Why is device-based licensing and access control important for license compliance?
In the third of our articles on the factors that can cause problems during a software vendor audit, Certero consider the role of device-based licensing and controlling access.
Device-based licensing
Certain vendors, like Microsoft, license some of their software (such as Microsoft Office, Project and Visio) on a per-device basis rather than per user. This requires a license for every device that is able to access the application, even if that device never does.
A device can be a PC, PDA, notebook, thin client terminal, workstation or any other digital electronic device. Normally this isn't a problem. But if you have implemented a thin client environment, such as a Citrix farm or Terminal Services, and it is not properly managed, it can cause costly and entirely avoidable license compliance problems.
Risk: Access Control: Locking down at user level does not ensure compliance
Many organizations assume that locking down a software application, such as Microsoft Project, at the user level via group policies or software restriction policies ensures licensing compliance. This is not correct.
Publishing an application to a restricted user group is not an effective approach to license compliance, because those users can launch the application from any device that delivers it, and under a per-device license every such device must be licensed. Restricting the users does nothing to reduce the number of devices in scope.
If, for example, you have implemented a Citrix server farm to deliver application access to 1,000 devices in your organization and one user needs Microsoft Project, you will still need to buy 1,000 licenses to remain compliant. This is because that one user has the ability to access this application from all 1,000 devices within your organization.
So, if Microsoft Project costs you $200 a license, you will need to pay $200,000 to remain compliant, just for one user who may never actually have accessed the software from any other machine.
Faced with this problem, organizations have three options:
Option 1. Install such software on individual users' PCs, avoiding the Citrix infrastructure.
Whilst this may seem the obvious choice when only a few users require access, it would in effect mean circumventing the policies and procedures put in place to control software acquisition, and it could leave a security gap, since these locally installed copies fall outside your normal patching and update process. In addition, if you are using thin client devices across the organization, you will need to invest in fat clients for these few users. This will also cause problems for your overall IT strategy as well as increasing cost.
Option 2. Buy licenses for all devices in the organization, irrespective of whether the software will ever be used on them.
This is an expensive option.
Option 3. Use one of the few software solutions that are capable of managing this problem.
There are in fact a small number of solutions available that can actively restrict access to software at a per-device level. Contrary to popular myth, in the case of Microsoft there are no 'approved' solutions for doing this; rather, whichever solution is used, the evidence of control would need to be presented to the vendor during an audit. One such solution which has been successfully used for this purpose many times is Certero's AccessCtrl, a feature that is unique within a SAM solution.