The Cornerstone of Effective Desktop Application License Compliance

By Colin Bartram, Director of Technology, Vector Networks

Recently, the spotlight on corporate ethics has reinforced and refreshed an issue that is as old as the software industry itself – License Compliance. Over the years, a steady stream of software inventory products has been available for those organizations concerned to ensure they are legally entitled to run the software installed on their network; but now it has become clear that the legal obligations extend to the officers of the organization.  For these people, the stakes for accuracy in software identification just got a lot higher.

In the software audit industry, there are a number of techniques offered. Some tools provide a huge listing of every executable item found on a hard drive. This might be of interest to some, but is of little direct use to the Compliance Officer, who needs not just accuracy and comprehensiveness, but also relevance and succinctness in the data produced.  Facilitating Software License Compliance is not about producing mile-high piles of printouts; it is about providing accurate data that starts at organization summary level and facilitates drill-down examination into the inevitable compliance anomalies.

A Compliance Officer can take several approaches to selecting an audit tool – including samples of analysis from a representative selection of desktops.

Early inventory products relied on file names and sizes to identify applications. In some, multiple versions of the same application were classified as separate packages to inflate the apparent number of ‘packages’ recognized.  Of course, listing versions of the same app as different packages then complicates the job of the Compliance Officer trying to compile relevant information on application ownership.  Although recognition techniques have expanded, Compliance Officers should be watchful for any tools that utilize earlier technologies to ensure relevant data is being gathered.  Instead, today’s Compliance Officer should look for tools which not only record the detail of multiple application versions installed, but also consolidate that information as drill-down detail within an overview of a single known licensed application.

A second generation of inventory products came onto the market relying on reading data in the Add/Remove Programs section of the registry. This was attractive to tools vendors looking for a quick and easy entry to the growing market for software inventory, as it bypassed the need to build a library of file-based recognition rules. For a while, ‘Add/Remove Programs’ became fashionable, but the data held in the registry was often incomplete, unreliable, or just plain inconsistent, and total reliance on this technique is mainly seen at the lower end of the market. It is, however, a handy technique for establishing the identity of hitherto unrecognized applications, around which an applicable application recognition rule-set can be based.

The third major technique is the interrogation of file headers (‘VersionInfo’) in which application vendors provide application, vendor and version information. This is a voluntary practice, and there are inconsistencies in the way it is applied which must be overcome to generate succinct and usable results. Multiple executable files (DLLs as well as EXEs) in an application directory tree will contain differing VersionInfo; individual programmers in the vendor’s development team may have adopted cryptic versions of their employer’s name. In an ideal world, this variability would not exist, but since when has desktop computing been an ideal world?  The Compliance Officer, still embroiled in selecting a tool on which this career-critical audit exercise is going to be based, should look for a tool which addresses this problem by applying intelligence to the VersionInfo interrogation process, to generate a complete and accurate picture of the application, the vendor and the version.
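The consolidation described above, as an added example that is not from the original article or from any vendor's product: VersionInfo records from one application directory tree are rolled up into a single application entry with per-file drill-down. The alias table, field layout and sample records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Hypothetical alias table: cryptic CompanyName spellings -> canonical vendor.
VENDOR_ALIASES = {
    "acme": "Acme Software",
    "acme sw": "Acme Software",
    "acme software inc": "Acme Software",
}

# Constructed sample: (install root, file, CompanyName, ProductName, ProductVersion)
SAMPLE = [
    (r"C:\Program Files\AcmeDraw", "draw.exe", "Acme Software Inc.", "AcmeDraw", "4.2.0.1"),
    (r"C:\Program Files\AcmeDraw", "render.dll", "ACME SW", "AcmeDraw", "4.2.0.1"),
    (r"C:\Program Files\AcmeDraw", "zlib.dll", "", "zlib", "1.2.11"),
    (r"C:\Program Files\AcmeDraw", "filters.dll", "acme", "AcmeDraw Filters", "4.1.9.0"),
]

def canonical_vendor(raw):
    """Normalize case, punctuation and spacing, then map known aliases."""
    key = " ".join(raw.lower().replace(".", "").replace(",", "").split())
    return VENDOR_ALIASES.get(key, raw.strip() or None)

def consolidate(records):
    """Return one entry per install root instead of one per executable file."""
    by_root = defaultdict(list)
    for root, fname, company, product, version in records:
        by_root[root].append((fname, canonical_vendor(company), product, version))
    apps = []
    for root, files in by_root.items():
        # The vendor is the majority vote across files that carry a CompanyName.
        votes = Counter(vendor for _, vendor, _, _ in files if vendor)
        vendor = votes.most_common(1)[0][0] if votes else "Unknown"
        # Prefer an EXE from that vendor as the source of product name and version;
        # bundled third-party DLLs (zlib here) must not rename the application.
        exes = [f for f in files if f[0].lower().endswith(".exe") and f[1] == vendor]
        primary = exes[0] if exes else files[0]
        apps.append({
            "vendor": vendor,
            "application": primary[2],
            "version": primary[3],
            "install_root": root,
            "files": {f[0]: f[3] for f in files},  # drill-down detail
        })
    return apps
```
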

The existence of multiple approaches to software identification increases the challenge of choosing a tool. All three techniques described here have strengths and weaknesses. There are however a handful of mature software audit products that have grown up through all three eras, and which have evolved to combine the three identification techniques in the pursuit of producing data that is comprehensive but concise. These are products which have matured to address the needs of the CIO and Compliance Officer while not forgetting the needs of the original software auditors – the front-line network administrator faced with the task of maintaining hundreds or thousands of desktops in a stable but up-to-date condition.  Look for precise, uncluttered comprehensive asset data that can be accessed from a browser, combined with access to the precise version information of one DLL in thousands critical to smooth running and productivity.

Once into a detailed assessment of a short list of audit tools, why not get the vendor to take the wraps off the underlying database structure (if they don’t simply publish it anyway)? Look for the ability to hook into the data in the future to use it in ways you (or the tool vendor!) haven’t even thought of yet. Is it easy to generate and run queries against the data? Is it accessible to your favourite reporting tool?  How easy is it to extend the database with other tables to attach characteristics appropriate to your organization?

Finally, before making a selection based solely on performance in a Compliance context, what is the next priority going to be?  When the audit reveals applications that are installed in excess of the number of licenses you own, what action are you going to take?  Simply purchasing more licenses to match up with the copies installed is laudable and great news for the application vendors, but it’s not very savvy.  And that’s where application usage information comes to the rescue.  Suitably integrated with the audit data, application usage (‘metering’) data identifies the rarely or never used copies of expensive application software, and these copies become your first target for reducing the number of installed copies of an application down to the purchased level to achieve compliance.  And although the Compliance Officer may be pleased to find the installation count of application X is below the number of licenses owned, the CIO is still going to want to know whether these copies are all used, or whether scope exists to de-install software and reduce the annual maintenance contract on application X.
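The reconciliation described above, as an added example that is not from the original article or any vendor's tool: audit data (installed copies) is joined with metering data (last use) to pick the copies to remove first. The 90-day idle threshold, machine names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample: (machine, date the application was last used, or None if never)
SAMPLE_INSTALLS = [
    ("PC-01", date(2024, 6, 28)),
    ("PC-02", None),
    ("PC-03", date(2023, 11, 2)),
    ("PC-04", date(2024, 6, 1)),
    ("PC-05", date(2024, 1, 15)),
    ("PC-06", date(2024, 6, 20)),
]

def reclaim_candidates(installs, licenses_owned, today, idle_days=90):
    """Rank unused copies and split them into compliance removals and savings."""
    unused = [(m, lu) for m, lu in installs
              if lu is None or (today - lu).days >= idle_days]
    # Never-used copies first, then the longest-idle copies.
    unused.sort(key=lambda r: (r[1] is not None, r[1] or date.min))
    excess = max(0, len(installs) - licenses_owned)
    return {
        "installed": len(installs),
        "excess": excess,
        # Removing these brings the install count down to the purchased level.
        "remove_for_compliance": [m for m, _ in unused[:excess]],
        # Unused copies beyond that are scope for cutting maintenance cost.
        "further_savings": [m for m, _ in unused[excess:]],
        # Licenses still to buy if unused copies alone cannot close the gap.
        "shortfall_after_reclaim": max(0, excess - len(unused)),
    }
```
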

So, when looking for a software audit tool to support your drive for license compliance, it makes sense to team up with colleagues charged with minimizing desktop ownership costs.  Historically, license compliance has carried the image of provoking massive additional costs in buying more copies.  However, the industry is broadening the scope of a compliance exercise to what Vector Networks terms Software Asset Optimization.  These new methods can result in massive annual cost savings as desktop application deployment is brought back into line with the organization’s true requirements.
