Wednesday, June 5, 2013

Software Asset Mis-management... who deserves to be hit?

It was another day and I was excited when I learned about another possible 'victim' of the SAM missile. I am putting them here for the record...

Case 1 - Last month a close friend who is the IS head got the review call, and I was happy to help him face the notice and the threatening discussions that followed when he pushed back. Yes, he pushed back, and the License Manager was somewhat surprised and changed track. In the end it was an ugly one and everyone came out smelling bad. To cut the story short, his company was wrong in its license use: they had a good quantity of licenses but needed more. They were plain lazy, and this requirement kept going under against other "priority" budget items. Well, they had to spend about Rs. 85 lacs ($ 150k) within a week of closure.

So much for the budget! All I can be happy about is that they are compliant and I could help them save about Rs. 40 lacs ($ 70k) - pro bono work to help a friend.


Today a fellow consultant provided information about a bank that is presently under scrutiny. Now this is different: it is a bank, and they are covered only about 15% with licenses; the balance 85% is pirated stuff. Well, they are desperately trying to move to open source and I am waiting for them to be HIT. They deserve to be HIT, and HIT BAD, and I hope that the s/w vendor that is reviewing them includes a penalty too.

I did offer to help and may provide advice too, but it is going to cost them if I am called. I know that they will not agree to pay my fees and will just seek advice (which I am not going to offer).

In any case I do not think they can be saved and I will really not be happy doing this.

===============


Am I being judgmental? I don't think so, as it is my prerogative. However, as I repeatedly say, I do not support piracy, especially if the person (or entity) can afford to buy the software. I am against strong-arm tactics against ignorance bred of complexity, and will continue to speak my mind whenever I come across an instance.

In the above cases both could afford to buy licenses; one was delayed in purchasing and had a friend at the helm, so I was okay in my support. The other could afford to buy but did not do so on purpose and deserves to be penalized. If I can get a share of the amount they will have to spend, it will be my good luck :)

More SAM and license stories as I keep hunting.

Sunday, May 19, 2013

Discovering SAM

Software Asset Management (SAM) and me

Frankly, I do hope people read through such long articles.

I chanced upon SAM in the course of my infosec consulting and was very impressed with the requirements of the practice. I also realized that a majority of software users are unaware of their license compliance requirements and are clueless about the benefits of SAM. Going deeper into SAM practices and requirements I decided that I shall take this as an area of specialization for my practice.

So I began to review tools, standards and best practices, and to gain more experience. One day I attended a seminar where BSA was a sponsor, and after the talks I tried to talk to the person who had presented on software licensing. I was in for the first rude shock of my InfoSec career when I was brushed off with the comment that the Big-4 are qualified for this work and that I need to be certified too … which means I should spend about $2,000 with BSA.

Walking away I wondered if I would learn rocket science or develop some super powers by paying 2k. Today I am seriously thinking about spending this money just to get to know (firsthand) what it is that BSA teaches. I mean, I have seen a lot of practices and would seriously like to know if this is what is taught for the 2k!

Well after this I got down to doing my own thing, helping clients achieve compliance with their license requirements.

Until one fine day when I was to visit New Delhi and called BSA for an appointment – surprise! I am told that they are not available for a meeting – this is disclosed after I have shared my objective for the meeting. And my objective is that I want to work with BSA guidelines in my SAM practice.

In the interim I tried to reach out to some of the License Managers at the software majors and guess what – no one had the decency to respond to my request for a meeting so that I could gain an understanding of their licensing practices to include in my advisory service. Yes, I found that there are a couple of other organizations like BSA, and I found one with an Indian country manager. This Country Manager is an ex-BSA head and I managed to connect with him on LinkedIn. After connecting I sent him a message asking for a meeting and guess what – after 6 months or so I am still waiting for a reply! Even he does not want to meet me to discuss issues of piracy and how I can work at my level to wean my clients away from this practice.

My thought is that I help my client go legit and avoid the hassle of a software audit / review / raid but it seems that all these people (organizations and software vendors) who are “supposedly” protecting the rights of license owners are not interested in having informed users.
Maybe they are afraid that an informed user will be legit and these people would have spent money hiring the big-time auditors for no reason.

Another thing I have learned is that SAM compliance audits contribute about 25-30% of the sales revenue for any of these software majors. No wonder this is highly secretive, with an expensive entry barrier and very very grim.

So, SAM and I are apparently not getting along very well. The reason is that I am a simpleton and a straight shooter and cannot understand this stonewalling. I do understand the desperate lives of these ‘license compliance’ people and the power they wield – sort of paradoxical. I do know about the modus operandi, and my lawyer and consulting friends provide more case studies.

Nothing is likable here. I mean – these guys are selling software which is insecure. They issue patches in more numbers than one visits the washroom to clean up. These systems and applications are compromised and breaches take place. And if you read the license terms it is like they have done you a big favor by allowing you to use their dirty stuff. To add insult to injury, a goon in a suit may visit you at any time, shove his/her script into your network, probe your crown jewels and unleash the grim reaper on you.

Thank you for buying my software. I am not a monopoly, I am an autocratic oligarchy. And, since I was a child I wondered why Open Source existed – am I happy there is another world.

OK, so SAM is not a clean thing. I call it a baby iceberg, because it has the smallest visible threat surface but may be the biggest threat-in-waiting. Keep the APTs, DDoS attacks, malware etc. aside – this is a WMD, a pet which will turn rabid without warning and bite you.

Enough said, and until the day ethics, morality and decent business practices are considered important, it will be good if you prevent the WMD going off in your organization. Make sure you track every single license you purchase and install. Keep a license register and log installations, removals and retirements. Be careful not to use unlicensed software or cracks, even if it is only to test. Do not exceed the number of installations you are entitled to under your agreement. If you do not know, make sure you ask your vendor to arrange a training and awareness session BEFORE you sign the PO. Oh yes, if there is an upgrade then make sure you ask this question twice, because you may be entering a grey zone.
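A bare-bones version of the license register described above, as an added example (not something from this post): it replays install, removal and retirement events from a log and flags any product whose live installs exceed the purchased seats, or which has no entitlement at all. Product names, hosts and seat counts are constructed sample data.

```python
"""Minimal license register: log installs/removals/retirements and check each
product's live installation count against the purchased entitlement.
Added example; product names, hosts and counts are constructed sample data."""
from collections import defaultdict
from datetime import date

# Constructed register of purchased entitlements (product -> seats).
ENTITLEMENTS = {"OfficeSuite Pro": 3, "DB Server Std": 1}

# Constructed event log: (date, action, product, host).
# 'remove' and 'retire' both free a seat; 'retire' additionally
# records that the host itself left service.
EVENTS = [
    (date(2013, 1, 10), "install", "OfficeSuite Pro", "ws01"),
    (date(2013, 1, 10), "install", "OfficeSuite Pro", "ws02"),
    (date(2013, 2, 3), "install", "OfficeSuite Pro", "ws03"),
    (date(2013, 2, 3), "install", "DB Server Std", "db01"),
    (date(2013, 3, 1), "retire", "OfficeSuite Pro", "ws01"),
    (date(2013, 3, 5), "install", "OfficeSuite Pro", "ws04"),
    (date(2013, 4, 2), "install", "DB Server Std", "db02"),   # one seat too many
    (date(2013, 4, 9), "remove", "OfficeSuite Pro", "ws99"),  # never installed
    (date(2013, 4, 15), "install", "PhotoEditor", "ws02"),    # no entitlement
]

def active_installs(events):
    """Replay the log in date order; return product -> set of hosts installed."""
    installed = defaultdict(set)
    for _, action, product, host in sorted(events, key=lambda e: e[0]):
        if action == "install":
            installed[product].add(host)
        elif action in ("remove", "retire"):
            installed[product].discard(host)  # tolerate an unmatched removal
        else:
            raise ValueError(f"unknown action {action!r}")
    return installed

def compliance_report(entitlements, events):
    """Return product -> (installed, entitled, status) where status is
    'ok', 'OVER' (more installs than seats) or 'unlicensed' (no entitlement)."""
    installed = active_installs(events)
    report = {}
    for product in set(entitlements) | set(installed):
        n, seats = len(installed.get(product, ())), entitlements.get(product, 0)
        if product not in entitlements:
            status = "unlicensed"
        else:
            status = "OVER" if n > seats else "ok"
        report[product] = (n, seats, status)
    return report

if __name__ == "__main__":
    for product, (n, seats, status) in sorted(compliance_report(ENTITLEMENTS, EVENTS).items()):
        print(f"{product:16} installed={n} entitled={seats} {status}")
```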

Licenses take pride in being complicated and big. In fact everyone is unusually impressed by a document which is long, very verbose, with paragraphs in capital letters dispersed throughout the document, numbered paragraphs, complex internal cross-references, no spelling errors and lots of legalese. That’s why you just clicked ‘accept’ and then next > next > until ‘finish’ – what you do not realize is that you (possibly) violated some term of the license during installation itself!! hahahah – yes sir – read it closely: the agreement assumes that the person installing the software is authorized to legally bind the company to the terms that are being accepted.