Four years ago, Yale New Haven Health System began planning to move its doctors, nurses and staff to single sign-on, a technology that promises to let users quickly access their various accounts with a single set of credentials, fostering greater security than forcing users to memorize a bevy of passwords.
Yet licensing issues -- and the lack of budget to pay for the hefty per-user fees asked for by vendors -- scuttled the project from the get-go.
"We wanted to pay per concurrent user, and [the vendors] wanted to do unique users, and they wouldn't budge," said Steve Bartolotta, director of GRC programs in the YNHHS's Office of Information Security. "Without the money and the budget to pay for that licensing, we had to put the project on hold."
The delay dragged on for four years, leaving the healthcare organization's 25,000 users to manage their own passwords and less secure as a result. Now, at long last, the organization has secured favorable licensing terms and has begun its SSO implementation.
The enterprise security licensing issues experienced by Yale New Haven Health System are not uncommon. Inflexible and impractical vendor licensing models have for years quietly undermined enterprise security, directly by arbitrarily adding to the cost of badly needed security technologies and indirectly by tacitly encouraging employees to seek out unsupported alternatives.
Even worse, these problems have fueled the growth of unsanctioned information technology, more widely known as shadow IT, which is rarely adequately secured because IT security groups seldom know it is in use.
The inflexibility in the licensing terms of many information security software companies, service providers and network and security appliance vendors has left some enterprises forced to do without, or choosing to secure some of their employees and not others. Single sign-on providers are not the only companies whose costs may outweigh the benefits. Data loss prevention (DLP) is another security technology typically sold on per-seat licensing, a model that is expensive and difficult to manage.
Other companies that specialize in enterprise software, such as Microsoft and Oracle Corp., have complex licensing programs that result in expensive software acquisition costs, according to security professionals and analysts. Oracle, for example, licenses its database software by the physical CPUs of the underlying hardware rather than by the virtual CPUs assigned to a virtual machine, which can make the cost wildly different depending on the infrastructure it runs on, according to market research firm Gartner.
"While these technologies give new ways to innovate, they also bring additional software costs," said Stewart Buchanan, research vice president for Gartner's IT Procurement and Asset Management group.
Growth in insecure shadow IT
The tug-of-war between companies looking to minimize their licensing costs and software vendors looking to increase their revenues is a natural offshoot of the business. While some firms have adopted more flexible enterprise-wide licensing models, other providers charge more for essentially the same services that are hosted on virtual platforms. Too many vendors take a combative approach, looking to reap as much profit per customer as possible, said Mathieu Baissac, vice president of product management for Flexera Software LLC, an Itasca, Ill.-based maker of licensing-management applications.
"This is one of the most dysfunctional channels to work with," Baissac said. "I can't think of another channel that has more contention than software licensing."
Other companies find that, while enterprise security product licensing can be a hurdle, it is not an insurmountable one.
Symmes Township, Ohio-based payment-processing technology provider Vantiv LLC, for example, has not had problems working with software and security companies to establish, if not enterprise licensing, "banded" licensing terms that work for a range of users.
Yet Kim L. Jones, chief security officer at Vantiv and an advisory council member for the Information Systems Security Association (ISSA), stresses that companies have to be willing to walk away if their vendors do not meet their terms. Jones has scuttled six- and seven-figure deals because software vendors were not cooperative, which is generally not a problem because no one firm in the security world has a lock on a particular feature or technology, he said.
"My money is green, so I will walk away," Jones said. "I need partners; if you are unwilling to be a partner, then I will find someone else."
Revisit licensing terms
When moving to a new platform, especially one based on virtualization, companies need to revisit their licensing agreements.
"Ultimately, cost depends entirely on the vendor’s licensing model," security analyst firm Securosis said in a recent report on virtual infrastructure. "Customers often forget, when moving from hardware to virtual appliances, to renegotiate pricing with the vendor. If you’re paying on a per-appliance or per-database model, you don’t realize the cost reduction benefit of software."
Avoiding licensing costs by using unlicensed copies of software is a hazard of its own. Some 43% of software used worldwide is not properly licensed, according to the most recent survey by the Business Software Alliance. Worse, pirated software increasingly comes with unwelcome hitchhikers, such as adware or malware -- another security pitfall.
Licensing problems that lead to budget issues and thus become security issues are, in many ways, a sign that the information-technology and information-security groups are not communicating or working with the business, said Yale New Haven Health System's Bartolotta.
"CISOs are often so focused on cybersecurity that they are not building the business relationships that they need to," he said. "They are not getting in front of CEOs and executives and the board, and by doing that, they are not getting the budgets that they need."
In 2005, before YNHHS established its security team, shadow IT was rampant. The requirements to comply with the Health Insurance Portability and Accountability Act of 1996, however, forced the organization to invest in better security and focus on reining in its software assets. The result, Bartolotta said, was a much more secure business.
Companies also have to look beyond licensing terms to how much of what they buy they actually use. More than half of companies have at least 10% of their licensed software sitting unused, according to a study by Flexera and market research firm IDC. Known as shelfware, such waste could be a sign that a company is locked into a multi-year agreement, but it could also be a sign that it is not managing its software assets very well.
In the end, while licensing is not the main reason that companies do not have the security technology they need, budget pressures combined with overlooked licensing expenses and intransigent vendors can result in enterprises getting less security for their money.