It’s the time of year when we get a little reflective and look back on trends we are seeing in the software asset management industry. One of the biggest trends I’ve noted this year in Software Asset Management is vendors deliberately targeting what I call “Accidental Access” for huge software audit settlements. You will want to understand accidental access and be proactive to ensure your organization doesn’t get hit with an audit.
Define Accidental Access
I define accidental access as occurring when software is inadvertently installed in a location in which it COULD potentially be accessed by other unintended users. In a simple example, a copy of Project Professional is installed on a server with the intention of making it accessible to a subset of 25 licensed users. However, the entire company of 2,500 users could theoretically access this copy of Project Professional. This would mean that all 2,500 users would technically need a license for Project Professional, not just the initially assumed 25 users.
It Gets More Complicated.
Software licensing models are generally designed by licensing geeks like yours truly and because of that, they get complicated. We think we’ve built a licensing model that’s fair for both the consumer and the software vendor and we release it into the market. Then new technology, in the form of new ways to deploy and consume software, coupled with highly technical people, breaks the model. In the past, technologies like terminal services or remote desktop have been highly disruptive to existing licensing models. Today licensing models need to contend with virtualization, VDI, Active Directory, and cloud, among others.
What’s the Worst That Could Happen?
In the past, most software vendors didn’t target accidental access specifically in an audit or a Software Asset Management engagement. It may have been brought up as a negotiation tactic but it wasn’t targeted. A common tactic we are now seeing is that they approach you and request that you conduct an internal assessment which seems benign on the surface. Usually one of the questions in their site survey document asks if you use virtualization technologies in your environment. Once you confirm that you have virtual environments they will frequently shift the engagement into a more formal audit.
This last year I’ve observed multiple vendors who have targeted this to attempt to drive large compliance settlements. This issue popped up enough this year that we wrote an article warning about this risk. In the example used in our article the potential gap was in the hundreds of millions of dollars.
Article – Beware The Smaller Software Vendors
This year we also explored the issue of SAP Indirect Access, which is similar in that they are targeting what I will call non-traditional users for whom it was assumed that licenses were not required. The contracts are vague but courts in Europe have ruled in SAP’s favor and it has resulted in penalties in the hundreds of millions of dollars.
What Can I Do About it?
The best approach is to get ahead of this potential issue and be proactive. The good news is that there are a number of steps you can take to mitigate possible exposure by accidental access.
Step 1: Read your contracts and look for language around how they license their products and how they define the ways you can access their products. For example, here is the language from SAP’s contracts specific to the term “use”:
Based on what you see in these contracts, you may need to make some changes in terms of how you deploy/provide access to the software.
Step 2: Use a software inventory tool to see what is deployed on your network. If you have one already, that’s great! If not, consider looking into something like Microsoft MAP, which is both free and also what Microsoft would use in a software audit/Software Asset Management engagement. https://www.microsoft.com/en-ca/download/details.aspx?id=7826
Step 3: Review your server access and your Active Directory (AD) structure. Check settings and policies and ensure that only the people/devices who need access to server-based applications have access. This can be a complicated exercise and can also include taking steps like creating an AD User/Device group policy in which you can control access. I strongly recommend that you contact us at MetrixData360 for some expert guidance before you undertake this exercise.
Step 4: Consider a series of Self Assessment exercises in which you effectively conduct a self-audit to ensure that you are prepared and that there are no Accidental Access problems lurking. MetrixData360 specializes in offering self-assessments for a number of major and not so major software vendors. This gives you the ability to get ahead of things and ensure that the audit is conducted with the same rigor you would expect from a software vendor audit. We have helped our clients save millions of dollars in terms of audit settlement avoidance.
Step 5: This sounds complicated and I don’t want to do it myself. Honestly, I don’t blame you if you are feeling this way about software asset management and the issues surrounding accidental access. The good news is that we have a managed service offering called SAM Compass. SAM Compass is a totally unique and proven process that taps into your existing data and allows you to easily visualize deployment data. It solidifies your software license position and identifies opportunities for optimization and cost reduction of licensing. If you think SAM Compass might be right for you either click the contact us button below or join us for a free webinar to learn more.
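To make the Step 3 review concrete, here is an added example (not from the original article or from any vendor tool) that expands nested group membership to find who can actually reach a server-hosted application and compares that with the licensed users. All group names, user names and the access list are constructed for illustration.

```python
# Added example: constructed data, hypothetical names throughout.

# Group membership as it might be exported from a directory (constructed).
# A member is either a user name or another group name (nested group).
GROUPS = {
    "Project-Licensed": ["alice", "bob"],
    "PMO": ["Project-Licensed", "carol"],
    "All-Staff": ["PMO", "Contractors", "dave", "erin"],
    "Contractors": ["frank", "All-Staff"],  # membership cycle, handled below
}

# Principals allowed to log on to the server hosting the application (constructed).
SERVER_ACL = ["Project-Licensed", "All-Staff"]

# Users the organization actually holds licenses for (constructed).
LICENSED = {"alice", "bob"}


def effective_users(principals, groups):
    """Expand principals into individual users, following nested groups
    and tolerating membership cycles."""
    users, seen, stack = set(), set(), list(principals)
    while stack:
        p = stack.pop()
        if p in groups:
            if p not in seen:  # visit each group once, so cycles terminate
                seen.add(p)
                stack.extend(groups[p])
        else:
            users.add(p)
    return users


def accidental_access(acl, groups, licensed):
    """Map each access-list entry to the unlicensed users it exposes."""
    report = {}
    for entry in acl:
        exposed = effective_users([entry], groups) - licensed
        if exposed:
            report[entry] = sorted(exposed)
    return report


if __name__ == "__main__":
    reach = effective_users(SERVER_ACL, GROUPS)
    print(f"{len(reach)} users can reach the server, {len(LICENSED)} are licensed")
    for entry, users in accidental_access(SERVER_ACL, GROUPS, LICENSED).items():
        print(f"  {entry} exposes: {', '.join(users)}")
```

The per-entry report shows which access grant to remove or narrow: here the broad group, not the licensed one, is the source of the gap.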