Creating an ITAM (IT Asset Management) clean-up action plan means that, after any major change – particularly one that’s unexpected – you will have a checklist of steps for methodically taking stock of the situation. What must you look at to ensure your compliance position hasn’t shifted too far? You need to be able to identify the probable areas where compliance may have slipped and then work to establish your new position in each of them.
This was written with the 2020 Coronavirus pandemic in mind but applies to a wide variety of scenarios.
What devices do you have, where are they, and what’s on them?
It’s likely that a number of additional laptops have been deployed – either those you had in stock and/or newly purchased machines to meet internal demand. For various reasons – including regulatory compliance – you’ll need to know about all of these: where they’ve been deployed, which users have them, what data they hold and, last but not least, what software is installed on them.
If it turns out you don’t need all those devices in 6 months, what do you do then? Do you have the required process for bringing those devices back into the business, harvesting licenses, cleansing data, securely storing/disposing of the hardware etc.? Equally – can you find them all again in a few months?
You may also find a sudden spike in BYOD (Bring Your Own Device) usage. If a company doesn’t want to/can’t spend the money on laptops that they may not need in a few months, why not get staff to use their own devices? If this has happened, you will again need to discover them all and their contents – but also think about ongoing management. Who controls them? Is corporate data held on there? If so, can it be wiped etc.?
As well as the client side, what new server infrastructure – physical and/or virtual – has been deployed, and what’s installed on it?
Look at your Citrix/RDS servers – has new software been added? If so, review your contracts and find out whether this makes you non-compliant in the eyes of the vendor. If it’s no longer needed, remove it; if it is needed, look at what may need to be purchased or negotiated.
What has been put on existing Citrix/RDS servers? Is it allowed to be there? Have new Citrix/RDS servers been created? Has software been deployed onto IaaS cloud machines? Is it allowed to be there?
What apps are being used now? Do you have a tool or system that enables you to see this?
It’s highly probable that you’ll find a lot of duplication when it comes to certain types of SaaS software – even more so than before! Video conferencing software is probably the number 1 culprit for duplication within an organisation anyway but now, with less oversight and more people able to choose, you’ll find Teams/WebEx/GoToMeeting/Zoom/Skype/Blue Jeans/Hangouts/Chime and more all in use I’m sure. Most may be on free plans, but some might be paid – check expense reports to identify any double spending where you already have corporate licenses.
If video conferencing software isn’t the #1 for duplication, it’s cloud storage – and usage of that will also explode during this mass working-from-home scenario. It’s unlikely that users will need to pay for any of the myriad cloud storage options out there – Microsoft, Google, Box, Dropbox et al. all offer decent paid plans, as do so many other providers – but this becomes a question of regulatory compliance. Where is your company data? Who controls it? Who has access to it? With regulations such as GDPR, CCPA, HIPAA, FISMA, and SHIELD all requiring companies to have better control of employee and customer data, this proliferation of cloud storage could be a real problem.
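The expense-report check described above can be partly automated. The following is an added example (not code from the original post): it reads a constructed expense export, maps merchant descriptions to a functional category such as video conferencing or cloud storage, and flags any spend in a category the organisation already licenses corporately. The product patterns, the corporate licence names and the expense lines are all constructed for illustration.

```python
"""Flag expense-report spend on SaaS tools that duplicate existing corporate licences.

Added example, not part of the original post. Vendor patterns, categories and the
expense lines below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Merchant-description patterns mapped to a functional category (constructed; extend for your estate).
PRODUCT_CATEGORIES = {
    "zoom": "video conferencing",
    "webex": "video conferencing",
    "gotomeeting": "video conferencing",
    "bluejeans": "video conferencing",
    "dropbox": "cloud storage",
    "box.com": "cloud storage",
    "google one": "cloud storage",
}

# Categories the organisation already covers with a corporate licence (constructed).
CORPORATE_LICENSES = {
    "video conferencing": "Microsoft Teams (E3)",
    "cloud storage": "OneDrive for Business",
}

# Constructed expense export: employee, date, merchant description, amount.
SAMPLE_EXPENSES = """employee,date,merchant,amount
alice,2020-04-02,ZOOM.US 888-799-9666,14.99
bob,2020-04-03,Dropbox Plus,9.99
carol,2020-04-05,Train ticket London,45.00
dave,2020-04-07,WebEx Meetings Monthly,12.85
alice,2020-05-02,ZOOM.US 888-799-9666,14.99
"""


def categorise(merchant: str):
    """Return the functional category for a merchant description, or None if unknown."""
    m = merchant.lower()
    for pattern, category in PRODUCT_CATEGORIES.items():
        if pattern in m:
            return category
    return None


def find_duplicate_spend(expense_csv: str):
    """Return {category: {"corporate": licence name, "total": amount, "lines": [...]}}
    for every expense line in a category already covered by a corporate licence."""
    findings = defaultdict(lambda: {"corporate": None, "total": 0.0, "lines": []})
    for row in csv.DictReader(io.StringIO(expense_csv)):
        category = categorise(row["merchant"])
        if category is None or category not in CORPORATE_LICENSES:
            continue  # unrelated spend, or a category with no corporate licence to duplicate
        amount = float(row["amount"])
        entry = findings[category]
        entry["corporate"] = CORPORATE_LICENSES[category]
        entry["total"] = round(entry["total"] + amount, 2)
        entry["lines"].append((row["employee"], row["date"], row["merchant"], amount))
    return dict(findings)


if __name__ == "__main__":
    for category, f in find_duplicate_spend(SAMPLE_EXPENSES).items():
        print(f"{category}: {f['total']:.2f} across {len(f['lines'])} expense lines "
              f"while {f['corporate']} is already licensed")
        for employee, date, merchant, amount in f["lines"]:
            print(f"  {date} {employee:<6} {merchant:<28} {amount:>7.2f}")
```

Matching on merchant substrings is deliberately crude: card statements truncate and mangle vendor names, so a short pattern list that you tune over a few months catches more than an exact-match lookup. The output is a starting point for the conversation with finance and the employee, not a compliance verdict on its own.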
Look at your existing public cloud environments – have the bills increased significantly? Identify where the extra spend is coming from, how much of it is still required, and how much can be turned off immediately. For the additional resources still in use – are they now part of business as usual (if so, adjust budgeting etc. accordingly) or are they temporary (if so, set an end date and define a plan for their retirement)?
Scan your IaaS environment for on-premises software installs to identify any potential non-compliance with licensing rules.
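The Citrix/RDS and IaaS checks above, and the licensing scan here, all come down to the same reconciliation: discovered installs per host against what the contracts entitle you to. The following is an added example (not code from the original post) of that reconciliation. It takes a constructed inventory of hosts, each tagged with a platform, and constructed entitlements, and reports three things: products installed more times than licensed, products with no entitlement at all, and products running on IaaS hosts where the assumed contract does not permit cloud deployment. Host names, product names, quantities and the `cloud_allowed` rule are all assumptions for illustration.

```python
"""Reconcile discovered software installs against licence entitlements.

Added example, not part of the original post. Hosts, products, entitlement counts and
the cloud-deployment rule are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    platform: str                              # "on-prem", "citrix" or "iaas" (constructed labels)
    installs: list = field(default_factory=list)


@dataclass
class Entitlement:
    product: str
    quantity: int          # number of installs the contract covers
    cloud_allowed: bool    # whether the contract permits running the product on IaaS (assumption)


# Constructed discovery output, as an inventory agent might report it.
HOSTS = [
    Host("ws-001", "on-prem", ["Office Pro", "Visio"]),
    Host("ws-002", "on-prem", ["Office Pro"]),
    Host("ctx-01", "citrix", ["Office Pro", "Visio", "Project"]),
    Host("vm-az-01", "iaas", ["SQL Server Std"]),
    Host("vm-az-02", "iaas", ["SQL Server Std", "Office Pro"]),
]

# Constructed entitlements keyed by product name.
ENTITLEMENTS = {
    "Office Pro": Entitlement("Office Pro", 3, cloud_allowed=True),
    "Visio": Entitlement("Visio", 2, cloud_allowed=True),
    "SQL Server Std": Entitlement("SQL Server Std", 2, cloud_allowed=False),
}


def reconcile(hosts, entitlements):
    """Return a dict of findings:
       'shortfall'    {product: installs - entitled} where installs exceed the entitlement
       'unentitled'   {product: [hosts]} for products with no entitlement record at all
       'cloud_breach' {product: [hosts]} for products on IaaS hosts where cloud use is not permitted
    """
    install_counts = Counter()
    unentitled = {}
    cloud_breach = {}
    for host in hosts:
        for product in host.installs:
            install_counts[product] += 1
            ent = entitlements.get(product)
            if ent is None:
                unentitled.setdefault(product, []).append(host.name)
            elif host.platform == "iaas" and not ent.cloud_allowed:
                cloud_breach.setdefault(product, []).append(host.name)
    shortfall = {
        product: count - entitlements[product].quantity
        for product, count in install_counts.items()
        if product in entitlements and count > entitlements[product].quantity
    }
    return {"shortfall": shortfall, "unentitled": unentitled, "cloud_breach": cloud_breach}


if __name__ == "__main__":
    report = reconcile(HOSTS, ENTITLEMENTS)
    for product, gap in report["shortfall"].items():
        print(f"SHORTFALL   {product}: {gap} more install(s) than entitled")
    for product, names in report["unentitled"].items():
        print(f"UNENTITLED  {product}: no entitlement, found on {', '.join(names)}")
    for product, names in report["cloud_breach"].items():
        print(f"CLOUD       {product}: on IaaS without cloud rights: {', '.join(names)}")
```

Keeping the platform on each host record is what lets a single pass answer both "how many" and "where": the same install count that is fine on-premises can be a contractual problem on a cloud VM, and that distinction is exactly what a vendor audit will look for.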
Finally, try to identify any new “shadow” public cloud environments that may have sprung up through necessity. The costs will be coming back to your organisation somehow, probably via p-cards/expenses, and there’s also the concern around company data sitting outside of company control.
It may well be that a tool will be useful to help give you an overall picture.
Whether on-premises or SaaS, make sure you understand what the requirement is going forward. Don’t assume that all licenses will still be needed as some staff make their way back into offices, but equally, don’t assume it will go back to the exact number it was before this COVID-19 outbreak. I feel it is very likely that most organisations will see at least some staff continue to work remotely going forward, so there may well be an ongoing increase in license numbers. If you do need to reduce license numbers, can you do that immediately without penalty, or is there a minimum period – say 12 months? If the latter, get negotiating!
Alongside this, I would advise reconciling numbers of datacentre software too – Oracle DB, SQL Server and so on. It is quite possible that additional database resources have been required to handle increased workload, and both of those products (as well as plenty of others) can lead to an expensive audit bill.
Do any of your software vendors operate on a “high-watermark” basis? If so, it’s possible you will exceed that during the coming weeks of high levels of remote working – I would certainly look to negotiate around these limits, at least for a defined period of time while the situation is at a peak.
One would hope that software vendors will recognise the vast pressures faced by so many during these months and choose not to enforce certain licensing terms for a certain time period, but equally it’s best to be prepared for cases where they choose not to – or where the timing of the change cannot be proven.
Just as previous incidents such as H1N1, SARS, and Avian Flu are distant memories to most, so too will the confusion and unique circumstances around COVID-19 fade. Keeping records of what happened within your org, when, and why, and taking corrective steps as soon as possible will certainly help during any future discussions with software vendors and auditors.