Licensing for Hosted Application Services: Why it costs what it costs

Licensing for Hosted Application Services:

Why it costs what it costs

Application hosting services are experiencing resurgence in popularity these days, due to the prevalence of messaging about the benefits of a “cloud” technology model.  While hosted application services aren’t really cloud (according to cloud technology purists, anyway), they can look and feel and be paid for just like cloud solutions, so the name fits OK.  Hosted applications are desktop or network applications you access via the web, where the software is implemented and managed by a 3rd party application service provider (the host) rather than being installed on your local PC or LAN.  Some software products may be rental-licensed by the ASP, and when combined with the hosting service, the entire subscription service is more like SaaS (software-as-a-service) than the old “purchase and install” approach.

An important supporting program for application hosting service providers is the Microsoft Service Provider License Agreement program. Under a formal agreement with Microsoft or via an SPLA reseller, service providers and independent software vendors are able to license the latest Microsoft software to provide software services and hosted applications to customers. With the SPLA, service providers and ISVs can lawfully license Microsoft products on a monthly basis to host software services and provide application access for their customers. The SPLA supports a variety of hosting scenarios to help providers deliver highly-customized and robust solutions to a wide range of subscribing customers, and it’s the only valid means for obtaining subscription-based provider licensing for these products.

Because the software products being hosted are essentially desktop or LAN-based products, the underlying technology to “deliver” those applications is generally of a similar foundation.  In cases where the provider is offering hosting of Windows-based QuickBooks desktop editions or Microsoft Office applications, for example, the platforms and servers used by the service provider are almost certainly Windows-based.  This operating system, as well as the rights to allow remote user connections to it, is licensed to the provider from Microsoft under the SPLA.  These elements are referred to as “user” licensing elements.

An aspect of Microsoft reporting and licensing which is not well recognized (or frequently complied with) is the difference between user and application licensing.

User licensing, which includes the Windows server access license as well as the remote desktop user license, is a named user access license. This means that the provider need only report and settle for the user license if the user actually accesses the system during the reporting period (usually each month).  Not quite like a concurrent user model, where only the high count of users is reported, the named user model requires that the license for each user be paid if that user logged in at any time and remained logged in for any length of time during the reporting period.

Application licensing applies to the application software license acquired through and governed by the use-rights provided for and granted under the Microsoft SPLA. Rental application licensing is assigned to a specific, named user, and is to be reported fully on a monthly basis regardless of whether or not the user accessed the software. This is in direct contrast to the named user access licensing described above. Providers are required to report and settle on a monthly basis the total number of subscribed application licenses available to users, including Microsoft Office applications, Exchange, SQL and others, regardless of whether or not the user actually logged in and used the products.  The license is assigned to the user and is therefore required to be paid.

Being an application hosting service provider is a complicated business, and there is a lot to consider when developing subscription services for broad customer delivery.  Pricing is one of the complaints customers voice relating to these services, but the reality is that it takes quite a bit in terms of system resources and licensing to provide an acceptable hosted application experience.  This is one of the areas where SaaS and true cloud solutions benefit from a scale economy – where the application is designed for the platform, and one instance of the solution and platform can serve a large number of customers more affordably.

When working with a hosting service provider, it is wise to recognize that the platform and software licensing costs are there to support the type of applications being hosted.  If you have an SQL-based application, you will need the SQL licensing to support it, just like you have to pay for licensing of an Exchange mailbox or a hosted copy of Word.  Enabling only a portion of the total business software requirement may make it difficult to cost justify hosting just one solution.  However, if the business utilizes the host to manage all the desktop applications and data, the cost-efficiency of the approach can increase dramatically.  Regardless of whether the business elects to continue to run software on local PCs, or if it decides to outsource IT to a host and run it there, the company will have to pay the price for software licensing.

Make sense?


Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

rollingballNo retailer wants to become the next Target (pun intended).  Payment card fraud costs businesses and consumers billions of dollars every year.  What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys.  The Target breach in 2013 exposed the data of 110 million payment cards.  Hackers got into the network using perfectly good credentials of the HVAC company.  Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.

EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries.  As it was implemented in various countries, guess where it pushed the fraudsters?  Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.

EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much.  A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP).  Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers.  As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.

Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system.  Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information.  There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase.   The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.

Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push.  Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions.  Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security.  The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.

jmbunnyfeetMake Sense?



[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport