Platform Virtualization and Software Licensing: Best Practices for Software Vendors WHITE PAPER Software publishers that have not already begun addressing how to manage the licensing of their applications in virtual environments are behind the curve. The strategy should not only include support for licensing in virtual environments but also the ability to enforce license terms once the application is deployed on a virtual machine. Without enforcement, the software publisher has no control over the license and therefore their revenue. Executive Summary There are many related, yet different, definitions for virtualization floating around the Internet. If examined more closely, we discover that most of them focus on a set of processes and approaches designed to make data centers more efficient. Virtualization has existed for many years in the areas of testing and development; however, in today s economic environment, it is becoming more and more prevalent as a way for IT to reduce costs and operate more efficiently. Platform virtualization, however, can be a concern for end user organizations striving for software license compliance, as well as for independent software vendors (ISVs) who want to enforce license compliance and assure revenue without constraining customer deployment. This paper examines virtualization, its advantages, and why it is such a hot topic in the world of software licensing. Finally, the paper digs deeper into the options available to ISVs and presents best practices for handling software licensing in virtual environments. What is virtualization? A few minutes with an Internet search engine provides a wealth of definitions for virtualization. In the world of computing, virtualization has gone from being a buzz word to a mainstream IT term almost as common as PC or server. It is highly unlikely that those involved with the computer industry today have not come across terms such as virtual machine, VM, and perhaps even Hypervisor. A few more minutes of searching reveals the abundance of vendors in the market providing a virtualization solution, with names such as VMware, XEN, VirtualBox, KVM, and, of course, Microsoft soon leading the way. The term virtualization is used universally, and can refer to platforms, applications, networks, storage, memory, and other areas. Ultimately, it is a concept where one or more instances of a physical environment are simulated or recreated artificially in software. Despite, the varied areas that fall under the term virtualization, this paper focuses on the area of platform virtualization and how it affects software licensing and the world of automated software license enforcement. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 1
According to the BSA/IDC 2010 Piracy Report - for every $100 worth of legitimate software sold, an additional $75 worth of unlicensed software also made its way into the market generating absolutely no revenue to the original ISV. Why is virtualization such a hot topic? There are so many valid reasons to justify the case for virtualization, as it is one of the most useful technological advances in the IT industry. Some of the more significant benefits gained through virtualization are outlined below. Reduced capital and operational costs through more efficient use of hardware resources. Often, systems that support the day-to-day operation of a business (such as e-mail servers and database servers) are consuming only around 10 percent to 30 percent of the physical machine s available resources. In other words, without adopting virtualization, up to 90% of a machine s resources might never actually be utilized. Considering the average purchase costs of high-performance servers, it is easy to see how this can be perceived as wasteful. By creating multiple virtual servers within a single physical machine, a company is able to make far more efficient use of their equipment, and subsequently, reduce the costs associated with the purchase and maintenance of multiple physical machines. Further reduce costs and environmental impact through Green IT. Reducing the number of servers through virtualization not only saves money through more efficient use of hardware, it also reduces power consumption, with the added benefit of reducing a company s carbon footprint. More efficient testing/development and security. Another benefit of virtualization is apparent in testing and security. Clean virtual images can be used to easily reproduce systems in order to create a new environment for testing and development, or to quickly replace a system which has been adversely affected by malware. Improved scalability and deployment agility. Scalability is another important factor driving virtualization. When a company is in need of additional bandwidth or increased availability, it is comparatively simple to create new instances of a virtualized system in a short space of time, without the costs associated with additional hardware purchases or familiarization with new equipment. High availability/redundancy. Virtualized servers are often installed into clustered environments. The inherent concept of dynamically spinning up virtual image clones dramatically reduces the complexity and costs associated with managing a clustered infrastructure. Why is virtualization an even hotter topic in the world of licensing? The reasons outlined above show that virtualization cannot be ignored by companies, and there are simply too many perfectly legitimate reasons why it would be adopted. This reasoning does, however, create a conflict when considering the interests of the software vendor. According to Amy Konary, research director for IDC1, Software publishers that have not already begun addressing how to manage the licensing of their applications in virtual environments are behind the curve. The strategy should not only include support for licensing in virtual environments but also the ability to enforce license terms once the application is deployed on a virtual machine. Without enforcement, the software publisher has no control over the license and therefore their revenue. Today, most if not all third-party license enforcement technologies are based on a concept known as host-based license enforcement. In short, this is a concept where the license policies are tied to a known and authorized host or machine. Typically, a software license will be tightly coupled to a designated or authorized computer through a mechanism known as hardware fingerprinting or node locking. The purpose of fingerprinting is to protect the license from unauthorized duplication or sharing by uniquely binding a license to the machine. If the license is copied to a new machine with a new fingerprint, it is automatically invalidated. The most common example of this is to tie the license to unique hardware attributes such as a hard disk identifier or an Ethernet (MAC) address. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 2
