SAM tools: the details behind the compliance position

The prime objective of SAM tools is the ability to create software compliance reports, also known as Effective License Positions (ELPs). The compliance report brings together two elements: the software you own versus the software you have installed and/or make use of. Whilst in my previous article, I covered what the challenges and limitations of most tools are when it comes to software entitlements upload, in this article I would like to focus on how SAM tools handle hardware, software discovery & inventory and compliance reporting.

First things first

To understand what software is installed on your devices, you first need to have a clear visibility on your hardware estate. Hardware discovery, next to entitlement evidence data gathering, plays a pivotal role in the accuracy of your compliance reporting. Any piece of hardware excluded from the discovery phase will have a direct impact on your compliance position. In other words, the software installed on it will be ignored during the software compliance calculation and you may be exposed to unknown financial risk. It is impossible to manage what you don’t know, but you should always aim for 100% discovery.

Full hardware discovery is a big challenge for most organizations. During this phase, SAM tools are great support. They will monitor and interrogate the IP addresses to identify the physical and virtual platform with potential software running on them and will collect, in an automated way, valuable information about your hardware assets, such as serial number, the number of processors, MAC address and so on. Next, the tool will centralize this information and report it back to you in the user interface of the tool.

Software Inventory

Next step in the process is the software inventory. SAM tools will collect and report the software installed on the discovered hardware. Without discussing the pro’s and con’s, there are different methods used by SAM tools to extract information from the network:

‘Own’ inventory agents – Most tools are developed with an inventory solution. The way it works is that you install inventory agents on the devices you want to manage, and they will collect and report software information in the tool’s database/library. Once in the database/library, the information is normalized and standardized and reported back to you in the user interface (UI) view.

Agentless inventory scan feature – Opposite to the agent-based solutions, some tools do not require you to install dedicated agents on your devices to collect software related information. Agentless solutions will remotely collect information from the devices in your network as long as the device is IP addressable. Similar to the agent-based solutions, all collected information will be processed and reported back to you in the UI view.

Third-party inventory sources – Some of the tools allow you to import data from other systems you may have already installed, such as SCCM and LanDesk. The data collected by these third-party tools usually needs to be normalized in different ways and mapped to the data fields within the SAM tool’s database and eventually reported back to you in the UI.

Independent of the data source, most tools use similar inventory methods to collect the software information from your environment. Some examples are: operating system file scans for software fingerprints such as executables and configuration files; installer/deinstaller files such as add-remove files, registry and install paths; and running processes.

Once collected, the data is normalized by the tool. The normalization process makes use of the software recognition library. Without going into details, the software recognition library is the brain of each SAM tool and contains pre-defined license intelligence related to software products, such as publishers, products, versions, editions, metrics, metric definitions, usage rights and recognition rules.

The way it works is that based on the information available in the software library, every discovered software evidence is classified as freeware or commercial software product, edition and version. For instance, if during inventory the tool scanned an asset with an executable file called photoshop.exe, it will next be normalized, standardized and associated with the corresponding software product and eventually reported in the UI. As detailed in my previous article, software recognition libraries are not always open to end users. Hence you cannot always validate if the discovered software evidence has been allocated to its corresponding commercial product or if the product is stored in the library with accurate licensing rules/allocation rules. A potential risk here would be for the tool to report false positives. For instance, it may happen that the tool will report a product as requiring a commercial license, but in reality, the product is free of charge. In such situations, you can ask the tool vendor to support you with more raw evidences or licensing evidence as stored in the tool’s library, that will clarify the situation.

Software and usage configuration data

How complete is the inventory data collected by SAM tools?

It depends on the type of software you are interested in. As the licensing models for desktop products are often quite simple, most SAM tools can accommodate this license intelligence in their libraries and hence they are reliable solutions for compliance reporting. But in the case of more complex software products, only reading the operating systems for software fingerprints is not enough. Instead, you should collect software and usage configuration information. For instance, if you want to monitor your business applications’ deployment and usage, most of the times you need to understand how the applications are configured, and what responsibilities, roles and modules are enabled, hence access to the applications themselves is required.

Unfortunately, most SAM tools lack functionality in this area. This means that if you want to monitor complex ERP software, you first need to understand what data is required to be collected from your environment. For this, you need to have a clear visibility on your entitlements. As mentioned in a previous article, the software contracts dictate the way one can install and use a piece of software, what type of information should be collected to determine the software usage and eventually how to set up and configure the SAM tool.

Compliance reporting performed by the tool

Once the hardware and software discovery are completed, you can start to create software compliance reports in the tool. As mentioned before, the accuracy and completeness of the compliance reporting is directly influenced by the completeness and accuracy of your entitlement contracts, hardware discovery and software inventory data. It is obvious (by now) that the SAM tool will not perform accurate compliance reporting for all your publishers and product categories. The most common trap most end users fall into, is related to the software products licensed by metrics recognized by the tool itself.

SAM tools can create automated compliance reporting for most of the desktop products and most of your products that are licensed by a metric recognized by the tool (e.g. users and concurrent users). However, often the software allocation rules applied by the tool do not respect the publisher’s licensing

rules or the metric definition as stored in the library’s tool is not aligned with the metric definition in your contracts.

For instance, you may have a product licensed by the number of users authorized by you to make use of the ERP software. Most certainly, your SAM tool is equipped to measure the number of users. However, most often the tool will report the number of users that have access to the device where the software is installed, instead of counting the users authorized to the software itself. To have an accurate user count, you may be required to look into software configuration details, most of the times not available in the tool. In such scenario, you are able to make use of the tool only to a certain level: to identify the devices where the software is installed. If you want to collect the usage information required for an accurate compliance report, you must perform data gathering and analysis outside of the tool.

Software compliance reporting is most of the times an underestimated exercise. Most people are inclined to compare it with a simple mathematical equation: a-b = c, in SAM terms this will be: entitlements – installations/deployment = license surplus/deficit. This simplified view, raises high and not realistic expectations around the accuracy and completeness of compliance reporting as performed by SAM tools. As seen, the reality is more complex than a simple math exercise. Accurate software compliance requires an in-depth entitlement analysis, software inventory from combined data sources and software allocation knowledge aligned with publishers’, most of the time dynamic, licensing rules. As detailed above, SAM tools can perform parts of these activities quite well. Yet, depending on the publisher in scope, for a complete view you may be required to look into alternative software inventory methods, analyses and reporting. Does this mean that a SAM tool is not a good investment? That depends on what you hope to get out of it. If you expect full and automated compliance reporting for all software products, then you may want to look into alternative solutions, as a SAM tool will not provide you this view. However, this expectation is often not fair. SAM tools are built with out-of-the-box discovery and inventory functionality and also offer general functionality for contract management. All these features simplify and automate good parts of SAM processes; hence when used for the right purpose, a SAM tool offers great support during your SAM cycles.

This article completes the SAM tool license set-up process and challenges. However, SAM tools require continuous maintenance. My next article in this blog series will describe what a proper SAM tool license maintenance process looks like and what skills are required for performing it.


Read more articles from this series

SAM tools: managing expectations to better manage your licenses

SAM tools: the power of a solid entitlement management process

SAM tools: what can go wrong during data upload and how you can overcome the challenges

SAM tools: linking processes and performance for successful tool management

This article was published on 11-10-2018