In the past 12 months, the spotlight on corporate behavior has reinforced and
refreshed a software inventory issue that is as old as the software industry
itself - software license compliance. Through the years, a steady stream of
software inventory products has been available to organizations that were
concerned enough to perform a software audit to ensure they were legally
entitled to run all of the software installed on their network. Today, it has
become clear that legal liability for misusing software licenses extends to
the officers of an organization, and therefore the stakes for accuracy in
software inventory management just got a lot higher.
There are a number of software audit techniques available in the industry.
Some software inventory tools provide huge listings of every executable item
found on a hard drive. This type of exhaustive software inventory report might
be of interest to some, but is of little direct use to the Compliance Officer
who needs not just accuracy and comprehensiveness, but also relevance and
succinctness in the data produced. Facilitating software license compliance is
not about producing mile-high piles of printout; it is about providing accurate
and timely data that starts at the organization summary level and facilitates
drill-down examination into the inevitable compliance anomalies.
A Compliance Officer can take several approaches to selecting a software
audit tool, including examining samples of software inventory analyses from a
representative selection of desktops.
First generation software inventory products
Early software inventory products relied on file names and sizes to identify
applications. In some, multiple versions of the same application were classified
as separate packages to inflate the apparent number of packages recognized. Of
course, listing versions of the same application as different packages
complicated the job of the Compliance Officer trying to prepare for a software
audit by compiling relevant information on application ownership.
Although recognition techniques have expanded, Compliance Officers should be
watchful for any software inventory tools that still contain this hangover from
earlier days. Instead, one should look for software audit tools that record the
detail of multiple application versions installed, and also consolidate that
information as drill-down detail within an overview of a single known licensed
application.
The Add/Remove programs generation
A second generation of software inventory products came onto the market
relying on reading data in the Add/Remove programs section of the registry to
perform a software audit. This was attractive to tools vendors looking for a
quick and easy entry to the growing market for software inventory, as it
bypassed the need to build a library of file-based recognition rules.
For a while, 'Add/Remove Programs' became fashionable, but the data held in
the registry was often incomplete and unreliable, or just plain inconsistent.
Total reliance on this software audit technique is mainly seen at the lower end
of the market.
It is, however, a handy technique for establishing the identity of previously
unrecognized applications, around which a relevant application recognition
rule-set can be based.
The file headers generation
The third major software inventory technique is the interrogation of file
headers ('VersionInfo') in which application vendors provide application, vendor
and version information. This is a voluntary practice, and there are
inconsistencies in the way it is applied which must be overcome to generate
succinct and usable results.
Multiple executable files (DLLs as well as EXEs) in an application directory
tree will contain differing VersionInfo; individual programmers in the vendor's
development team may have adopted cryptic versions of their employer's name. In
an ideal world, this variability would not exist, but since when has desktop
computing been an ideal world?
The Compliance Officer, still embroiled in selecting a tool on which this
career-critical software audit exercise is going to be based, should look for a
software inventory tool which addresses this problem by applying intelligence to
the VersionInfo interrogation process to generate a complete and accurate
picture of the application, the vendor and the version.
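One way to apply that kind of intelligence, shown as an added example rather than any vendor's own code: VersionInfo read from every file in an install folder is normalized, a majority vote picks the vendor and product, and each version becomes drill-down detail under a single application. The sample records, the alias table and the one-folder-per-install rule are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: (host, file path, CompanyName, ProductName, ProductVersion)
# as read from VersionInfo resources. All names and versions are hypothetical.
SCAN = [
    ("PC-001", r"C:\Program Files\ExDraw\exdraw.exe", "Example Software, Inc.", "Example Draw", "4.1.0.12"),
    ("PC-001", r"C:\Program Files\ExDraw\render.dll", "ExSoft", "Example Draw", "4.1.0.9"),
    ("PC-001", r"C:\Program Files\ExDraw\zlib.dll", "", "zlib", "1.2.3"),
    ("PC-002", r"C:\Program Files\ExDraw\exdraw.exe", "EXAMPLE SOFTWARE INC", "Example Draw", "3.0.2.1"),
    ("PC-002", r"C:\Program Files\ExDraw\render.dll", "Example Software", "Example Draw", "3.0.2.1"),
]

SUFFIXES = {"inc", "corp", "corporation", "ltd", "llc", "co"}
ALIASES = {"exsoft": "example software"}  # hypothetical map of cryptic vendor strings

def normalize_vendor(name):
    """Lower-case, drop punctuation and corporate suffixes, then resolve aliases."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    key = " ".join(w for w in words if w not in SUFFIXES)
    return ALIASES.get(key, key)

def consolidate(scan):
    """Return {(vendor, product): {version: sorted hosts}}, one entry per application."""
    installs = defaultdict(list)  # (host, install folder) -> VersionInfo of its files
    for host, path, company, product, version in scan:
        folder = str(PureWindowsPath(path).parent).lower()
        installs[(host, folder)].append((path, company, product, version))
    apps = defaultdict(lambda: defaultdict(set))
    for (host, _folder), files in installs.items():
        # Majority vote across the folder, so a bundled third-party DLL or a
        # cryptic vendor string does not show up as a separate package.
        vendors = Counter(normalize_vendor(c) for _, c, _, _ in files if c.strip())
        vendor = vendors.most_common(1)[0][0] if vendors else "unknown"
        product = Counter(p for _, _, p, _ in files).most_common(1)[0][0]
        # Prefer the version stamped on an EXE that carries the winning product name.
        candidates = [(not f.lower().endswith(".exe"), v) for f, _, p, v in files if p == product]
        version = min(candidates)[1]
        apps[(vendor, product)][version].add(host)
    return {app: {v: sorted(h) for v, h in vers.items()} for app, vers in apps.items()}
```

Run over the sample, five file records with four different vendor spellings collapse to one application with two installed versions.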
Mature software audit products
The existence of multiple approaches to software identification increases the
challenge of choosing a software audit tool. All three software inventory
techniques described above have strengths and weaknesses. There are, however, a
handful of mature software audit products that have grown up through all three
eras and have evolved to combine the three identification techniques in the
pursuit of producing data that is comprehensive but concise.
These are products which have matured to address the software audit needs of
the CIO and Compliance Officer, while not forgetting the needs of the original
software auditors - the front-line network administrator daunted by the task of
maintaining hundreds or thousands of desktops in a stable but up-to-date
condition.
A software audit tool should provide precise, uncluttered, comprehensive asset
data that can be accessed from a browser, combined with access to the precise
version information of one DLL in thousands, which is critical to smooth
operations and productivity.
As a Compliance Officer, once you are into a detailed assessment of a short
list of software audit tools, why not get the vendor to take the wraps off the
underlying database structure, if they don't already publish it? Look for the
ability to hook into the data in the future to use it in ways you or the tool
vendor haven't even thought of yet. Is it easy to generate and run queries
against the data? Is it accessible to your favorite reporting tool? How easy is
it to extend the database with other tables to attach characteristics
appropriate to your organization?
Future considerations
Finally, before making a software inventory tool selection based solely on
performance in a compliance context, determine what your next priority is going
to be. When the software audit reveals applications that are installed in excess
of the number of licenses you own, what action are you going to take? Simply
purchasing more licenses to match up with the copies installed is laudable and
great news for the application vendors, but it's not very savvy.
That's where software utilization measurement comes to the rescue. Suitably
integrated with the software inventory data, application usage ('metering') data
identifies the rarely or never used copies of expensive application software.
These copies can become your first target for reducing the number of installed
copies of an application down to the purchased level to achieve compliance. And,
although a Compliance Officer may be pleased to find the installation count of
application X is below the number of licenses owned, the CIO is still going to
want to know how and when these copies are used and whether the scope exists to
de-install software and reduce the annual maintenance contract on the
application.
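The reconciliation described above, as an added example that is not taken from any product: inventory counts are compared with licenses owned, and metering data ranks the installed copies so the least-used ones are reclaimed first. The application names, hosts, dates and the 90-day idle threshold are constructed for illustration.

```python
from datetime import date

# Constructed sample data; every name and number here is hypothetical.
LICENSES_OWNED = {"Example Draw": 2, "Example CAD": 5}
INSTALLS = {  # application -> hosts with a copy installed (from the inventory)
    "Example Draw": ["PC-001", "PC-002", "PC-003", "PC-004"],
    "Example CAD": ["PC-001", "PC-005", "PC-006"],
}
METERING = {  # (application, host) -> (launches in period, date of last launch)
    ("Example Draw", "PC-001"): (41, date(2024, 5, 30)),
    ("Example Draw", "PC-002"): (1, date(2024, 1, 9)),
    ("Example Draw", "PC-004"): (17, date(2024, 5, 28)),
    ("Example CAD", "PC-001"): (23, date(2024, 5, 29)),
    ("Example CAD", "PC-005"): (0, None),
}

def reclaim_plan(licenses, installs, metering, as_of, idle_days=90):
    """Per application: the licence shortfall and which copies to de-install first."""
    plan = {}
    for app, hosts in installs.items():
        def usage(host):
            launches, last = metering.get((app, host), (0, None))
            idle = (as_of - last).days if last else float("inf")
            return idle, launches
        # Longest-idle copies first, then fewest launches; host name breaks ties.
        ranked = sorted(hosts, key=lambda h: (-usage(h)[0], usage(h)[1], h))
        excess = max(0, len(hosts) - licenses.get(app, 0))
        idle = [h for h in ranked if usage(h)[0] >= idle_days]
        plan[app] = {
            "excess": excess,
            # Copies to remove to get back down to the purchased level.
            "remove_for_compliance": ranked[:excess],
            # Further idle copies: candidates for reducing maintenance cost.
            "idle_beyond_compliance": [h for h in idle if h not in ranked[:excess]],
        }
    return plan
```

A host with no metering record is treated here as never having used the application; confirm that metering was actually running on that host before reclaiming its copy.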
Conclusion
So, when looking for a software audit tool to support the drive for license
compliance, it makes sense to team up with colleagues charged with minimizing
desktop ownership costs.
Historically, license compliance has carried the image of provoking massive
additional costs in buying more copies, but experience shows that broadening the
scope of a compliance exercise to what Vector Networks terms "Software Asset
Optimization" can result in massive annual cost savings as desktop application
deployment is brought back into line with the organization's true
requirements.