Automated License Enforcement Options Hardware Keys Detection of Virtual Virtual Machine Fingerprinting Virtualization has introduced a significant challenge to this fundamental component of license copy protection. The concept of creating virtual hardware means that virtual fingerprints can also be created. A duplicated virtual machine normally results in a duplicated fingerprint, and the license enforcement technology will usually treat the virtual fingerprints no differently than the fingerprints from real (physical) machines. What has historically been seen as a trusted and secure anti-piracy mechanism no longer provides an acceptable level of assurance for the software vendor. The most significant point here is that this does not just create an increased threat of malicious or intended software license misuse. The primary concern for software vendors is that this presents a new problem where conventional honest users are now capable of inadvertently duplicating licenses through normal everyday operations. In other words, what is becoming a common way of deploying applications can, and does, result in the accidental duplication of software licenses. This presents another issue where the vendor might have less power from a legal perspective to make a stand and seek protection from those who inadvertently duplicate their licenses. How are software vendors handling virtualization today? Historically, the advice offered to software licensees concerned about virtualization has been based around steering them towards implementing changes in how they price and package their software applications. For example, there are many papers and articles freely available on the Internet advising the vendor to switch their licensing models from conventional seat-based models to metric-based models, such as transaction- and consumption-based schemes. To many vendors, the prospect of implementing such significant operational and commercial changes often presents too great a barrier. Understandably, they are seeking ways to solve the problems raised by virtualization and yet maintain their existing commercial models. The main reasons for this resistance to change stem from the fact that so many departments within an organization would be affected. Changes to licensing models would have a direct impact on Sales and sales models, which are also tied to the financial and auditing processes. However, the largest impact is usually with Operations, who are responsible for the fulfillment of the products, along with the associated licenses. Service-orientated roles, such as Customer Care and Technical Support, would also be added to the list. Most software vendors find it difficult to envision how significant changes to the way an application is licensed would not create multiple problems across many independent but interconnected departments. The lack of suitable technical solutions initially drove vendors towards creating contractual wording that would disallow their applications from being installed onto virtualized environments. Some basic virtual machine detection solutions have become available in licensing technologies that allow the vendor to enforce these policies technologically, as well as legally. These policies have worked for a short time, but have become less valid as virtualization has become more commonplace. This has left the vendor with one of two simple, yet difficult choices. i. They disallow their applications from being used on virtual machines, and so protect themselves from potential license misuse. This option restricts the scope of their software s deployment and, therefore, limits sales. ii. More commonly, they simply choose to do nothing about virtualization, keeping the doors fully open from a sales perspective, while forcing them to accept that the license enforcement policies are significantly weakened. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 3
According to IDC VMs will outnumber physical servers 2:1 An explanation of automated license enforcement options 1.Hardware Keys The best protection against license duplication through virtualization is to store the information responsible for enforcing the license policy in a location that is trusted or protected, or is outside of the virtual environment. The most common example of this today is with vendors who protect their applications with hardware keys, also known as dongles. When delivering a dongle with an application, it is rare for the debate around virtualization and software licensing to arise. The concept is relatively simple. The use of the software is reliant on the presence of a specific hardware key. Although the system that the software is installed onto can be virtualized (and therefore duplicated), a USB dongle can only be accessed by one machine at a time and access to it is blocked by any other machine. This means that on a single physical machine, the dongle can only be accessed by one virtual machine, regardless of how many virtual machines are actually running on that physical machine. An extension to using hardware keys would be to combine them with concurrent network licenses. In this scenario, a license server or license manager is protected from being virtualized by tying the licenses that it hosts to a hardware key. Whether the protected applications are installed onto real or virtual clients has little consequence since the license manager will maintain the license seat count. This scenario provides the software vendor with an excellent level of assurance that the license count will be maintained, yet provides their customer with the deployment agility that is often one of the initial factors that drives a company towards virtualization. Virtual License Server Real There are, however, several reasons why hardware keys are not considered to be the universal solution to license enforcement and virtualization. For one, many virtualization technologies do not adequately support external USB devices, meaning that a hardware key will never be seen by the virtual machine. Secondly, there are also many vendors who very strongly prefer not to send hardware keys to their customers and, instead, seek a pure software-based, electronic solution. As mentioned, the whole debate around virtualization was not born within the world of hardware keys, and it is predominantly a concern among those who have exclusively adopted an electronic license enforcement approach. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 4
