When it comes to information security in the cloud, security professionals are used to tricky problems. Whether
it's operational issues such as security monitoring of backplane traffic, compliance challenges such as auditing leased environments, or engineering problems such as VM sprawl, we're used to things being a little bit different and more complex in the cloud-enabled world.
But one often-overlooked issue that's a potential hornet's nest for security pros might surprise you: software licensing. Consider what happens when you virtualize a physical application server. For example, say you virtualize an existing application to an Infrastructure as a Service (IaaS) provider or on-premise virtual data center and clone the virtual image to support bursting. If your license for a critical middleware component is issued on a per-server or per-processor basis, how many licenses would you need right after you hit the "clone" button?
Recent changes to the way software providers issue licenses (e.g., Microsoft's License Mobility) help to alleviate some of these problems, but not every software vendor has thought this scenario through to cleanly support cloud. Granted, for the security professional software licensing management issues might seem more like a business problem than a security one. But since software license management has clear risk impacts (inappropriate use of licenses themselves can be a risk), and since responsibility for license assurance oftentimes winds up at the feet of the security organization, it becomes an important topic for security pros to care about.
Software license management in virtual environments
In cloud environments, complexity is introduced in the license management process because many of the automated tools that support traditional software asset management are of limited utility in the virtual space. Tools that work by remotely "crawling" the network looking for running software on live hosts won't necessarily catch virtual images that are offline or in a dormant (paused or suspended) state. Tools that use agents to "phone home" about software running on a particular server can have something of an identity crisis when multiple cloned images report back claiming to be the same host. Unless the software-inventorying tool is virtual-aware (most historically haven't been), an automated approach is likely to have blind spots.
On the manual side, processes that leverage inventories of physical assets to cross-map software license counts to physical assets can suffer just like automated tools can in virtual environments. Keeping an accurate and thorough inventory of virtual images is a pain point for most organizations. Even when software inventory processes do work as intended in a virtual environment, they can still have some unintended consequences. For example, metering tools that "gate" the use of software when a license cap is reached can cause unexpected (and difficult-to-debug) outages in bursting situations when dynamic clones are created in response to upticks in demand.
Software license management strategies in the cloud
Of course, it would be great if we could eliminate use of "per use," "per seat" or other restrictive licenses from scope entirely and only go with software that has flexible licensing. But pragmatists will realize the downfall of this approach: For a large-scale migration (where you're virtualizing waves of dozens or hundreds of machines per week), it's not likely that you can guarantee you've caught and flagged all instances of these types of licenses.
The reality is that an effective process (for everything but the most constrained migration scenarios) has to start with the assumption that at least some of these restrictive types of licenses are in place on the physical assets in scope. This means that you need two pieces of data to account for that: an understanding of what those licenses are and an understanding of what images are running them. With this information, you can find the images where constraints apply and define business or operational rules around their use.
To get a solid understanding of the licensing constraints, the process is the same as the license auditing you already do for physical assets. If you don't already track this, you'll need an assist from outside of information security. Bring in stakeholders from legal (who ideally have records of license parameters for legacy software) and purchasing. A review of your current licensing will help you compile a list of products you need to be most aware of for licensing constraints.
Once you have a list of products with challenging licensing requirements, you'll need to update your software inventory to account for the virtual side of your infrastructure. There are some tools that can help you do this. Commercial tools like Chicago-based Flexera Software LLC's FlexNet Manager Platform and Denmark-based X-Formation's License Statistics come out of the box virtual-aware. This means they know how to interrogate the hypervisor to get licensing-related data, even about dormant images. Traditional asset-management tools like the open source GLPI and FusionInventory can also play a role; they can inventory host assets such as those in VMware's vCenter and allow you to create scripts to help you automate license-collection information (for example, an inventory refresh when dormant images come online).
You won't accomplish these tasks overnight, but starting on software license management when cloud deployments are still small will give you a leg up on controlling this potentially challenging situation before it escalates.
About the author:
Ed Moyle is a senior security strategist with Savvis and a founding partner of Security Curve.