When it comes to software giants like SAP, Oracle, and IBM, we all know the risks and pain of software audits. But what about those smaller publishers on your estate?
Managing software assets can be challenging, perhaps more so when it comes to smaller or “tier 2” publishers that are not as well-known or talked about. In addition, “longtail publishers” offer niche software products that are not as widely used. Many organizations overlook the compliance risks associated with their tier 2 and longtail publisher software assets, potentially leading to legal consequences and financial penalties. Tracking and managing these software products carefully will reduce unnecessary spend due to auto-renewals and reduce software audit risk.
In this article, we’ll explore the current audit risk associated with tier 2 publishers and hear from one of our audit experts on which ones to look out for and why. For a deeper dive on managing audits, see our eBook, Managing a Software License Compliance Audit.
Who are these vendors?
We use the term “tier 2” broadly to describe any of the non-major software publishers, but this group also includes those that develop and sell software for specific industries or niche business functions, such as design packages for architects or appointment management systems for healthcare organizations. These publishers have fewer customers than larger publishers, but their software still carries significant compliance risk if inadvertently misused. In some cases, tier 2 software publishers may also be more aggressive in pursuing license compliance, as they may rely on license revenue more heavily than the major vendors.
As with the major publishers, these longtail publishers often have their own unique licensing terms, and it’s important to understand these clearly. As their licensing changes and the things to look out for aren’t as well publicized, you will need to do a little research and seek out assistance from experts that have experience working with these publishers.
This particular client reached out to Anglepoint for support with three such vendors that audited at the same time.
The 80/20 rule
We like to refer to the 80-20 rule when it comes to managing software. The 80-20 rule, also known as the Pareto principle, states that roughly 80% of the effects come from 20% of the causes. It is a common rule of thumb that can be applied in various fields, from business and economics to personal productivity.
When it comes to software asset management, it’s likely that 80% of your organization’s software spend sits with 20% of your publishers. But is 80% of the risk sitting within the 20% of spend on tier 2 publishers? Often the focus is so heavily fixed on the tier 1 publishers that risk with these publishers is overlooked.
A measured approach balancing risk and spend management will best suit your Software Asset Management (SAM) program as you look to optimize your resources and efforts. Anglepoint frequently supports our enterprise clients with the prioritization of publisher activities to ensure that spend and risk are both considered and proactively managed.
Which software publishers are auditing and why?
In Q1 2023, we polled our audit teams to get an idea of who was auditing our customers. It turned out that many had been approached by tier 2 software publishers for a hard or soft audit.
- ASG Technologies
- Micro Focus
- Dassault Systemes
Today we spoke with our audit specialist and Senior Lead Consultant, Chris Hayes, to get his insight on the tricks of some of these smaller software publishers and what to look out for when it comes to their audits:
- Dassault Systemes—You should have a very active key and piracy management function if using Dassault. Is your team out there downloading and utilizing trial keys? Depending on the method of license key deployment, you may have ‘phone home’ technologies at play so Dassault will have visibility to those inauthentic keys if you are using them. The challenge is that they will have all of this information ahead of time and will leverage this in a compliance review scenario.
- Adobe—It’s been some time since Adobe made their full migration to cloud services but this is definitely something to look out for. While compliance isn’t a huge issue because of subscription-based license metrics, you need to make sure you are optimizing the estate in your migration from on-prem to cloud services. However, Adobe has had an enterprise-level compliance program for many years so you can expect that they will also question your legacy on-prem footprint.
- Quest—The back maintenance and fees in Quest’s existing audit practice are extremely aggressive. Their main product lines are in database optimization, and some of the calculations of these license consumption metrics can be complex with specific rules of what you can and can’t do. The trick is understanding these rules and requirements and having a license expert look at your license usage. If you’re using Quest products incorrectly for development purposes all over your organization, for example, you could be in trouble.
- SUSE—A big concern with SUSE is potential usage in the cloud. For example, if you spun up a cloud image and you’re using Linux or that specific flavor of SUSE and it’s bundled with AWS, GCP, or Oracle Cloud, you have to understand what your licensing requirements are if you buy it in the cloud marketplace versus deploying in the cloud with your own license. If you don’t have clarity in your cloud environment, you’ll need to bring in your DevOps and FinOps teams to clarify how they are deploying and purchasing software.
