There are so many kinds of risk that we address and must consider in IT systems it is easy to overlook risks that are non-technical, especially ones that we often do not address directly, such as licensing. But licensing carries risks, and costs, that must be considered in everything that we do in IT.
As I write this article, the risks of licensing are very fresh in the news. Just yesterday, one of the largest and best known cloud computing providers suffered a global, three hour outage that was later attributed to accidentally allowing some of their licensing to expire. One relatively minor component in their infrastructure stack, with massive global redundancy reduced to worthlessness in a stroke as their licensing expired. Having licensing dependencies means having to carefully manage them. Some licenses are more dangerous than others. Some only leave you exposed to audits, others create outages or dataloss.
Licensing may be a risk intentionally, as in the example above where the license expired and the equipment stopped working. Or they can be less intentional, such a remote kill switches or confusion of equipment with dates or misconfiguration causes systems to fail. But it is a risk that must be considered and, quite often, may have to be mitigated. The risk of critical systems time bombing or dying in unrepairable ways can be very dangerous. Unlike hardware or software failure, there is often no recourse to repair systems without access to a vendor. A vendor that may be offline, might be out of support, might no longer support the product, may have technical issues of their own or may even be out of business!
Often, licensing outages put customers into a position of extreme leverage for a vendor who can charge nearly any amount that they want for renewed licensing during a pending or worse, already happened, outage. Due to pressure, customers may easily pay many times the normal prices for licensing to get systems back online and restore customer confidence.
While some licensing represents extreme risk, and some merely an inconvenience this risk must be evaluated and understood. In my own experience I have seen critical software have licensing revoked by a foreign software vendor simply looking to force a purchasing discussion and causing large losses to environments for which there was little legal recourse, simply because they had the simple ability to remotely kill systems via their licensing even for paid costumers. Generally illegal and certainly unethical, there is often little recourse for customers in these situations.
And of course, many license issues can be technical or accidental. Simply that licensing servers go offline, systems break, accidents happen. Systems that are designed to become inaccessible when they cannot validate their licenses simply carry an entire category of risk that other types of systems do not. A risk that is more common than people often realize and often has some of the least ability to be mitigated.
Of course beyond these kinds of risks, licensing also carries overhead which, as always, is a form of risk which, in turn, is a form of cost. Researching, acquiring, tracking and maintaining licenses, even those that would not potentially cripple your infrastructure, takes time and time is money. And licensing always carries the risk that you will buy too little and be exposed to audits (or buy incorrectly) or that you will buy too much and overspend. In any of these cases, this is cost that must be calculated into the overall TCO of any solution, but are often ignored.
Licensing time and costs are often one of the more significant costs in a problem, but because they are ignored it can be extremely different to understand how they play into the long term financial picture of solutions – especially as they often later then impact other decisions in various ways.
Licensing is just a fact of life in IT, but one that is hardly cool or interesting so is often ignored or, at least, not discussed heavily. Being mindful that licensing has costs to manage just like any other aspect of IT and carries risk, potentially very large risk, that needs to be addressed are just part of good IT decision making.