In the past 12 months, the spotlight on corporate behavior has reinforced and refreshed a software inventory issue that is as old as the software industry itself - software license compliance. Through the years, a steady stream of software inventory products has been available to those organizations who were concerned enough to perform a software audit to ensure they were legally entitled to run all of the software installed on their network. Today, it has become clear that the legal obligations of misusing software licenses extend to the officers of an organization and therefore, the stakes for accuracy in software inventory management just got a lot higher.

There are a number of software audit techniques available in the industry. Some software inventory tools provide huge listings of every executable item found on a hard drive. This type of exhaustive software inventory report might be of interest to some, but is of little direct use to the Compliance Officer who needs not just accuracy and comprehensiveness, but also relevance and succinctness in the data produced. Facilitating software license compliance is not about producing mile-high piles of printout; it is about providing accurate and timely data that starts at the organization summary level and facilitates drill-down examination into the inevitable compliance anomalies.

A Compliance Officer can take several approaches to selecting a software audit tool - including samples of software inventory analyses from a representative selection of desktops.

First generation software inventory products

Early software inventory products relied on file names and sizes to identify applications. In some, multiple versions of the same application were classified as separate packages to inflate the apparent number of packages recognized. Of course, listing versions of the same application as different packages complicated the job of the Compliance Officer trying to prepare for a software audit by compiling relevant information on application ownership.

Although recognition techniques have expanded, Compliance Officers should be watchful for any software inventory tools that still contain this hangover from earlier days. Instead, one should look for software audit tools that record the detail of multiple application versions installed, and also consolidate that information as drill-down detail within an overview of a single known licensed application.

The Add/Remove programs generation

A second generation of software inventory products came onto the market relying on reading data in the Add/Remove programs section of the registry to perform a software audit. This was attractive to tools vendors looking for a quick and easy entry to the growing market for software inventory, as it bypassed the need to build a library of file-based recognition rules.

For a while, 'Add/Remove Programs' became fashionable, but the data held in the registry was often incomplete and unreliable, or just plain inconsistent. Total reliance on this software audit technique is mainly seen at the lower end of the market.

It is, however, a handy technique for establishing the identity of previously unrecognized applications, around which a relevant application recognition rule-set can be based.

The file headers generation

The third major software inventory technique is the interrogation of file headers ('VersionInfo') in which application vendors provide application, vendor and version information. This is a voluntary practice, and there are inconsistencies in the way it is applied which must be overcome to generate succinct and usable results.

Multiple executable files (DLLs as well as EXEs) in an application directory tree will contain differing VersionInfo; individual programmers in the vendor's development team may have adopted cryptic versions of their employer's name. In an ideal world, this variability would not exist, but since when has desktop computing been an ideal world?

The Compliance Officer, still embroiled in selecting a tool on which this career-critical software audit exercise is going to be based, should look for a software inventory tool which addresses this problem by applying intelligence to the VersionInfo interrogation process to generate a complete and accurate picture of the application, the vendor and the version.

Mature software audit products

The existence of multiple approaches to software identification increases the challenge of choosing a software audit tool. All three software inventory techniques described above have strengths and weaknesses. There are, however, a handful of mature software audit products that have grown up through all three eras and have evolved to combine the three identification techniques in the pursuit of producing data that is comprehensive but concise.

These are products which have matured to address the software audit needs of the CIO and Compliance Officer, while not forgetting the needs of the original software auditors - the front-line network administrator daunted by the task of maintaining hundreds or thousands of desktops in a stable but up-to-date condition.

A software audit tool should provide precise, uncluttered comprehensive asset data that can be accessed from a browser, combined with access to the precise version information of one DLL in thousands, which is critical to smooth operations and productivity.

As a Compliance Officer, once you are into a detailed assessment of a short list of software audit tools, why not get the vendor to take the wraps off the underlying database structure, if they don't already publish it? Look for the ability to hook into the data in the future to use it in ways you or the tool vendor haven't even thought of yet. Is it easy to generate and run queries against the data? Is it accessible to your favorite reporting tool? How easy is it to extend the database with other tables to attach characteristics appropriate to your organization?

Future considerations

Finally, before making a software inventory tool selection based solely on performance in a compliance context, determine what your next priority is going to be. When the software audit reveals applications that are installed in excess of the number of licenses you own, what action are you going to take? Simply purchasing more licenses to match up with the copies installed is laudable and great news for the application vendors, but it's not very savvy.

That's where software utilization measurement comes to the rescue. Suitably integrated with the software inventory data, application usage ('metering') data identifies the rarely or never used copies of expensive application software. These copies can become your first target for reducing the number of installed copies of an application down to the purchased level to achieve compliance. And, although a Compliance Officer may be pleased to find the installation count of application X is below the number of licenses owned, the CIO is still going to want to know how and when these copies are used and if the scope exists to de-install software and reduce the annual maintenance contract on the application.

Conclusion

So, when looking for a software audit tool to support the drive for license compliance, it makes sense to team up with colleagues charged with minimizing desktop ownership costs.

Historically, license compliance has carried the image of provoking massive additional costs in buying more copies, but experience shows that broadening the scope of a compliance exercise to what Vector Networks terms "Software Asset Optimization" can result in massive annual cost savings as desktop application deployment is brought back into line with the organization's true requirements.