Software Licensing Compliance & the ISO 19770-2 Standards

Software publishers have many ways to license and price their products. For example, they can change the underlying revenue model by moving between a perpetual license and a time-based license, and they can price against different metrics, such as named user, instance, number of managed devices, or number of CPUs. Duration and metric can be combined to offer pay-per-use or usage-based models, and the various combinations let a software publisher bring a variety of price points to market.

One issue faced by almost every software publisher offering such a variety of license models is how to ensure that their products are being used within the bounds of the license agreement. The goal is to balance capturing revenue for all usage against being a nuisance to the end user. For some software publishers, embedding technology such as a license manager to make the products “compliant aware” is one approach that has proven successful, especially in science and engineering vertical markets and high-tech equipment markets (e.g. medical, telecom and industrial control).

For other companies that sell enterprise software to large enterprises, the goal is not to embed any technology but to let Software Asset Management (SAM) tools detect the forensic traces of installed software and gather this information into a consolidated report. The customer’s SAM manager and the software publisher can then use this information for a fact-based discussion on usage and fees. The rub is that virtually no two vendors’ software leaves the same installation (or usage) “fingerprint”, so the process is far from simple. SAM tools have to be configured with a complex set of rules covering installation characteristics and license agreement terms before they can provide useful reports.

The emerging ISO 19770-2 standard is a leading contender to bring simplicity to this matter. By creating “software tagging” standards, it becomes easier for all stakeholders in the software production and usage chain to create, read and consume the information vital to ensuring compliance with license models and agreements. This in turn leads to more standardized processes, technologies, and trained practitioners.

So far, industry adoption has been underwhelming. I often tease my colleague, David Wright, an industry compliance expert from VeriTag, that about 50 people in the world care about the ISO 19770-2 standard. I tell him that the ISO standard seems to be more of a vitamin than a medicine, a reference to an expression I hear VCs use when they want to tell you that you have “an interesting idea” but not a very compelling business proposition.

But, perhaps ISO 19770-2 is on its way to becoming a compliance medicine? Symantec and Adobe are beginning to adopt it as a standard method to tag software. I see other software publishers looking to use a software tagging methodology, and see it as an intriguing possibility. There are efforts by the Federal ITAM group within the GSA to create a standard for the consumption of software, requiring the government to adhere to this standard. Perhaps this could be the tipping point?

Anyone out there feel the same way?

One comment on “Software Licensing Compliance & the ISO 19770-2 Standards”

  1. Steve Klos on

    I won’t say that 19770-2 is a medicine that cures all ills in the licensing space, but it does cure a few symptoms. (the non-profit organization that ensures tags use normalized terms, provide a specified minimum set of data beyond the minimum, and fosters working groups to further the market efforts in the standard) is making big steps to make software identification authoritative and not based on an archeological dig.

    We need to make changes in the licensing environment in order to allow purchasing organizations to automate their compliance process. This requires -2 tags, but will also require entitlements to be provided in a structured fashion. Problem is, without authoritative identification (a foundational data element), entitlement tags can’t provide an effective automation of the compliance process.

    We are seeing progress – many purchasing entities are going to start to require SWID tags in software they purchase (as the GSA and Department of Defense are doing). Adobe and Symantec are on the front lines of this process and are in good shape to provide products into this set of requirements. has working groups that are defining the certification and digital signing requirements for this process and is developing tools and technology to make this process automated, consistent and significantly cheaper (note the tools is providing are focused in a different area from those provided by VeriTag).

    We’re also seeing multiple discovery tools that already support SWID tags. With the Best Use of Tags contest sponsored by The ITAM Review and last year, every vendor that entered the contest now fully supports tags because they see the value. Take a look at the video from the contest on the website to see why tags make such a clear difference and the responses we received from the vendors. Since that time, 2 additional vendors have added tagging support to their products, so now we have – Aspera, CA Technology, MagniComp, Sassafras Software, and Symantec with product support for 19770-2 SWID tags. Note, the 2011 contest is now getting underway…

    Add to that – every presentation I’ve ever given on this subject (and a few that I’ve attended and had questions thrown my way while I’m in the audience) is packed with people who want to know more about SWID tags. Why? Because end-users have a really difficult and resource-intensive problem in managing software discovery, yet this discovery data is a fundamental data feed to the compliance process. These customers won’t admit this to their publishers, often because of a fear of an audit (imagine telling your vendor you can’t tell which of their products you have installed knowing that they have the rights in their license with you to audit your organization).

    Based on what I see, there are more like thousands of people interested in tagging, but many of those are knowledgeable enough not to ask their software vendors anything, so they come to, IAITAM, David Wright and others. SWID tags provide a cure for one symptom, future standards will work with SWID tags to cure the disease. SWID tags can be implemented now by publishers and by end-users. They will match up automatically with entitlement tags to lower the cost of compliance dramatically for everyone in the software ecosystem.

    Publishers – what are you waiting for? Help your customers and show them you actually want to make compliance something they can manage without a huge infrastructure and resource cost.

