WIXLIB

Key TakeawaysÂÂ Cloud computing did not end license compliance worries, but rather creatednew ones. These challenges could be overcome with effective software assetmanagement;ÂÂ Software asset management is as critical for organizations moving to thecloud as it is for organizations running traditional on-premise IT environments.Effective SAM is a cloud enabler;ÂÂ While the goal of SAM does not change with the cloud, the “how” of SAMdoes need to be adapted for cloud environments;ÂÂ SAM should be an integral part of an organization’s cloud strategy andimplementation plan, and be fully embedded in all stages of the cloudmanagement process;ÂÂ SAM should further be adapted to manage the cloud service as a whole,beyond the management of just the underlying assets. SAM in the cloudshould rely more on policies and automated controls in order to address thedynamic and real-time nature of cloud provisioning;ÂÂ Traditional software license agreements require special attention whena move to the cloud is considered to ensure license compliance. It isrecommended that the organization works closely with the software publisheron such moves;ÂÂ BYOD may represent additional risks to organizations, particularly inconjunction with cloud services; andÂÂ Software as a service introduces potential challenges related to unauthorizeduse and shelfware.4BSA The Software Alliance

NAVIGATING THE CLOUDIntroduction to Cloud TechnologiesA baseline definition of cloud computing and related conceptsis provided below. However, it should be noted that cloudtechnologies, platforms, and approaches continue to rapidly evolve.The National Institute of Standards and Technology (NIST) defines cloud computing as1:a model for enabling ubiquitous, convenient, on-demand network access to ashared pool of configurable computing resources (e.g., networks, servers, storage,applications, and services) that can be rapidly provisioned and released withminimal management effort or service provider interaction.Cloud computing is gaining momentum due to a convergence of multiple trendsincluding: the maturity of virtualization and virtualization management technologies;Big Data (the collection, storage, management, and analysis of very large data sets); thespread of affordable, high-capacity broadband networks; and the proliferation of mobileconnected devices, among others.BSA The Software Alliance5

Cloud Service ModelsCloud computing providers use various service models. Actual cloud solutions mayinvolve any combination of approaches. The three most common service models, asdefined by NIST, are detailed below.Software as a Service(SaaS):The capability provided to the customer is to use theprovider’s applications running on a cloud infrastructure.The applications are accessible from various clientdevices through either a thin client interface, such asa web browser (e.g., web-based email), or a programinterface. The customer does not manage or controlthe underlying cloud infrastructure including network,servers, operating systems, storage, or even individualapplication capabilities, with the possible exception oflimited user-specific application configuration settings.Platform as a Service(PaaS):The capability provided to the customer is to deployonto the cloud infrastructure customer-created oracquired applications created using programminglanguages, libraries, services, and tools supported by theprovider. The customer still does not manage or controlthe underlying cloud infrastructure but has control overthe deployed applications and possibly configurationsettings for the application-hosting environment.Infrastructure as a Service(IaaS):The capability provided to the customer is to provisionprocessing, storage, networks, and other fundamentalcomputing resources. The customer is able to deployand run arbitrary software which can include operatingsystems and applications. The customer again does notmanage or control the underlying cloud infrastructurebut has control over operating systems, storage, anddeployed applications; and possibly limited control ofselect networking components (e.g., host firewalls).Traditional IT architecture may be described as including eight key components. Thefollowing chart demonstrates how responsibility is shifted for each component undereach of the three cloud service models between the organization and the CSP:Organization ManagedCSP Managed6 Applications Applications Applications Applications Data Data Data Data Middleware Middleware Middleware Middleware Operating Systemm Operating Systemm Operating Systemm Operating System Virtualization Virtualization Virtualization Virtualization Hardware Hardware Hardware Hardware Storage Storage Storage Storage Networking Networking Networking NetworkingOn PremiseIaaSPaaSSaaSBSA The Software Alliance

NAVIGATING THE CLOUDCloud Deployment ModelsCloud technologies could be offered using various deployment models. The mostcommon deployment models, as defined by NIST, include:Private cloud:The cloud infrastructure is provisioned for exclusive use by asingle organization (customer) comprising multiple internalcustomers (e.g., business units). It may be owned, managed, andoperated by the customer, a third party, or some combination ofthem, and it may exist on or off premises.Communitycloud:The cloud infrastructure is provisioned for exclusive use by aspecific community of customers from organizations that haveshared concerns (e.g., mission, security requirements, policy, andcompliance considerations). It may be owned, managed, andoperated by one or more of the organizations in the community,a third party, or some combination of them, and it may exist onor off-premises.Public cloud:The cloud infrastructure is provisioned for open use by thegeneral public. It may be owned, managed, and operated bya business, academic, or government organization, or somecombination of them. It exists on the premises of the cloudprovider.Hybrid cloud:The cloud infrastructure is a composition of two or more distinctcloud infrastructures (private, community, or public) that remainunique entities, but are bound together by standardized orproprietary technology that enables data and applicationportability (e.g., cloud bursting for load balancing betweenclouds).A popular and fast-growing segment of the public cloud, known as the personal cloud,provides services to individual consumers. Personal cloud services include social media,personal email, document creation and editing, music/photo/video/file storage, andmany others.BSA The Software Alliance7

