IT asset management strategy: License compliance and beyond
In this Q&A on IT asset management strategy, read up on what it's like to run afoul of software companies' license compliance requirements and how IoT will impact ITAM.
An IT asset management strategy, if implemented correctly, can protect a company against license compliance audits by software vendors, provide a picture of what systems and software the organization has paid for, as well as how much is being used, and help IT justify a particular strategy. If, on the other hand, a company doesn't implement an IT asset management (ITAM) strategy -- or if it does, but not properly -- the biggest risk is that it can open itself up to a host of problems and potential fines from technology vendors.
The penalties that software companies impose for licensing noncompliance can be extraordinarily high -- as much as $30,000 per "instance," or device registered to run a particular application -- according to George Spalding, vice president of IT service management consultancy Pink Elephant, based in Burlington, Ont. And a finding of licensing noncompliance by one vendor can lead to an audit by another, since vendors communicate about customers that are not in compliance, he said. In this Q&A, Spalding describes the perils of being audited by a software company for licensing compliance issues, why an IT asset management strategy is important in terms of hardware, how strategic asset management tools are integrated with discovery and service desk tools, and how the Internet of Things will impact ITAM.
Editor's note: The following interview has been edited for clarity and length.
What happens when there's a finding of licensing noncompliance following an audit?
George Spalding: Usually, the [audited] companies hire a bunch of lawyers, and the lawyers from the software vendors sit down, and, basically, they come to an agreement. They negotiate the fines down. But it's painful. It's expensive when [an audited company is] found out of compliance. I sincerely believe that most companies really don't have any desire to be out of compliance. They're not trying to screw the software companies. They kind of discover themselves out of compliance. It's like, "Whoa. How did that happen? I thought we were buying that. We have policies in place that say we're supposed to buy this."
It's not like the [audited] companies are trying to be criminal, [but] that's what this is considered: criminal activity. This is fraud, basically. This is stealing intellectual property without proper fees, without renting it. So it is actually criminal activity, which is why the [audited] companies certainly don't want, in any way, shape or form, to ever be involved in it, or part of it, or be known for it, or any of that stuff.
So that part of things, without question, instantly takes care of the ROI of asset management. People say, "Well, we can't really afford to do an asset management program." Really? No, you can't afford not to do an asset management program. You basically have to have [an asset management system] so that you can have somebody immediately [respond to a] request [from a] software company that says, "Could you please demonstrate that you have X amount of licenses and how many employees you have that would be using them?"
If you can respond instantly with not just "Yes, we have the licenses," but actual proof and documentation, they don't come in and audit you. You just respond and everything's good. But as soon as there seems to be some sort of hedging or question, then suddenly, they're sending in actual auditors and people on-site and surprise, surprise.
How often do vendors audit IT organizations for license compliance?
Spalding: It certainly happens, [but] it's not something that the [IT shops] publicize, and it's not something that the software companies publicize. Because that would be [the equivalent] of a bank having a breach. They fix it and they don't tell anybody. They don't want the damage to their reputation. Truthfully, no one actually knows how often [companies are audited and fined].
One of the solutions [for an IT shop to ensure license compliance is to] buy an enterprise license. The really huge companies never have [to deal with license noncompliance issues] because they just buy an enterprise license.
It's the midsize companies that are trying to save a dollar or two by buying 100 licenses for their 100 people. That's where they get in trouble.
Financing an IT asset management strategy
It would seem midsize companies are less likely to be able to or want to invest in an IT asset management plan.
Spalding: They don't see the need for it. They can't seem to afford what we would call an asset management department. They might have an asset manager, a human being, one person, who [uses] discovery tools [to determine what the assets are]. But there's no one discovery tool that solves everything. They end up buying multiple tools to do multiple things.
What are the financial implications of not knowing what IT assets a company has -- besides the license compliance concern?
Spalding: As an example: A big company in the Twin Cities had [been leasing] 30 servers. In comes the leasing company saying, "Hi, nice to see you. Listen, you know those 30 servers that you've been leasing? The lease is up, so we'd appreciate it if you'd give us back the servers." I was there when this happened. My contact, who's kind of the head of the department, said, "We've decided to buy those leases out." The leasing company said, "Really? Wow, that's fantastic. OK, let me prepare that invoice and you can pay that." And they did.
I turned to my contact at the company and said, "Why are you buying the leases out?" He said, "Because we have no idea where that equipment is. We can't find it." Suddenly, the concept of asset management and configuration management takes on a whole new element. It becomes a large financial issue, not just from the physical buying of it and then the maintaining of it, and then managing where this stuff is. If you're leasing, that's a whole 'nother conversation.
What about the data that's on the servers that they can't find?
Spalding: Bada-bing. You get it. Of course, nobody tells you these stories because nobody wants anyone to know that that kind of stuff goes on, but it goes on all the time. They just can't find stuff.
So we've got the acquisition part and we've got the disposal part. And the disposal part is a big deal because of the data, and then also because of environmental concerns.
And then, there's the whole discussion around identifying the asset with asset numbers, and policy management and all of those types of things.
Asset management involves an incredible amount of data, spreadsheets and mind-numbing detail that people have to do in order to protect the organization from harm in terms of the licensing, but also to protect the investment and the various assets as well.
ITAM discovery tools and functionality
Let’s talk a bit about how discovery tools are integrated within IT asset management systems.
Spalding: Well, every standalone asset management system should have discovery. That should be part of it, or you wouldn't buy it. But let's think about what "discovery" really means. First of all, the only way I can discover something is if it's on. That's step one. So it has to be on.
