Software Inventory – still a core requirement
Until recently, optimizing software licensing and maintenance costs started with collection of a robust inventory of application installations across the network. Configuration lockdown provided some safeguard against individuals using their company credit card to download their preferred applications but is hard to administer except perhaps as a by-product of desktop virtualization. So the ability to keep the inventory refreshed was (still is) important; monthly is OK, quarterly maybe, and annually or worse inexcusable.
Cloud Services – changing the game
Today, it is easy for users to sign up with their credit cards to cloud-based applications which will not be detected in a software inventory scan. It’s all part of the ‘liberalization’ of IT – similar to the BYOD concept.
How is the usage cost isolated? Does someone go through every credit card report and extract entries relating to cloud software? Where is the responsibility for ensuring the money has been spent wisely? With the individual, their supervisor, or IT?
Who takes responsibility for the integrity and accuracy of data generated by a cloud-based service that an individual has decided to use?
I guess the genie is out of the bottle with regards to the easy availability of cloud services, so what is an appropriate response for the organization? The organization is still ultimately responsible for the actions of its employees and the cost-effective use of resources. How does that relate to a new-found freedom for individuals to use whatever tools they want to manipulate corporate data?
The need for a governance response
What is needed is a governance framework that does not get in the way of innovative and beneficial use of cloud services, but which encourages disclosure by business managers of the use of cloud services by the individuals they supervise. This information can be exploited to reveal cloud services that could be adopted more widely across the organization. It gives the info-security team the opportunity to check that the organization’s security is not being compromised.
Something like the new Provisioning Lifecycle Management framework of the Connect product could work.