How to Limit Security Lapses and Financial Waste Through Enterprise License Management
RESEARCH BRIEF
Executive Summary
Government agencies rely on unprecedented levels of third-party IT applications to maintain operations and pursue missions, yet most of those agencies do not manage software licenses effectively. The consequences of this failure go far beyond the obvious shortcomings that arise from inefficient management. At the federal, state and local levels, government organizations frequently don’t know what licenses they’ve paid for, including licenses for software they no longer use, or whether they’re paying for more licenses than they need. Agencies may unknowingly be using unapproved software, software that has reached the end of its useful life or software that is no longer sold or supported by a vendor. The accelerating migration of applications to the cloud only exacerbates the peril of imprecise license management. To learn more about the complex issue of software licensing, GovLoop partnered with Flexera to survey the government community. That survey found that agencies’ management of software licenses hasn’t kept pace with the knotty challenges arising at a time of rapidly evolving IT enterprises. Indeed, many government organizations will need help catching up to licensing requirements that in all likelihood will only become more complex.
*Chart percentages may not add up to 100 due to rounding.
The High Stakes of License Management
The discipline of license management and the broader imperative to improve IT asset management is challenging to many government agencies, particularly at the state level. Not so many years ago, government organizations relied on simple spreadsheets to track the lifecycles of hardware and software. That was before modernization rewrote the rules of engagement – and the fast-growing complexity of IT enterprises irreversibly altered the technological ecosystem. The upshot is a new demand for specialized tools that manage IT assets and their licenses. Awareness of licensing and its importance to government agencies is growing. On the legislative front, the Making Electronic Government Accountable By Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 requires federal agencies to develop software licensing policies to manage, inventory and analyze the use of software.
The survey found that agencies at all levels of government continue to fall short of adequately managing software licenses in accordance with the demands of the modern enterprise. Asked about the extent to which their agencies pay for software that is no longer in use, 57% of respondents affirmed that the practice happens, either “in some cases” or “a lot.” The same percentage of respondents said their organizations have more licenses than are needed for some products.
FIGURE 1: To what extent do you think your agency is still paying for software that is no longer in use?
14% A lot
43% In some cases
43% Not much or not at all
Also, the Federal Information Technology Acquisition Reform Act (FITARA) calls for a governmentwide inventory of IT assets. Enacted in 2015, FITARA scores agencies’ total portfolio savings relative to total IT budget and compares the ratio to other agencies’ scores. Both laws essentially challenge agencies to improve their programs of license management. Agencies sometimes improve license management following an event that compels them to action, such as an audit, a cloud-first mandate or another trigger. As a result, “RFPs are coming out where there’s asset management called out” as a parameter of the procurement process, said Paul Borror, a Major Account Manager at Flexera, an IT company that helps organizations gain visibility into and maximize the value of technology investments. “That’s good news, and we’re starting to see an uptick in the value that agencies put on knowing where all their assets lie,” he said.
FIGURE 2: To what extent do you think your organization has more licenses than it needs for some products?
11% A lot
46% In some cases
43% Not much or not at all
Asked about license tracking, 64% of people who answered the survey said their IT teams track the usage of licensed software, either at the enterprise level (40%) or the division level (24%). Yet more than a third of respondents said their IT teams don’t track usage, or the respondents themselves don’t know whether the IT team does any tracking.
FIGURE 3: Does your IT team track the usage of licensed software?
40% Yes, at an enterprise level
24% Yes, at the division level
7% No
29% I don’t know
The consequences of ineffective license management fall into three main categories: fiscal, security and operational. “The first thing is being transparent about the taxpayer dollar … an extraordinarily important piece of information,” Borror said. “The second thing is the security component,” including awareness of who has access to licenses. “If you’re using an application that contains citizens’ data and you don’t effectively manage access to it, you could inadvertently compromise citizens’ privacy and the security of their data,” Borror said. Third, organizations need to know where assets are to function well. In a hybrid environment, a state agency might have several cloud providers as well as access to the state’s IT cloud, plus applications on AWS, Azure and Google, and possibly a couple of on-premises servers in the basement. “This environment doesn’t look anything like it did 25 years ago, when most of the processes used to track hardware and software were put in place,” Borror said. “That’s problematic.”
Software Licensing and Security: Help or Hindrance?
To appreciate the security risk of inadequately managed software licenses, one need only skim news stories about organizations that fell prey to known vulnerabilities exploited by cyber attackers. In 2017, there was the Equifax breach and the WannaCry attacks, which targeted government and private sector organizations that were using the Microsoft Windows operating system. In 2019, cyber attackers breached security and compromised data held by Capital One and First American banks. That same year, ransomware attacks against the governments of Greenville, N.C., and Baltimore, Md., locked up IT systems. The list goes on and on. Failure to adequately manage IT systems and remediate potential vulnerabilities was a factor in the attacks – but organizations can’t patch vulnerabilities in software that’s hidden from view. Unfortunately, many agencies don’t have reliable processes in place to identify and reduce systemic vulnerabilities. Moreover, there often is a time lapse between identifying and fixing problems. That gap, created in part by poor license management, is an opportunity for attackers to infiltrate and exploit systems. When license management is substandard, organizations are more likely to experience security issues stemming from software that has reached its end-of-life (EOL) stage (at which it is no longer supported by vendors), as well as software that has reached end-of-service (EOS) and is no longer sold.
