- Oct 26, 2017
- Debbie Rich
Spooky SAM Stories: 3 Cautionary Tales to Avoid Compliance Risk
Let’s face it, Software Asset Management has its scary spots. Dreaded data, technical tangles, and chaotic challenges. Here at Aspera, our seasoned professionals have witnessed their fair share of terrifying moments. We’ve convinced our team to share three of their spoooookiest SAM stories this week in our blog, just in time for Halloween.
Ghosts in the Machines
Pat Spencer, Senior Consultant, Aspera Technologies
I consulted years ago with a high-profile global company. This company didn’t have a real compliance program before I came aboard. The asset managers were basically a remedy team that was using spreadsheets.
One day, my team is pulling in data, working to reach a compliance position. As the SAM manager reviews the reports, he suddenly says, “What is this?” The data showed Microsoft Access, and a lot of it.
He says: “We don’t use Access. About six years ago, we renegotiated with Microsoft and said that we no longer need Office Professional. So we started paying for Office Standard, which doesn’t include Access.”
I say: “Your raw data shows that Access is installed – and on a lot of machines. When the team renegotiated the Microsoft contract, my guess is that no one actually went through to do the uninstall. So the software has been sitting unlicensed for six years.”
“No no no, that can’t be right,” says the SAM manager. Then after a few more minutes of review, he looks at me and says, “Well…can you just make it go away?”
My reply, with a straight face: “I can remove it from your compliance report. However, you still have it installed, so you need to take the right steps to fix the problem.”
I never found out if the team metered the application to discover if any employees had been using it. But they did take the initiative to go through the entire company and uninstall Access from every device. Which was probably hundreds of thousands of devices — this was a really big company!
If Microsoft had come in for a software audit, this company would have been in deep trouble. Sadly, this kind of mistake is not uncommon. And, as we all know, vendors count everything — ghosts, ghouls, and licenses that lurk in the dark.
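The "ghost" installs in this story surface whenever raw discovery data is reconciled against the entitlements actually held. The script below is an added example, not Aspera's tooling or the client's data: it computes a licence position from constructed inventory and entitlement records, and shows why filtering a product out of the report ("can you just make it go away?") leaves the installs, and the exposure, untouched. The suite composition (Office Professional modelled as including Access, Office Standard as not) follows what the SAM manager says above and is otherwise an assumption.

```python
"""
Added example (not the page's own code): reconcile discovered installs
against entitlements to get a compliance position per product.
All data below is constructed for illustration.
"""
from collections import Counter

# Assumed suite composition: which products an entitlement for a suite covers.
SUITE_CONTENTS = {
    "Office Professional": {"Word", "Excel", "Outlook", "PowerPoint", "Access"},
    "Office Standard": {"Word", "Excel", "Outlook", "PowerPoint"},
}

# Constructed raw inventory: (device, product) pairs as a discovery tool reports them.
INVENTORY = [
    ("WS-0001", "Word"), ("WS-0001", "Excel"), ("WS-0001", "Access"),
    ("WS-0002", "Word"), ("WS-0002", "Access"),
    ("WS-0003", "Word"), ("WS-0003", "Excel"),
    ("WS-0004", "Access"),
]

# Constructed entitlements after the renegotiation: Office Standard only.
ENTITLEMENTS = {"Office Standard": 4}


def licensed_devices(entitlements, suite_contents=SUITE_CONTENTS):
    """Expand suite entitlements into a per-product count of licensed devices."""
    per_product = Counter()
    for suite, qty in entitlements.items():
        # A non-suite entitlement simply covers the product of the same name.
        for product in suite_contents.get(suite, {suite}):
            per_product[product] += qty
    return per_product


def compliance_position(inventory, entitlements, suite_contents=SUITE_CONTENTS):
    """Per product: devices with an install, licences held, and the shortfall."""
    installed = Counter()
    for _device, product in set(inventory):  # a device counts once per product
        installed[product] += 1
    licensed = licensed_devices(entitlements, suite_contents)
    position = {}
    for product in sorted(set(installed) | set(licensed)):
        shortfall = max(0, installed[product] - licensed[product])
        position[product] = {
            "installed": installed[product],
            "licensed": licensed[product],
            "shortfall": shortfall,
        }
    return position


def unlicensed_products(position):
    """Products whose installs exceed the licences held."""
    return sorted(p for p, row in position.items() if row["shortfall"] > 0)


def suppress_from_report(position, product):
    """What 'make it go away' really does: the report changes, the inventory does not."""
    return {p: row for p, row in position.items() if p != product}


def installs_of(inventory, product):
    """Count of devices in the raw inventory that still carry the product."""
    return len({device for device, p in inventory if p == product})


if __name__ == "__main__":
    pos = compliance_position(INVENTORY, ENTITLEMENTS)
    for product, row in pos.items():
        print(f"{product:11} installed={row['installed']} "
              f"licensed={row['licensed']} shortfall={row['shortfall']}")
    print("unlicensed:", unlicensed_products(pos))
    hidden = suppress_from_report(pos, "Access")
    print("after suppressing Access from the report:", unlicensed_products(hidden),
          "- raw inventory still shows", installs_of(INVENTORY, "Access"), "Access installs")
```

The remediation the story ends with (uninstall from every device) changes the inventory input, which is the only thing that changes the position; the report filter only changes what the reviewer sees.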
The Walking Dead Project
Olaf Diehl, Managing Director, Aspera GmbH
I knew a very large logistics company with an IT project team that was full of ideas. They had a bunch of targets and goals for starting up their SAM service. As the organization was huge and complex, their initial plan was to go for the client devices and to count deployed software only.
This was hard work and a valid approach at the time, perhaps 10 years ago.
After that process was in place, they integrated SAM into their request management and customized the hell out of their system. The customization took many years and probably hundreds of thousands of Euros for internal resources and external support.
Several years later, the company was ready to update their system to the most recent version of their SAM solution. But guess what? This was no longer possible. Years of customizing the system had killed all versioning compatibility. Data quality issues were also poisoning the service results.
So they tried in a test environment to update. It crashed. The expected effort to fix the problems was massive. What does a clever organization do? They reverted back to a new standard system, especially since the SAM solution’s vendor promises that customization is not necessary anymore.
Do you see the light at the end of the tunnel? Ok: Go! The regression to a standard system worked quite well — at least for some months. Four years later, they were spending a huge budget and still on the hunt, like a drug addict, for a reliable result. Yet as far as I know, they still had the compatibility problem, no good data, and no significant server coverage.
And no hope, maybe. The team knew their needs and what could cure it. But their bottom line was that “we already invested so much” and political reasons inside the company prevented any helpful movement. In the end, this company was left with a very expensive trick, and never got to enjoy any treats.
The Case of the Invisible Inventory
Lawrence Dempsey, Manager of Services, Aspera Technologies
What’s your current process for dealing with ‘aging’ or old inventory data on your organization’s devices?
I was consulting at a global security company which had recently been forced to pay fines during a software audit. They decided to take their SAM program seriously and rolled out a tool to manage compliance. The SAM tool tracked both hardware and software assets, and relied on AM agents deployed to each device. My job was to ascertain the ‘current state’ of SAM compliance for the company’s key strategic vendors.
The agents were configured to scan weekly, and the policy was to ensure we had a frequent scan on every device no older than 30 days. Any device with a last-scan date older than 30 days raised a red flag. That indicated either an issue with the agent, or a device that had not been on the network for a while and could be a security risk.
I noticed there was a significant percentage of devices with aging scans, which were owned and used by the development team. But why the data was old — that’s the big question, and that was my job to find out.
If you’re familiar with managing software and hardware assets, you know that developers are fun people to deal with. They may have 3-5 devices they use, 1 for production and the rest for development, and sometimes those boundaries can be crossed. Additionally, developers can be a little bit cavalier when it comes to what they are deploying for testing and development, and what they are licensed to deploy for testing and development.
I told the developers there was a problem with their scanning agents and we needed to reinstall them. They gave a significant amount of pushback for what should be a straightforward and ‘background running’ process.
Three days later, the developers told me they had “fixed the problem” and we wouldn’t have an agent issue anymore. I said, “That’s great, thank you, how did you fix it?” Turns out they completely reformatted their computers. “Why did you do that? We could have just reinstalled the agent,” I asked. They told me: “Oh, we disabled the agent after you installed it the first time.”
Here’s the challenge: How do you manage and track assets when users have control over what you can and can’t see? The developers had full admin rights and could install what they wanted on their machines. Turns out they shouldn’t have been so trusted. This situation wasn’t about ‘accidental’ non-compliance. It was ‘intentional’ non-compliance, that is, an intentional disabling of SAM capabilities.
Here’s the lesson. Don’t always assume that aging scan data means a device is inactive or decommissioned. Your process should analyze the status of each device when looking at the age of inventory data. Is the device still active and deployed? If so, that’s a trigger to get updated inventory data, not to ignore the inventory completely.
Everyone enjoys a little scare on Halloween, but in software asset management, I prefer to keep the real horror to a minimum.
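The triage rule at the end of "The Case of the Invisible Inventory" is easy to automate once the scan age is joined with an independent sign of life for each device. The script below is an added example, not Aspera's tooling or the client's data: it joins a constructed SAM export (last successful agent scan per device) with a constructed "last seen on the network" record (a directory or NAC log would be a typical source; the field is an assumption), applies the 30-day scan policy from the story, and separates devices that are active but silent (agent missing, broken or disabled) from devices that have genuinely gone quiet. The share of stale devices per owner group is the figure that pointed at the development team in the story.

```python
"""
Added example (not the page's own code): triage aging inventory data by
joining scan age with device activity. All data below is constructed.
"""
from collections import defaultdict
from datetime import date

SCAN_MAX_AGE_DAYS = 30    # policy from the story: every device scanned within 30 days
ACTIVE_WINDOW_DAYS = 30   # assumption: seen on the network within 30 days means active

# Constructed SAM export: device -> date of last successful agent scan (None = never)
LAST_SCAN = {
    "DEV-101": date(2017, 8, 14),
    "DEV-102": date(2017, 7, 2),
    "DEV-103": None,
    "FIN-201": date(2017, 10, 20),
    "FIN-202": date(2017, 9, 1),
}

# Constructed directory/NAC records: device -> date last seen on the network
LAST_SEEN = {
    "DEV-101": date(2017, 10, 25),
    "DEV-102": date(2017, 10, 24),
    "DEV-103": date(2017, 10, 25),
    "FIN-201": date(2017, 10, 25),
    "FIN-202": date(2017, 8, 30),
}

# Follow-up per class: a stale scan on an active device triggers a refresh, not removal.
ACTIONS = {
    "ok": "no action",
    "active-stale": "verify agent service state, reinstall if needed, keep device in scope",
    "inactive-stale": "confirm status with owner; retire only once decommission is confirmed",
}


def classify_device(last_scan, last_seen, today):
    """Combine scan age and network activity into one of three classes."""
    stale = last_scan is None or (today - last_scan).days > SCAN_MAX_AGE_DAYS
    active = last_seen is not None and (today - last_seen).days <= ACTIVE_WINDOW_DAYS
    if not stale:
        return "ok"
    if active:
        return "active-stale"    # on the network but not reporting
    return "inactive-stale"      # not reporting and not seen either


def triage(last_scan, last_seen, today):
    """Class per device, over the union of both data sources."""
    devices = sorted(set(last_scan) | set(last_seen))
    return {d: classify_device(last_scan.get(d), last_seen.get(d), today) for d in devices}


def stale_share_by_group(result):
    """Fraction of devices with a stale scan per owner group (device-name prefix, constructed)."""
    total, stale = defaultdict(int), defaultdict(int)
    for device, cls in result.items():
        group = device.split("-")[0]
        total[group] += 1
        if cls != "ok":
            stale[group] += 1
    return {g: stale[g] / total[g] for g in total}


if __name__ == "__main__":
    today = date(2017, 10, 26)
    result = triage(LAST_SCAN, LAST_SEEN, today)
    for device, cls in result.items():
        print(f"{device}: {cls:14} -> {ACTIONS[cls]}")
    for group, share in stale_share_by_group(result).items():
        print(f"group {group}: {share:.0%} of devices have aging scans")
```

Running it with the constructed data puts every DEV device in `active-stale` (seen on the network days ago, no scan for months or ever), which is the pattern to chase rather than write off, while FIN-202 has been silent on both sources and goes to an ownership check instead.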