- BMC—Organizations like BMC who deal with storage array and remote monitoring software tend to audit more aggressively. The practice of system monitoring tends to bring large license consumption calculations with it by nature, so the things to look out for are their claims of non-compliance and how you can factually refute them with data. Work closely with your development teams to assess how you are deploying and configuring BMC software and the impact of these configurations, and develop a standardized, best-practice process so that it is always being rolled out correctly.
- Autodesk—Autodesk is currently transforming their renewals model. They are moving to a system of tokenized software consumption measurement. In this model, their token management server will count the tokens of license consumption across all of your Autodesk instances. Of course, this means all instances need to communicate with their central server and potentially funnel this information back to Autodesk. The challenge is understanding the value of a ‘token’ and accurately predicting what your usage will be in this new and centrally controlled unit of measurement. Autodesk may estimate you need 5,000 tokens, for example, but then return saying you have consumed twice that amount. Understanding exactly what these tokens are and what is bundled with them is key. We’ve had several clients successfully negotiate much better deals by taking the time to understand Autodesk’s compliance findings and rolling them into new agreements. Best practice is to push all of your software publishers to define any obscure license metrics or calculations utilized in determining compliance—vague definitions ALWAYS favor the software publisher. You should never be afraid to ask for clarification.
- Informatica—Informatica offers Extract, Transform, Load (ETL) solutions that take information from one database, transform or reorganize and recategorize the data, and load it into a target database. The challenge is to understand all of the different connectors, license models, and licenses required. For example, if you have a license for one of their products in a development environment, you may license that environment via a bundled product, meaning that you get all of the different aspects and connectors to various target databases included. However, that may only apply to your development environment. Your production environment could be another story and may require a different license bundle including different database connectors. It’s essential to understand exactly what you are entitled to with each bundle, which can be very complicated. Informatica are also keen on back maintenance and penalties, so be careful. On top of that, they also have a cloud solution that is difficult to interrogate to understand license usage.
- Micro Focus—Micro Focus, recently acquired by OpenText, has been part of a recent major acquisition strategy, themselves acquiring several legacy technology stacks including Attachmate WRQ and legacy Hewlett-Packard Enterprise. These organizations have each had strong histories of aggressive auditing practices. Under the new management of OpenText, the organization is now looking across all of the legacy customers of their acquired companies and auditing their old contracts. It’s important to understand when your software vendors have been acquired so you can be prepared for these interrogations.
- Veritas—The challenge here is license consumption management. This is a data backup/data management solution for which it can be difficult to estimate usage and consumption, and it is easy to fall out of compliance if you are not proactively monitoring and leveraging a mature change management process. It’s important to have a strong relationship with your development infrastructure systems team so that you understand what’s happening in the organization that might create a compliance risk, and encourage them to speak to the SAM team when they are making infrastructure or system changes.
- Broadcom—Broadcom recently bought VMware. Here you need to understand your digital infrastructure, how you are potentially consuming licenses, and how you’re enabling other technologies with it. Many times with VMware, customers get caught out because although they aren’t deploying the software across their enterprise, they have the ‘potential’ to and VMware will rely on that clause when it comes to audits. Be prepared to demonstrate how your organization controls the deployment of software including sub-sections of your IT environment. Lacking process documentation in this area could be a big risk.
- Tibco—We sometimes call this the ‘Oracle of Tier 2.’ Tibco is extremely complicated because of how they interpret virtualization and the potential to require restricted license migration. You absolutely need a license expert to understand your license consumption and challenge the claims they often make in audits. This is doubly threatening given the high cost of their licenses and the typical system complexity involved in Tibco license deployments.
- iText—The challenge with iText comes if you are using it with a freeware license as opposed to a commercial license. A commercial license offers enterprise support and the usual requirements, but if you have a freeware license under General Public License (GPL) there are some very specific protocols to follow. As an open-source software offering, you have access to the base software for free but you can’t make any changes to that freely distributed code without making all of your modifications and updates public. It’s important to go through the license terms and conditions very carefully to understand what this might require, including accrediting the initial publisher of the software and making your updates publicly available.
Economic times are hard. That means all businesses, including smaller publishers, will be looking for opportunities to balance their books by auditing use of their software assets. It’s crucial that when it comes to audit preparedness, you don’t just focus on your large software publishers. By staying informed and taking a proactive approach to license compliance, you can ensure that your software environment is fully compliant and optimized.
Including tier 2 publishers in your Software Asset Management strategy is critical to ensure that your organization’s software environment is fully compliant. Don’t forget to review and manage renewals too, as doing so will ensure that you are not auto-renewing software that you no longer require and that you are purchasing only the software that you need.