Can we trust Software License Management tools?
Written by Michal Dobrowolski   
Thursday, 14 May 2009 02:45

Licensing management has become one of the most important aspects of a SAM implementation. Why is it so important? The answer is obvious: we have to take control of the cost of software licenses in our organization, so there is no room for over-licensing. In large organizations software license costs are significant, and huge savings are available. What is more, we can protect the organization from under-licensing, and in case of an external audit we can sleep calmly.


Other questions that come to mind: can we trust Software License Management tools? Is the data reported by the tool reliable? Is our organization really software compliant?

Unfortunately, we cannot be so sure about it. Tools are often unreliable, and it could turn out that we are not compliant while the tool reports that we are, or the opposite. Software Licensing Management solutions are part of a few processes:


·    Software detection process
·    Process of matching and comparing installed software and existing software licenses


Whereas the process of matching and comparing is relatively simple, the software detection process is much more complex. This is why most Software Licensing tools are not reliable.


The problem with software detection, which seems to be the most serious one, is that it is not really that accurate. When it cannot identify the majority of the software, the tool reports non-compliance. Many software detection tools rely on data such as registry entries, file headers, file attributes or any other code that can help identify software. However, this is not enough. Relying only on this data, discovery tools cannot identify every piece of software. They also cannot deliver detailed information about an application, such as the version, product name, edition and language of the software. For Licensing Management the version is crucial information, so poor software identification makes license management even more complicated. Even when the software is identified, the information about the application is incomplete.

The right software detection process is what we have to focus on when choosing a comprehensive tool. Fortunately, there is an accurate software detection process that makes Licensing Management possible and reliable. The software detection process has to be based on signatures, and its accuracy depends on the quality of the signature library. Creating application signatures is a very difficult challenge, but it is the only sound method by which Licensing Management can really fulfill its role. A signature, which is a set of multiple data items, enables a high degree of accuracy in identifying software products. Together these data items form a kind of detection rule that points out with high accuracy which application we are dealing with. At the moment this is the only solution that can guarantee the accuracy of the software detection process.

The process described above is very complicated and needs additional, very often manual, effort to create signatures. The complexity stems from the fact that big organizations in particular often use thousands of different applications. There is a need to create one single set of software signatures that works correctly for all organizations in the world and contains a signature for every piece of software that appears on the market. There are thousands of Independent Software Vendors producing thousands of products and hundreds of thousands of their versions. That is also why the signature library has to be continuously updated and neatly categorized for all new software products and versions, day after day, week after week, so that new signatures stay consistent with older ones. What is more, updates are necessary to avoid duplicates and clashes.

What does the process of creating signatures look like? Generally, the first step is an automatic process that collects raw data for analysis. The data collected by agents is then analyzed, and signatures, which are often called detection rules, are created. Creating them is a more or less manual task, but it is the tool vendor, not the customer, who is responsible for it. It is like an additional service that the vendor provides.


This is the difference between reliable and unreliable tools. An unreliable tool presents raw data just as it was received from agents. A reliable software detection process needs a little more effort than just scanning and presenting raw data. Unreliable software detection tools just show automatically transformed raw data, which is useless for real objectives. Reports based on signatures are much more accurate than those based on raw scan data. What is the final result for a poor discovery tool is, for a tool based on signatures, only the input to be analyzed. Such a tool converts raw data into an accurate list of applications (packages) found in your network, and it delivers an increase in the accuracy of software inventory recognition up to 98%.
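The contrast between a raw-data report and a signature-based inventory, and the license comparison that follows it, can be sketched as below. This is an added example, not code from the article or from any vendor's tool; the product, the file names, the scan records and the rule format (`all_of` / `none_of`) are all constructed for illustration.

```python
from collections import Counter

# Constructed agent output: one record per piece of evidence found on a host.
RAW_SCAN = [
    {"host": "pc-01", "kind": "registry", "name": "ExampleOffice 2007", "version": "12.0.4518"},
    {"host": "pc-01", "kind": "file", "name": "exoffice.exe", "version": "12.0.4518.1014"},
    {"host": "pc-01", "kind": "file", "name": "exoffice_pro.dll", "version": "12.0.4518.1014"},
    {"host": "pc-02", "kind": "registry", "name": "ExampleOffice 2007", "version": "12.0.4518"},
    {"host": "pc-02", "kind": "file", "name": "exoffice.exe", "version": "12.0.4518.1014"},
    {"host": "pc-03", "kind": "file", "name": "exoffice.exe", "version": "11.0.5614.0"},
]

# Hypothetical signature library. A rule fires only when every "all_of" item
# and no "none_of" item is present on the same host.
PRO = ("ExampleSoft", "ExampleOffice", "2007", "Professional")
STD = ("ExampleSoft", "ExampleOffice", "2007", "Standard")
OLD = ("ExampleSoft", "ExampleOffice", "2003", "Standard")
OFFICE12 = [("registry", "ExampleOffice 2007", "12."), ("file", "exoffice.exe", "12.")]
PRO_DLL = ("file", "exoffice_pro.dll", "12.")
SIGNATURES = [
    {"product": PRO, "all_of": OFFICE12 + [PRO_DLL], "none_of": []},
    {"product": STD, "all_of": OFFICE12, "none_of": [PRO_DLL]},
    {"product": OLD, "all_of": [("file", "exoffice.exe", "11.")], "none_of": []},
]

def present(evidence, cond):
    """True if the host's evidence has an item of this kind, name and version prefix."""
    kind, name, prefix = cond
    return any(e["kind"] == kind and e["name"].lower() == name.lower()
               and e["version"].startswith(prefix) for e in evidence)

def identify(raw, signatures):
    """Turn raw records into {host: [(vendor, product, version, edition), ...]}."""
    by_host = {}
    for rec in raw:
        by_host.setdefault(rec["host"], []).append(rec)
    return {host: [s["product"] for s in signatures
                   if all(present(ev, c) for c in s["all_of"])
                   and not any(present(ev, c) for c in s["none_of"])]
            for host, ev in by_host.items()}

def raw_titles(raw):
    """What a raw-data report shows: registry display names, with no edition."""
    return Counter(r["name"] for r in raw if r["kind"] == "registry")

def license_balance(inventory, entitlements):
    """Licences owned minus installs per product; negative means under-licensed."""
    installed = Counter(p for products in inventory.values() for p in products)
    return {p: entitlements.get(p, 0) - installed[p] for p in set(installed) | set(entitlements)}
```

Calling `license_balance(identify(RAW_SCAN, SIGNATURES), {PRO: 2, STD: 0})` shows one spare Professional licence next to unlicensed Standard and 2003 installs, while `raw_titles(RAW_SCAN)` only counts two copies of "ExampleOffice 2007" and misses the third host entirely.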


Of course, each company using a discovery tool based on raw scan data can create its own library and increase the level of software identification. However, this requires a huge effort from a dedicated team, and it could take a few years to reach a satisfactory level of hundreds of thousands of signatures. What is more, we cannot be 100% sure that the knowledge base of signatures will be good enough: creating signatures is a matter of experience, so without knowledge in this domain the signatures would probably never be good enough. Apart from experience, such a team needs knowledge of best practices, statistics and special tools to create, add and update signatures. This is a path very few companies have decided to take.

Last Updated on Thursday, 19 November 2009 06:48