GLOSSARY
In this license glossary, we explain technical terms and buzzwords that are used in different areas of the License Library and that you may encounter in your daily work in your software asset management projects.
a
- AES 256 The abbreviation AES stands for "Advanced Encryption Standard", a worldwide standard for the encryption of data. The number 256 refers to the key length of 256 bits. The longer the key, the higher the number of possible keys.
- Asset Items, things, or entities that have potential or actual value to an organization.
- Asset Management Coordinated activity of an organization to realize value from assets.
- Audit Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria have been met. An audit can be an internal audit or an external audit (second or third party), and it can be a combined or integrated audit (combination of two or more disciplines). An internal audit is performed by the organization itself or by an external party on its behalf. See also Software Audit.
- Audit-proof documentation/control In the audit, the software manufacturer checks the compliant use of the applications it provides. This is based on standard terms of use - see EULA - or individual contractual agreements that specify how an acquired right of use is to be documented and how the application may be used. For efficient audit processing, proof of compliant use and risk assessment, appropriate records must be kept in accordance with the applicable terms and conditions of the software manufacturers. See also documented information.
b
- Blacklist The blacklist contains software that is not or no longer included in the scope of the software portfolio and whose use in the company is not desired or not permitted. See Software Portfolio.
- BPaaS Business Process as a Service, or BPaaS for short, is the outsourcing of business processes.
- BYOL Bring Your Own License (BYOL) is the ability to use your own licenses in other environments, such as a public cloud. Often, the licenses can also be managed and monitored on a separate platform.
c
- CAL A Client Access License that gives a user or a device the right to access the services of a server. CALs are used primarily for Microsoft Server products with a server/client licensing model.
- CCPA The California Consumer Privacy Act (CCPA) is a California state privacy law that governs how companies around the world may handle the personal information of California residents.
- Change Adding, modifying, or removing an item that could have a direct or indirect impact on Software and Services.
- Cloud Computing Compliance Controls Catalogue (C5) The Cloud Computing Compliance Criteria Catalogue (C5) specifies minimum requirements for secure cloud computing and is primarily aimed at professional cloud providers, their auditors and customers.
- Commercial data See license inventory.
- Compliance See License Compliance.
- Container Virtualization Container virtualization is a method of allowing multiple instances of an operating system to use the kernel of a host system in isolation from each other. This method of virtualization is therefore considered to be particularly resource-efficient.
- CSA STAR The STAR Registry (Security, Trust, Assurance, and Risk) is a publicly available registry that documents the security and privacy controls of common cloud computing offerings. It is managed and published by the CSA (Cloud Security Alliance).
d
- Digital Asset IT asset that is expressed electronically in a digital format. Digital assets include software assets and digital information content assets.
- Discovery Tool A discovery tool (also inventory tool) identifies the software used on a device and provides support through automatic discovery. The tool establishes a connection to the individual devices to be monitored. It can be executed locally and also externally.
- Documented information Information controlled and maintained by an organization and the medium on which it is contained. Documented information can be in any format and medium and from any source. Documented information may refer to: The management system, including associated procedures; Information created for the organization's operations (documentation); Evidence of results achieved (e.g., records, key performance indicators).
- DoD Cloud SRG, DoD IL The U.S. Department of Defense (DoD) has specific information protection requirements that go beyond the general requirements of the Federal Risk and Authorization Management Program (FedRAMP). Based on the FedRAMP requirements, the U.S. Department of Defense has defined additional security and compliance requirements for cloud computing in its DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers (CSPs) supporting US DoD customers must comply with these requirements.
- Downgrade right A downgrade right allows a software product to be installed in a previous/older version even though a license for the most current version of the software has been purchased.
e
- ECCN The Export Control Classification Number (ECCN) is used to regulate export goods of U.S. origin, as not every such good may be exported to every country in the world.
- ECLASS ECLASS is a cross-industry product data standard for the classification and description of products that is widely used in ERP systems as a standardized basis for a product group structure in Germany.
- End User License Agreement (EULA) An End User License Agreement, or EULA for short, contains guidelines that prescribe the standard use of a software. In some cases, the guidelines of an EULA are extended or restricted by individual contracts. The EULA is often displayed during the installation of a software, which must be agreed to in order for installation to be possible at all.
