Software Provider’s End-User License Empowerment Shifts ITAM Program Governance

In News, The "iN" Report by IAITAM

Microsoft’s announcement that it will let end-users buy some of their own apps and licenses through Office 365 should have IT Asset Managers concerned.

The announcement, released by the software giant this week, could force decentralization of IT Asset Management (ITAM) programs and open the door for compliance, financial and other risks. If other publishers follow suit, it would change the way an ITAM Program Manager would need to facilitate controlling the program – or leave them in a position of having no control at all.

Controlling the Environment

Barbara Rembiesa, President and CEO of The International Association of IT Asset Managers (IAITAM), has said for years that you cannot manage what you do not know you have. For that reason, IAITAM developed a centralized ITAM model that incorporates 12 Key Process Areas (KPAs) and a set of best practices that assists IT Asset Managers with executing those processes. These identified best practices allow the ITAM program to be centralized, while the people they manage have appropriate empowerment and decentralized control.

For the model to work, the ITAM Program Manager has to be able to set up a program that tracks and stores information about specific IT assets with a centralized view of those assets as needed and required for future planning and compliance purposes. This includes being able to identify what software is in the environment and ensure that the software is licensed properly. The program begins with Acquisition Management and ends with Disposal Management. During that lifecycle, a Software Asset Manager needs to know that what the organization has in its environment remains compliant.

Software publishers regularly audit organizations and can levy heavy fines if they find software within the environment that does not comply with the Terms and Conditions (Ts&Cs) of the license agreement. When the ITAM program works, assets are identified as they enter the environment and can be tracked while in use. The information gathered allows the practitioner to be prepared with documentation that can prove the organization is in compliance with the license.

However, we believe that Microsoft’s announcement may change all of that.

Out of Control

Microsoft has said that on Nov. 19, 2019, it will begin allowing end-users to purchase Office 365 Power Platform low-code services, PowerApps, PowerBI and Flow. The user would be responsible for paying for the transaction and the applications themselves would be licensed to the user. The specific services are meant for business users and not IT administrators nor developers. The way most prior and existing licenses have worked, users would have to get permission from their administrators (to include the IT Asset Manager) to add those services.
From a user’s point of view, this would appear to be a good idea. The user can choose what he or she needs to perform job functions without having to go through an approval and management process. But from a control and ITAM practitioner’s perspective, it could totally change the paradigm of how to manage these licenses.

If an organization receives an audit letter from Microsoft, the software publisher will have information on what is installed or supposed to be installed in the environment as an outgrowth of the business driven transactions. Because the end-user would be in control of the license, the IT Asset Manager would have no way to prove what licenses are in the IT environment. This could lead to a serious financial crisis, as well as a security issue. If Microsoft finds that the organization or its end-users cannot prove software license compliance, the publisher could receive millions of dollars in penalties because the organization would be out of compliance.

This first step by Microsoft also could set a precedent for other publishers to allow end-users, to make more acquisitions on their own without following best practice requisition and procurement processes. It would trickle down through the best practices established in a mature program that include but are not limited to knowing what software to harvest, or who owns it, at the time of disposal.
In other words, the IT Asset Manager would lose control over the environment unless they shift their prior practices significantly to capture this business driven process and risk possibly no longer knowing what the organization has. That means the centralized control system would become decentralized.

In these instances, it complicates the dilemma in that when a publisher initiates this type of shift, there is normally not a lot an organization can do about it. The feature in Office 365 cannot be disabled. And even if an end-user violates an organization’s policy that prevents that user from downloading and installing unapproved software applications, that user still could be out of compliance with the Ts&Cs of their license. In the current state, the IT Asset Manager would have no way of knowing that.

Updating the Program

The job of an IT Asset Manager is to protect an organization from losing control over its IT assets. The practitioner does this in several ways: By identifying assets, streamlining acquisition processes, working with vendors, keeping an eye on the budget, ensuring regulations and agreements are being followed and disposing of assets properly, to name several.

But at the end of the day, an organization’s CXO or Board of Directors is concerned most about money. Remaining in compliance with software license Ts&Cs is a major money-saving opportunity to demonstrate the benefits of a mature ITAM program. Without being able to prove compliance, the program’s core competency would collapse and its value would become severely diminished.

As this trend has already started and may continue to develop, ITAM Program Managers will have to find a way to maintain a centralized control over their assets. It’s a problem that doesn’t have an immediate answer, and one that should make practitioners take notice that the way things have worked for years is about to change.

References:
[1] Anderson, T. (2019, October 22). Power to the users? Admins be warned: Microsoft set to introduce ‘self-service purchase’ in Office 365. Retrieved from https://www.theregister.co.uk/2019/10/22/microsoft_self_service_office_365/