Where is SAM in 2020?

SAM, as we know it, may have become irrelevant. Is it dead, as many hoped about ten years ago? It's not. But if we continue with the compliance-first, licence-centric, audit-defence-only approach, we may soon become extinct like Kodak with its film cameras.

Cloud is the reason

Of course, there are local economies where businesses are reluctant to adopt the Cloud, but the progressive world has already embraced it.

The Cloud did not become "The Death of SAM", though, and completely dismissing SAM would be reckless. Instead, it is affecting the way we think about our software assets. It has introduced zero-day risks. Moreover, it did not alleviate the traditional compliance risks but introduced new ones and increased complexity.

More excitingly, it is forcing us to effectively transition from pure SAM to a more ITAM-like approach as both are now more intertwined. Strictly speaking, you don't manage hardware assets in the Cloud. Cloud resources and cost categories are your IT assets now. However, resources like the number of HTTPS requests or cloud storage space are not software licences either.

Cost management is paramount

One of the positive trends of the past ten years that has paved the way to a smoother transition to modern SAM is a significant shift in SAM programme goals from compliance to cost management. Some organisations have set up SAM roles or transferred them to procurement. Not that I support procurement's ownership of SAM, but if you're selling managed services in 2020 and not targeting procurement first, you might want to reconsider your sales strategy.

Are we finally free from licence compliance worries?

Unfortunately, not.

Rich client devices, e.g. laptops, tablets, smartphones

There is still legacy software on the client devices, which requires a traditional approach as the risks stay the same. Of course, shifting to cloud-based licensing similar to Adobe CC simplifies it, but I am yet to see a purely subscription-licensed organisation, regardless of its size. Thinking of Adobe, there are still plenty of device-based licences and legacy apps here and there.

With their subscription-based M365, Microsoft isn't helping either, although they may have good reasons for that – compatibility and customer retention. You may be entitled to deploy legacy Visio and Project under respective M365 subscriptions. So you may maintain compatibility, business continuity, and a positive user experience. However, the instances of legacy software become more challenging to manage than under their legacy licences. Subscriptions are per user, so you must ensure that only the licensed users are permitted to access the legacy instances, as there is no built-in activation. And by all means necessary, keep it off your Citrix farms!

Software may have commercial and other use limitations. Think Oracle Java, Oracle VirtualBox, and Microsoft Visual Studio Community.

Free software is not necessarily freeware. Open Source is not necessarily free of freeware. We cannot discount these issues.

Is all the above less of an issue on tablets and smartphones? Yes and no. There may still be licensing limitations, e.g. a licence is free unless your screen is 10 inches wide, then it's not, and you have to pay.

Dedicated servers, on-premises and hosted

Unless you have just recently set up a new company with a Cloud-only IT policy, there's a good chance that you have on-premises servers or some dedicated hardware in third-party data centres. Traditional SAM still applies here.

In addition, you may rent some licences from a provider monthly. Both Microsoft SPLA and Microsoft CSP permit the usage of licences on-premises. It is not a prominent feature of SPLA, but it introduces additional management and security complexity, so please read the terms carefully before you rush for it.

And with regard to "Private Clouds", which are fundamentally just servers dedicated to your use in someone else's data centre, there may also be special licensing terms. Microsoft has had relevant special terms for the major Private Cloud providers since 2019.

IaaS

If you have access to the operating systems, you open yourself up to all the traditional compliance risks, and your existing SAM processes still apply here. In addition, terms, conditions and metrics may differ between on-premises and IaaS. They may even differ from cloud to cloud. So before you "BYOL" something to the Cloud, please read the terms; you may have to watch your maintenance renewals to remain compliant.

There are different flavours of IaaS, so let's touch on a few examples.

As mentioned above, special terms apply to Microsoft licences deployed to Private Cloud environments rented from major providers like AWS, Google, and Azure. And here is another complexity: the terms apply or not depending on when you purchased a licence. Regardless of whether you enjoy micromanaging single licences, the financial impact may force you to reconsider.

Oracle have special core factor tables for the Cloud, which are simpler than on-premises.

PaaS

Some PaaS providers permit bringing your own licences (BYOL). What does it entail? In many cases, you are required to have these licences under active maintenance. In all cases, you must make sure you have the licences. Do not forget to deduct them from your on-premises pool.

Oracle generally allows the use of on-premises licences in their PaaS, but will they certify such use at the ULA exit? The community's experience is negative, but as this is only taking off, let's watch this space. I would undoubtedly recommend discussing it with Oracle well beforehand.

SaaS

Some vendors (and Salesforce is a good example) treat their SaaS subscriptions like licences. There may be fewer risks from the traditional licence compliance point of view, but in some countries, there may be tax-related complications and contractual requirements in the statutory law. That's certainly the case in Russia.

Of course, as already mentioned, a SaaS provider or Cloud vendor may permit installing something on your rich client devices.

And the list continues. But let's finally turn to what's new in SAM.

Zero-day risks

In the on-premises world, we could somewhat afford to neglect non-compliance or potential cost impact until a specific event like an audit, going public, an acquisition, or simply an agreement renewal or Oracle ULA exit. We don't have that luxury in the Cloud anymore.

First and foremost, SAM is no longer about compliance; it is not only about cost management, but the more you are "cloudified", the more you think about costs.

In the Cloud, it's like a taxi standing behind your door with a ticking meter. Although this is an allegory that is often brought up to describe resource costs, it applies to compliance, too. There will be traces and evidence, and you will have to rectify (read: pay for) it back to the deployment date. Users will be counted, and if your user directory is not maintained regularly, still has leavers, or access is not tightened, expect to be charged back to the service or user creation date.

User access management also applies to service costs. If you give a user too much, expect to be billed even if you rectify the error immediately. Services are often, although not always, billed based on monthly high-watermarks or unique "authorised user" counts in a calendar month. Make sure your Oracle Fusion privileges are under control.

Continuous renewal cycle

The Cloud, especially SaaS, and licensing programs like Microsoft CSP have enormously impacted our approach to renewal management. Instead of dealing with a wave of annual renewals or true-ups of selected vendors' licensing agreements, we now have to deal with a continuous cycle of cost management and analysis, service renewals, monthly reports and payments. It has become a day-to-day task, especially considering that the number of SaaS services an average organisation uses, knowingly or unknowingly, is in the hundreds.

And let's mention SaaS again.

SaaS deserves not just a dedicated article but a series of them.

Firstly, as mentioned, it is the number of applications and vendors we now need to manage, along with varying terms and conditions, metrics, plans, etc. Hundreds of them.

Secondly, how do you discover all the SaaS in use? What about BYOD? What about SaaS usage by remote workers? And then, even if you discover all those assets (which I seriously doubt), you need a recognition catalogue updated regularly. And when I say "regularly", I mean almost daily.

Then, we have security and compliance complications per app.

So, where is SAM in 2020?

It's still here, but it's different. It is cost-management and software-portfolio-centric.

It still has to deal with compliance issues. The processes and ISO 19770 standards are still relevant.

It is increasingly merging into ITAM, although the more I think about it, the more it seems like ITAM is transforming into SAM.

I feel that there will be an urge for a new name for it soon. There are already ideas that may sound more relevant, e.g. "Software Portfolio Management" or "Digital IT Optimisation". Even more of them are emerging. Watch this space.

For us professionals, as long as we evolve, there is still a load to do.