Enterprise Recon 2.5.0

Licensing

This section covers the following topics:

Subscription License

Enterprise Recon 2.5.0 software is available as a subscription in three editions - Enterprise Recon PRO, Enterprise Recon PII, and Enterprise Recon PCI.

Each licensing option offers access to certain features and services in ER 2.5.0, as described in the Feature Comparison table below.

Feature Comparison

Key Features / Capability
Built-in PCI Data Types
Full Suite of Built-in Data Types  
Custom Data Types  
OCR & Audio Scanning
All Target Types
Remediation
Basic Reporting
Access Control Lists
Notification & Alerts
Investigate Page
API Framework  
Data Access Management    
ODBC Reporting    
Risk Scoring and Labeling    
Data Classification with MIP    
Delegated Remediation    

Master Server License

For more information, see our End User License Agreement.

Target Licenses

There are two Target licensing models for ER 2.5.0:

  1. Sitewide License
  2. Non-Sitewide License

For information on the legacy licensing model, see ER 2.0.31: Target Licenses.

Sitewide License

A Sitewide License specifies the maximum data volume that can be scanned cumulatively across all Targets per ER2 instance. This license model permits an unlimited number of Targets to be scanned with ER2 and applies to all Server & DB License and Client License Targets.

The total Sitewide License data usage is calculated as the sum of scanned data across all Targets. See License Usage and Calculation for more information.

Non-Sitewide License

A Non-Sitewide License specifies the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all Server & DB License and Client License Targets per ER2 instance.

Server & DB License

Server & DB Licenses specify the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all locations on Server & DB License Targets.

Category Target
Server Operating Systems

  • Windows Server
  • FreeBSD
  • HP-UX
  • IBM AIX
  • Linux
  • Solaris

A server is a local computer running on any of the Server Operating Systems on a physical host machine or virtual machine. The same license terms apply to any accessible storage that can be scanned remotely with ER2.
Databases

  • IBM DB2
  • IBM Informix
  • InterSystems Caché
  • MariaDB
  • Microsoft SQL
  • MongoDB
  • MySQL
  • Oracle Database
  • PostgreSQL
  • SAP HANA
  • Sybase/SAP Adaptive Server Enterprise
  • Teradata
  • Tibero

Database Targets require only one Server & DB License per host machine.
"My-DB-Server" is a Windows Server that hosts a MariaDB and a PostgreSQL database. Only one Server & DB License is consumed as both databases reside on the same host machine.
Cloud Enterprise

  • Amazon S3 Bucket
  • Azure Storage
  • Rackspace Cloud
  • Salesforce
  • SharePoint Online

Other

  • Hadoop
  • SharePoint Server
  • Websites

The total Server & DB License data usage is calculated as the sum of scanned data across all Server & DB License Targets. See License Usage and Calculation for more information.

Client License

Client Licenses specify the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all locations on Client License Targets.

Each Client License permits the scanning of one Target from each category (e.g. desktop / workstation operating systems, email, and cloud storage) as described in the table below.

Category Target
Desktop / Workstation Operating Systems

  • Windows Desktop
  • macOS

Email

  • Exchange Domain
  • Exchange Online / Exchange Online (EWS)
  • Google Mail
  • HCL Notes
  • IMAP / IMAPS Mailbox
  • Microsoft Exchange (EWS)

Cloud Storage

  • Box Enterprise
  • Dropbox Business
  • Dropbox Personal
  • G Suite
  • OneDrive Business

One Client License allows you to scan:
  • One desktop / workstation Target (e.g. Windows Desktop),
  • One user email account (e.g. Google Mail), and
  • One user cloud storage account (e.g. G Suite)

Client License usage is taken as the maximum number of consumed Client Licenses across all categories.

The total Client License data usage is calculated as the sum of scanned data across all Client License Targets. See License Usage and Calculation for more information.

License Usage and Calculation

License Assignment

Adding Targets in the Web Console or via the API does not consume licenses or data allowance. Data usage is calculated only after a scan has completed successfully, and Non-Sitewide Licenses are only assigned to a Target when it is scanned.

Data Usage

Data usage is the maximum scanned data volume on a Target or Target location, and is based on the actual file size in bytes. This applies to all Target types and file formats. A detailed log of data usage across all ER2 Targets can be obtained from the Data Allowance Usage section in the System > License Details page.

Data usage will only count towards the data allowance limit for successfully scanned locations. Erroneous locations (e.g. inaccessible locations) do not contribute to the data allowance limit. See Data Allowance Limit for more information.

Example 1

The actual file size for the PDF file "My-File.pdf" is 3 MB, while the size on disk for "My-File.pdf" on a compressed drive is 1 MB. When "My-File.pdf" is scanned, the data usage count is 3 MB.

Example 2

The file size for the archive file "My-Data.zip" is 5000 bytes, while the size of the uncompressed file content is 7000 bytes.
When "My-Data.zip" is scanned, the data usage count is 5000 bytes, and the scanned bytes value is 7000 bytes.

Data Usage Calculation

The total data usage for a Target is defined as the peak scanned data volume for the Target, and is obtained by adding the total data usage for each scan root path within a Target. Scanning a sub-location that is contained wholly within a scan root path does not consume additional data allowance.

