An Approach for Addressing Software License Compliance in Virtual Environments

In many of my discussions with software producers relating to software licensing and machine fingerprinting, almost all are using hardware MAC address, the UUID (Universally Unique Identifier) of the motherboard and/or CPUID information. However, should software licensing be completely based off of the hardware MAC, UUID of the mother board or CPUID information? This process worked very well before the introduction of virtualization but now that virtualization has become more mainstream in the corporate and enterprise environment, software producers really need to reconsider how they are going to license their software.

Machine-based fingerprinting is a typical security model that almost all software licensing is based off (and still exists today). This model breaks down when applications and operating systems are being virtualized and running simultaneously on  the same physical machine. Often times, these virtual machines are a complete replica of one another running on multiple and sometime across different data centers. It is however, fairly straight forward to detect and prevent the movement of a virtual machine through various licensing strategies including:

  • The ability to detect and deny running in any virtual environment
  • Proxy approach to gain access to the physical host identity
  • The use of a security dongle
  • External proprietary hardware

However, many of these approaches are not ideal solutions in an enterprise environment where mobility of virtual machines plays a key role and an integral part of enterprise IT operations. For example, they are not ideal for addressing:

  • Maintenance period without downtime
  • Disaster recovery requirements
  • High availability
  • Server migration and consolidation without downtime
  • Data center expansion
  • Workload balancing across multiple and heterogeneous data center

As virtualization technology becomes more mainstream across the enterprise environment, the ability to detect and determine whether a clone virtual machine exists across multiple network segments; but at the same time allow the mobility of a virtual machine is a challenging problem to solve.

Perhaps an ideal solution would be to allow the virtual machine to "call home" and register itself to a trusted source, typically the software producer back-office entitlement management system. This model would require network connectivity to the outside world that would allow the enterprise to move and make a clone of a virtual machine without being out of software license compliance.  What are your thoughts on this approach, would this model work in your environment?

 

2 comments on “An Approach for Addressing Software License Compliance in Virtual Environments

  1. Chris on   # Reply

    The challenge my software company is facing now is with large enterprises that virtualize servers, require VM portability across physical locations (i.e., no dongles), and lock down datacenters to prevent direct Internet access by servers (e.g., government, military, high-security corporations). We don’t really want to get into the business of selling a LAN license server product, nor do we wish to rework our current online license server model (although that seems like a key requirement when bringing in a third-party licensing package).

    I’d love to find a strong, flexible, multi-factor, node-locking licensing solution.

  2. Tu Le on   # Reply

    In a disconnected use case (like your scenario above), having a “root of trust” is paramount. Adding virtualization into the equation then also makes trust even more difficult and challenging. For example, some common scenarios:

    1. A user clones a VM and copies it to another physical data center and each data center is unique and unconnected to one another.

    2. In many enterprise environment, multiple hypervisors are being deployed (e.g., Citrix Xen and Microsoft Hyper-V), so users can clone a VM and import it into a another hypervisor environment.

    3. A user clones a VM and runs it in an isolation mode on a workstation (e.g., VMware Workstation, Parallel, Oracle VirtualBox).

    4. A user clones a VM and copies it into two different and isolated environments, and each environment has the same network configuration (hot standby redundancy environment).

    From a licensing perspective and depending on your trust model with your customer and assuming a hostile (intentional misusage) environment – a few effective measures would be:

    1. Deploy a license server where your application in a VM would require to check out a license.

    2. A dongle or other external hardware with a unique identifier embedded is still an effective measure to prevent VM cloning.

    a. Concerns about mobility of the VM can be mitigated by the enterprise user with deployment a dongle server (http://www.seh-technology.com/products/usb-device-servers/myutn-80-dongle-server.html) where it can facilitate the movement of the dongle without having to physically attach the dongle to the host.

    3. TPM or trusted platform module is by far the industry standard for hardware root of trust. TPM usage is accelerating (e.g., Windows 8 and 2012, Microsoft BitLocker, Intel TXT framework) and TPM ensures systems are in a secure state before allowing any application or OS to run. A licensed application can leverage TPM to generate a unique and secure host fingerprint.

    If you want to discuss further, feel free to contact me: tle (at) flexerasoftware (dot) com

Leave a Reply

Your email address will not be published. Required fields are marked *