- EUTL, EU Trusted List The European Union Trust List (EUTL) is a publicly available list of over 200 active and legacy trust service providers (TSPs) with official accreditation for the most comprehensive compliance with the EU's eIDAS regulation on electronic signatures. These service providers offer certificate-based digital IDs for individuals, digital seals for enterprises, and timestamp services that can be used to create Qualified Electronic Signatures (QES) based on digital signature technology.
f
- FedRAMP Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
- FERPA FERPA (Family Educational Rights and Privacy Act) is a U.S. federal law that protects the privacy of student education records, including personally identifiable information and directory information.
- FINRA The Financial Industry Regulatory Authority (FINRA), as a licensing authority in the U.S., is primarily responsible for the supervision of persons involved in the securities industry.
- Framework agreement Various software manufacturers offer framework or individual agreements or commit to such. Framework agreements (also volume license agreements) grant, among other things, extended rights of use during the term compared to the EULA and open up more favorable procurement or management options.
- Freeware Freeware refers to complete and functional software for which no license fees are charged for private use. For use in the commercial sector, license fees may be charged as specified in the respective EULA, so that a license-related assessment should be carried out in accordance with the planned usage scenario before use.
g
- GDPR The General Data Protection Regulation is a European Union regulation that unifies the rules governing the processing of personal data by most controllers, both private and public, across the EU.
- GLBA Also known as the Financial Services Modernization Act, the Gramm-Leach-Bliley Act (GLBA) applies to U.S. financial institutions and governs the secure handling of non-public personal information, including financial records and other personal information.
h
- Hardware Hardware includes physical devices used to process, store, or transmit computer programs or data.
- HIPAA HIPAA stands for Health Insurance Portability and Accountability Act. This 1996 U.S. law regulates the security and privacy of protected health information (PHI) and patient access to medical records.
- Hyperscaler Hyperscalers are computing networks for achieving massive scaling in the area of cloud computing and big data. The infrastructure of hyperscalers is designed in such a way that horizontal scalability is possible. Accordingly, hyperscalers provide a very high level of performance and throughput as well as redundancy.
i
- IaaS Infrastructure as a Service (IaaS) provides the hardware for cloud services, including servers, networking and data storage.
- IAASB The International Auditing and Assurance Standards Board, usually abbreviated as IAASB, is an international private sector body in the field of auditing that acts as a standard setter and, in particular, develops and publishes the International Standards on Auditing and International Standards for Assurance Engagements.
- ILMT You must use the IBM License Metric Tool (ILMT) to inventory IBM software if you have opted for sub-capacity licensing. This tool is provided by IBM free of charge.
- Indirect use Indirect use is when software is not directly operated by a human user, but computing operations are triggered by other computer programs.
- IPsec Internet Protocol Security is a protocol suite designed to enable secure communications over potentially insecure IP networks such as the Internet.
- ISAE 3402 The International Standard on Assurance Engagements 3402, usually abbreviated as ISAE 3402, is an international auditing standard published by the International Federation of Accountants (IFAC), which regulates the audit of an internal control system at a service company including reporting by an auditor. It is particularly relevant for the audit of service companies that take over tasks for other companies in the course of outsourcing and the corresponding commissioning companies. The subject of an ISAE 3402 audit is the description to be prepared by the service provider of the service-related accounting-relevant internal control system.
- ISO 9001 ISO 9001 is a standard for quality management systems and specifies the requirements for such systems.
- ISO/IEC 19770-1 ISO/IEC 19770-1 defines the requirements for an IT asset management system in the context of the organization. It specifies the general asset management requirements of the ISO/IEC 55000 series.
- ISO/IEC 27001 ISO/IEC 27001 is the leading international standard for information security management systems (ISMS) and therefore the most important cyber security certification. It provides organizations of all sizes with clear guidelines for planning, implementing, monitoring and improving their information security.
- ISO/IEC 27002 ISO/IEC 27002 is an international standard that contains recommendations for various control mechanisms for information security. The focus is on security against attacks.
- ISO/IEC 27017 ISO/IEC 27017 is a security standard designed for cloud service providers and users to create a more secure cloud-based environment and reduce the risk of security issues.
- ISO/IEC 27018 ISO/IEC 27018 is a security standard that is part of the ISO/IEC 27000 family of standards. It was the first international standard for data protection in cloud computing services to be promoted by the industry.
