Sunday, May 19, 2013

Discovering SAM

Software Asset Management (SAM) and meFrankly I do hope people read through such long articles.

I chanced upon SAM in the course of my infosec consulting and was very impressed with the requirements of the practice. I also realized that a majority of software users are unaware of their license compliance requirements and are clueless about the benefits of SAM. Going deeper into SAM practices and requirements I decided that I shall take this as an area of specialization for my practice.

So I begin to review tools, standards, best practices and gaining more experience. One day I attended a seminar where BSA was a sponsor and after the talks I tried to get to talk to the person who had presented on software licensing etc. I was in for the first rude shock of my InfoSec career when I was brushed off with the comment that Big-4 are qualified for this work and that I need to be certified too … which means I should spend about $2,000 with BSA.

Walking away I wondered if I shall learn rocket science or develop some super powers by paying 2k. Today I am seriously thinking about spending this money just to get to know (firsthand) what is it that BSA teaches. I mean I have seen a lot of practices and would seriously like know if this is what is taught for the 2k!

Well after this I got down to doing my own thing, helping clients achieve compliance with their license requirements.

Until one fine day when I was to visit New Delhi and called BSA for an appointment – surprise ! I am told that they are not available for a meeting – this is disclosed after I have shared my objective for the meeting. And my objective is that I want to work with BSA guidelines in my SAM practice.

In this interim I tried to reach out to some of the License Managers with the software majors and guess what – no one had the decency to respond to my request to meet me so I can request an understanding of their licensing practices to include in my advisory service. Yes I found that there are a couple of other organizations like BSA and I found one with an Indian country manager. This Country Manager is ex-BSA head and I managed to connect with him on Linked In. After connecting I sent him a message asking for a meeting and guess what – after 6 months or so I am still waiting for a reply! Even he does not want to meet me to discuss issues of piracy and how I can work at my level to wean my clients away from this practice.

My thought is that I help my client go legit and avoid the hassle of a software audit / review / raid but it seems that all these people (organizations and software vendors) who are “supposedly” protecting the rights of license owners are not interested in having informed users.
Maybe they are afraid that an informed user will be legit and these people would have spent money hiring the big-time auditors for no reason.

Another thing I have learned is that SAM compliance audits contribute about 25-30% of the sales revenue for any of these software majors. No wonder this is highly secretive, with an expensive entry barrier and very very grim.

So, me and SAM are apparently not getting along very well. The reason is that I am a simpleton and a straight shooter and cannot understand this stonewalling. I do understand the desperate lives of these ‘license compliance’ people and the power they wield – sort of paradoxical. I do know about the modus operandi and my lawyer and consulting friends provide more case studies.

Nothing is likable here. I mean – these guys are selling software which is insecure. They issue patches in more numbers than one visits the washroom to clean up. These systems and applications are compromised and breaches take place. And if you read the license terms it is like they have done you a big favor by allowing you to use their dirty stuff. To add insult to injury, a goon in a suit may visit you at any time, shove his/her script into your network, probe your crown jewels and unleash the grim reaper on you.

Thank you for buying my software. I am not a monopoly, I am an autocratic oligarchy. And, since I was a child I wondered why Open Source existed – am I happy there is another world.

OK so SAM is not a clean thing. I call it a baby iceberg. Just because it has the smallest visible threat surface but may be the biggest threat-in-waiting. Keep the APTs, DDOS attacks, malware etc aside – this is a WMD, a pet which will turn rabid without warning and bite you.

Enough said and until the day ethics, morality and decent business practices are considered important it will be good if you prevent the WMD going off in your organization. Make sure you track every single license you purchase and install. Keep a license register and log installations, removals and retirements. Be careful not to use unlicensed software or cracks, even if it is only to test. Do not exceed the number of installations you are entitled to under your agreement. If you do not know make sure you ask your vendor to arrange a training and awareness session BEFORE you sign the PO. Oh yes, if there is an upgrade then make sure you ask this question twice because you may be entering into a grey zone.

Licenses take pride in being complicated and big. In fact everyone is unusually impressed by a document which is long, very verbose, with paragraphs in capital letters  dispersed throughout the document, numbered paragraphs, complex internal cross references,  no spelling errors and lots of legalese. That’s why you just clicked ‘accept’ and then next > next > until ‘finish’ – what you do not realize that (possibly) you violated some term of the license during installation itself !! hahahah – yes sir – read it closely and the agreement assumes that the person installing the software is authorized to legally bind the company with the terms that are being accepted.