We may have reached the point where SAM, as we know it, is irrelevant. Is it dead as many hoped about ten years ago? Definitely not. But if we continue holding on to the compliance-first, licence-centric, audit-defence-only approach, we may soon become extinct like Kodak with their film cameras.

Cloud is the reason

Of course, there are local economies in which businesses are reluctant to adopt Cloud, but the progressive world has already embraced it.

It did not become "The Death of SAM" though. Completely dismissing SAM would be reckless. But instead, it is affecting the way we think about our software assets. It has introduced zero-day risks. Moreover, it did not alleviate the traditional compliance risks but instead introduced new ones, and increased complexity.

More excitingly, it is forcing us to effectively transition from pure SAM to a more ITAM-like approach as both are now more intertwined. Strictly speaking, you don't manage hardware assets in the Cloud. Cloud resources and cost categories are your IT assets now. But resources like number of HTTPS requests or Cloud storage space are not software licences either.

Cost management is paramount

One of the positive trends of the past ten years, which has paved the way for a smoother transition to modern SAM, is a significant shift in SAM programme goals from compliance to cost management. In some organisations, SAM roles have been set up in, or transferred to, procurement. Not that I support procurement's ownership of SAM but if you're selling SAM managed services in 2020 and not targeting procurement first, you might want to reconsider your sales strategy.

Are we finally free from licence compliance worries?

Unfortunately, not.

Rich client devices, e.g. laptops, tablets, smartphones

There is still legacy software on the client devices, which requires a traditional approach as the risks stay the same. Of course, shifting to cloud-based licensing similar to Adobe CC simplifies it but I am yet to see a purely subscription-licensed organisation regardless of its size. Thinking of Adobe, there are still plenty of device-based licences and legacy apps here and there.

Microsoft with their subscription-based M365 aren't helping either, although they may have good reasons for that – compatibility and customer retention. You may be entitled to deploy legacy Visio and Project under respective M365 subscriptions. And so you may maintain compatibility, business continuity and positive user experience. But the instances of legacy software become harder to manage than under their legacy licences. Subscriptions are per user so you must make sure that only the licensed users are permitted to access the legacy instances as there is no built-in activation. And by all means necessary, keep it off your Citrix farms!

Software may have commercial and other use limitations. Think Oracle Java, Oracle VirtualBox, Microsoft Visual Studio Community.

Free software is not necessarily freeware. Open Source is not necessarily free of freeware. We cannot discount these issues.

Is all the above less of an issue on tablets and smartphones? Yes and no. There may still be licensing limitations, e.g. a licence is free unless your screen is 10 inches wide, then it's not, and you have to pay.

Dedicated servers, on premises and hosted

Unless you have just recently set up a new company with a Cloud-only IT policy, there's a good chance that you have on-premises servers or some dedicated hardware in third-party data centres. Traditional SAM still applies here.

In addition, you may rent some licences from a provider on a monthly basis. Both Microsoft SPLA and Microsoft CSP permit usage of licences on-premises. It is not a well-known feature of SPLA but it introduces additional management and security complexity so please read the terms carefully before you rush for it.

And with regard to "Private Clouds", which are fundamentally just servers dedicated to your use in someone else's data centre, there may be special licensing terms as well. Microsoft have had relevant special terms for the major Private Cloud providers since 2019.


If you have access to the operating systems, you open yourselves up to all the traditional compliance risks, and your existing SAM processes still apply here. In addition, terms, conditions and metrics may differ between on-premises and IaaS. They may even differ cloud-to-cloud. So before you "BYOL" something to the Cloud, please read the terms; and you may have to watch your maintenance renewals to remain compliant.

There are different flavours of IaaS so let's again just touch on a few examples.

As already mentioned above, there are special terms applying to Microsoft licences deployed to Private Cloud environments rented from major providers like AWS and Google, and Azure as well. And, here is another complexity, the terms apply depending on when a licence was purchased. Regardless of whether you enjoy micromanaging single licences, the financial impact may force you to reconsider.

Oracle have special core factor tables for Cloud, which are actually simpler than on-premises.


Some PaaS providers permit bringing your own licences (BYOL). What does it entail? In many cases, you are required to have these licences under active maintenance. And in all cases you must make sure you actually have the licences. Do not forget to deduct them from your on-premises pool.

Oracle generally allow usage of on-premises licences in their PaaS but will they certify such use at the ULA exit? The community's experience is negative but as this is only taking off, let's watch this space. I would certainly recommend discussing it with Oracle well beforehand.


Some vendors, and Salesforce is a good example, treat their SaaS subscriptions like licences. There may be fewer risks in the traditional licence compliance way but in some countries, there may be tax-related complications and contractual requirements in the statutory law. That's certainly the case in Russia.

Of course, as already mentioned, a SaaS provider or Cloud vendor may permit installing something on your rich client devices.

And the list continues. But let's finally turn to what's new in SAM.

Zero-day risks

While in the on-premises world we could somewhat afford neglecting non-compliance or potential cost impact until a certain event like an audit, going public, acquisition, or simply an agreement renewal or Oracle ULA exit, we don't have that luxury in the Cloud anymore.

First and foremost, SAM is no longer just about compliance. It is not just about cost management either but the more you are "cloudified", the more you think about costs first.

In the Cloud, it's like a taxi that is standing behind your door with a ticking meter. And although this is an allegory that is often used in relation to resource costs, it applies to compliance too. There shall be traces, there shall be evidence, and you shall have to rectify (read: pay for) it back to the deployment date. Users will be counted, and if your user directory is not maintained on a regular basis, or still has leavers, or access is not tightened, expect to be charged back to the service or user creation date.

The user access management also applies to service costs. Give a user too much, and expect to be billed even if you rectify the error immediately. The services are often, although not always, billed based on monthly high-watermarks or unique "authorised user" count in a calendar month. Make sure your Oracle Fusion privileges are under control.

Continuous renewal cycle

The Cloud, and especially SaaS, along with licensing programs like Microsoft CSP, have enormously impacted our approach to renewal management. Instead of dealing with a wave of annual renewals or true-ups of selected vendors' licensing agreements, we now have to deal with a continuous cycle of cost management and analysis, service renewals, monthly reports and payments. It has become a day-to-day task, especially considering that the number of SaaS services that an average organisation is using, knowingly or unknowingly, is in the hundreds.

And let's mention SaaS again

SaaS deserves not just a dedicated article but a series of them.

Firstly, as mentioned, it is the number of applications and vendors that we now need to manage, along with varying terms and conditions, metrics, plans etc. Hundreds of them.

Secondly, how do you discover all the SaaS in use? What about BYOD? What about SaaS usage by remote workers? And then, even if you manage to discover all that, which I seriously doubt, you need a recognition catalogue updated on a regular basis. And when I say "regular", I mean almost daily.

Then we have security and compliance complications. Per app.

So where is SAM in 2020?

It's still here but it's different. It is cost-management and software-portfolio-centric.

It still has to deal with compliance issues. The processes and ISO 19770 standards are still relevant.

It is more and more merging into ITAM, although the more I think about it, the more it seems like ITAM is merging into SAM.

I have a feeling there shall be an urge for a new name for it soon. There are already ideas that may sound more relevant, e.g. "Software Portfolio Management" or "Digital IT Optimisation". Even more are emerging. Watch this space.

But again, like in my other article back in 2013, I would conclude that for us, professionals, as long as we evolve, there is still a load to do.

Alexander Golev, Timur Sabaev
© 2020 SAMexpert.com