Many organizations lack a good overview of the relation between the licenses they’ve purchased and those that are actually used. Consequently, they run the risk of incurring a substantial fine if it is found during a software license audit that more licenses are used than have been purchased.
The software costs may also turn out higher than strictly necessary, as some licenses may be assigned to user accounts that are no longer in use. In other words, proactive management of software assets is a highly valuable process for any organization. Software asset management tools, however, take a reactive approach and are therefore not the best solution.
There are several reasons why software licenses proliferate. In many organizations, authorization is granted all too easily when employees request access to a particular application, even if they do not need it. For lack of time, managers tend to delegate such requests to support staff who often have no idea whether the employee actually needs the software. As a result, approval is usually given too readily.
What is evidently missing from this process is a general procedure for assigning access rights, as well as a central department that is wholly responsible for software license management. In many cases, different people or departments are responsible for the licenses to one or more applications. It would seem logical to make the IT department responsible for assigning access rights, but as it turns out this is an equally ineffective solution.
Members of the IT department do not know which access rights employees actually require, so they ask the manager. Nor do they have a good overview of the license costs; the costs are not ingrained in them, as it were. To them, granting access rights simply means adding an employee's user account to a particular Active Directory group, not taking a major bite out of the license budget.
The problem is that people often forget to revoke access rights that are no longer necessary, such as when employees leave the organization or change title. In this way, unnecessary license costs can quickly add up.
License managers and SAM won’t do the trick
There are enough reasons why organizations have trouble managing license costs. So what can they do about it? How can they manage their license costs more effectively and better prepare themselves for future software license audits?
Some organizations use so-called license managers: applications that match the number of licenses in use against the number purchased. The problem is that license managers invariably take a reactive approach. They carry out checks at intervals, possibly just before an audit, and only change things afterwards. This increases the risk of fines and can cause a great deal of frustration within the organization. For instance, where the license manager enforces a concurrent-use limit, an employee can be logged out of an application when another employee logs in and the number of available licenses is exceeded.
Virtually all organizations use software asset management (SAM) tools for this purpose. These tools create an inventory of all the hardware and software used across the organization. Unfortunately, this is also a reactive approach, and it only provides an overview of the status quo. Would it not be better to know whether employees really need an application before assigning them access rights and incurring license costs?
SAM tools are also predominantly used by IT departments, and the IT department has no idea which applications employees actually need to perform their daily duties.
Thankfully, there are ways to manage license costs proactively and put the manager or organization at the heart of the process. The main options are summarized below.
Role-based Access Control (RBAC)
When access rights have to be assigned to new users, administrators often resort to copying an existing user account. This carries the risk that new employees are inadvertently given access to additional applications and systems they do not require. Not enough attention is paid to revoking rights after copying an existing user account: the usual assumption is that new employees should be able to start work quickly, and revoking excess rights is at best an afterthought. Prompted by standards and IT auditors, and driven by unnecessary license costs, organizations come to realize the importance of a responsible approach to rights management.
RBAC is a technique for structuring authorization management. With RBAC, authorizations are not assigned to individual staff members but to roles, which are defined by attributes such as the employee's department, title, location and cost center. The same technique can be applied to application management, in which case it is better described as role-based application control: managing users' right to launch applications.
The starting point of RBAC is a matrix indicating which applications are assigned to employees, based on their title and/or department. This application matrix can be populated by matching organizational roles (how employees are recorded in the HR system, particularly by name, title, department and cost center) against the technical roles (applications and folders) currently present across the organization.
By matching the HR system and network, it is possible to gain insight into which applications are generally used for each organizational role. For instance, it could be that 90 percent of users in a particular role (e.g. the role of nurse at the cardiology department) use a particular application, such as a work shift calendar. The logical step would then be to automatically assign all new employees in this role the same authorizations.
This alignment between the HR system and network may also bring exceptions in the use of other applications to light. Once the applications needed for a particular organizational role have been identified, it will become more noticeable when an employee in the same role has access to additional applications. This will provide a sound basis for performing additional validations of access rights. Chances are that the employee in question is unnecessarily increasing the license costs.
After RBAC has been used to define who is able to do what and who is not, employees will be prevented from accessing applications that their organizational role does not require. This prevents unnecessary license costs and reinforces the organization’s position when a vendor decides to perform a software audit.
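The matching described above, from HR roles and current application membership to a role baseline, an exception list and a per-application seat count, as an added example that is not code from the article or from Tools4ever. The HR extract, the access inventory, the user ids and the 90 percent threshold are constructed for illustration; a real run would read the HR export and the application groups from Active Directory.

```python
"""Role mining: derive an RBAC application matrix from HR roles and current
access.  Added example; all data below is constructed."""
from collections import defaultdict

# Constructed HR extract: user id -> (department, title).
HR = {f"u{n:03d}": ("Cardiology", "Nurse") for n in range(1, 11)}
HR.update({
    "u011": ("Finance", "Controller"),
    "u012": ("Finance", "Controller"),
    "u013": ("Cardiology", "Physician"),
    "u014": ("Cardiology", "Physician"),
})

# Constructed access inventory: application -> users currently holding it
# (think: members of the application's Active Directory group).
NURSES = {f"u{n:03d}" for n in range(1, 11)}
ACCESS = {
    "Office": NURSES | {"u011", "u012", "u013", "u014"},
    "ShiftCalendar": (NURSES - {"u010"}) | {"u011", "u013"},
    "ERP": {"u011", "u012"},
    "SPSS": {"u003"},
    "Photoshop": {"u007"},
}

THRESHOLD_PERCENT = 90  # the "90 percent of a role uses it" rule from the text


def organizational_roles(hr):
    """Group users by their (department, title) as recorded in HR."""
    roles = defaultdict(set)
    for user, role in hr.items():
        roles[role].add(user)
    return roles


def role_baseline(hr, access, threshold_percent=THRESHOLD_PERCENT):
    """Applications held by at least threshold_percent of a role's members.
    Integer arithmetic, so a 9-of-10 role is not lost to float rounding."""
    baseline = {}
    for role, members in organizational_roles(hr).items():
        baseline[role] = {
            app for app, holders in access.items()
            if 100 * len(members & holders) >= threshold_percent * len(members)
        }
    return baseline


def exceptions(hr, access, baseline):
    """Users holding applications outside their role's baseline: the
    candidates for the additional validation the text recommends."""
    out = {}
    for user, role in hr.items():
        extra = {app for app, holders in access.items()
                 if user in holders and app not in baseline[role]}
        if extra:
            out[user] = extra
    return out


def bulk_demand(hr, baseline):
    """Seats implied by the matrix per application: the volume figure to
    take into license negotiations."""
    demand = defaultdict(int)
    for role, members in organizational_roles(hr).items():
        for app in baseline[role]:
            demand[app] += len(members)
    return dict(demand)


def provision_new_hire(department, title, baseline):
    """A new employee gets the matrix entry for their role, not a copy of
    a colleague's account."""
    return set(baseline.get((department, title), ()))


if __name__ == "__main__":
    base = role_baseline(HR, ACCESS)
    for role, apps in sorted(base.items()):
        print(role, sorted(apps))
    print("exceptions:", exceptions(HR, ACCESS, base))
    print("bulk demand:", bulk_demand(HR, base))
    print("new nurse gets:", provision_new_hire("Cardiology", "Nurse", base))
```

With this data the nurse role qualifies for Office and the shift calendar (9 of 10 nurses hold it), while the single physician and the single controller holding the calendar are reported as exceptions, as is the nurse with SPSS and the nurse with Photoshop. The threshold is a policy choice: set it too high and the matrix stays empty, too low and the baseline absorbs exactly the over-provisioning the exercise is meant to surface.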
Needless to say, we are referring here to the relatively cheap licenses that are bought in high volume and used by a large number of employees, such as Microsoft Office, Adobe Acrobat or antivirus software. The RBAC matrix offers insight into which applications are used in bulk, and thus provides a sound basis for negotiating license procurement with vendors.
Besides assigning these cheaper "bulk applications" to users, it will be necessary to provide some employees with access to software of a more exclusive nature, such as Visio, Photoshop or SPSS. These applications are not associated with a particular role or title but are assigned on an individual basis. As a rule, licenses assigned to individuals are more expensive.
The organization proper will know best which of these applications employees actually need to perform their daily duties. Managers and employees often know this better than the IT department, so it is only logical to make the organization responsible for monitoring legally sound use of these more expensive applications. Unlike the IT department, managers have license costs ingrained in them: as the costs are charged to the manager's cost center, the manager will be more conscious of unnecessary license usage.
For this reason, the manager and employee should be put at the heart of the authorization process. They should be able to request, verify and approve facilities. For instance, a web portal can be set up through which employees request access to applications, network shares, functional mailboxes and distribution lists. Based on a predefined workflow, requests are automatically routed to the responsible manager and, if required, a license manager.
By retrieving information from the HR system it will be possible to determine the manager of the employee who is requesting access rights. Managers, as well as system and application administrators, can check a dashboard to verify how often an employee has launched an application, the number of minutes it has been used and the number of idle minutes. The manager can then act accordingly. If a particular user does not use an application for a long period, access rights can be suspended. It is also possible to notify users that they are not actively using the application and are therefore incurring unnecessary license costs.
By creating an interface with a facility management system or configuration management database (CMDB), managers will also be able to map out the total license costs, as well as the assigned applications and used applications for each employee.
Single-seat software licenses are based on the number of individual users who need access to the software. When, for instance, 50 seats are purchased, 50 named individuals have access to the application; it is not a pool from which any 50 users may draw at a time. Single-seat licenses are common for more expensive suites that are used on a project basis, such as Microsoft Visio.
Because this type of application is often used for a short period, and to prevent the productivity loss caused by slow approval of license requests, employees can be given access for a three-month "trial period." In this scenario, employees request access rights through a web form and have the request approved by their manager. After three months they are notified that the trial period has run out, and access can be extended for at most another two terms. Employees can thus start their work right away without the administrative hassle of obtaining a full license. More importantly, no unused licenses are left floating about: the license is transparent and managed by the organization proper.
License costs are made up of relatively low costs for bulk software and higher costs for applications used by only a small group of employees. Role-based access control is a fine method for determining access rights to bulk software. For relatively expensive software, the recommendation is to make the organization proper responsible for assigning access: employees and managers know best which applications are actually needed, and managers are sure to keep an eye on the license costs.
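The usage dashboard and the trial-period lifecycle described in the last few paragraphs, combined in one added example that is not code from the article or from Tools4ever. It summarizes per-user launch counts, active and idle minutes and last use from a usage log, applies the 90-day term with at most two extensions, and flags entitlements that have gone idle. The log lines, entitlements, review date and the 30-day idle limit are constructed assumptions; the article names no specific idle threshold.

```python
"""Usage-based review of individually assigned (single-seat) licenses.
Added example; the log, entitlements and thresholds are constructed."""
from datetime import date, timedelta

TERM_DAYS = 90        # one "trial" term as described in the text
MAX_EXTENSIONS = 2    # initial term plus at most two further terms
IDLE_DAYS = 30        # assumed: no launch for this long triggers a suspension

# Constructed usage log: (user, application, day, active minutes, idle minutes)
USAGE_LOG = [
    ("u003", "SPSS", date(2024, 6, 20), 60, 0),
    ("u007", "Photoshop", date(2024, 6, 10), 45, 5),
    ("u007", "Photoshop", date(2024, 6, 28), 120, 30),
    ("u012", "Visio", date(2024, 6, 29), 10, 50),
]

# Constructed single-seat entitlements: (user, app) -> grant date, extensions used
ENTITLEMENTS = {
    ("u003", "SPSS"): {"granted": date(2024, 4, 1), "extensions": 0},
    ("u007", "Photoshop"): {"granted": date(2024, 6, 1), "extensions": 0},
    ("u013", "Visio"): {"granted": date(2024, 5, 15), "extensions": 1},
    ("u012", "Visio"): {"granted": date(2023, 9, 1), "extensions": 2},
}


def usage_summary(log):
    """Per (user, app): launches, active/idle minutes and last use, i.e. the
    figures a manager's dashboard would show."""
    summary = {}
    for user, app, day, active, idle in log:
        s = summary.setdefault((user, app), {"launches": 0, "active": 0,
                                              "idle": 0, "last_used": None})
        s["launches"] += 1
        s["active"] += active
        s["idle"] += idle
        if s["last_used"] is None or day > s["last_used"]:
            s["last_used"] = day
    return summary


def term_end(ent):
    """End of the current term, counting the initial term plus extensions."""
    return ent["granted"] + timedelta(days=TERM_DAYS * (ent["extensions"] + 1))


def review(entitlements, log, today):
    """Decide per entitlement: expire, notify_extend, suspend_idle or keep.
    Term expiry is checked before idleness so a maxed-out, still-used seat
    is expired rather than silently kept."""
    usage = usage_summary(log)
    actions = {}
    for key, ent in entitlements.items():
        last = usage.get(key, {}).get("last_used")
        if today >= term_end(ent):
            actions[key] = ("expire" if ent["extensions"] >= MAX_EXTENSIONS
                            else "notify_extend")
        elif last is None or (today - last).days > IDLE_DAYS:
            actions[key] = "suspend_idle"
        else:
            actions[key] = "keep"
    return actions


def extend(ent):
    """Grant one more term; refuse once both permitted extensions are used,
    at which point a full license request is the only route left."""
    if ent["extensions"] >= MAX_EXTENSIONS:
        raise ValueError("no extensions left; request a full license")
    ent["extensions"] += 1
    return term_end(ent)


if __name__ == "__main__":
    today = date(2024, 7, 1)
    for key, stats in sorted(usage_summary(USAGE_LOG).items()):
        print(key, stats)
    for key, action in sorted(review(ENTITLEMENTS, USAGE_LOG, today).items()):
        print(key, "->", action)
```

The review is idempotent and runs against a log, so it can be scheduled rather than triggered by an approaching audit, which is the difference from the reactive license managers criticized earlier. The idle decision uses last launch rather than accumulated minutes; an application opened daily but never touched would pass this check, which is why the dashboard also exposes idle minutes for the manager to act on.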
Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.