In many of my discussions with software producers relating to software licensing and machine fingerprinting, almost all are using hardware MAC address, the UUID (Universally Unique Identifier) of the motherboard and/or CPUID information. However, should software licensing be completely based off of the hardware MAC, UUID of the mother board or CPUID information? This process worked very well before the introduction of virtualization but now that virtualization has become more mainstream in the corporate and enterprise environment, software producers really need to reconsider how they are going to license their software.
Machine-based fingerprinting is a typical security model that almost all software licensing is based off (and still exists today). This model breaks down when applications and operating systems are being virtualized and running simultaneously on the same physical machine. Often times, these virtual machines are a complete replica of one another running on multiple and sometime across different data centers. It is however, fairly straight forward to detect and prevent the movement of a virtual machine through various licensing strategies including:
- The ability to detect and deny running in any virtual environment
- Proxy approach to gain access to the physical host identity
- The use of a security dongle
- External proprietary hardware
However, many of these approaches are not ideal solutions in an enterprise environment where mobility of virtual machines plays a key role and an integral part of enterprise IT operations. For example, they are not ideal for addressing:
- Maintenance period without downtime
- Disaster recovery requirements
- High availability
- Server migration and consolidation without downtime
- Data center expansion
- Workload balancing across multiple and heterogeneous data center
As virtualization technology becomes more mainstream across the enterprise environment, the ability to detect and determine whether a clone virtual machine exists across multiple network segments; but at the same time allow the mobility of a virtual machine is a challenging problem to solve.
Perhaps an ideal solution would be to allow the virtual machine to "call home" and register itself to a trusted source, typically the software producer back-office entitlement management system. This model would require network connectivity to the outside world that would allow the enterprise to move and make a clone of a virtual machine without being out of software license compliance. What are your thoughts on this approach, would this model work in your environment?