2. Detection of Virtual With this approach, the licensing system uses internal checks to detect if it (and therefore the protected software) is being run on a virtual machine. The vendor can then choose to allow or disallow their software from being used within a virtual environment, and force the applications to be deployed only onto real machines. This biggest problem with this approach is that it is at risk of having a short shelf-life. As mentioned, virtualization is becoming more commonplace every day, and vendors who choose to prevent their customers from installing their applications onto virtual environments will find that they are able to deploy (and therefore sell) their software to fewer and fewer customers as time goes by. Nearly 50% of enterprise organizations have already virtualized all or a portion of their.* IT infrastructure, and an additional 33% plan to do so in the next 12 months.* There is, however, a more acceptable solution when combining this approach with a concurrent network license deployment, as with hardware keys. By forcing the license manager onto real hardware, the end customer is free to deploy the protected applications onto any mix of real versus virtual machines. This will also satisfy the desire of many software vendors to maintain the deployment of electronic licenses. Virtual License Server VM Real 3. Virtual Machine Fingerprinting Driven specifically by the need to allow the software vendor to continue deploying and fulfilling their software as they have done in the past, the ability to bind a license uniquely to a virtual machine is the latest tool available to them. This links back to the discussion where the majority of software vendors are looking for a solution that will allow them to maintain their existing license and deployment models. The concept of virtual machine fingerprinting (VM fingerprinting) allows the software vendor to treat virtual machines the same as real machines, and the whole debate of virtualization becomes secondary. By providing a fingerprinting mechanism that includes attributes that are designed with virtualization in mind, it becomes possible to lock a license to a virtual computer and still provide a high level of assurance that a copy of that virtual machine will not result in a working copy of the license. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 5
Creating best practices from the available options Seeing the various approaches that are now available to the software vendor, it is now possible to create a workable best practices approach when considering how to address virtualization and automated license enforcement. The primary factor to consider is the level of trust the software vendor has with their customer. Typically, there is a direct correlation between the level of trust the vendor has with a customer and the amount of flexibility they are willing to offer. When the vendor has a higher level of trust, they are able to implement softer policies that provide the end customer with far fewer deployment constraints. High Level of Trust Low Low Level of Protection High Traditional VM Fingerprinting VM Detection Hardware Keys soft locking (and allow or disallow) 9 out of 10 ENT organizations will expect their software to run on virtual machines by EoY 2011.* Traditional soft locking puts the least amount of restrictions on the end customer, giving them almost complete freedom in considering when and how to install a vendor s applications. But this is typically only suitable for end customers who have their own incentives in place for license compliancy. Typically, end customers are seeking more assistance from their software vendors to help them stay honest, and the vendors prefer to implement measures which help to keep them compliant. The virtual machine fingerprinting fits well into this scenario since it provides a high level of protection from what could be termed as accidental license misuse. When tighter policies are required by the vendor, the detection and denial of virtual machines becomes preferable. It is more common to combine this capability with concurrent network licenses, as previously discussed, to create a more workable solution. Lastly, for maximum levels of assurance, a hardware key is the best choice so that the information related to license enforcement can be stored in a location that is trusted and guaranteed to be external to the virtualized environment. Closing Thoughts It is clear that virtualization is not a short term craze. It is here to stay and, in many ways, is still in its infancy. As virtualization evolves, it will become increasingly more difficult to tell the difference between virtual and real environments. Automated software license enforcement must evolve with virtualization, and the initial tendencies to distance license enforcement from virtualization threaten to make the problem a harder one to solve. Fortunately, there are now feasible options available for software publishers to stop perceiving virtualization as a source of revenue leakage or a blocker of sales, but instead as an opportunity. Those vendors who utilize the tools available to embrace virtualization the soonest will create a significant differentiator between themselves and their competitors. The SafeNet Approach to Licensing in Virtual Environments SafeNet recognizes that the rapidly growing popularity of virtual machines (VMs) within enterprise organizations makes a software vendor s ability to license and control their applications within any virtual environment critical to business growth and durability. Successful management of software requires not only support for licensing in virtual environments, but also the ability to enforce license terms once the application is deployed on a virtual machine. Without the enforcement, software publishers have no control over the license and, therefore, their revenue. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 6
