Microsoft Licensing – Developing a sound SAM discipline
Proactive Software Asset Management should be taken very seriously. Whether you recognize the legal, financial, and operational stakes or you just fear an audit, the importance of a Software Asset Management (SAM) discipline should never be underestimated.
Despite knowing that Microsoft will request at least a self-assessment, several companies still fail to implement sound SAM policies. Please bear in mind that using unauthorized software is considered piracy and is treated as such in court. Falsifying a self-assessment or pleading ignorance won’t help you, and the media attention if a piracy case goes to court can be extremely damaging.
IT Asset Management (ITAM)
It is impossible to manage software licenses without evaluating the hardware on which the software runs. Therefore, an effective SAM discipline should be an integral part of your overall IT Asset Management strategy. This impacts more than just legal and financial issues. ITAM also addresses lifecycle management, maintenance, security, risk mitigation, and other critical business functions.
International Organization for Standardization (ISO)
In 2003, the International Organization for Standardization began developing best practices for SAM programs. Today there are scalable standards and best practices that may be applied to companies of all sizes. Another benefit from ISO standardization is Software ID tags (SWID). The use of SWIDs enables a degree of automation when performing a software inventory.
Microsoft Assessment and Planning Toolkit (MAP)
Microsoft offers a free Assessment and Planning (MAP) Toolkit that takes advantage of SWID technology. The MAP Toolkit is quite effective in determining software installed on-premises and can be a good starting point for a software inventory, but it will not provide a comprehensive list of devices or users who may access on-premises systems. Microsoft acknowledges the limitations of their MAP Toolkit:
The Software Usage reports should be used as a baseline for Client Access License (CAL) usage analysis rather than as an authoritative summary of software usage. Due to the wide variety of ways that software can be deployed and inventoried in your environment, the Software Usage Tracker cannot always produce accurate counts of server software and access to that software. These reports are for informational purposes only and should not be used as the sole source of information for determining software license usage compliance.
It is unlikely that a company will ever be able to rely solely upon automation tools to conduct an accurate licensing or software inventory.
How to approach SAM
Whether a company is being audited, or starting or improving a SAM discipline, the logical first step is to list all software installed on company assets, including virtual instances. You must identify every person and device that accesses company assets and is running the software.
Once you have this accurate inventory of software, devices, and users, you must perform a similar inventory of licenses and CALs. This may include Volume Licensing (VL) Agreements, product keys, Original Equipment Manufacturer (OEM) licenses, Full Packaged Products (FPPs), Certificates of Authenticity (COAs), upgrade entitlements, and any applicable purchase records.
Comparing the two inventories may reveal instances where systems have been retired or repurposed and the software may be eligible for use elsewhere. It may also uncover instances where the company has insufficient licenses, or opportunities for more efficient or cost-effective licensing. If the assessment shows license shortages, your company must purchase appropriate licenses to become compliant.
An important and often overlooked aspect of SAM is to educate employees and users. Many organizations rely solely upon their IT department to ensure compliance. This may mean that you miss Bring Your Own Device (BYOD) hardware that is not controlled by IT. Also pay extra attention to the Microsoft Home Use Program.
The Microsoft audit regime
In case of an audit, Microsoft doesn’t necessarily suspect or accuse companies of being non-compliant, but they do expect them to pay for all software they use or have installed. At least once every three years, Microsoft requests an assessment from its Volume Licensing customers, often communicated via email. The customer is then tasked with performing a self-audit, so the entire cost and burden lies with the auditee.
If Microsoft chooses to exercise its rights to an onsite audit, this will be performed at Microsoft’s expense unless the audit reveals a five percent or greater deficiency in the required licenses. In that case, the offending customer must pay for the audit in addition to the license shortages.
If a company defies the terms of their software licenses – knowingly or unknowingly – and a Microsoft audit request does not motivate them to implement appropriate SAM discipline, the Business Software Alliance (officially BSA | The Software Alliance) may step in. This consortium of many of the world’s largest software publishers aims to fight and reduce software copyright violation. The BSA is well funded by member companies and settlements it wins. A primary way in which the BSA learns of piracy is via disgruntled employees. The Software Alliance has run campaigns such as ‘Bust Your Boss!’, which stated:
Is your current or former employer using pirated software in their office? Hit ’em where it really hurts – report their illegal software use today.
The BSA offers rewards of up to USD 1,000,000 for tips that lead to a settlement. Even for relatively minor violations, the potential reward payment can be up to USD 5,000 for settlements as small as USD 15,000.
If an employee or someone with information of a violation files a report with the BSA, there may be more incriminating evidence than a typical audit would reveal. While most BSA settlements occur without formal legal action, evidence of knowingly using software without proper licenses will make it much more difficult for the offending company to negotiate terms.
Are you prepared, or is it time to act?
All our remarks on Microsoft software audits are intended to alert organizations, especially Microsoft Volume Licensing customers. We have been discussing how to prepare, what to expect, how to remediate, and the consequences of non-compliance.
Software is unique since it can be replicated freely, and is therefore often governed by complex rules for usage. Moreover, some software products are used by almost everyone in an organization. Software represents a significant financial investment for almost every organization, and few can function without it.
Every company should therefore proactively implement an appropriate Software Asset Management program. Don’t make the mistake of postponing the start of this until there is a convenient time for it. Nor should you wait until you are being audited. Implementing a SAM program requires proper planning. Depending upon the size of the organization, a sound SAM discipline may require dedicated resources and possibly guidance from seasoned experts.
Four articles – read them all!
This is the final article in our series on license audits, focusing on Microsoft. To get a more complete picture you may want to read them all. Number one was on preparing for an audit and the importance of being very well documented and organized. The second explored what auditors will look for in a ‘Software Asset Management Review’, as Microsoft prefers to call it. Our third article examined what to do in case of unfavorable results. It also provided examples of inaccuracies we frequently encounter in audit situations.
If you are in need of extra expertise, and a structured license administration and management approach, feel free to contact B-lay. We will help you make software compliance an exciting opportunity to improve your business!
Richard is one of the managing partners at B-lay. He started to work in the license management industry in 2004 and worked for almost 10 years at Oracle as regional director of compliance. He uses his knowledge of enterprise software vendors (such as Oracle, SAP, IBM and Microsoft) to educate, equip and enable software end users in their challenges regarding proper software license management. Richard holds a master’s degree in IT from the University of Amsterdam in the Netherlands.