Software Asset Management Selection Criteria

Software Asset Management Overview

Software asset management, or “SAM,” is a toolset used to discover and quantify software usage within an organization. Although license management solutions have been around for years, SAM isn’t solely focused on license compliance. In the age of SaaS, where enterprises leverage hundreds of cloud applications, SAM goes beyond financial spend and provides deep insights into software usage, risks, and vendor analysis.

SAM goals may sound familiar, as many different tools make the same promise to save dollars, reduce risk, and optimize software footprint. In fact, choosing a SAM solution is extremely difficult given the amount of overlapping functionality among tools such as SaaS management platforms (SMPs) and identity and access management (IAM) solutions:

Software Asset Management Tooling Feature Overlap

While selecting a SAM solution is less than straightforward, SAM tools are invaluable today. To manage SaaS at scale, IT and business departments can no longer manage each application individually. Holistic portfolio management of SaaS apps is the new norm, and SAM is one of several tools needed to get the job done. 

The Need for Software Asset Management

The business value of software asset management may be summarized with one of my favorite quotes: “if you can’t measure it, you can’t manage it.” 

When a small business has five or six applications, software asset management is easy. You know which apps you have, who your vendors are, and the approximate spend; all off the top of your head. But scale to five or six hundred applications, and the game changes entirely. The initial one-by-one view of application governance must give way to portfolio management-based techniques. 

With so many SaaS applications, key insights become hidden, and macro-level issues become harder to spot. By default, most business users think about applications first, then the business process. (“I go to Gmail to send an internal memo. I go to Marketo to launch a marketing campaign. I go to Salesforce to see current sales opportunities.”) Portfolio management, on the other hand, flips this paradigm on its head and looks at the business capabilities first, then asks “which applications power this swath of the business?” Interesting insights soon emerge with this type of approach. For example, looking at email campaign management between sales and marketing, you may discover that there are four different email service providers in use, two of which are from the same vendor. This one insight can lead to several advantageous opportunities: consolidating tools, and renegotiating fees with the vendor charging you for two different instances of the same email tool. 

Software ownership isn’t without risk; and the more apps you have, the more risks you introduce. Managing applications individually traditionally required getting human subject matter experts to examine SaaS solutions on a routine basis, then discover app-specific nuances that create risks. (A wide-open Google Drive here, an overly-permissive Slack add-on there.) Yet this approach obviously doesn’t scale. There simply aren’t enough human experts to go around, and this type of work can be codified and automated with the help of software asset management tooling.

To summarize, SAM enables portfolio management at scale. Specifically, SAM tools produce money-saving insights, reduce risks, and lend general visibility into software usage and adoption throughout the enterprise; regardless of how it was purchased or by whom.

Software Asset Management Use Cases

It’s advantageous to collect and categorize use cases by stakeholder persona, as this approach kills a few birds at once. First off, stakeholders are clearly defined by type. Second, requirements and use cases can be decoupled from each other; simplifying requirements gathering. Finally, requirements can be prioritized by persona. In many cases, the CIO spearheads the SAM program, and thus her requirements are met first and foremost. Alternatively, if the CFO is driving the program, his fiscally-focused goals would instead be met first. When the chief security officer (CSO) drives the program, it’s likely all about security goals.  

Here are nine examples of software asset management use cases, by persona:

CIO Persona

  1. Automated discovery of SaaS applications
  2. Basic risk scoring / profiling of SaaS applications
  3. Some degree of non-SaaS visibility; such as desktop and server application footprint

CSO Persona

  1. Reconciled list of applications not under corporate single sign on (SSO)
  2. List of applications with permissive OAuth delegations (apps granting access to other apps)
  3. Data sensitivity profile among various SaaS applications

CFO Persona

  1. Overall software spend
  2. Spend by vendor, by business unit, by cost center
  3. Alternative analysis and vendor negotiation insights

This is only a small subset of potential use cases. Yet use cases are a great way to structure your search for a SAM tool, as they easily convert to success criteria. In other words, if the SAM vendor can achieve these use cases, the need to create lower-level technical requirements may become redundant. 

About Software Lifecycle

Before delving further into software asset management tooling, it’s important to call out that tooling is only a piece of the puzzle. Software lifecycle management is a capability, not a tool. That is to say that software lifecycle management requires a combination of people, processes, and technology. 

Software, and to a broader extent portfolio management, should be viewed from a lifecycle perspective. Applications are “born” into the organization, leveraged over time, enhanced, and eventually removed and/or replaced. During their tenure, applications will power specific segments of the business. But in return, applications require care and feeding, budgets, and risk management. To do this with any semblance of maturity, applications should have controlled introductions to the enterprise. This means assigning application owners, specifying cost owners, securing the application, and clearly aligning the application to business outcomes. 

Poor application lifecycle management is apparent when systems lack ownership. For instance, the original system owner may leave the organization, effectively orphaning the app. New, redundant applications are then introduced, creating overlaps and poor user experience. (Anyone who has had to search Confluence, Google Drive, SharePoint, and Slack for a file can attest to this situation.) 

Getting software lifecycle management right is a heavy lift. It starts with procurement, and continues for the lifetime of software operation:

Software Lifecycle Process

The good news is, organizations can iterate their way to the right balance of governance and agility. The apex of maturity doesn’t need to be obtained overnight. Moreover, even a modest amount of application lifecycle rigor will contribute to a better understanding of the portfolio-level view of enterprise software. With some basic application ownership and sunset planning, an enterprise-level roadmap will start to emerge:

Enterprise Software Roadmap View

The enterprise application lifecycle diagram above may be simplistic, but it conveys an important paradigm: the organization’s application portfolio is being intentionally managed as a whole. Rather than piling on duplicative solutions, there’s a deliberate rationale for which solutions are onboarded, why they were chosen, and what solutions they replace over time. 

How Software Asset Management Works

Software asset management tools utilize a cyclical process of first discovering software, then analyzing usage and spend, and then continuously reconciling the portfolio of discovered applications over time. Both discovery and analysis require specific integration types, or “choke points,” throughout the enterprise. Most, if not all, SAM vendors leverage one or more of the following choke points:

Software Asset Management – Software Discovery Choke Points

Each of the four choke points may be summarized thusly:

  1. Software spend – Perhaps the broadest choke point of all, this area focuses on collecting applications employees purchase. If a piece of software is on the corporate purchase radar– be it through a formal PO or less formal expense report– a record of the spend will live in one or more corporate systems. In this case, the SAM tool will crawl the ERP and/or the expense reporting systems to extract software spend and other attributes such as vendor, purchase date, and potentially cost center owners. 
  2. Authentication stats – Modern single sign on (SSO) systems such as Okta, Auth0, and Ping Identity log user authentication and access to federated SaaS applications under SSO. This gate is narrower than the software spend choke point, as only applications under SSO are identified. However, at this stage, we can start to collect coarse-grained software usage such as number of users authenticating to an application, and login frequency. 
  3. Direct API connections – Direct API connections directly connect the SAM solution to SaaS endpoints, and can enable deep application insights such as feature usage and potential security misconfigurations. For example, the SAM tool may convey that pricey enterprise features are being underutilized, which may equate to overpaying for the solution. Similarly, CASB-like features such as alerting to public shared folders in Google Drive or Microsoft OneDrive are common features as well.  
  4. Software agents – While the aforementioned choke points satisfy the majority of software discovery needs, they miss one critical area of software usage: shadow IT. Not all software used within the enterprise is purchased, and (unfortunately) many applications aren’t under corporate SSO. If capturing “freemium” solutions is a requirement, then deploying software agents may be needed. However, be mindful of privacy, as agents may capture personal / non work-related web activity such as a personal Yahoo Mail login or a lunchtime purchase on Amazon.com. 
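
The sketch below is an added example, not code from any SAM vendor or from the original article. It reconciles the first two choke points (spend records and SSO authentication logs) to produce the CSO's list of paid applications that are not under SSO, plus the coarse per-app user counts SSO provides. The record layouts, the suffix list, and the ExampleNotes / ExampleWiki names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows from an ERP / expense export (spend choke point).
SPEND_ROWS = [
    {"vendor": "Salesforce, Inc.", "amount": 120000.0, "cost_center": "Sales"},
    {"vendor": "SLACK", "amount": 18000.0, "cost_center": "IT"},
    {"vendor": "Marketo", "amount": 40000.0, "cost_center": "Marketing"},
    {"vendor": "marketo ", "amount": 5000.0, "cost_center": "Sales"},
    {"vendor": "ExampleNotes", "amount": 600.0, "cost_center": "Engineering"},
]

# Constructed sample SSO authentication events (authentication choke point).
SSO_EVENTS = [
    {"app": "Salesforce", "user": "ana"},
    {"app": "Salesforce", "user": "raj"},
    {"app": "Slack", "user": "ana"},
    {"app": "Slack", "user": "ana"},
    {"app": "ExampleWiki", "user": "raj"},
]

LEGAL_SUFFIXES = (", inc.", " inc.", " llc", " ltd")  # assumed list, extend as needed

def normalize(name):
    """Reduce a vendor or app label to a comparable key."""
    key = name.strip().lower()
    for suffix in LEGAL_SUFFIXES:
        if key.endswith(suffix):
            key = key[: -len(suffix)]
    return key.strip(" ,")

def reconcile(spend_rows, sso_events):
    """Compare the spend view with the SSO view of the application portfolio."""
    spend = defaultdict(float)
    for row in spend_rows:
        spend[normalize(row["vendor"])] += row["amount"]
    users = defaultdict(set)
    for event in sso_events:
        users[normalize(event["app"])].add(event["user"])
    return {
        "paid_not_under_sso": {a: spend[a] for a in sorted(spend.keys() - users.keys())},
        "sso_without_spend": sorted(users.keys() - spend.keys()),
        "sso_user_counts": {a: len(users[a]) for a in sorted(users)},
    }

if __name__ == "__main__":
    for section, value in reconcile(SPEND_ROWS, SSO_EVENTS).items():
        print(section, value)
```

Exact-name matching after normalization is the weak point: one vendor can sell several products, so a production reconciliation needs a maintained vendor-to-application mapping rather than string equality.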

It’s worth noting that “API connectivity” comes in a few flavors. Point-and-click API integration (traditionally called enterprise application integration or “EAI”) is by far the preferred means of connecting SAM to other solutions due to its simple approach which anyone can execute. Other approaches may involve software development kits (SDKs) and direct API interaction; both of which require software development skills. 

Software Asset Management Vendor Map of 2021

As noted in the introduction, software asset management tooling may have overlapping functionality with SMP, SIEM, and IAM solutions. Moreover, software asset management is a subset of IT asset management, which collects and analyzes both hardware and software; including on-premises software. 

Yet for many companies, managing SaaS spend is of primary interest. As such, this vendor map homes in on SaaS-focused SAM companies, and omits vendors who attempt to play beyond the SAM space itself. 

Software Asset Management Vendors of 2021

This diagram illustrates the top SAM players with a strong SaaS discovery featureset. The X-axis conveys how long the vendor has been in business, and the Y-axis showcases how many direct SaaS connectors the SAM solution provides. As shown, there is almost a perfect 50/50 split of new players (firms in business for less than eight years) from those who’ve been in business much longer. Additionally, the sweet spot of direct SaaS connectors hovers around 35.

Over the past few years, the software asset management marketspace has been lively. Multiple new entrants such as Productiv, Intello, and Torii have emerged. M&A activity has been ongoing, as demonstrated by Apptio’s acquisition of SaaSLicense, LeanIX’s acquisition of Cleanshelf, and SailPoint’s acquisition of Intello. The former Aspera solution was rebranded to USU as well. 

Software Asset Management Scoring Criteria Considerations

Every SAM buyer is going to have slightly different criteria and associated weights. However, presented here are five general points to take into account when evaluating SAM solutions:

  1. Software coverage – As shown in the How Software Asset Management Works section, various choke points are used to collect software purchases and usage. Most of the tools covered here focus on SaaS. However, many go beyond SaaS and collect end-user device stats from configuration management tools such as JAMF and Microsoft System Center Configuration Manager (SCCM). Some SAM tools also inventory IaaS spend; competing directly with tools such as CloudHealth and CloudCheckr. 
  2. API maturity – As is the case with many SaaS solutions, most SAM tools are walled gardens. They grab data from other systems, and require you to log in to the SAM tool dashboard to analyze spend. But SAM data is better when it’s cross-pollinated among systems; specifically contract lifecycle management (CLM) to gain contract start/end dates, and enterprise service management (ESM) systems such as ServiceNow to auto-populate software catalogs. Such advanced enterprise connectivity is dependent on a mature API within the SAM tool. 
  3. Pricing transparency – SAM tooling has a high value proposition as it can literally help save millions of dollars. While the pricing model doesn’t need to be “cheap,” it should be easy to understand. Some vendors charge based on the number of human users; others based on accounts in the SSO system, and still others based on dollars you save. The bottom line here is to fully understand the licensing paradigm and avoid costly licensing surprises in the future.  
  4. Automation and AI – Many vendors require manual processes to initially deploy and maintain their SAM solution. Shuffling the occasional CSV file (to update cost centers for example) may be acceptable but constantly requiring human bandwidth is not. The solution should go beyond automatically discovering software to also convey insights such as licensing recommendations. AI and complex heuristics can make your life easier by understanding the difference between Google Workspace licenses and Google Ads for example; cutting down on otherwise manual slicing and dicing of general data.  
  5. Time to market – Is the solution plug-and-play, or is custom development required? One simple question to ask vendors is if their SaaS connectors are point-and-click or require API and/or SDK development to realize full functionality. A point-and-click SAM setup should be completed in less than one week. More complex setups can take months if human processes and custom integrations are needed. 

Software Asset Management Selection Criteria Template

Attached is a template intended to serve as a starting point for software asset management tool selection. Click the image below to download the file in Microsoft Excel format. 

Disclaimer

All vendor-specific data points have been collected from public sources such as vendor websites and public press releases. Customers purchasing a software asset management solution must exert their own methodical due diligence to make informed purchase decisions.