- IT Asset An IT asset is an item, thing, or entity that can be used to acquire, process, store, and distribute digital information and has potential or actual value to an organization. IT assets include: software; media (physical and digital); IT equipment (physical and virtual); licenses (including proof of license); contracts; and ITAM system management resources (including ITAM systems and tools and the metadata required to manage all IT assets). Services to meet IT asset management requirements, typically provided externally, can also be considered IT assets, e.g., "software-as-a-service," hardware maintenance, software support, and training.
- IT Asset Management IT Asset Management (ITAM) is the coordinated activity of an organization to realize value from IT assets. IT Asset Management is a subordinate practice of Asset Management, specifically aimed at managing the lifecycles and total cost of IT equipment and infrastructure. ITAM can include hardware asset management, software asset management, and information asset management. The purpose is to plan and manage the full lifecycle of all IT assets to assist the organization in the following: maximize value; control costs; manage risks; support decision making regarding purchase, reuse, decommissioning and disposal of assets; and meet regulatory and contractual requirements. When IT asset management interfaces well with other practices, including service configuration management, incident management, change enablement, and deployment management, asset status information can be maintained with less effort.
- ITSM IT service management (ITSM) refers to the totality of measures and methods required to achieve the best possible support of business processes by the IT organization. In this respect, ITSM describes the transformation of information technology to customer and service orientation.
l
- LDAP The Lightweight Directory Access Protocol (LDAP) is a standardized access protocol that is used for queries and changes in directory services. It is considered the de facto industry standard for applications that need to handle user data.
- License In SAM, the term license is understood exclusively as a software license. A license covers the right to use software. The purchase of a software license does not mean the purchase of the software itself, but only the right to use the software product. The owner of the license thus acquires the right to use the software product in compliance with the conditions defined by the software manufacturer in the EULA or individual contract. In general, the software license is a combination of a detailed description of the software usage rights in the End User License Agreement (so-called EULA) and a license certificate proving the ownership of the software license. The software license can be provided in a variety of ways on physical paper or, more commonly, as a digital copy via email or PDF. These documents may also include a software license key to activate the software product and links to software media such as the installation file.
- License balance The license balance sheet is a cut-off date reconciliation of license inventory and software inventory. See also License Compliance.
- License Compliance License compliance is only fulfilled if all conditions defined by the manufacturer in the form of contracts and terms of use are fulfilled at all times, or if this fulfillment can be verified and proven at any time upon request. It is the condition in which neither a surplus nor a shortage of the required usage rights prevails.
- License compliant Compliance or conformity with the requirements from the terms of use of the respective software manufacturer.
- License inventory The license inventory contains all rights of use for a product version at a specific point in time. The basis of the license inventory is formed by the usage rights of the individual licenses. These rights consist of the total number of licenses and contracts per product version and the regulations on permitted use. These usage rights also include, for example, update and downgrade rights, special usage rights resulting from maintenance agreements or framework agreements (e.g. scope). Licenses that are time-limited and have lost their validity are not counted in the license inventory.
- License management See Software Asset Management.
- License Metric The license metric (metric) is a unit of measure for licenses that is used to count software usage and thus license requirements. Software usage and the license inventory required to support it must be counted based on the same metric. Examples of license metrics: Count per installation, per named user, per concurrent user, or per CPU/core.
- License requirement The license requirement for a software product results from the software usage and minimum licensing requirements from the respective EULA. An example of this is the minimum licensing requirement for Microsoft SQL Server Standard 2019.
- Load balancing In computer science, load balancing is used to distribute extensive calculations or large quantities of queries among several systems working in parallel with the aim of making their overall processing more efficient.
m
- Major Release A major release is a software product that requires its own license (full license or update license). Usually, software versions without a decimal place are major releases (for example, version 1 or 4). In a few cases, software versions with one decimal place are also understood as major releases (for example, version 1.5 or 4.5).
- MDM MDM (Mobile Device Management) is an industry-specific term for the management of mobile devices such as smartphones, tablet computers, and laptops.
- Metric See License Metric.
- Minor Release Minor releases are software versions that do not require their own license. Minor releases always refer to the license of the corresponding major release. Examples are patches or hotfixes that fix program errors. Minor releases are identified by the first and any further decimal places (for example, version 1.5.2 or 4.1).
