16th Annual Karnataka Conference: GRC, Compliance to Culture. JULY 19 & 20, 2013
SOFTWARE LICENSE MANAGEMENT, named SAM
Dinesh O Bareja CISA, CISM, ITIL, BS7799

My name is SAM (repeated on the slide in Kannada, Hindi, Tamil and Telugu: "my name is SAM")
Information Gathering
Some audience questions: how many know the full form of SAM?
Now that we have been introduced to SAM and we know it relates to software licenses, how many have ACTUALLY read the EULA of all the installations in one's organization or on one's machine?
Against reading the EULA, how many of us have read the BOM, SOW, Proposal and vendor documentation? Did anyone raise any objections?
Is the Warranty or SLA document reading done from end to end?
I am sure you would have already asked the right questions and got the correct answers! (at the time of purchase)
Some more questions. Is your ITAM automated? Managed? Traditional?
Are you compliant with ISO27k1 controls for IT Asset Management?
MY PRESENTATION
It is about that one discipline which has the highest priority in our profession (or life). BUT once entered into a Register, it is history!

This is SAM. The size and shape depends on the size and maturity of your risk and compliance management systems.

SAM, RISK, ISMS: SAM requires attention, as the big RISK may be overlooked in the ISMS Ocean.
High time we got SAM's full name! In a nutshell it is about:
What do we own?
What are we using?
Do we have visibility?
How much to buy?
Are upgrades managed?
Do we audit regularly?
What do we need?
Are we Over or Under?
When should we buy?
Are all licenses managed?
Are we compliant to EULA?

Software Asset Management
Software licenses are valuable assets and should be managed as such.
Helps control costs and optimize the software assets' usage.
Provides effective control of the software lifecycle.
Enables processes to manage software health and secure the lifecycle.
Ensures legal compliance.
Achieves cost savings (salvage unused licenses; no unplanned purchases).
Control of software licenses over-purchase and maintenance.
Financial penalties for license non-compliance.
Negative publicity.
Strengthens ability for better vendor software negotiations.
Visibility over current state of assets.
STANDARDS
ISO/IEC 19770-1:2006 SAM Processes
ISO/IEC 19770-2:2009 Software Identification Tag
ISO/IEC 19770-3 Software Entitlement Tag
ISO 27001
ITIL
Because of the complexity of a good process and supporting technology, companies struggle in their effort to achieve even an adequate level of SAM.

ISO27001 Asset Management
Section 7: Asset management. The organization should be in a position to understand what information assets it holds, and to manage their security appropriately.
7.1 Responsibility for assets. All [information] assets should be accounted for and have a nominated owner. An inventory of information assets (IT hardware, software, data, system documentation, storage media, supporting assets such as computer room air conditioners and UPSs, and ICT services) should be maintained. The inventory should record ownership and location of the assets, and owners should identify acceptable uses.
7.2 Information classification. Information should be classified according to its need for security protection and labeled accordingly. [While this is clearly most relevant to military and government organizations handling protectively marked information (Top Secret etc.), the concept of identifying important assets, classifying/grouping them, and applying controls that are judged suitable for assets of that nature, is broadly applicable.]
ISO19770
The standard facilitates the following through SAM implementation: Risk management; Cost control facilitation; Competitive advantage.

ISO19770: Business Risk Management
Interruption to or deterioration in the quality of IT services; legal and regulatory exposure; damage to public image arising from any of these.
Cost Control
Reduced direct costs of software and related assets, such as by negotiating better pricing through improved use of volume contracting arrangements, and by avoiding purchasing new licenses when old ones can be redeployed.
Reduced time and cost for negotiating with suppliers because of better information availability.
Reduced costs through improved financial control, such as through better invoice reconciliation and more accurate forecasting and budgeting.
Reduced infrastructure costs for managing software and related assets, by ensuring that required processes are efficient and effective.
Reduced support costs, which are significantly affected by the quality of SAM processes, both directly within IT and indirectly within end-user areas.

ISO19770: Competitive Advantage
Better quality decision making because of availability of more complete and more transparent information (e.g. IT procurement and system development decisions may be made more quickly and more reliably with better quality data).
Able to deploy new systems and functionality more quickly and reliably in response to market opportunities or demands.
Providing IT which is more closely aligned to business needs, thus ensuring that all users have access to appropriate software and applications.
Able to handle the IT aspects of business acquisitions, mergers or demergers more quickly.
Better personnel motivation and client satisfaction through having fewer IT problems.
ISO19770 Framework
Organizational Management Processes for SAM
Core SAM Processes (Processes that define SAM)
Primary Process Interfaces for SAM

ISO19770 Framework: Organizational Management Processes for SAM
Corporate governance process; Roles and responsibilities; Policies, processes and procedures; Competence; Planning; Implementation; Monitoring; Continual Improvement.

ISO19770 Framework: Core SAM Processes (Processes that define SAM)
Software Asset Identification; Software Asset Inventory Management; Software Asset Control; Software Asset Record Verification; Software licensing compliance; Software asset security compliance; Conformance verification for SAM; Relationship and contract management for SAM; Financial management for SAM; Service level management for SAM; Security management for SAM.

ISO19770 Framework: Primary Process Interfaces for SAM
Change Management Process; Acquisition Process; Software Development Process; Software Release Management Process; Software Deployment Process; Incident Management Process; Problem Management Process; Retirement Process.
ITAM / Inventory Management: SAM IS NOT AT ALL plain and simple inventory management.

True?? If your policy is oriented towards ITAM as a whole and does not think about software as a special area requiring control, or identified as high risk, then this is TRUE!
Why is SAM overlooked!
The EULA: what you did not read. This Is What You NEVER Read!

Surprise! When you purchase a Microsoft Server you need to have a Server CAL (Client Access License) for each workstation that connects to the server. This is regardless of whether you are using a Microsoft Operating System on each computer.
An OEM License is considered compliant when you have the OEM license pasted on the machine, not just possessing a paper license.
Have you heard of any CIO/CTO who shared a EULA with the Legal and / or Finance team?

Surprise! Maybe You Missed A Lottery! This company offered a prize hidden in the EULA. After 3000 downloads one person claimed the $1000 prize.

"The EULA is a legal agreement between you (either a corporal and / or mortal entity) and SATAN for your eternal soul which includes your post-death hereafter and any associated spiritual identities including good/evil alignments (COMPLETE OWNERSHIP OF YOUR SOUL). By selling, bargaining or otherwise surrendering the COMPLETE OWNERSHIP OF YOUR SOUL you agree to be bound in servitude to the Dark Lord for all eternity. If you disagree with this EULA or are unable or unwilling to accept these." (LukeSurl.com, with apologies for cropping the image)
EULA's Howlers!

Some EULA Terms
"Your rights under this Agreement will automatically terminate if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software, and Amazon may immediately revoke your access to the Service or to Digital Content without refund of any fees."
"You may make one backup copy of the Software, provided your backup copy is not installed or used other than for archival purposes. You may not transfer the rights of a backup copy unless you transfer all rights in the Software."
"By posting user content to any part of the site, you automatically grant to the company (i.e. Facebook) an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, display, reformat, translate, excerpt (in whole or in part) and distribute such user content for any purpose, commercial, advertising or otherwise."

More Terms
"Autodesk or its authorized representative will have the right, on fifteen (15) days prior notice to Licensee, to inspect Licensee's records, systems and facilities, including machine IDs, serial numbers and related information."
"Microchip's authorized representatives will have the right to reasonably inspect, announced or unannounced and in its sole and absolute discretion, Licensee's premises and to audit Licensee's records and inventory of Licensee's use of the Software, whether located on Licensee's premises or elsewhere, at any time, in order to ensure Licensee's adherence to the terms of this Agreement."

Consequences of Non Compliance
Liability of immediate purchase; Penalty; Reputation Loss; Downtime; Jail; Closure of business; Risk of unpatched versions; No Support from Vendor.
Cases
Construction Company: 500 employees across 4 offices and multiple construction sites. Using AutoCAD, Microsoft Office, MS SQL, MS Project. Company had completed license reconciliation and transferred licenses to close the delta. Vendor review discovers keygens / cracks that were not cleaned as per the remediation plan. Four (new) additional installations (pirated) discovered (the users had installed them as they had some urgent requirement). Vendor assesses XX instances of non-compliance, and proof of compliance has to be provided within ten days. Total amount paid Rs. 1.35 cr.

Cases: You are never too small
Web developer, providing design and development services for clients. Owner plus 3 employees. Organization assets comprise 5 desktops and 1 laptop. Suspected that the vendor's representative visited twice posing as a customer. Followed by a visit from the License Manager which was very unsavory. Demand of ONE license raised for compliance, with proof to be provided in 7 days. Total amount paid Rs. 70,000.
Architect, individual professional having two assistants. Visited by vendor representative and had to comply with a demand for 3 licenses. The Lite version was required but had to purchase the high-end version as per demand. Amount paid for the high-end version Rs. 5 lacs, whereas the lite version would have cost Rs. 1.5 lacs.

Cases
BPO and outsourced development services company. 1400 employees at two locations. Company is ISO27001, ISO9001, ISO20000 certified. Request for review from vendor received. CISO initiates license reconciliation. Non-compliance delta negligible. Vendor raises the issue of CPU/User licensing and raises a new demand based on headcount versus bulk license count; 10 days to comply. Additional license fees paid Rs. 95 lacs.

Cases: Business Shutdown
WINTECH COMPUTERS, circa 2000. 170 operational centers all over the country, nearly 1,700 employees, and at least 40 students per institute. Raid on the company in September 2000 carried out by Mumbai Police and officials of a private investigating firm. Wintech Computers had no license to teach Oracle software. "I want to be the Bill Gates of India's computer education industry." (March 2000, Murtuza Mathani, Wintech CEO). May 2001: Mathani's whereabouts unknown.

Cases
Large IT Services organization providing high-end consulting globally. About 4000-strong workforce. Non-compliant for use of software in training, back-office testing, and research and development. Had to pay Rs 5 cr, and have since recruited an Asset Manager and invested in commercial tools to manage SAM.
TAKEAWAY: WATCH OUT FOR TWO VERY IMPORTANT WORDS: ENTITLEMENT and INSTALLATION.
Befriending SAM
SAM is not to be overlooked.
Not to be approached in the conventional asset management manner.
Saves you from manifold risks that accrue from non-compliance.
Create a position for an Asset Manager (it is economically feasible).
Best negotiations start before you even know what you want to buy (Forrester Research, http://www.computerweekly.com/opinion/forrester-Tips-for-software-contract-negotiation).

Extract Benefits from SAM
JUST TAKE CARE OF THIS NUMBER AND IT IS ENOUGH TO PROVIDE THE HARD CASH TO DEMONSTRATE THE VALUE OF YOUR OFFICE

Risk Mitigation with SAM Enablement
Mitigate non-compliance arising out of Mergers & Acquisitions.
Clean cracks and keygens on your network for specific vendors.
Discover and remove unauthorized installations of software from specific big-name vendors whose products are used.
Penalize rogue users on the network.
Measure the number of users accessing systems (installations) against your total license assets (entitlement).
Don't try to be smart and uninstall after you get an audit request; the auditors have seen umpteen reactive actions and know all the tricks of the game.
Bring Legal, Financial, Purchase, IT Operations and IS (Asset Mgt) functions together into a new License steering committee.

Risk Mitigation with SAM Enablement
Implement manual processes for CALs and other metrics that are not discovered by inventory tools.
Calculate license entitlements to get your actual license position.
Don't overlook Open Source and trial software. When trial versions expire, REMOVE them.
Create effective Change and Configuration Management controls.
Implement network monitoring tools and push policies for endpoint configuration.
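The reconciliation the slides keep returning to (the takeaway words ENTITLEMENT and INSTALLATION, "measure the number of users accessing systems against your total license assets", and the manual CAL count that inventory tools miss) can be shown as a small worked example. This is an added illustration, not code from the presentation or from any SAM product; the entitlement records, discovery records and server client lists are constructed, and the licence metrics ("device", "user", "cal") are assumed names for this example only.

```python
"""Licence reconciliation: installations (what is deployed) vs entitlements
(what is owned). All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date

# Date the reconciliation is run (constructed: the conference date).
AUDIT_DATE = date(2013, 7, 19)

# Entitlements: product -> (licence metric, licensed quantity). Constructed.
ENTITLEMENTS = {
    "CAD Suite": ("device", 2),
    "Office Suite": ("device", 5),
    "Project Tool": ("user", 2),
    "DB Server": ("device", 2),
    "DB Server CAL": ("cal", 3),
}

# Discovery records: (hostname, product, user, trial expiry or None). Constructed.
INSTALLATIONS = [
    ("ws-001", "CAD Suite", "arun", None),
    ("ws-002", "CAD Suite", "bina", None),
    ("ws-003", "CAD Suite", "chitra", None),
    ("ws-001", "Office Suite", "arun", None),
    ("ws-002", "Office Suite", "bina", None),
    ("ws-003", "Project Tool", "chitra", None),
    ("ws-004", "Project Tool", "deepak", None),
    ("ws-004", "Project Tool", "deepak", None),   # duplicate discovery record
    ("dbsrv01", "DB Server", "svc-db", None),
    ("dbsrv02", "DB Server", "svc-db", None),
    ("ws-005", "Image Editor Trial", "esha", date(2013, 6, 30)),
    ("ws-006", "Render Plugin", "farhan", None),  # no entitlement at all
]

# CAL usage is not discovered by inventory tools, so it is collected manually:
# CAL product -> server -> set of client users connecting to it. Constructed.
SERVER_CLIENTS = {
    "DB Server CAL": {
        "dbsrv01": {"arun", "bina"},
        "dbsrv02": {"bina", "chitra", "deepak"},
    },
}


def usage_by_product(installations, server_clients, entitlements):
    """Count in-use quantity per product according to that product's metric.
    Duplicate discovery records collapse because hosts and users are sets."""
    devices, users = defaultdict(set), defaultdict(set)
    for host, product, user, _expiry in installations:
        devices[product].add(host)
        users[product].add(user)
    usage = {}
    for product in set(devices) | set(entitlements):
        metric = entitlements.get(product, ("device", 0))[0]
        if metric == "device":
            usage[product] = len(devices[product])
        elif metric == "user":
            usage[product] = len(users[product])
        elif metric == "cal":
            # One CAL per distinct client, however many servers it touches.
            clients = set()
            for client_users in server_clients.get(product, {}).values():
                clients |= client_users
            usage[product] = len(clients)
        else:
            raise ValueError(f"unknown licence metric {metric!r} for {product}")
    return usage


def reconcile(entitlements, installations, server_clients):
    """Return product -> {metric, entitled, in_use, delta, status};
    delta = in_use - entitled, so a positive delta is a compliance gap."""
    usage = usage_by_product(installations, server_clients, entitlements)
    report = {}
    for product, in_use in sorted(usage.items()):
        metric, entitled = entitlements.get(product, ("device", 0))
        delta = in_use - entitled
        if product not in entitlements:
            status = "UNLICENSED"
        elif delta > 0:
            status = "OVER-DEPLOYED"
        elif delta < 0:
            status = "UNDER-USED"      # salvageable licences, not a gap
        else:
            status = "COMPLIANT"
        report[product] = {"metric": metric, "entitled": entitled,
                           "in_use": in_use, "delta": delta, "status": status}
    return report


def expired_trials(installations, today):
    """Trial installs whose expiry has passed; these should be removed."""
    return sorted((host, product) for host, product, _user, expiry in installations
                  if expiry is not None and expiry < today)


if __name__ == "__main__":
    for product, row in reconcile(ENTITLEMENTS, INSTALLATIONS, SERVER_CLIENTS).items():
        print(f"{product:20} {row['metric']:6} entitled={row['entitled']:3} "
              f"in_use={row['in_use']:3} delta={row['delta']:+3} {row['status']}")
    for host, product in expired_trials(INSTALLATIONS, AUDIT_DATE):
        print(f"REMOVE expired trial: {product} on {host}")
```

Two design points matter in practice. Counting is done per the licence metric, not per discovery record, because a device-licensed product installed twice on one host is one licence while a user-licensed product shared by two people on one host is two; using the wrong metric is exactly the CPU/User dispute in the BPO case above. And the CAL count is fed from a manually maintained source, since an endpoint inventory never sees who connects to a server.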
Maturity Model
This is YOUR Organization: big, strong, proud, the best! The bold corporation sailing to glory over uncharted waters!

Oops! It's an Iceberg!! It's a SAMberg!

Not a desired destination! But SAM non-compliance brings with it the risk of such a fate!

This is how we want it to be, and continue for a long, long time: without the risk of disruption due to SAM non-compliance and all the attendant disastrous outcomes.

SAM is complex, but is your best friend. Manage Software Licenses so that your organization is not titanicized. Remember the EULA has loads of small type, and reading it will be good for your organization's health! And your job! Do Not Support or Condone Piracy!
Dinesh O. Bareja, CISA, CISM, ITIL, BS7799, Cert IPR, Cert ERM
Professional Positions: Open Security Alliance (Principal and CEO); Jharkhand Police (Cyber Security Advisor); Pyramid Cyber Security & Forensics (Principal Advisor); Indian Honeynet Project (Co-Founder). Like all IS professionals, an eternal InfoSec and Technology learner.
Professional skills and special interest areas: Security Consulting and Advisory services for IS Architecture, Analysis, Optimization. Technologies: SOC, DLP, IRM, SIEM. Practices: Incident Response, SAM, Forensics, Regulatory guidance. Community: mentoring, training, citizen outreach, India research. Opinionated blogger, occasional columnist, wannabe photographer.
Contact Information: E: dinesh@opensecurityalliance.org T: +91.9769890505 Twitter: @bizsprite Facebook: dineshobareja L: http://in.linkedin.com/in/dineshbareja

References
http://www.informationweek.in/security/13-07-15/software_asset_management_-_an_iceberg_called_sam.aspx
http://securambling.blogspot.com/2013/06/software-asset-mis-management-who.html
http://securambling.blogspot.com/2013/05/discovering-sam.html
Acknowledgements & Disclaimer: Various resources on the internet have been referred to in contributing to the information presented. Images have been acknowledged where possible. Any company names, brand names or trade marks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).