FIGURE 4: To what extent is your organization using software that has reached end-of-life, i.e., that is no longer being supported by the vendors?
20% A lot
36% In some cases
44% Not much or not at all
In the survey, 56% of respondents indicated that their organization is using applications that are no longer supported by vendors, either in some cases (36%) or a lot (20%).
FIGURE 5: To what extent is your organization using software that has reached end-of-service, i.e., that is no longer being sold?
13% A lot
44% In some cases
43% Not much or not at all
Asked about the extent to which their organization uses end-of-service software, 44% agreed that applications no longer being sold are used “in some cases.” Another 13% reported that end-of-service software is used “a lot.”
A robust license-management solution can mitigate security risks associated with end-of-life and end-of-service applications by aggressively removing and replacing hardware and software nearing their EOL and EOS dates.
“Every time you introduce a human [into the process], you introduce a potential problem, mistake or issue,” Borror said. “If you have to rely on spreadsheets and people playing the telephone game, you’ve got a real issue.”
“It’s about discovering inventory, understanding what you have and where it is and who’s using it. You’re proactively looking at what you have installed and managing things, as opposed to it being a secondary thought,” said David Haddad, Senior Solutions Engineer at Flexera.
A robust management tool will automatically account for new employees, new vendors, new publishers and hardware, as well as the departure of people, vendors, hardware and software licenses.
In the simpler era when licenses could be managed with spreadsheets, oversight efforts relied on humans to analyze data and take appropriate action to mitigate security risks. The complexity of the current IT environment calls for using automated tools to manage large numbers of licenses dispersed among multiple environments.
“You let the zeros and ones do what they’re supposed to do, and that frees up your smart people in IT to do the smart things you hired them to do instead of trying to figure out how to delete a line off your Excel spreadsheet,” he said.
The High Cost of Low Oversight
Failure to account for software licenses can lead to undesirable outcomes, financial losses chief among them. At the root of the problem is complexity and confusion that makes license management difficult under the best of circumstances – and almost impossible using traditional management methods. Aside from the inherent complexity of enterprise IT in an environment shaped by hybrid cloud and massive mobility, the business practices of vendors often exacerbate the challenge of license management. For one, some of the major vendors have a practice of labeling “the same thing three or four or five or six or eight different ways,” Borror said. “Nobody begrudges the publisher bill as long as it’s the right bill. What becomes an issue is if you’re paying for 1,000 licenses, you only really wanted 700 and you’re only using 632 of those.”
FIGURE 6: To what extent do different divisions in your agency have their own licenses for the same software products?
13% A lot
41% In some cases
46% Not much or not at all
One reason for these oversights is poor communication or coordination among departments within an agency. The survey found that more than half of agencies (54%) represented by respondents have multiple licenses for the same software products in different divisions of the agency. It happens “a lot,” according to 13% of survey-takers.
FIGURE 7: Has your organization recently conducted a license compliance initiative, that is, bringing software licenses in line with actual software use?
39% Yes
20% No
41% I don’t know
Despite the significant number of redundant licenses, unused licenses and licenses that simply aren’t accounted for, agencies haven’t rushed to close the gap between the licensing of software and its use. Almost three of five survey respondents said their organization hasn’t recently conducted a license compliance initiative to determine alignment between software licenses and actual software use – or they didn’t know the status of initiatives intended to determine the gap. This lack of visibility increases the likelihood that agencies will overpay or underpay for software licenses. Unexposed accounting errors tend to persist, compounding losses over time. People might think that overpayment causes the biggest headaches, when in fact underpayment can be worse. Publishers that suspect something is amiss will conduct an audit, often with great success, Borror said. “Those audits are very, very difficult to go through,” he said. And costly. Not infrequently, a department or agency will retain a firm such as KPMG or Deloitte to help navigate the process or “throw a bunch of their own people at it.” In Borror’s experience, “the publisher knows exactly what it’s doing coming in. It’s usually the department or agency that’s back-pedaling.” Even if the organization has been underpaying by just a few percentage points, “it’s still going to cost a ton of money in hard dollars to make that right,” plus the soft expense of time, effort and energy, he said.
The best protection against audit losses is scrupulous license management. Lacking such rigor, an agency could “wind up on the wrong end of a million dollars on an audit here, or three or four hundred thousand on an audit there,” Borror said. “When tax dollars are down and states are furloughing employees, sending Microsoft or Oracle or Salesforce a big check is kind of foolish.” Simply put, vendor audits are a routine condition of running a modern IT enterprise. Almost three of four respondents (73.8%) who took the survey reported one or two vendor audits per year. Fourteen percent reported three or four a year, and 12% five or more.
