See how Karolinska Institutet optimizes its software estate and mitigates GDPR risks with Snow’s SAM Platform
Karolinska Institutet is one of the world’s leading medical universities, offering the broadest range of education in medicine and health sciences in Sweden. The Institute accounts for the single largest share of all academic medical research conducted in Sweden. The Nobel Assembly at Karolinska Institutet selects the Nobel laureates in Physiology or Medicine.
Karolinska Institutet has 24 departments, based on medical specialization. Historically, these departments were independently run with each school having its own discrete IT function. No one knew what the overall software landscape looked like, and there was no central control of licensing, compliance, procurement and data security. Issues around academic freedom and a long history of independence make the integration of IT services a slow process, today 10 departments have been brought together.
Snow was brought in as part of an ambitious project to centralize IT. Inventory of all installed software and usage across Karolinska Institutet has enabled license owners to consolidate Enterprise Agreements, resulting in cost savings of hundreds of thousands of dollars. Karolinska Institutet has also rolled out Snow Device Manager to control and standardize mobile use. Snow’s GDPR Risk Assessment highlighted which applications in Karolinska Institutet’s estate contain personal data and therefore GDPR risk, starting them on their path to GDPR compliance and creating a process for continually monitoring personal data risks.
ANTICIPATED BUSINESS BENEFITS AND ROI
- Visibility across 10 formerly decentralized departments
- Switching EAs to campus or on-site licenses, saving hundreds of thousands of dollars
- Simplifies and speeds up compliance with GDPR
- Mobile ready to be brought under control
Marcus Isberg, Project Manager, says: “We now have power to negotiate with vendors. It used to be: ‘Where did you get this figure from?’ ‘Oh, I don’t know.’ But with the data from Snow, We can say: ‘In the contract you say we used 5,000 applications, but we’re just using 1,500 so we’re not going to pay that much’.”
SOFTWARE OPTIMIZATION & GDPR COMPLIANCE
Snow was brought in as part of an ambitious project to centralize IT. It has brought visibility, and all the surprises that come with visibility. Data out of Snow identified 2,000 unexpected clients on the system. “We have no idea what they’re doing,” admits Marcus Isberg, Project Manager. “We just see them. We don’t know what they bought. We have no connection to any agreements at all. So we need to work on it.”
As well as flagging up potential compliance issues, Snow insight is shining a light on the costly inefficiencies of Karolinska Institutet’s decentralized purchasing. Each department had its own relationship with the software vendors, or – much more often – procured software on an ad hoc basis. “Now we’re looking into it, we’re realizing how expensive this is. So we now get site or campus licenses instead of buying one by one, saving a lot of money,” comments Isberg.
Karolinska Institutet scientists use a lot of expensive logistic programs. By consolidating its agreements into a site license, the cost of certain pieces of software has fallen from $700 to as little as $45. “And we had thousands of them so it’s lots of money being saved. Not by being compliant but just visibility. Seeing what we’re doing and why and how much it costs us.”
Isberg puts the savings at “millions of Swedish kronor” – several hundred thousands of dollars.
Karolinska Institutet already had site licenses in place with Microsoft and others, but here too insight from Snow will be bearing down on cost. Under a site license, Karolinska Institutet pays the vendor according to an agreed number of employees – however, before Snow, this number was never in correlation to the number licenses actually used. “Instead of asking for a round 400, we can now actually go to the site supplier and say: ‘Okay, we need exactly 347 of this. Give us a quote’.”
Scientists are very sensitive about the safety of their research data, for obvious reasons. But when it comes to the security of their mobile devices or the software they use, improvements are possible. Snow gives insight into who is using what software at which Karolinska Institutet department has been alerting Isberg to potential vulnerabilities.
The new EU directive on data security – the General Data Protection Regulation (GDPR) which comes into force on May 25, 2018 – has brought about a tightening up of processes within the Karolinska Institutet. Isberg supplies data thru Snow GDPR Risk Assessment to the GDPR project so they can pinpoint which applications contain personal data and therefore must to be managed and secured as per the regulation.
Out of 5,000 applications installed across the centralized Karolinska Institutet departments, Snow identified just a few hundred hold personal data – a job that would eat up a lot of time if it had to be carried out manually, with all the risk of error that involves. As Isberg says: “If you don’t know which software to look for it’s like finding a needle in a haystack. Now we get an accurate view of these applications, where they reside and who’s accessing or processing them.”
AUTOMATING MOBILE MANAGEMENT
The implementation of Snow Device Manager will bring process and uniformity to the procurement of mobile devices, and what is installed on them. At the moment, the departments buy “whatever brand, whatever version – old, new, whatever”, with the role of IT limited to providing SIM cards.
The goal is to manage the devices from the moment they are requested for deployment until they are decommissioned. The first step is to use Snow Automation Platform as the client interface for ordering mobile devices. The Karolinska Institutet business applications will be containerized using Snow Device Manager functionality. “We plan to split their phones in half,” Isberg explains. “We will give them the business part with the VPP account. If they still want to use iTunes and download personal apps, we will let them do that, although we might add some kind of blacklist.”
The aim is to have a no-touch policy: an employee requests a phone, and the device – totally Karolinska Institutet branded – is sent on directly to the user who switches it on and is ready to start working. License and usage data from the mobile devices will be pulled through Snow License Manager, imposing compliance and license optimization on the mobile business apps, often the Achilles heel of Software Asset Management.
“With Snow, we found out some individual licenses which we have now transferred to a site license and have made over a 15-fold cost saving”
Marcus Isberg, Project Manager
Snow consultants were brought in via Snow’s Premium Services Program to help with Karolinska Institutet integration project. It is a dynamic, collaborative process. “Snow’s experts really helped us get the most out of the platform. Their professionalism and ability to help us succeed has made a huge impact, ensuring we hit our deadlines for implementation, as well as having a positive effect on the ROI of the project.” Isberg explains.
As the institute-wide understanding grows, Isberg’s brief expands. “They ask you, ‘Okay, make it easier for us to “be compliant” but then you start implementing this and they go: ‘Oh, this is not just license, this is inventory. Can you do this with the inventory? Great. Oh, I would like this report because I want to know which department to charge. Please help me with that.”
As the project progresses, Snow’s role within Karolinska Institutet becomes ever more important – and will continue to be so as the remaining 14 institutes are integrated over the next three years.