5 Steps To Stay Compliant


Research

Publication Date: 5 December 2003 ID Number: DF-21-0956

Five Steps to Stay Compliant With Your Software Licenses
Patricia Adams, Ronni J. Colville

If you can't fully invest in IT asset management tools, there are alternative measures you
can take to control the installation of unauthorized software on your PCs.

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no
liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader
assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed
herein are subject to change without notice.

WHAT YOU NEED TO KNOW

License management is a comprehensive process that begins with upfront contract negotiation.
Wherever possible, attempt to remove the audit clauses from your contracts and pass the burden
and cost to the vendor. This alone will not prevent the proliferation of inappropriate use of
licenses. Documenting corporate policies, maintaining a media library of approved applications
and implementing lockdown, policy-based management and embedded license keys are steps
that can assist enterprises with software compliance without embarking on a comprehensive IT
asset management initiative.

ANALYSIS

Given the array of software vendors and the myriad licensing terms and conditions available, it's
no wonder that software license compliance continues to be a perpetual driver for IT asset
management programs. However, knowing what you have installed and have the right to use is
difficult in environments that do not have controls in place to prevent users from making
unauthorized changes. Vendors retain the right to audit their customers, and they endorse third-party
companies (such as the Business Software Alliance, the Federation Against Software Theft
and the Software Information Industry Association) that generate revenue from enterprises that
need to purchase additional licenses to pay for licenses that they may have installed but have not
yet purchased. However, these audit clauses are expensive to exercise, from both the vendor
and customer perspectives. Additionally, audits antagonize customers that don’t have IT asset
management programs and can’t afford the time or the resources to respond to them.
Recognizing the risks, enterprises attempt to mitigate the effects of software audits by:

• Putting corporate policies in place around ad hoc purchasing and the use of corporate
assets

• Centralizing control of software

• Implementing tools that monitor employee actions

• Negotiating better audit and use terms upfront to minimize the cost of an audit
A combination of these methods can control the computing environment more tightly and reduce
unforeseen compliance expenses. There are several steps you can take to control your software
environments without investing in a full-fledged IT asset management program.

1. Develop corporate policies that define approved uses of IT assets.

It is imperative that you have a standard policy to control the introduction of unlicensed software
into the corporate environment. Take into account how employees use IT assets and create a
policy stating that employees have a legal obligation not to expose the company to any
compliance risk, whether knowingly or through casual piracy. The policy should clearly state that
only authorized, purchased, licensed software that is approved by the IS organization can be
installed and used on corporate systems.
Additionally, software, even if it is already licensed to a specific system, cannot be shared
between computers, because this may be a violation of the licensing agreement. Employees
mistakenly believe that because the application has been paid for they can install it on all of the
systems they use, including a home computer that is occasionally used for work purposes. Often,
we have seen cases where the licensing agreement "fine print" on downloadable or off-the-shelf
applications has been agreed to because it is more expeditious than wading through the legal
terminology.
The policy should also state that employees cannot install software that they have purchased for
their personal use (for example, games and tax software) on corporate-owned hardware because
the corporation is liable if there is no proof that the application has been paid for. Additionally, if
the asset is used at home on a permanent basis, the policy is still in effect. Describing the
potential penalties for the company (for example, fines) and for the employee (for
example, disciplinary action and termination) if the policy is not followed can be an incentive for
employees to adhere to it.
Creating a policy without the appropriate communication channels to inform employees makes it
a useless undertaking. We recommend that you communicate policies at the start of employment,
and annually thereafter, to ensure that all employees know their responsibility.

2. Create a central media library to control and track purchased software.

A central media library is a physical fire-safe location that is separate from where the corporate
software and any necessary documentation to prove ownership are stored. Gold disks, master
copies, license keys, manuals and any other ownership materials are distributed to users by an IT
asset manager who tracks the number of installs, versions and upgrades to ensure compliance.
Information about software that has been recovered from retired systems for reuse is stored
physically or virtually in the media library. Depending on the size of the organization, the media
library may be one central location or multiple locations, based on region. You may choose to
store all of your purchased software or only those applications for which the risk of an audit by the
vendor is greatest in this location.

3. Lock down the desktop to prevent users from making changes.

This is not an easy option, and it will not make the IS organization popular with users. Lockdown
is two parts cultural and one part technical. It often fails because of how the IS organization goes
about it (see "Steps to Lock Down Desktop Standards"), not because of technical issues. The IS
organization alone cannot accomplish the daunting task of locking down users' systems simply by
eliminating add/remove capability or access to the Internet. Lockdown must begin with corporate
sponsorship and requires partnering with users for buy-in. It must include interviews and
assessments of where and how much lockdown is prudent.
"One-size-fits-all" does not work ubiquitously for standardization across an entire enterprise.
Some users (for example, application developers) require the capability to make modifications to
their systems as part of their job functions. Many enterprises have tried to control or lock down
desktops using a single image throughout the enterprise. This is costly and fleeting. Limiting
users' capability without justification causes an increase in support costs. Additionally, the images
are often outdated (for example, new drivers, patches or application changes) before they are
fully deployed.

4. Implement policy-based management to control the unauthorized installation of software.

Even with the correct balance of standardization, lockdown alone is not enough to control
unauthorized software installations. You must have a way to manage the diversity. Configuration
management tools must be used to enforce standardization and make any modifications needed
for application upgrades or user role changes. Beyond simple targeting for deployment with
discovery and inventory information, configuration management vendors have added the
capability to leverage the policies defined in directory stores (for example, Active Directory or
e-Directory) as a means of matching resources (for example, applications) with roles. This enables
dynamic changes to be made.
Configuration management tools also are being used to enforce license allocation by marrying
what is installed to what should be installed. This facilitates the removal of unauthorized or
underused applications to enable the harvesting of an application license for future use, and
eliminates overspending.

5. Request that your software vendor embed software license key tracking technology.

It's often small software publishers that cannot afford the costs associated with conducting audits
that look for alternatives to prevent casual software piracy of their applications. These vendors
are taking steps to help their customers remain compliant by embedding software license key
counting technology. If a customer purchases 500 licenses, distributes the software and then
determines that it needs additional licenses, an alert will be sent that the organization has
reached its license threshold. This gives customers enough advance notice to purchase
additional licenses to meet their needs. Examples of vendors that sell this functionality to software
publishers are Agilis and Macrovision. With this tracking technology, you can control overbuying
and gain an accurate idea of license count requirements.

Key Issues
How will IT asset management evolve into a core IT management practice?