Introduction to Software AssetManagementThe Information Technology Infrastructure Library (ITIL) definesSoftware Asset Management2 as:All the infrastructure and processes necessary for the effective management,control, and protection of the software assets within an organization throughout allthe stages of its lifecycle.The following functional definitions further advance the above standard definition:SAM is the practice of effectively managing what an organization does and doesnot do with software. It is a set of managed processes and functional capabilities tomanage the software assets throughout the five stages of their lifecycle (planning,requisition, deployment, maintenance, and retirement).Software License Management (SLM) is the application of SAM to licensing (measuringand managing license entitlements and license consumptions).Software License Compliance (SLC) is a subset of SAM and SLM and is the act ofensuring compliance with the terms and conditions governing the licensing and useof software. Software license compliance is a key objective of SAM. In order to ensurecompliance with its software license agreements, an organization should performperiodic reconciliation between license consumption and license entitlement. Licenseconsumption information is obtained by analyzing complete and accurate softwaredeployment information, including a count of licensing metrics (which vary by product),the application of licensing rules, product use rights, and other information (for example,product bundling rules). License entitlement information is obtained by analyzingcomplete and accurate purchase histories, software license agreements, and otherinformation such as product name migrations and related licensing rules.8BSA The Software Alliance

NAVIGATING THE CLOUDAs implied above, SAM has the following characteristics:ÂÂ SAM is a business practice, involving people,processes, and technology;ÂÂ SAM includes a set of managed processes andfunctional capabilities. Tools can help facilitate,and in some cases automate, these processes andcapabilities; however, deploying a tool by itselfdoes not ensure the effective practice of managingsoftware assets;ÂÂ SAM is about all software for which an organizationdeems it necessary to set governing policies. As such,it is not just about software on desktops. In fact, SAMis most importantly about software on servers giventhat is where the cost of software assets — as wellas their operational impact — is most concentrated.Interestingly, cloud is all about software on serversas well. SAM may also address software on phones,storage arrays, switches, printers, storage media, andother devices; andÂÂ SAM is a multi-disciplinary practice. To be effective,SAM cannot function in a departmental silo, butrequires collaboration among several departments,including IT, Finance, Procurement, Legal, HR, andothers.Effective SAM results in the ability to know, withreasonable completeness and accuracy, on a consistentand repeatable basis, the software asset entitlementsthat are owned, the software assets that are deployed,and where and how the assets are being used. Thiscompetency serves multiple objectives, including SLM,SLC, information security, business continuity, changeand configuration management, and license compliance.BSA The Software AllianceEffective information security requires theidentification of all hardware and softwareassets across the organization, to ensure theseassets are authorized to be deployed, areauthentic/genuine (i.e.,not tampered with), andare configured with the latest security patchesreleased by the software publisher to protectagainst security vulnerabilities. Effective businesscontinuity requires knowing which assets supportwhich business processes, as well as identifyingany interdependencies between assets. Italso requires the ability to rebuild any server,down to the required version/patch level of allsoftware components. Effective change andconfiguration management requires knowingthat no unauthorized changes are being made tomachine configurations which, in turn, requiresknowing which machines an organization has,their locations, and their configurations.9

SAM StandardsThe International Organization for Standardization (ISO) is the largest and mostrecognized global standards-setting body. ISO’s 197703 family of SAM standardsrepresent the only global standard for SAM.19770-1 SAM ProcessesBSA’s SAM AdvantageCourse4 is the firstindustry SAM coursealigned to ISO/IEC19770-1:2012standard.Published first in 2006 and revised in 2012, this standard focuses on SAM processes andtiered assessment of conformance. The standard identifies four tiers of SAM adoption, allcentered on outcomes.ISO 19770-1 TIERED ASSESSMENT FRAMEWORKTier 4Tier 3Full ISO/IEC SAM ConformanceAchieving best-in-class strategic SAMTier 2Operational IntegrationImproving efficiencyTier 1Practical ManagementImproving management controls & driving immediate benefitsTrustworthy DataKnowing what you have so you can manage itISO/IEC 19770-1 identifies an integrated set of processes found within SAM as well as atiered approach to focus their implementation. The 27 identified processes are classifiedunder three major categories and six sub-groups. The four-tiered implementationapproach is based on achieving specific results of conformance from the processes.ISO/IEC 19770-1 applies to all software as well as all technological architectures. It is asrelevant to an office productivity application installed on a laptop as it is to an applicationoffered under a SaaS offering in a cloud computing environment.10BSA The Software Alliance

