Executive Summary:
Software asset management (SAM) tools are coming of age, as businesses seek to avoid licensing audits and better manage hardware and software purchases and usage in their organizations. A number of SAM solutions are available, including full-spectrum products that perform software and hardware discovery and usage metering and build a licensing repository. Increasingly, SAM vendors are working to integrate their products into configuration management databases (CMDBs), so that the SAM products can be part of broader management solutions, such as network management.
Many IT managers would fail tests on knowing
what software assets are on their systems,
how many copies are installed, and
what their license requirements are. Often, internal
audits or receipt of a dreaded Business Software Alliance
(BSA) or Microsoft auditing letter will reveal many more
unlicensed programs on the organization’s PCs, servers,
mobile assets, or other devices than the IT department
was aware of. Proactive software asset management
(SAM)—an organized process for tracking and managing
licenses and software usage in an organization—
offers a way to avoid unpleasant auditing surprises. To
better understand how a SAM strategy might benefit
your organization, it’s helpful to know the components
of SAM (particularly its usefulness in license management),
get acquainted with SAM products that can help
you manage software and other IT assets, and become
familiar with SAM trends, such as the use of configuration
management databases (CMDBs) in SAM implementations.
SAM and Licensing Compliance
SAM encompasses a number of components, technologies,
departments, and processes to manage an organization’s
software assets, including
- procurement and licensing
- deployment and patching
- discovery, metering, and license management
A SAM strategy could include the use of asset-discovery
tools, application metering, and license repositories,
all of which can help you get a grip on what’s in your
software library and determine whether you’re in compliance
with licensing requirements.
The license-compliance aspect of SAM involves
different departments, including purchasing, accounting,
and IT. These departments often use dissimilar
processes and programs to track assets, contracts, and
licenses. Getting all concerned parties to use a consistent
set of license management procedures might be
the biggest hurdle to an effective SAM plan. Contracts
and licenses could still be on paper and not entered in
an electronic repository. Accurate procurement records
might be stashed in a filing cabinet in the basement in
no particular order. Assets may have succumbed to “PC
drift” (i.e., the undocumented movement of PCs from
one area or user to another) and could be impossible to
track down.
The SAM standards issue is garnering so much
interest that the ISO and International Electrotechnical Commission (IEC) developed ISO/IEC 19770-1:2006,
a standard that organizations can use to plan and
implement SAM. (You can download a copy of the
standard, for a fee, at www.iso.org/iso/catalogue_detail?csnumber=33908.)
SAM for Audit Preparation
The importance of having a SAM strategy in your organization
becomes evident when you face the prospect
of an audit. Say you receive a letter from an industry
association or software publisher notifying you of a
vendor audit, generally within 14 to 60 days of the letter
date. The auditor will bring a software asset-discovery
tool and search your network devices, PCs, and mobile
devices for applications. Then the auditor will ask you
to provide proof of licensing compliance for all software
assets. Gulp! Time to cram. If you’ve been notified about
an audit and are scrambling to prepare for it, here’s what
you need to do:
- Use a discovery tool to find all your software assets
on PCs, servers, other network devices, and mobile
devices.
- Meter usage of the assets to
determine how each is used
and how often.
- Build your license repository
to compare it with your assets
for compliance.
The best way to complete all
these steps is to get a SAM solution
that will automatically plug
into your network, find the
assets, meter usage, and compare
the license repository with
the asset information. Alternatively,
you could opt for a tool
that performs a particular SAM
task (e.g., creating an inventory
of assets).
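The three audit-preparation steps above (discover, meter, compare against the license repository) can be sketched as follows. This is an added example, not code from the article or from any SAM product; the device names, titles, counts, and the 90-day idle threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article's vendors or any real tool).
# Discovery output: one record per installation found on a device.
DISCOVERED = [
    ("pc-001", "Office 2007"), ("pc-002", "Office 2007"),
    ("pc-003", "Office 2007"), ("srv-01", "Visio 2007"),
    ("lt-014", "MediaPlayerX"),
]
# Metering output: days since the title was last launched on that device.
LAST_USED_DAYS = {
    ("pc-001", "Office 2007"): 2, ("pc-002", "Office 2007"): 190,
    ("pc-003", "Office 2007"): 1, ("srv-01", "Visio 2007"): 400,
    ("lt-014", "MediaPlayerX"): 5,
}
# License repository: title -> number of installations the license allows.
ENTITLEMENTS = {"Office 2007": 2, "Visio 2007": 5}

def reconcile(discovered, last_used, entitlements, idle_after_days=90):
    """Compare discovered installs with the license repository, per title."""
    installs = defaultdict(list)
    for device, title in set(discovered):        # dedupe repeated scans
        installs[title].append(device)
    report = {}
    for title, devices in installs.items():
        licensed = entitlements.get(title)        # None = no record at all
        # Installs with no metering data count as idle (never seen in use).
        idle = sorted(d for d in devices
                      if last_used.get((d, title), float("inf")) > idle_after_days)
        shortfall = len(devices) - (licensed or 0)
        if licensed is None:
            action = "no license record: locate proof of purchase or remove"
        elif shortfall <= 0:
            action = "compliant"
        elif len(idle) >= shortfall:
            action = "uninstall idle copies to fit current license"
        else:
            action = "remove idle copies, then buy %d more" % (shortfall - len(idle))
        report[title] = {"installed": len(devices), "licensed": licensed or 0,
                         "shortfall": max(shortfall, 0), "idle": idle,
                         "action": action}
    return report

if __name__ == "__main__":
    for title, row in sorted(reconcile(DISCOVERED, LAST_USED_DAYS, ENTITLEMENTS).items()):
        print(title, row)
```

Titles that appear in discovery but have no entry in the license repository are reported separately from over-deployed titles, since they need proof of purchase rather than a count adjustment.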
SAM Products
Ideally, you’ll be looking for a
SAM product well before you
receive any type of compliance
request. Then you can set up a
SAM lifecycle solution that will
not only make sure you’re prepared
when the auditor walks
in the door but also help you get a handle on your software assets for
better organization, budgeting, and legal
compliance. The following partial list of SAM
products can give you an idea of the types of
features such solutions provide. (Also see the
sidebar “Guidelines for Evaluating SAM Solutions,”
page 25, for a list of questions to ask
SAM vendors when you’re looking at products,
and the Web-exclusive sidebar “SAM
Vendors and Resources,” www.windowsitpro.com, InstantDoc ID 98247, for contact information
for the SAM resources mentioned in
this article.)
CA Unicenter Asset Portfolio Management
This comprehensive asset management
solution aims to facilitate the collection and
sharing of information among IT, accounting,
and purchasing to give you a clear picture of
your organization’s software assets, including
licensing. IT might have a firm grasp of
its network and software assets, but without
licensing information, a compliance assessment
is worthless. If you add purchasing and
deployment to the mix to determine whether
too many or too few licenses are procured
and how the assets are deployed, gaining a
comprehensive understanding of the entire
process could be a nightmare. Asset Portfolio
Management not only can give IT administrators
and business managers the full view
of IT assets and license compliance, it might
also unearth options for better procurement
and deployment efficiencies, cost management,
and streamlined processes.
HP OpenView AssetCenter
This solution
is designed to manage your IT asset management
lifecycle from procurement to management
and retirement. AssetCenter lets you
compare business goals and the software
tools necessary to accomplish those goals
with what’s in your software asset library.
This comparison capability could save you
from having to buy additional products and
licenses if you already have the assets on
hand. Then you’ll need to monitor changes in
the IT infrastructure so that assets aren’t lost
when new employees are assigned new assets
or existing assets are reassigned. AssetCenter
consolidates IT asset information in a CMDB
repository, including user information (more
about CMDBs a little later). It also includes a
license repository for ongoing monitoring of
asset procurement and usage.
LANDesk Management Suite
LANDesk’s asset lifecycle solution provides discovery,
metering, and license-compliance features. The LANDesk Management Suite also lets
administrators set policies to stop use of
unauthorized or unlicensed software. An IT
admin can set policies for unauthorized programs
or types of programs, such as games
and audio and video players. AssetCenter’s
remote control module lets administrators
delete unauthorized programs from users’
computers, even if the users are off the LAN
and working remotely.
Absolute Software’s Computrace
Computrace is geared toward organizations whose
asset management concerns are mainly about
security or PC drift. Since most discovery tools
provide only an asset snapshot, assets that
move around might easily get lost. Computrace
enables asset tracking, policy setting,
and remote control, but its differentiator is the
client agent. The agent proactively reports to a monitoring center the asset’s MAC address,
any configuration changes made to the asset,
and policy violations. Computrace also
includes a LoJack for Laptops option, a theft-protection
service that tracks, locates, and
recovers stolen computers. Computrace can
be embedded in a computer’s BIOS firmware
at the OEM factory or installed on a computer’s
hard drive. When embedded in the
BIOS, Computrace will survive OS reinstallation,
hard-drive reformatting, and even hard-drive
replacement. Computrace is supported
on 32-bit versions of Windows Server 2003,
Windows XP, and Windows 2000 and 32-bit
and 64-bit versions of Windows Vista as well
as on Mac OS X.
AppSense Terminal Server License Management
This product, a component
of AppSense Management Suite (you can
buy it separately from other products in the
suite), offers policy enforcement and application
restrictions for application-delivery
infrastructures that are based on Windows
2003 Terminal Services or Citrix Systems
products. Since Microsoft’s Terminal Services
licensing is frequently based on potential
application users rather than actual or
concurrent users, proactively restricting
application access can greatly decrease the number of licenses an organization
must acquire. AppSense’s kernel-level filter
driver intercepts all file-execution requests
to determine whether they’re authorized. If
not, the user gets a denial message.
Microsoft System Center Configuration Manager 2007
Asset intelligence, a feature
of Configuration Manager 2007 that’s
been around since Systems Management
Server 2003 SP3, provides a variety of reports
in the areas of license management, software
metering and inventory, and hardware
inventory. These reports, which draw from
the inventory and application-usage data
that Configuration Manager collects, can
give IT an accurate picture of hardware
and software usage in an organization. For
example, the license management client
agent reports provide information about licenses in use and time until expiration; the
software agent collects information about
software titles installed on IT assets. The
license management reports are formatted
similarly to a Microsoft License Statement
for easy comparisons. By comparing the
software asset intelligence reports with the
license management reports, you can determine
whether you’re complying with your
Microsoft application licenses.
By default, asset intelligence isn’t enabled
in Configuration Manager. To gather software
asset information, you must enable
the hardware inventory client agent and the
applicable classes in the sms_def.mof file.
Microsoft provides direction for configuring
asset intelligence data collection and all
the classes that must be enabled at technet.microsoft.com/en-us/library/bb694072.aspx. A number of software reports also rely
on the software metering client agent for
data. Instructions for configuring software
inventory for a site are at technet.microsoft.com/en-us/library/bb633191.aspx.
SAM Trends: Integration and CMDBs
The integration of SAM products into larger,
more inclusive network management solutions is the next market step. The ability
to use the data from the discovery tool and
license management repository as part of a
larger CMDB operation is what vendors are
striving for in the near future.
For example, Numara Software is integrating
its SAM product Track-It! with its FootPrints
service desk solution to provide more
IT services in one package. The Numara
Track-It! asset management and Help desk
solution combines the discovery, metering,
and license repository of a SAM system and
a full Help desk solution. Track-It! also has
modules for software deployment, patch
management, administration remote control,
and network monitoring. When the product’s
discovery, metering, and license-compliance
tools complete their tasks, Track-It! creates a
Help desk ticket to make sure the information
gets to staff whose job it is to resolve
compliance issues. For example, the Track-It!
discovery and license-compliance tools
might find that a company has 125 Microsoft
Office 2007 installations, but its license
allows only 100 installations. Track-It! will
create a Help desk ticket to assign someone
to determine whether all 125 installations are
necessary and the Office 2007 license must
be upgraded, or whether the Office 2007
instances can be uninstalled to comply with
the current license.
Other integrated solutions, such as CA
Unicenter Asset Portfolio Management,
HP OpenView AssetCenter, and LANDesk
Management Suite, are also moving toward
incorporating CMDBs in their products.
A CMDB—basically a single-source-of-record
for everything related to IT—contains
information about an organization’s
IT assets, including hardware, software, and
employees, and their relationships with one
another. A CMDB is required if your organization
is adopting the best practices of the
IT Infrastructure Library (ITIL) and also is
a key element in IT Service Management
(ITSM: the relationship between enterprise
IT infrastructure and the organization’s
business goals). SAM is one component of
the CMDB.
Having a complete CMDB can benefit an
IT department by
- giving you better knowledge for budgeting
and purchasing. The CMDB is a central
repository with knowledge of every configuration
item, its use, its compliance
with license limitations and requirements, and how each asset is related and affected
by every other asset. Once you understand
what applications and assets are frequently
used, and which are not, you can
better support budget and procurement
requests.
- giving you more control over IT assets. When you have a central repository of
IT information, you can monitor all your
hardware and software assets and be notified
of any configuration changes or software
installations. With that information
and information about how those changes
might affect other enterprise IT components,
you’ll have more control over your
IT infrastructure.
- helping you respond to events that cause
loss of productivity and downtime. Using
the CMDB, you can trace how and when
an event occurred and what processes it
affected, which can help you identify and
resolve the problem.
Implementing a CMDB
Organizing and collecting all the data necessary
for a successful CMDB is the formidable
barrier to its widespread adoption. IT will
need to obtain the cooperation of departments
such as purchasing and HR to integrate
purchasing data with the automated
asset-discovery tool and license repository.
Other impediments include the problems
that come with a single-point-of-entry database
approach and the difficulty of hosting such a
large repository in one location. The idea of
a federated database is gaining acceptance
in the ITIL community. The CMDB would
store a limited amount of data on each configuration
item, then link to other locations—
known as CMDB extended data sites—with
expanded knowledge of the requested item.
This approach would meet the goal of establishing
a single point of reference for IT
knowledge, but reduce the CMDB’s size.
Implementing a CMDB is a long-term
process. You may have to change many
processes and win over staunch detractors.
Then there are the financial and time commitments that implementing a CMDB will
require. Here are some of the steps you’ll
have to take during the process:
- Educate your employees about CMDB
benefits. To successfully establish a
CMDB, you’ll have to have enough support
to get every department on board.
- Determine how IT can support your business
goals.
- Establish what data the CMDB requires
and where it currently resides. Interdepartmental
cooperation will be essential.
- Use an automated discovery tool to find
out what assets you have. The database is
only as good as its data.
- Integrate data from disparate applications
and departments, such as licensing information and requirements, purchasing
processes, and asset retirement procedures.
- Diagram the relationships between configuration
items. This is crucial and possibly
the most important step to developing
a successful CMDB.
- Establish the CMDB administrative processes.
Decide who has access and how
information is to be updated.
Better Information About IT Assets
If you’re seriously considering implementing
a SAM solution, keep in mind that it will
likely be part of a CMDB. Therefore, you’ll
need to determine which departments must
be involved in preparing for the SAM and
CMDB and start getting key people on
board. You’ll also need to figure out how to
integrate disparate departmental operations
programs and databases and initiate the
process of integrating their data. As you’ve
probably gathered by now, putting a SAM
in place involves some significant effort,
but the ROI will come in increased network
efficiencies, time and money savings, and
perhaps most important, peace of mind in
knowing that your organization is complying
with licensing agreements.