- Multi-factor authentication Multi-factor authentication (MFA) is a generalization of two-factor authentication in which access authorization is verified by multiple independent characteristics (factors).
n
- NIST The NIST Cybersecurity Framework is a set of guidelines for mitigating enterprise cybersecurity risks, published by the U.S. National Institute of Standards and Technology and based on existing standards, policies and practices.
- Non-Compliance Non-fulfillment or deviation from license compliance. I.e. the sum of the requirements from contracts and terms of use is not met. This can refer to both quantities and content. Failure to comply with the terms of use results in copyright infringement and may result in non-compliance and a violation of civil or criminal law.
o
- OAuth 2.0 OAuth 2.0 is the industry standard protocol for authorization.
- Open Source Software Open Source Software, or OSS for short, refers to software products that are offered free of charge either by developer communities online or by distributors. No licenses are purchased or rented. Nevertheless, these software products are subject to certain restrictions and have their own terms of use. Examples include AGPL, Apache and GPL, each of which prescribes different publication obligations or handling of the copyleft. The source code of open source software products is freely available and can be changed. A narrower definition: software that is subject to one or more licenses that meet the Open Source Initiative's (OSI) definition requirements for open source and are recognized by OSI as open source licenses.
p
- PaaS PaaS (Platform-as-a-Service) is a form of cloud computing in which the hardware and an application software platform are provided by a third-party provider. The solution, which is primarily intended for developers and programmers, enables users to develop, run and manage their own apps without having to build and manage the infrastructure usually required for the process.
- PCI, PCI DSS The Payment Card Industry Data Security Standard, usually abbreviated to PCI or PCI-DSS, is a set of rules in payment transactions that relates to the processing of credit card transactions and is supported by all major credit card organizations.
- Privacy Shield, EU-U.S. and Swiss-U.S. Privacy Shield The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.
- Private Cloud Cloud services offered over the Internet or private internal networks that are available only to defined users (not to the public).
- Proprietary software Proprietary software is characterized by the fact that its distribution is restricted for reasons of patent or licensing law. By definition, the term "proprietary software" covers all software whose copyright is held by a private individual or a company and whose source code is not published under a free license.
- Public Cloud Cloud services offered via the Internet that are available to everyone (possibly for a fee).
r
- Reinstatement A reinstatement generally refers to the subsequent resumption of a maintenance contract. This reinstatement usually incurs additional costs.
- Release A (software) release is the step after development with which the software is published.
- RSA RSA is an asymmetric cryptographic method that can be used for both encryption and digital signing.
s
- SaaS Software as a Service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the Internet. In this model, an independent software vendor (ISV) can contract a cloud provider to host the application. For larger companies, such as Microsoft, the cloud provider may also be the software vendor.
- SAML Security Assertion Markup Language (SAML) is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible because it can be used to authenticate a user once and then communicate that authentication to multiple applications.
- SAP LAW The SAP License Administration Workbench (LAW) is a system survey that must be performed once a year. This involves checking which licenses are used per SAP system. The LAW only describes the procedure in which different tools are used to measure the existing licenses.
- Second use right A second use right typically allows the additional use of the purchased license on a second (often mobile) device in addition to the actual use, without having to purchase another license for this use case. In most cases, however, both installations may not be used simultaneously.
- Single Sign-on Single sign-on means that after a one-time authentication at a workstation, a user can access all computers and services for which he is locally authorized from the same workstation without having to additionally log on to the individual services each time.
- SOC1 SOC 1 is divided into Type 1 and Type 2 reports. Type 1 reports on how adequate a service organization's controls are at a particular time or date, while Type 2 provides a statement on the effectiveness of the controls over a longer period of time.
- SOC2 SOC 2 (System and Organization Controls) reports are independent investigative reports that document how a company or organization implements essential compliance measures and objectives.
- Software Software means any or all programs that process or support the processing of digital information. For the purposes of this definition, software excludes assets with digital information content such as documents, audio and video recordings, graphics, and databases. There is both executable and non-executable software. The purpose of non-executable software is to control or support executable software and includes, for example, configuration information, fonts, and spell-check dictionaries. Digital information managed by executable software (e.g., the contents of documents and databases) is not considered software for the purposes of this definition, even though program execution may depend on data values.
- Software Asset Software that has potential or actual value to an organization. Software can be a collection of software components, e.g., a software product can be a collection of thousands of software files.
