched devices.
In addition, many software titles can have multiple identifiers depending on the reseller that supplied them. Consequently, the SAM tool needs to recognize and reconcile these software titles to determine license compliance and evaluate any under/over licensing situations.
Software Recognition Library
Software vendors must continually update software recognition libraries to ensure that discovery and reporting functions are as accurate as possible.
Updates and additions should include software titles, releases, and versions. The vendor should commit to regularly adding new software to the library and to researching software that is discovered but not identified. If the SAM tool is not cloud-based, these updates should be regularly transmitted to the server hosting the SAM tool.
Also, to make sure the software title recognition function works as described above, the library should index the various identifiers assigned to the same software title (e.g., MSWord, Word, Win 10 Word).
Re-Use of Existing Information
Most companies already have some form of electronic records that track software license purchases, what software is installed on various machines, and the software titles in use within the organization.
Software vendors provide tools to identify and inventory their products being used by licensees (e.g., Microsoft SCCM and Active Directory). This is valuable information to the organization and should be integrated into, or used by, the SAM tool. Ideally, the SAM solution will augment the vendor-provided tools to provide a thorough and complete SAM resource.
Ability to Discover Cloud Assets
Almost all companies nowadays operate a cloud infrastructure. This means not just direct SaaS offerings, but also cloud servers, cloud databases and other cloud infrastructure will often form part of the organization's IT asset portfolio. So, the ability to discover what software is installed on these servers is extremely important.
Licensing becomes even more complicated when companies work with (or within) virtual environments. Server virtualization rights often permit the installation of a software solution or operating system on both a physical host as well as several virtual machines (VMs).
Given the dynamic nature of this type of environment and the complexity of the licensing requirements, maintaining server virtualization rights can become challenging, if not impossible, without an appropriate SAM solution in place.
Data isn't useful until it can be reported upon.
Accurate, flexible, and easy-to-use reporting is key for a successful SAM program. In addition to standard, vendor-supplied reports, the user should be able to configure reports based on selected fields and save them or run them on an ad hoc basis.
For maximum value, the user interface should be easy to use and not require any database programming skills. Reports should also include the use of Boolean processes to identify systems missing key software products (e.g. security software), software not listed on purchasing records (e.g. software purchased or installed by an employee) or important patches.
The system should also provide a dashboard reporting system with real-time information on areas of particular interest.
Compliance and Audit Support
One of the key benefits of a SAM program is determining a company’s level of compliance with its software license agreements (SLA). This gives the company the ability to make any necessary adjustments and to maintain full compliance at all times. Compliance is simply using the same number of software titles as were paid for and using them in accordance with the terms of the SLA. A good SAM tool will:
- Compare the number of discovered software titles
- Normalize the different versions and identifiers
- Aggregate them into a total count of that title
- Compare that number to the purchased license quantity
- Report any over and under licensed software
If the numbers of discovered titles and purchased titles match, the firm is in compliance with the SLA.
If the purchased quantities are greater than the number of titles discovered, the company is over licensed and can put any future purchases of those titles on hold.
If, however, the opposite is true, the company is out of compliance and must take steps to acquire additional licenses.
This is why monitoring software license compliance should be a continuing process whereby the firm identifies compliance issues on an ongoing basis and is prepared for an audit request from any software vendor at any time.
Software companies conduct regular compliance audits. These can be costly, disruptive and time consuming for the company in question.
Software vendors can be aggressive in conducting audits and often treat them as a revenue generating exercise: If a company is found to be out of compliance, it must purchase additional licenses on top of paying damages.
A SAM program can mitigate the impact and cost of an audit. Ideally, the accuracy of the reports generated by the chosen SAM solution is certified by one of the major software auditing agencies (e.g., SIIA, BSA). That being the case, the company can run the requested reports, submit those reports to the software vendor, and the issue will be quickly resolved.
However, if the selected SAM tool is not certified – or if the company is unsure of how to generate the requested information – the SAM vendor should be ready to provide the services needed to generate those reports. As part of those services, the vendor should explain its methodology to the auditor to substantiate the accuracy of the information provided by the SAM solution.
If no SAM tool is in place, the targeted company should research a SAM vendor or contact its large account reseller (LAR), who will provide SAM as a service. Such a service would normally be provided via the cloud; no on-site installation would be required.
SAM, as a service, should rely on an agentless system. This makes introducing the SAM program easier and minimizes any disruption to the target company's operations.
SAM and the Cloud
Cloud computing has changed the entire landscape of corporate computing. It has not, however, eliminated the need for firms to manage, measure and monitor their cloud-based software assets.
Software-as-a-Service (SaaS) assets must be counted and reconciled just as on-premises assets must be managed. Measuring and accounting for cloud assets is becoming even more critical as major software providers are moving to cloud-based products.
Microsoft's Windows 10, Office 365 and Adobe's entire suite of products are prime examples. This makes it all the more important that firms use a single resource to analyze their software asset information.
Most companies use multiple cloud providers in the form of both SaaS products and cloud servers. Managing all those assets involves discovery and API integration, plus numerous reporting, and tracking resources.
Ideally, the chosen SAM tool can manage both cloud-based and on-premises software assets, bringing them into the same database. This provides a single, unified view of a firm's assets in a single solution. Such an approach provides several benefits:
- Cloud assets and "behind-the-firewall" assets are incorporated into a single ITAM database and can be analyzed, measured, and reconciled using one application
- Information required for software license compliance, overall software license count, under/over license counts, and cost/risk assessments are easily obtained
- Cost analysis and avoidance can be accessed using a comprehensive dashboard with standard and custom reports
- As virtual machines can switch from cloud to local processing, the pathway that the virtual machine has visited should be visible
Firms typically use multiple cloud providers, so the SAM solution should be able to compare assets across providers and identify any duplication incidents and compatibility issues.
Also, using a single SAM solution will deliver cost-savings and improved efficiencies. Knowing what cloud services are being paid for is key to cost containment. Without an ongoing centralized inventory of cloud resources, firms can continue to pay for a server they stopped using several months ago. Comparing cloud performance to value is crucial for maintaining cost efficiencies, but difficult to do without the information collected in a single database.
Managing all the enterprise's software assets in one coordinated, continuously updated resource will lead to cost efficiencies, improved controls, and better risk management.
Measuring SAM Success
Simply acquiring and installing a SAM tool doesn’t mean the job is done. The organization needs to establish agreed performance indicators to measure the progress and success of the SAM program. Typically, performance indicators measure six components of activity:
- Input - the inputs required of an activity to produce an output
- Output - the outcome or results of an activity or group of activities
- Activity - the transformation produced by an activity
- Mechanism - what enables an activity to work
- Control - an object or system that controls the activity's production through compliance
- Time - a temporal element of the activity
No two organizations will have the same performance indicators. However, some common SAM project activities that are measured include:
- Installation timeframe
- Time to generate useful information from the system
- Number of discovered software titles
- Software inventory compared to purchasing records
- Degree of software license compliance
- Active use of the information generated by the solution
- ROI generated by the SAM program
Whatever metrics are agreed, management should be kept appraised of the progress of the program as well as any resulting financial benefits.
SAM – A Critical Function
There is little debate on the value that a fully functional SAM program brings to an organization. Proper planning, careful SAM tool selection and a methodical implementation will yield ongoing operational and financial benefits to the organization.