7 Reasons Why SAM Tools Fail

While SAM tools are powerful, they are not perfect, even if the sales reps claim otherwise. Software publishers continually create new ways to license their software, making it more difficult to manage entitlements. SAM tools do not always stay up to date with these constant licensing changes, leaving those who rely on them exposed to compliance risk.

In a recent ClearEdge client survey, for example, we learned that 75% of those with Flexera (the market-leading SAM tool) paid $3M-$10M in audit fees in just the past year. That is not to say Flexera is an inadequate tool; rather, customers have developed a false sense of security around modern-day SAM tool functionality and do not consider its limitations and risks.

To fully convey the limits of SAM tools, we’ve composed a list of the seven main scenarios where they fall short in protecting against compliance exposure and how you can address these limitations.

1. Remote Server Access

When you use remote server access software like Citrix to provide applications to end users remotely, your SAM tool will only count one single installation of the software. But when remote server access is used, applications can be used by any user that has potential access to that server. Most software publishers have contract clauses that require you to pay for users who have access to the application, locally or remotely, even if there is no evidence that they have ever launched it. So while your SAM tool counts one license on the server, hundreds or thousands of users could be entitled to use it, and you would be liable for an enormous true-up in an audit.

What you can do: Use a manual workaround to identify remote server access compliance exposures and fix them before an audit occurs. You could hire a third-party services provider with expertise in SAM tools, or have your own SAM team configure the tool to pull users with remote access from Active Directory into a user-based license record within the tool itself. Only when you can generate a list of the users that can remotely access the server can you accurately count the number of entitlements needed to remain in compliance.

2. Environment Designation

Missing environment designations may result in SAM tools over-reporting license requirements, leading to over-spending. Software publishers offer lower-priced licenses for non-production, disaster recovery, or failover environments, and these are popular with customers. However, when SAM tools scan the environment, they assume that any device where licensed software is found is being used for production purposes unless configured otherwise, and thus that it requires the more expensive license. As a result, customers can end up buying additional production entitlements to cover a gap that exists only in the tool's report.

What you can do: SAM tools can label specific devices as non-production, but the process requires manual user intervention. You will need a dedicated SAM team to consistently update the tool with the correct information to protect against over-spending (or over-paying in an audit, if the auditor uses your SAM tool's data to generate the findings report). If an organization is unable to complete these time-consuming tasks in-house, we urge it to retain outside SAM services to mitigate these risks.

3. Unmeasurable Licensing Metrics

SAM tools are good at counting the common licensing metrics such as users, devices, processors, or cores. But software publishers commonly create new, complicated, and custom licensing metrics that the SAM tool may not be able to accurately count.

What you can do: You need to manually monitor the environment for custom licensing metrics to ensure compliance. The difficulty here is that custom licensing metrics are sometimes intentionally complex, which maximizes the chances for software publishers to find compliance gaps. Subject matter expertise for a particular software publisher is typically needed to accurately count custom licensing metrics, and outside service providers with this experience are often required.

4. Microsoft’s Active Directory

To illustrate the limitations of using a SAM tool to count licenses for products that manage Microsoft's Active Directory, let's look at Quest Software's tools. Quest Software is one of the most aggressive auditors, and it commonly exploits the gaps in customers' SAM tools to maximize audit findings. Quest has a couple of different products that aid in managing accounts in Active Directory. These products are licensed based on the number of accounts in Active Directory, including disabled and inactive accounts. In most cases, the SAM tool is unable to pull the necessary information from Active Directory into the usage counts and map it against the license record for these products. The tool will likely only pull one deployment of that product, providing a false sense of compliance.

What you can do: Although this example relates to Quest Software, pulling accurate information from Active Directory is a challenge for many SAM tools. A tool may be configured to import information from Active Directory, but it is generally configured to pull only active devices and users, whereas Quest Software may require all user accounts to be licensed (including disabled and inactive ones). The best way to account for this is to create a record within the SAM tool and manually update it on a regular basis, using an Active Directory extract as the data source.
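The Active Directory extract described above, as an added example that is not from the ClearEdge guide: it counts every user account (enabled, disabled and inactive) for the section 4 record, and also lists everyone who can reach a remote-access server for the section 1 record. It assumes the RSAT ActiveDirectory module is installed, that "Remote Desktop Users" is the group granting remote access, and a 90-day inactivity threshold; all three are assumptions to adjust to your environment and contract.

```powershell
# Added example (not the article's own script). Assumes RSAT ActiveDirectory
# module and read access to the domain. Group name and threshold are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90                       # assumption: use the publisher's own definition
$RemoteGroup  = 'Remote Desktop Users'   # assumption: whichever group grants Citrix/RDS access
$OutDir       = Join-Path $env:TEMP 'sam-extract'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Section 4: the publisher counts every account, so do NOT filter on Enabled.
# LastLogonDate comes from the replicated lastLogonTimestamp and can lag by up to ~14 days.
$AllUsers = Get-ADUser -Filter * -Properties Enabled, LastLogonDate, whenCreated |
    Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated

$Cutoff  = (Get-Date).AddDays(-$InactiveDays)
$Summary = [pscustomobject]@{
    TotalAccounts = $AllUsers.Count
    Enabled       = ($AllUsers | Where-Object { $_.Enabled }).Count
    Disabled      = ($AllUsers | Where-Object { -not $_.Enabled }).Count
    # Inactive: enabled but no logon since the cutoff (never-logged-on counts as inactive)
    Inactive      = ($AllUsers | Where-Object {
                        $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff)
                    }).Count
}

# Section 1: everyone who CAN reach the remote-access server, whether or not they
# ever launched the application. -Recursive expands nested groups; keep user objects only.
$RemoteUsers = Get-ADGroupMember -Identity $RemoteGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Select-Object SamAccountName, Enabled

$AllUsers    | Export-Csv -Path (Join-Path $OutDir 'all-accounts.csv')        -NoTypeInformation
$RemoteUsers | Export-Csv -Path (Join-Path $OutDir 'remote-access-users.csv') -NoTypeInformation
$Summary     | Format-List

# Check worth keeping: the count your SAM tool shows for an AD-licensed product should
# match TotalAccounts, not Enabled. The difference between the two is the audit exposure.
```

Import the two CSV files into the manually maintained license records and re-run the script on the same schedule the record is updated.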

5. Activated Features

SAM tools work well at counting the number of licenses and where they exist, but they struggle to identify which features of a product are activated. Some software publishers, like Oracle, sell licenses with certain restrictions at a lower price than full-use licenses. However, Oracle puts few or no technical limitations in place to stop the customer from "turning on" additional features that exceed the restrictions specified in the contract. The SAM tool will only count whether a license is active, not which features are activated. When the publisher audits the customer and discovers additional functionality is turned on, hefty true-up fees will apply.

What you can do: You must keep track of specific license edition types, set user permissions on licenses, and advise users not to activate any restricted functionality without proper approvals. This is another limitation that is not solved by a more effective SAM tool, but rather by putting processes in place to prevent it from happening in your organization. We counsel clients to make sure anyone charged with managing software licenses understands all contractual restrictions, and to establish clear, strict rules surrounding user permissions, so no user accidentally exceeds feature compliance.

6. Personal or Pirated License Keys

You may have software license keys that a user brought into your organization from a personal purchase, which could be considered invalid keys. Most organizations work hard to communicate that only company-bought licenses are permissible for use, but there remains some risk that a user brings a "pirated" license into the environment. SAM tools cannot distinguish whether a license key is valid or was brought into the organization by an individual. However, software publishers are hyper-sensitive about any invalid keys and will pull them for review in an audit, because they could be a sign that an organization is illegally duplicating or pirating the software.

What you can do: To identify invalid keys, your SAM team must create custom scripts to pull license key data into the SAM tool, then tag the keys that are potentially invalid. This is a complicated workaround and is best accomplished by those with previous experience of audits that have revealed such keys.

7. Cloud Portal User Assignment

Many publishers are switching to cloud-based software subscriptions, where access can only be assigned by logging in to the publisher's web portal. In some cases, a SAM tool may have a connector that accesses these portals and pulls that data back in, but this is rare and often error-prone. Many organizations will assume that the data pulled by the SAM tool is correct when it may be far from accurate.

What you can do: You will have to log in to the publisher's portal, export the list of users, and go back to your SAM tool to manually add these users to that license record. Depending on the size of the organization, this could be a very arduous process. To ensure that this compliance data is accurate, we encourage clients to run a monthly report that checks the portal user assignments, which can take a great deal of time, or to bring in a third-party service firm to help.

SAM tools are powerful and helpful, but none offers a one-stop solution. Organizations that continually monitor their license positions and run self-audits of their environment will have the most success in reducing noncompliance. If you are under the threat of an audit or want to stress-test your SAM program, download our Top Limitations of SAM Tools guide or view our SAM Managed Services page to set up time to meet with an expert.

- This article is based on information in our Top Limitations of SAM Tools guide, which was created by the ClearEdge software compliance team.