NAVIGATING THE CLOUDISO 19770-1 SAM PROCESSES FRAMEWORK19770-2 Software ID TagsISO/IEC 19770-2 is focused on Software ID Tags (SWID). Published in 2009, its mainobjective is to establish a framework that provides a complete and accurate identificationof installed software, which benefits both software publishers and end-user organizations.19770-2 defines both mandatory and optional elements within a SWID tag. The SWIDtags use standardized XML placed at predetermined locations on machines when thecorresponding software is installed.TagVault5 (tagvault.org) is a non-profit organization established to facilitate theimplementation of 19770-2 by hosting a central tag repository.Future ISO SAMStandards: ISO iscurrently working ona number of futurestandards, including19770-3, which willfocus on softwarelicense entitlementtags, and 19770-7which will addressthe managementof 19770-2 and19770-3 tags.Multiple software publishers have embraced the standard and now ship new softwarewith SWID tags. For publishers who are not yet supporting SWID tags, as well as forlegacy software products, an organization may use self-created or third-party SWID tags.The use of SWID tags enables an organization to quickly identify, with increased accuracy,software deployed within its environments. In an IaaS/PaaS environment, the use of selfcreated SWID tags may enable organizations to differentiate their own software fromsoftware provided by the CSP or software of other customers. Therefore, SWID tags,which are increasingly part of SAM in all environments, may become particularly relevantin facilitating the management of software assets in the cloud.BSA The Software Alliance11

General Considerations for SAM inthe CloudAs it relates to software licensing, each of the different cloud servicemodels carries specific risks and requires specific considerationswhich are discussed over the next few sections. This section covers,at a high level, some of the general considerations for SAM acrossall cloud service and deployment models.Adapting SAM to the CloudCloud computing does not preclude an organization’s need for SAM. The cloudenvironment is simply a different infrastructure where SAM processes need to operateeffectively. Organizations must tailor their implementations of the 27 process areas inISO 19770-1 to take into account the nuances of the software and architectures withintheir cloud environment. Just as organizations must adapt their approach to handle thedifferences between physical and virtual environments, they must adapt their approach tohandle the cloud environment.Organizations need to specifically address cloud computing within their policies andprocedures to fulfill their ISO 19770-1 requirements. Key considerations to address whenimplementing SAM in the cloud include:ÂÂ Changing nature of software assets. Traditional (pre-cloud) SAM focuses solelyon managing the lifecycle of the underlying software assets. With the cloud, SAMprograms are now required to manage the cloud service, whether in place of or inaddition to managing the software assets. In a way, the cloud service itself becomesan asset that requires managing. Given that certain aspects of SAM are now deliveredvia the CSP and not owned by the customer, SAM programs need to monitor aCSP’s compliance with its service level agreements (SLAs) and other applicablerequirements. The ability to perform such monitoring effectively represents a newmindset, a new skill set, and a new toolset that SAM programs need to develop.12BSA The Software Alliance

NAVIGATING THE CLOUDÂÂ Real-time SAM. One of the business benefits ofthe cloud is its agility and speed-to-market. Cloudservices can be provisioned or released with a fewmouse clicks. Many traditional (pre-cloud) SAMprocesses assume longer lifecycles, allowing moretime for planning, contracting, periodic discoveryand reconciliations, and other SAM control activities.With the cloud, SAM programs must adapt to amore real-time environment by designing processesto allow for faster reaction and relying more heavilyon detailed policies and processes on cloudcontracting, deployment, and management acrossthe organization.ÂÂ Decentralization. Cloud services, particularly SaaS,are generally easy to implement and may not requiresignificant IT knowledge or resources. As such, manyorganizations find that their employees are bypassingnormal IT procurement processes to deploy cloudservices. SaaS providers may target the businessbuyers directly (e.g., sales or HR departments)rather than going through the traditional ITbuyers. Cloud services are typically consideredoperational expenses, bypassing the more rigorousapproval processes that may be in place for capitalexpenditures. In fact, cloud services can often be paidfor using a corporate credit card, bypassing normalprocurement/finance approval gateways. Because ofthese factors, IT and SAM functions may learn aboutsome cloud implementations only after the fact (ornot at all) and, therefore, would not be involved inthe contracting phase. This may result in a number ofchallenges:–– Weak contracting. The SAM function, IT, andprocurement may not be sufficiently involved inthe contracting phase;–– Increased license compliance exposure. TheSAM function may not be involved in designing,contracting, and monitoring the cloud solutionwith respect to licensing risk;–– Loss of control over where an organization keepsits data. The loss of control may result in privacy,information security, and business continuityexposures;BSA The Software Al

cloud enabler, ineffective SAM can undermine many of the financial advantages and other benefits provided by cloud computing. SAM in the Cloud Once an organization moves an operation to the cloud, its SAM program must adapt to address the new and varied challenges presented by cloud architecture. While SAM principles remain unchanged, licensing .