By Peter Rowe
This is part 2 of the blog we posted last week. (See Software Asset Management and Governance – The Road to Hell? (Part 1))
The Scope of SAM Governance
Any updated or newly implemented Software Asset Management (SAM) governance program should take account of a wide range of processes. It is potentially the wide scope of these processes that can seem overwhelming to those responsible for implementing IT / software asset management in any organisation. There is also a dependency on numerous data sources with varying degrees of trustworthiness as to their accuracy and relevance. SAM processes and procedures are key to maintaining compliance and maximising the return on the organization’s software investment. They must include at least the following:
Software Discovery, Inventory, Identification and Normalization – What applications does the organisation have installed and where are they installed? How did these applications come to be installed in the organisation, and who is responsible for them in terms of infrastructure, maintenance, licence compliance and financial management?
Application Rationalisation and Consolidation – What applications does the organisation actually use, or need to use? What versions and editions of the same software product are installed? Are there redundancies in application functionality? Application rationalization and consolidation allows organizations to periodically reduce their software footprint by standardizing on specific versions and editions of software and removing redundancies. How does the organisation create and manage what is commonly referred to as a “White List” of approved applications and a “Black List” of prohibited applications?
Software Packaging and Installation – How does the organisation package, maintain, upgrade, modify and distribute the applications on the approved “White List”? How do users request new applications for consideration for entry in the “White List”? How does the organisation ensure new applications are fit-for-purpose and suited for the organisation’s environment?
Software Installation Requests – How do users request new software? How do users request updates to existing software? How do users request software that is not on the approved “White List” but which they can justify for business use? How do users request removal of software they no longer need?
“Harvesting,” Licence Re-Allocation, and Re-Use – What is the definition of “Usage”? How do users justify infrequently using high-cost applications? Do users get the option of “justification” or is software just removed automatically if it has not been used for a certain period of time? Can high-cost applications be leased to users for a set period to engender the view that access to applications does not need to be a perpetual concept?
Mobile Applications – Access to applications via mobile devices must be managed in the same way as access to applications on traditional platforms—desktops, laptops, etc. How does the organisation maintain the approved list of applications? How do users access the approved list of applications? How are licences and usage managed? Are the application owners even aware of some of the more complex product use rights and licensing terms for mobile applications and how is this information communicated to the organization by IT and Procurement?
Cloud Infrastructure Services and SaaS Applications – Who is responsible for purchasing cloud services? Is it centralized? How does the organization keep track of costs and utilization across multiple cloud services accounts? Are cloud infrastructure “instances” (virtual machines) being used effectively? Does the organization have the right subscription level for Software as a Service (SaaS) applications to best meet business needs while controlling costs?
Security – How can your organization reduce unlicensed and unauthorized software in the IT environment? (There is a strong correlation between occurrences of malware and unlicensed software.) How do you identify occurrences of software in your environment with known software vulnerabilities? What is the process to remediate those vulnerabilities?
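The discovery/normalization, White List/Black List and vulnerability-identification points above are tied together in the following reconciliation script. It is an added example written for this post, not Flexera code or output from any of the products named below. It normalizes raw inventory rows as two discovery tools might report them into one canonical (publisher, product, version) form so that the same install counted by both tools is counted once, checks each install against an approved list and a prohibited list, and flags versions earlier than an advisory's fixed version. Every host name, product name, alias mapping and advisory identifier in it is constructed for the demonstration.

```python
"""Added example: minimal SAM reconciliation over constructed inventory data.

Nothing here comes from the original post; product names, hosts, the alias
table and the advisory id are all made up to exercise the logic.
"""
from dataclasses import dataclass
import re

# Normalization table: raw names as different discovery tools report them,
# mapped to one canonical (publisher, product). Constructed for the example.
PRODUCT_ALIASES = {
    "acme office pro": ("Acme", "Office Pro"),
    "acme office professional": ("Acme", "Office Pro"),
    "widget cad 2019": ("Widget Inc", "WidgetCAD"),
    "torrent-o-matic": ("Unknown", "Torrent-O-Matic"),
}

# Constructed raw rows, as if merged from an agent and a systems-management tool.
RAW_INVENTORY = [
    {"host": "ws-001", "name": "Acme Office Pro", "version": "12.1.3", "source": "agent"},
    {"host": "ws-001", "name": "ACME  Office Professional", "version": "12.1.3", "source": "sccm"},
    {"host": "ws-002", "name": "Acme Office Pro", "version": "12.0.9", "source": "agent"},
    {"host": "ws-002", "name": "Widget CAD 2019", "version": "2019.2", "source": "agent"},
    {"host": "ws-003", "name": "torrent-o-matic", "version": "3.4", "source": "agent"},
    {"host": "ws-003", "name": "HomeBrewTool", "version": "0.1", "source": "agent"},
]
WHITE_LIST = {("Acme", "Office Pro"), ("Widget Inc", "WidgetCAD")}
BLACK_LIST = {("Unknown", "Torrent-O-Matic")}
# Constructed advisory: versions earlier than fixed_in are considered vulnerable.
VULNS = [{"id": "ADV-EXAMPLE-0001", "publisher": "Acme", "product": "Office Pro", "fixed_in": "12.1.0"}]


@dataclass(frozen=True)
class Install:
    host: str
    publisher: str
    product: str
    version: tuple


def normalize_name(raw_name):
    """Collapse case and whitespace, then look up the canonical (publisher, product)."""
    key = re.sub(r"\s+", " ", raw_name.strip().lower())
    return PRODUCT_ALIASES.get(key, ("Unknown", raw_name.strip()))


def parse_version(text):
    """'12.1.3' -> (12, 1, 3); tuples compare component-wise, unlike strings."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts) if parts else (0,)


def normalize(raw_records):
    """Yield unique Installs; one install seen by two tools is emitted once."""
    seen = set()
    for rec in raw_records:
        publisher, product = normalize_name(rec["name"])
        inst = Install(rec["host"], publisher, product, parse_version(rec["version"]))
        if inst not in seen:
            seen.add(inst)
            yield inst


def versions_in_use(raw_records):
    """Versions installed per product, the input a rationalisation review needs."""
    out = {}
    for inst in normalize(raw_records):
        out.setdefault(inst.product, set()).add(".".join(map(str, inst.version)))
    return out


def reconcile(raw_records, white_list, black_list, vulns):
    """Classify installs as prohibited, unauthorized (not approved) or vulnerable."""
    findings = {"unauthorized": [], "prohibited": [], "vulnerable": []}
    for inst in sorted(normalize(raw_records), key=lambda i: (i.host, i.product)):
        key = (inst.publisher, inst.product)
        if key in black_list:
            findings["prohibited"].append((inst.host, inst.product))
        elif key not in white_list:
            findings["unauthorized"].append((inst.host, inst.product))
        for adv in vulns:
            if (adv["publisher"], adv["product"]) == key and inst.version < parse_version(adv["fixed_in"]):
                findings["vulnerable"].append(
                    (inst.host, inst.product, ".".join(map(str, inst.version)), adv["id"]))
    return findings


if __name__ == "__main__":
    for category, items in reconcile(RAW_INVENTORY, WHITE_LIST, BLACK_LIST, VULNS).items():
        print(category, items)
    print("versions:", versions_in_use(RAW_INVENTORY))
```

The alias table is the part that needs ongoing care in practice: unnormalized names from different tools are what make the same product look like several, which inflates both the licence position and the vulnerability backlog. Comparing versions as integer tuples rather than strings avoids "12.0.9" sorting after "12.1.0".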
Combating Operational Disruption and Rising Costs
As a result of implementing or updating some or all of the SAM governance processes detailed in the section above, it is inevitable that there will be some degree of operational disruption, and a subsequent increase in costs – at least in the short term.
Good approaches to SAM governance must be holistic so that the processes encompass all of the teams across the organisation, and encompass all of the applications within the organisation however they are delivered to the end-user.
SAM governance should also be implemented in a strategic manner, rather than at the tactical level. The aim should be to implement processes that, for example, maintain continuous licence compliance, rather than just providing a way to respond to a specific software audit event.
As a result, SAM governance is generally best implemented through a staged approach with a clearly defined structure, initially baselining both software inventory (what has been installed) and software entitlements (what has been acquired). Next there need to be clearly defined (and documented) roles and responsibilities that are potentially mapped into any “automation” or tool capability to support the governance program. These tools can then be used as supporting evidence for documentation such as business as usual (BAU) Guides as well as underpinning regular reviews of the impact of SAM governance.
Consequently, SAM governance must form an integral part of other IT processes such as Change Management, as no infrastructure changes should be made without an assessment of the potential licensing impact. However, it is important to remember that SAM governance should be as agile as the rest of the organisation, and should be able to rapidly adapt to changes, as required. As highlighted in Part 1, failing to make the process as efficient as possible invites users to circumvent it at every available opportunity, as it will be considered ineffective and unwieldy, with no clear benefits.
Importantly, for any process that is seen to potentially introduce cost and complexity into the organisation, the business benefits must be measurable and the business value must be publicized, to combat any such negative perceptions. Similarly, those responsible for the governance must be made accountable to ensure that the processes are effective and deliver the required benefits to the organisation.
To learn more about how Flexera Software enterprise solutions help organizations implement strong software governance processes, please visit our website. Our enterprise solutions include:
- FlexNet Manager Suite for Enterprises
- App Portal
- AdminStudio Suite
- Vulnerability Intelligence Manager
- Corporate Software Inspector
You may also be interested in reading our white paper: Best Practices for Governance and Compliance Using an Enterprise App Store