SafeNet s options for licensing applications in any virtualized environment allow you to: Protect revenue by preventing copy/duplication of applications in virtual environments Reduce churn, secure new business, and improve competitive position by supporting use of your application(s) within virtual environments Increase profit with licensing and pricing models for virtual environments While hardware keys remain the most effective way to prevent unauthorized use and distribution of software in virtualized environments, for some, that option is not practical. Until the release of SafeNet s VM fingerprinting solution, software vendors wishing to extend their software-based licensing implementation to support virtualized environments were limited to methods that detect the presence of a VM and either allow or deny the execution of the software within those environments an incomplete solution without any measure of controlling the application once authorized. With SafeNet, there is finally a viable third option authorize and control software in any virtualized environment with the industry s first and only technology-agnostic VM fingerprinting solution. By enabling software vendors to uniquely lock a license to a single VM, just as they would in a traditional licensing scenario, SafeNet s technology protects the license, and therefore the application, from copy and duplication in any end user environment, virtualized or otherwise. SafeNet is the industry s only software licensing and management technology vendor to offer software vendors both hardware- and software-based options for licensing applications in any virtualized environment. Protect revenue by preventing copy/duplication of applications in virtual environments Reduce churn, secure new business, and improve competitive position by supporting use of your application(s) within virtual environments Increase profit with licensing and pricing models for virtual environments SafeNet Software Rights Management Solutions Sentinel HASP Sentinel HASP, formerly Aladdin HASP SRM, is the industry s first and only software licensing and security solution to enable the use of either software- or hardware-based protection keys to enforce software protection and licensing. With Sentinel HASP, you can increase your profits by protecting against losses from software piracy and intellectual property theft, and enable innovative business models to increase value and differentiate your products. Sentinel HASP fully integrates with your existing software product lifecycle to minimize disruptions to development and business processes. Featuring easy-to-use, role-based tools for developers, product managers, order processing, and production, Sentinel HASP ensures a short learning curve and optimum use of employee time and core competencies ensuring quick timeto-market and the ability to quickly respond to changing market needs. To download a FREE Sentinel HASP Developer Kit, visit: http://www3.safenet-inc.com/special/hasp/safenet-hasp-srm-order/default/asp Sentinel RMS Sentinel RMS is a robust license enablement and enforcement solution providing software and technology vendors with control and visibility into how their applications are deployed and used. Focused on scalable and flexible license management, RMS is ideal for applications deployed in medium to large scale enterprise environments. Implementation of RMS provides a tie-in to software licensing agreements in order to enforce the terms and conditions by which you manage your products. In addition to reducing the risk of piracy, RMS enables you to offer a variety of license models to flexibly price and package your products. When combined with Sentinel EMS, SafeNet s enterprise-oriented, Web-based management system, Sentinel RMS provides a complete solution for license management and enforcement. Sentinel RMS is deployed by both industry-leading enterprise software vendors and high-tech device manufacturers. Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 7
LicensingLive! (lahy sun sing lahyv ), adj. n. [SAFENET, INTERACTIVE] 1. Immediate access to the best practices and emerging challenges associated with software packaging, pricing, fulfillment, delivery and management. 2. A forum bringing together software vendors, industry analysts, licensing consultants and technology vendors. SafeNet Sentinel Software Monetization Solutions SafeNet has more than 25 years of experience in delivering innovative and reliable software licensing and entitlement management solutions to software and technology vendors worldwide. Easy to integrate and use, innovative, and feature-focused, the company s family of Sentinel Software Monetization Solutions are designed to meet the unique license enablement, enforcement, and management requirements of any organization, regardless of size, technical requirements or organizational structure. Only with SafeNet are clients able to address all of their anti-piracy, IP protection, license enablement, and license management challenges while increasing overall profitability, improving internal operations, maintaining competitive positioning, and enhancing relationships with their customers and end users. With a proven history in adapting to new requirements and introducing new technologies to address evolving market conditions, SafeNet s more than 25,000 customers around the globe know that by choosing Sentinel, they choose the freedom to evolve how they do business today, tomorrow, and beyond. For more information on SafeNet s complete portfolio of Software Monetization Solutions for installed, embedded, and cloud applications or to download a free evaluation of our award winning products please visit www.safenet-inc.com/sentinel Join the Conversation Sentinel Online www.safenet-inc.com/sentinel www.licensinglive.com Twitter http://twitter.com/#!/licensinglive LinkedIn http://bit.ly/linkedinlicensinglive YouTube http://www.youtube.com/user/licensinglive BrightTalk http://www.brighttalk.com/channel/5572 Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected 2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (A4)-11.16.10 Platform Virtualization and Software Licensing: Best Practices for Software Vendors White Paper 8