Counting devices and software installations has been the foundation of SAM for decades. As with most things ITAM practitioners are being forced to look at it in a new way with the continued adoption of SaaS based solutions. Sometime in the not too distant future the current underlying technologies to provide SAM services will be obsolete. It is not surprising that some are questioning the need to manage software assets at all when they have gone to a SaaS model. The thinking is that there is no device and as such nothing being put on a device to count. This is not an unreasonable perspective. While this thinking reflects the proper understanding of the technology, it misses the point that we are moving from a license tracking model to a subscription service tracking model that incorporates the many subtleties inherent to SaaS SAM.
Clearly SaaS eliminates some of the issues associated with the traditional compliance management of software agreements. However, with the move to subscription agreements a whole new range of metrics and technology considerations must be understood and planned for.
The positive change for organizations by moving to SaaS models for their infrastructure revolves around software audits. SaaS eliminates the requirement for a detailed inspection of your use of a software product by an auditor authorized by a software vendor. The time consuming process of gathering contract data, entitlement data from your LAR, running reconciliation reports and spending hours sorting out the differences can clearly become a thing of the past. It can eliminate those notices, which highlights some audit provision in your license agreement and asks you to please be prepared to provide access to your software inventory and reporting tools; in the world of SaaS the vendor knows exactly what and how you are consuming the service at all times.
Another key difference is that SaaS subscriptions are very simple to enable versus their on premise brethren. In SaaS implementations, an IT administrator, or more problematic, anyone outside IT with a corporate credit card or expense authority, can easily add users without any trace of the additional liability being visible outside of the SaaS application itself. And the metrics can vary greatly. These metrics can be feature based; transaction based for ERP applications; defined as company divisions in accounting packages; number of leads in CRM and marketing automation systems; logins in support portals; number of database records: sub-function enablement and much more. Think about it. You are running a business on a SaaS solution that is charging on database size and your business is about capturing consumer purchase data that is extraordinarily dynamic. It changes and grows daily . . . and you want it to. However, being out of compliance can be significant if there is no way to monitor the metric.
Exceeding these metrics is relatively easy without any evidence appearing outside of the SaaS system, and in many cases without an employee explicitly enabling anything. When coupled with the fact that many SaaS environments do little to let you know in advance that you have in fact exceeded any limits, or more importantly placed no gates to stop or warn you, you have a recipe for breaching licensing agreements that far exceeds that of traditional on premise software.
All this metric information is maintained by the SaaS application, and is available through the SaaS administration portal. So “discovery” in the world of SaaS is just as important as in the classic approach of resolving software signatures and counting devices and users. It requires that the portal be accessed as well as the list of enabled users by application. This information is useful because it enables the reconciliation of who is licensed to use or create one of these metric features and who is actually using it. Perhaps, more importantly are the governance and risk implications. It can provide for the detection of SaaS usage that is outside of normal organizational control. These ‘shadow IT’ connections can mean gaining access to company and customer information along with the loss of proprietary or valuable intellectual information. Without this discovery information, company’s accrual of unbudgeted monthly services fees can create liabilities just as surprising as those resulting from an out of compliance SAM audit.
Of course that is not the end of the story. As companies add multiple cloud providers, the environment starts to become much more complex. Now one must consider the idea of Bring Your Own License (BYOL) and Apps as a Service (AaaS) models. Companies must have tools to ensure they are both subscribed correctly and managing costs efficiently within these cloud environments. If that is not reminiscent of the on premise world I am not sure what is.
What this means in this new world of SaaS SAM is that it is less about being prepared for an audit. It now becomes more about identifying various metrics SaaS services use and being able to monitor them. The complexity of various vendor licensing models will be replaced by a myriad of measurement metrics compounded by multiple cloud platforms and new trends such as BYOL and AaaS. What about the emergence of digital asset tracking as well? To monitor these metrics requires technology tuned to SaaS or SaaS like environments. Other than simple user account counting, each SaaS implementation maintains such information in a unique way that must be accounted for.
While SaaS tools may remove the need for what we traditionally label as Software Asset Management, they have actually added a different level of complexity. Many will feel the announcements such as that recently made by Adobe of no more audits will make their job simpler. It will not. Now you must try and track something that is outside your fire wall and where you have little technical access. The alternative is to just rely on the publishers billing cycle. Clearly, on premise products will exist for quite a while with device and user based license metrics requiring tracking and analysis. This creates a hybrid world, one which SaaS is additive, not something that reduces your overall IT complexity. The entire discipline continues to be important in terms of cost-management. It now just adds the need to manage a service with a new set of metrics instead of individual assets applied against a license metric.