Discovery tools operate using one of two basic technologies: either agent-based or agentless. With agent-based discovery, software needs to be loaded on every one of the assets. The tool queries the agent, and the agent is going to talk back to the discovery tool. With agentless discovery, there's no agent on the individual component. [Instead, you have] profiles built into the discovery tool that I am looking for a match to. So it detects that this box exists. And it then compares what it sees in the box to the profile list. And when it finds a match, it reports that as a particular asset. That's an Exchange server, that's a file server, that's a straight file server and that's on SQL Server.
And then, you as the customer can add profiles over time, so that the tool finds more and more things on its own.
The next question is, how often do you run discovery? Of course, you want it to find every single thing; you want to find 100%. It never does. It won't do that because there's just always going to be something out of the profile, or there's going to be stuff out there that doesn't support agents, like routers. So you use the router monitoring system as the discovery tool for routers and switches and firewalls. It's a different tool.
So now, the issue is the discovery tools are bandwidth pigs. You've got this great, big company with thousands and thousands of devices, and you'd like to run discovery to find all the devices. Well, by God, you better do it on the weekend because we're going to be screwed otherwise. It'll take hours and basically robs most of the bandwidth from the network. And if you're trying to discover client devices like the laptops, and it's the weekend and people have shut their machines off, you won't find the devices via the discovery tools. Those machines also have to be connected to the VPN if you're remote. And the other piece is: Will the VPN support the discovery? Maybe, maybe not.
So when a company runs a discovery, does that then become the source of truth around what the IT assets are within the organization?
Spalding: It becomes the source of truth, and then they compare it with what they thought was there. And then, there's a conversation. So they said "Wait a minute. Where's that server? I know we had that server, it didn't show up on the list. Why isn't that showing up?" And they then try and figure out why it didn't show up.
So they compare the previous one with the now-current snapshot of reality. And they say, "OK, everything matches except these six things. [Here are] six things that we found that I didn't think we were going to find. And [here are] six things that we didn't find that I thought we were going to find. So now, let's talk about it."
What about service desk functionality? Can these tools plug in to the service desk?
Spalding: Certain tools do exactly that.
Let's say you're on the phone and you've got an issue. The help desk employee enters your corporate name and you pop up because first of all, you're an authorized user of the help desk -- that's step one. You're not just a member of the public calling for kicks -- that happens all the time at colleges, by the way. The next thing the help desk staff member wants to know is all the computer assets that you're about to ask me about that you have. I want to tie you, the human, to the assets. And so now, I want to know that you've got a corporate laptop, and it's this brand, and we bought it a year and a half ago, and it's got this level of Windows on it. And it's this and it's this, and it's this, and it's this. I want to know all that, and how did I find that out? Well, I found out that part through the asset management/discovery/configuration management stuff.
There are tools that tie all this together. But there has to be a connector, a way to connect the human being to the assets. So the first time you call is probably going to be a little cumbersome. But after that, we can have some pretty slick conversations.
So, in general, the integrated suites tend to have better functionality than a standalone product?
Spalding: Yes. The standalone products are what we often referred to in the old days as "best of breed." The question came up -- and it came up a lot -- as to whether I should pick a number of best-of-breed products. I want the best change management system, and the best service desk system, and the best discovery system, and all that stuff. Our feeling over time, because we kept seeing it, was best of breed doesn't solve the problem.
If you're buying a system, you should buy an integrated system that does everything you need. One system. Even if you can easily demonstrate that, perhaps, the change management module is not the best change management module, and you saw a better one. It's better to be integrated than it is to have the best. Literally, without question, you save the most time, you gain the most productivity. It's by far better.
How are things like Internet of Things impacting IT asset management strategy?
Spalding: It's going to drive them insane.
According to Gartner, we have 4.9 billion things connected right now on the Internet. And that will grow in five years to 25 billion, and that's basically the Internet of Things. And the conversation around there is, first of all, everybody is talking about thermostats and stoves and locks on your door, and your garage door opener and your refrigerator and your toaster and all of those types of things.
Basically, when you say the Internet of Things, you're saying a device with intelligence and a network connection -- an individually addressable device.
When we talk about IT asset management, we don't care about toasters. We don't care about refrigerators; we don't care about thermostats. But in an office environment, we do care about things like projectors. There are projectors that are going to be on the network with intelligence. I'm going to be able to query a data projector to find out whether it works. I'm going to be able to find out how many hours are on this bulb, and whether the bulb will actually go on. I'll know that remotely. I'm going to be able to query a printer, and find out whether it works, and find out all of its current data. And whether it's got enough toner, and whether it's got enough paper. That's almost there now.
And so, that'll mean that the perimeter of the network won't be hard. The concept of a firewall will almost be funny because the network is in the phone.
When you get into the world outside of the office world, you've got robots in manufacturing. Almost every device is computerized in almost every type of business outside of the office. There are trucks and whatnot that are running around that have GPS and that are reporting back [information].
And so certainly, trucks, delivery things, any kind of transportation, any kind of device within the truck, any kind of robot in a manufacturing world, all of the vending machines in the break room will be on the network.
All of that is going to happen. And some of it is already happening. So from a business standpoint, if it's a device that has power, it's probably going to have an IP address. And that address, therefore, is going to be able to allow it to be on the network, and it also requires it to have some form of intelligence in the device itself, so that it knows how to respond and talk and things like that.
From an asset management standpoint, all of that suddenly has to be kept track of. [Asset management] will explode. In the next five years, asset management has got to be automated. This stuff cannot be tracked in any sort of manual way.
So the asset management discovery tools and the automated version of asset management have to step up to the plate. IoT devices won't be able to be managed by actual human beings.