FIGURE 8: How many vendor audits do you have in a year?
74% 1-2
14% 3-4
12% 5 or more
The Path to Better License Management
In an ideal world, government organizations would procure IT from a single source, vastly simplifying the onerous task of license management. That’s not likely to happen anytime soon. “You can’t buy all your software from one place, and you can’t buy all your hardware from one place,” Borror said. “The world is not that standardized. There are going to be different ways to buy things, and there are going to be different ways to pay for things. There are going to be different ways to write the contract, and different ways to honor the contract. It’s just not a neat environment.” Environments tend to become less neat over time as organizations expand, contract or merge, further complicating license management. At the local level, police and fire departments independently purchase IT products and manage their own licensing. “It’s a systemic division that government agencies are realizing they need to pull together, and organizations are going through a painstaking process to get there,” Haddad said. Agencies start that process when they acknowledge the enormity of the challenge and the necessity of using some type of automated system to manage licenses. Pressure to do so is coming from government mandates and the desire to avoid financial losses, security lapses and compromised IT operations. The bottom line: Poor license management is costly. “If I don’t know what I’ve purchased and what I’m using, I can’t go into negotiations for maintenance agreements, contracting, those kinds of things, knowing how to negotiate better terms,” Haddad said.
FIGURE 9: How frequently does your organization push out patches for known vulnerabilities?
21% As quickly as patches become available
51% Regularly
9% Somewhat regularly
11% Infrequently
9% Rarely or not at all
About half of survey respondents said their organizations regularly push out patches for known vulnerabilities. The other half did so on a less-than-regular basis, including 11% that patched known vulnerabilities infrequently and 9% that did so rarely or not at all. The goal is transparency: a 360-degree view of licenses, their usage, who has access, etc. Achieving transparency through automated license management limits errors that inevitably occur when organizations rely on manual processes performed by human workers. Organizations under audit often are amenable to new ways of managing licenses. “If there’s a compelling event, that’s an easier conversation. You have a problem; we have a solution. Easy-peasy,” Borror said. In the absence of a compelling event, organizations often fall back on standard justifications for continuing to do business as usual – something along the lines of: “We’ve got a great IT department; Martha does a great job managing our licenses; we haven’t been audited in 20 years.”
“Some government agencies have discovered that they can’t do it alone,” Borror said. “They’re investing in software license optimization or asset management software, realigning how they look at software and licenses provided to them, and they are looking at being able to negotiate better rates for licenses.” The reality is that people leave jobs and change today happens “at the speed of software, at the speed of finance, at the speed of a pandemic, and you can’t continue to throw people” at the thorny challenge of license management, he said.
FIGURE 10: Is application migration to the cloud a priority at your organization?
31% Yes
41% Somewhat
28% No
Change also is happening at the speed of cloud. More than seven of 10 survey respondents said application migration to the cloud is a priority (41%) or somewhat of a priority (31%).
“The cloud makes some things easier, but it makes tracking licenses harder.” – Paul Borror, Flexera
How Flexera Can Help
Flexera’s software asset management solutions help organizations effectively purchase, deploy, manage, optimize and retire software assets and resources. Effectively managing software assets is an essential function of IT asset management, which seeks to administer, govern and reconcile IT resources used throughout the organization. In the current IT environment, license management has emerged as a critical function for minimizing financial losses and reducing compliance risk. Flexera’s specialized software optimizes license management to save money and increase operational efficiency. Software license optimization also helps government agencies manage vendor relationships and contracts for greater efficiency and superior results.
Flexera FlexNet Manager software and IT asset management solutions manage and optimize enterprise software regardless of location, from desktop to data center to the cloud. Flexera’s solutions provide organizations both a growth path and a roadmap for success by managing and reducing IT spending on applications from Adobe, IBM, Microsoft, Oracle, VMware, Symantec and SAP. To learn more, visit www.flexera.com.
Conclusion
Government agencies’ IT environments have become increasingly complex, mostly to their benefit. Availability of third-party applications across hybrid environments has transformed agencies’ enterprises, while making once routine management of software licenses a more critical endeavor. In years past, agencies have relied on manual processes and the best efforts of government workers to manage licenses. Often, they have turned to advanced license management solutions only when given a compelling reason, such as a potentially costly audit. But increasingly, agencies now realize that enterprise license management is about more than avoiding adverse events. Automated solutions can perform the necessary function of license management with greater speed and accuracy – and in the process deliver a range of welcome outcomes, from financial savings and greater operational efficiency to more robust security.
ABOUT FLEXERA
Flexera FlexNet Manager software and IT (information technology) asset management solutions manage and optimize enterprise software regardless of location, from the desktop to the data center to the cloud. We’ll give your organization a growth path and roadmap for success. Manage and reduce spend on applications from Adobe, IBM, Microsoft, Oracle, VMware, Symantec and SAP.
ABOUT GOVLOOP
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 F: (202) 407-7501 www.govloop.com @GovLoop