Software audits: What can go wrong – 3?

20 Feb 2017 | SAM/SLO

Device-based licensing and access control

In the third of our articles on the factors that can cause problems during a software vendor audit, we look at device-based licensing and controlling access.

Certain vendors, like Microsoft, license their software (such as Microsoft Office, Project and Visio) on a per-device basis, rather than by user. This requires a license for every device which has the ability to access the application – even if it never does.

A device can be a PC, PDA, notebook, thin client, terminal, workstation or any other digital electronic device. Normally, this isn’t a problem. But if you have implemented a thin client environment such as a Citrix farm or Terminal Services and it is not properly managed, it can cause costly license compliance problems.


Locking down at user level will not make you compliant

Many organizations assume that locking down a software application, such as Microsoft Project, at a user level through group policy or software restriction policies will keep them compliant with their license agreement. This is not correct.

Because the license is counted per device, publishing an application to a restricted user group is not an effective approach to license compliance: these users have the ability to access the application from any device, thus breaching the licensing agreement.

If, for example, you have implemented a Citrix server farm to deliver application access to 1,000 devices in your organization and one user needs Microsoft Project, you will still need to buy 1,000 licenses to remain compliant. This is because that one user has the ability to access this application from all 1,000 devices within your organization.

So, if Microsoft Project costs you $200 per license, you will need to pay $200,000 to remain compliant – just for one user! Faced with this problem, organizations have 3 options:

1. Choose to install such software on individual users’ PCs, avoiding the Citrix infrastructure. Whilst this may seem to be the obvious choice if only a few users require access, it would, in effect, mean circumventing the policies and procedures put in place to control software acquisition, and could leave a security hole for future patching and updates. In addition, if you are using thin client devices across the organization, you will need to invest in fat clients for these few users. This will also cause problems for your overall IT strategy, as well as increasing cost.
2. Buy licenses for all users in the organization – irrespective of whether they will ever use the software or not. This is an expensive option.
3. Utilize one of the few software solutions that are capable of managing this problem.


Find out how AssetStudio AccessCtrl can help you prevent this problem