- Software Asset Management Software Asset Management (SAM) is the coordinated activity of an organization to realize value from software assets. Software Asset Management is a specialization of IT Asset Management that focuses specifically on software assets. Management of software assets may or may not include management of non-software assets. For reference, the relevant industry definition: "the overall infrastructure and processes required to effectively manage, control, and protect software assets within an organization at all stages of its lifecycle." SAM specifically focuses on the management of acquisition, development, release, deployment, maintenance, and ultimately retirement of software assets. SAM processes enable software assets to be effectively managed, controlled and protected. The goal of SAM processes is to ensure that required data and information about licenses, associated entitlements, and usage are accurately recorded throughout the lifecycle, and that compliance assessments comparing actual usage against permitted usage are regularly performed, evaluated and verified. When digital information content is included in scope and subject to license terms, it is also covered by these requirements.
- Software Audit In a software audit, the software manufacturer verifies the compliant use of the applications it provides for an entire group/company or individual companies. A distinction is made between two types of audit: internal and external. An internal audit, for example, is performed by an internal auditor to identify potential savings or license compliance risks. An external audit of a software manufacturer is focused exclusively on the manufacturer's products. The software vendor evaluates the information provided by the company and verifies the license compliance situation. To ensure the sustainability of license compliance, the relevant processes are usually reviewed in addition to the relevant data as part of an audit.
- Software inventory The software inventory comprises the software usage data as of a key date or a specific point in time. This data is structured and summarized at the individual product level. The individual product level records different versions and editions of a software product as individual software products.
- Software Pooling Pooling in Software Asset Management (SAM) refers to the consideration of software compliance at the overall company level. In this case, the licenses that may be used throughout the company according to the software manufacturer's approach are also allocated in this way in SAM. This means that internal allocation regulations are partially overridden and licenses are "assigned" from cost area A to area B in order to compensate for a shortfall there with licenses that are not used in area A. This reallocation takes place within SAM. The strict relationship between asset and license is dissolved in order to distribute the total available licenses among the installations that actually exist, where an installation-based metric applies. Unused licenses in an area flow into the pool, so that new licenses are only procured if no compliant license is available in the license pool.
- Software portfolio The software portfolio comprises the applications in the scope of the organization. It contains applications of the various software classes that have undergone a functional, technical, data/security, and licensing review and have been released.
- Software usage Software usage describes the consumption of software. Determining the amount of software usage depends on the license metric. Information on software usage is often aggregated from different data sources. The extent of software usage is recorded in the software inventory. Failure to comply with the terms of use results in copyright infringement and may result in non-compliance and a violation of civil or criminal law.
- Software use right Software usage rights are part of the software license and describe how the software is to be used and which rights are granted to the licensee by the software manufacturer. The rights to use the software are usually defined in the software contract and the agreed End User License Agreement (EULA). See also License.
- Sourcing Sourcing refers to the drastic reduction of process costs and the economic use of software and cloud services.
- Strategic Spend Strategic spend is the term used to describe strategically shaped procurements, especially of software, IT services, and cloud services that are considered business-critical in companies.
t
- Tail Spend Tail spend generally refers to the portion of procurements that do not appear to be strategic, large, or particularly critical. This applies above all to the procurement of software, IT services and cloud services.
- TLS Transport Layer Security, the successor to Secure Sockets Layer (SSL) and still often referred to by that name, is an encryption protocol for secure data transmission on the Internet.
- True-Up, True Down As part of an Enterprise Agreement, Microsoft enables the customer to determine and report the change in inventory of licenses retroactively once a year for the past contract year. At the beginning of the last period, the demand was estimated and is corrected upwards at the end by the true-up, or downwards by a true-down. If no change has taken place, zero usage can be reported.
- TRUSTe Companies displaying the TRUSTe 'Privacy Verified' seal have demonstrated that their privacy programs, policies, and practices meet the requirements of the EU-US Privacy Shield and/or the Swiss-US Privacy Shield.
- Two-factor authentication See Multi-factor authentication.
u
- UNSPSC The United Nations Standard Products and Services Code (UNSPSC) is an internationally used commodity classification system.
v
- Virtualization right In the first step, virtualization right describes in general terms whether software may be used in a virtualized environment. In further consideration, finer differences may come into play here (depending on the manufacturer), e.g. whether the software may only be virtualized locally or in the data center, which technology may be used for virtualization, etc.