by: Steve Schmidt
A number of recent discussion with ISVs have centered around expanding their software compliance programs. This has been triggered in part by industry examples such as those provided by SAP and Oracle. SAP has a policy of reviewing compliance frequently, and has provided basic tools to gather the required information. In recent news, Oracle has a verification program underway, where third party solutions have been confirmed to provide high quality data that can be used during a compliance review cycle.
Automation is a key requirement to expand a software compliance program. Neither the ISV nor their Enterprise customers will tolerate too much manual activity. From the Enterprise perspective, data regarding what is installed and used needs to be collected rapidly and accurately, from across the entire enterprise. If there is too much work, ISVs cannot reasonably expect high participation in the program. Instead they will hear “I want to be in compliance, but need your help to get there; what tools can be used to do that?” If pushed too far, user satisfaction also declines and starts to affect all parts of the customer-vendor relationship. From the ISV perspective, mechanisms to get the usage data back to them are needed, as are mechanisms to perform the comparison of usage data to a full list of software entitlements per customer. Hiring tens or hundreds of additional employees to go onsite to gather data, or to compare lists, is not an option.
Three key considerations in determining an approach to automation are:
• The level of pre-instrumentation required in the application - In other words, does the application need to be built in such a way that it can be identified and tracked? This depends on what type of information is needed to find the application and determine “usage” per the software license agreement. For most applications, solutions can be built to identify where existing versions are deployed and once that is done, any components required for advanced usage tracking can be installed in a targeted manner. This process can be improved, though, for future generations of the product by shipping those versions with a self-identifying and usage tracking capability. Thinking through that design now will improve software compliance program expansion options dramatically in the future.
• Data access - Who will have access to the information and how it will be shared? In many cases, the Enterprise users of the data will want to confirm that the solution is sending only the data required. A demonstration of the type of data may be sufficient. In other cases, the ability to review the filtered and pre-packaged results before they are shared with the ISV will be a requirement.
• Entitlement aggregation process – What will be the ultimate source of truth regarding the customer entitlements? Many ISVs sell and deliver their products through multiple channels, including direct, distributors, resellers, and retail. Ideally, there would be a common view per customer across all these software entitlement sources, which is maintained automatically so that it is accurate at all times. Integrating that data source directly with the data regarding entitlement consumption (what is downloaded, what is installed, what is used, etc.) will further streamline the process.
Where do you see automation successfully driving software compliance program expansion? What other factors are key to the automation process?