Extract from ISS-N004-v3.2, Cloud Computing and License Management by David Bicket, March 2011. Printed with permission. Text and diagrams © David Bicket 2011.
David Bicket, the convener of the ISO/IEC working group developing SAM standards, published a white paper on the ISO SAM Standards website, www.19770.org, that explains the architecture that the standards will provide to license management. In this extract, David explains the existing approaches to license management from the cloud perspective and summarizes the structured approach that is based on the SAM standards architecture.
Many of the challenges for cloud computing license management are advanced versions of familiar license management issues. Cloud computing has advanced such issues as:
- Licensing terms and conditions which lag behind shifting business models (leasing, rental, outsourcing, now public cloud computing) and technologies (virtualization in particular).
- Licensing models based on metrics which are difficult to measure and control, such as client access licenses, rather than the simplistic ‘per‐install’ metric.
- Challenges discovering what software is installed and measuring how much it is being used, especially in virtual environments.
- Challenges managing the inventory of licenses purchased, including knowing what is actually owned and the associated terms and conditions, given the real‐world dynamics of mergers, divestures, and reorganizations.
- Challenges managing environments with mixed ownership of license entitlements, e.g. client and server software owned by different entities.
- Technological mindset that licensing is not the concern of techies, but rather of someone else – anyone else.
- Hosting/outsourcing mindset that license management – and license compliance – is the responsibility of the other party – whether provider or consumer.
Furthermore, cloud computing does not exist on its own, nor does license management for cloud computing exist on its own. A significant ‘traditional’ infrastructure of mainframes, servers, PCs, smartphones, etc. will continue to exist, with an ongoing need to manage licenses in these environments. New licensing terms and conditions which allow licenses to be used interchangeably between traditional platforms and cloud platforms will require even closer integration of the entire license management infrastructure.
Organizations typically address license management with several different approaches, and the approaches for cloud environments are simply more extreme versions of that general behavior. Two of these approaches (the sourcing and contractual approaches) are really attempts to minimize the need for license management. The mashup approach is a realistic description of the current methods used to actively manage licensing across complex infrastructures, including in the cloud. The structured approach is under development and is the answer to these issues.
The Sourcing Approach
The sourcing approach to license management attempts to eliminate or minimize the need for license management by choosing software which does not require the management of metrics like “the number of installed copies,” “the number of users,” or “the number of cores on which the software is run,” which are not necessarily easily measurable in the context of cloud computing. Free and open-source software (FOSS) is commonly used in cloud computing in part for this reason.
Although such an approach will limit the direct financial impact of licensing, it will not eliminate the need for good software management, and in some respects simply shifts the nature of the exposures to be managed. These are some of the issues to be considered in taking a FOSS sourcing approach:
- There is still a requirement to comply with open source licensing terms and conditions. Vendor audits are unlikely, but there could still be significant implications for the user. For example, any applications developed under AGPL terms, even though used only in SaaS environments, may require the offering and provision of source code.
- Version control is more challenging because of the ease of modification and the need for monitoring of industry updates of embedded coding which may be critical for security, for example.
- To secure an IT system against security threats, it is necessary to know what software you are using, and also what software an attacker might be able to access even if it is not in normal use by authorized users. This is totally independent of whether the software in question is FOSS or proprietary. Consequently, the software discovery aspect of software asset management is just as important with a FOSS approach as with proprietary software.
- Metering requirements exist when FOSS is used to provide a software-based service, both for the purposes of billing (especially if using a third-party cloud service provider), and for resource management and planning purposes.
The Contractual Approach
The contractual approach to license management attempts to eliminate or minimize the need for license management by assigning such responsibilities to another party, typically an outsourcer.
Although it is essential that responsibilities for licensing and license compliance are clarified in contractual arrangements such as for outsourcing, there are clear limits and potentially major cost implications depending on how the terms and conditions are specified, and on how license ownership is structured. The following are some of the issues to consider:
- It is not possible to override legal and contractual obligations with software manufacturers by means of contractual arrangements with hosters or outsourcers (or anyone else). If an organization is using unlicensed software, then it will almost certainly have the primary exposure itself. It would need to seek subsequent recourse against any other organization with which it had contracted for license management.
- The terms and conditions for services provided by hosters / cloud service providers may still place significant responsibility for license compliance on the end-user organization. (These terms and conditions may in fact have been specified by the software manufacturer, and be included in end-user agreements as a requirement of the hoster’s own licensing agreements.)
- Often it will be more cost-effective for an organization to use its own licenses even in a hosting or outsourcing situation. The cost of providing equivalent entitlements purely through the hoster can be several times as high as using its own licensing, and at the end of the hosting arrangement there may be no perpetual licenses available for transfer.
The Mashup Approach
The mashup approach is based on a mix of different tools and approaches, typically combined in a highly manual way. This is the way most license management is currently practiced, because of the complexities of dealing with all of the different licensing models, and the limitations and specialist focus of many of the tools that exist. This approach is also required in corporate environments where there are multiple subsidiaries or operating units which have different sets of tools and systems for asset management.
In principle this approach works, but with significant inefficiencies and with the risk of major deficiencies in coverage and accuracy. Some of the common problems associated with the mashup approach are:
- Inaccurate identification of installed software. It can be particularly problematic to identify properly the suites or packages from/with which a component product was installed, and program options which, if enabled, require additional licenses.
- Inconsistent naming of identified software. The results produced by different tools can be difficult to consolidate because of variations in the way the same products are labeled by different tools.
- Inability of tools to produce accurate usage information for many licensing metrics. Metering under virtualization is particularly difficult although improvements are being made. Even minor variations of the standard ‘per-install’ metric can cause complications (e.g. secondary use rights for installations on an additional device of a specific type exclusively used by the same end-user). Some metrics require detailed and complex analysis of the computing infrastructure to assess – e.g. the number of end-users, devices in some cases, the architecture, the nature of connections, the nature of processing, and the specific software with which connections are made. There are specialist tools to produce metric measurements for specific situations, such as CAL usage or usage in hosted environments, but even these specialist tools have their limitations.
- Limited credibility for much license entitlement data collection, because of problems in areas like completeness and accuracy of original data collection, validity of proof of license (e.g. reseller documentation rather than software manufacturer confirmations), complications relating to upgrades or maintenance with additional issues about inconsistent quantities and inconsistent ownership, and the complications of mergers, divestures, re-organizations, and unclear license ownership resulting in many such cases.
The Structured Approach
The structured approach is still evolving through the projects under way at ISO/IEC JTC1 SC7 WG21. It is based on the development and exploitation of a common technological architecture for asset management. Parts of this architecture are already in place, others are in development, and some have yet to be developed. As these components are adopted into the current mashup approach, the ability to manage licensing competently and cost-effectively will increase. While these developments are not exclusive to cloud computing, they are necessary and major parts of the solution for cloud computing.
In summary, the essential elements of a structured approach to license management are:
- Common data structures for storing asset management information which can be used consistently by all tools to provide interoperability between tools, between different IT infrastructures, and between different asset owners.
- Development of application programming interfaces (APIs) to facilitate the discovery of and access to these common data structures in all types of IT environments, including virtual environments and in cloud computing. These APIs need to be included both in operating systems and in asset management tools and repositories.
- Development/refinement of metric measuring tools to provide the detailed measurements needed for asset management in general, and for cloud computing in particular.
Further details of the overall architecture of the structured approach are given in Annex A of the full paper, available on www.19770.org.