Take for example the following directory structure in D:\ drive on a Windows desktop:

Windows desktop (host name: My-Windows-Machine) +-- D:\ (data size: 5 GB) +-- D:\FolderA (data size: 3 GB) +-- D:\FolderA\FolderA-1 (data size: 2 GB) +-- D:\FolderA\FolderA-2 (data size: 1 GB) +-- D:\FolderB (data size: 1 GB) +-- D:\FolderC (data size: 1 GB)

"My-Windows-Machine" is added as a new Target in ER2 and the following scans are executed on the Target.

# Scanned Locations Scan Root Path Total Data Usage Comments
1
  • D:\FolderA
  • D:\FolderA
3 GB -
2
  • D:\FolderA\FolderA-1
  • D:\FolderA
3 GB The scan root path and total data usage is unchanged as D:\FolderA\FolderA-1 is a sub-location that is contained wholly within D:\FolderA.
3
  • D:\FolderA
  • D:\FolderB
  • D:\FolderA
  • D:\FolderB
4 GB D:\FolderA and D:\FolderB are two distinct scan root paths and the total data usage is the sum of data usage for D:\FolderA and D:\FolderB.
4
  • D:\
  • D:\
5 GB The new scan root path is D:\ as all previously scanned locations are contained wholly within D:\ drive. The total data usage is now 5 GB as additional data is scanned in the D:\FolderC.

Re-scans of the same locations and data do not count towards additional data usage.

You can view a detailed log of data usage in the Data Allowance Usage section of the System > License Details page.

Data Allowance Limit

Each Target licensing model specifies the maximum data volume that can be scanned across all applicable Targets. This is also known as the data allowance limit.

For Sitewide Licenses, all scanned Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, data is consumed from the Server & DB License or Client License data allowance limit, depending on the scanned Target platform.

For example, a scan is completed successfully for the following Targets:

Target Non-Sitewide License Type Data Size (GB)
1 MySQL database Server & DB License 4
1 SharePoint Server Server & DB License 8
1 Google Mail account Client License 1
1 Dropbox Personal cloud storage account Client License 1

For a Sitewide License, total of 14 GB data is consumed from the Sitewide License data allowance limit.

For a Non-Sitewide License, a total of 12 GB data is consumed from the Server & DB License data allowance limit, and a total of 2 GB data is consumed from the Client License data allowance limit.

Exceeding License Limits

The following scenarios will cause ER2 license limits to be exceeded:

Scenario Impacted Licensing Model
Scanned data volume exceeds the data allowance limit available for the corresponding license pool.
  • Sitewide License
  • Non-Sitewide License
Scanned Targets exceeds the maximum number of allowed Targets or platforms that can be scanned per ER2 instance.
  • Non-Sitewide License

When the license limit has just been exceeded:

  • Scan results for the scan that caused the license limit to be exceeded will be processed and available for viewing.
  • All ongoing scans will be completed but scan results are added to a backlog and will not be processed.

Once the license limit is exceeded, ER2 will operate in reduced-functionality state as below:

  • Scans that were scheduled prior to exceeding the license limit will continue to be executed. However, scan results are added to a backlog and will not be processed until a new, valid license is uploaded to ER2.
    See Processing Blocked for more information.
  • Users are able to set up and schedule new scans but scan results are added to a backlog and will not be processed.
  • Users are able to view and download existing compliance reports but reports will include a watermark to reflect the exceeded license limit state.
  • Users are able to view match results for all scans that were processed before or when ER2 license limit was exceeded.
  • All remediation actions will be disabled.

ER2 will continue to run in reduced-functionality state until a new, valid license is uploaded to ER2.

Example 1

User A adds a MySQL database and workstation Target to a scan schedule and sets the scan to "Scan Now". The scan for the workstation Target completes first and causes the data allowance license limit to be exceeded. The scan results for the workstation Target will be processed fully. However, results for the MySQL database scan will be blocked from being processed and added to a backlog as the scan completed after the license limit had been exceeded.

Example 2

User A starts a scan for 11 Windows Server Targets for an ER2 instance that has 10 Server & DB Licenses and 10 Client Licenses. This causes the ER2 license limit to be exceeded.

The scan for the 11 Windows Server Targets will run to completion, and results will be processed and available for viewing.

However all other scan results will stop being processed, even for scan schedules that only contain Client License Targets.

Processing Blocked

When the license limit is exceeded and ER2 operates in reduced-functionality mode, all scheduled scans will continue to be executed according to schedule. However, results for completed scans will be blocked from being processed until a valid license is uploaded.

Indicator

Targets that have unprocessed scan results will be indicated by the "Processing blocked" status in the Targets page.

Notifications and Alerts

You can create a notification policy to receive alerts and/or emails for the Processing Blocked event, which is triggered when ER2 license limit is exceeded and unprocessed scan results are added to the backlog.

See Notification Policy for more information.

Suppress Scheduled Scans

To prevent building up a huge backlog of unprocessed scan results once the ER2 license limit is exceeded, you can stop all scheduled scans from being executed by enabling the Suppress scans setting from the Scans > Schedule Manager.

Once a new, valid license is assigned to ER2, all scheduled scans will resume starting from the next scheduled date and time.

Download ER2 License File

You must download a license file to activate ER2.

  1. Go to Ground Labs Services Portal and log in.
  2. In the Home tab, scroll down to the Enterprise Recon 2 Licenses section.
  3. Find Enterprise Recon 2.5.0 in the Product column and click Download License.
  4. (Optional) If you have enabled the Services Portal Complex UI, download the ER2 license by going to License > Enterprise Recon 2.5.0 in the navigation menu at the top of the page.

View License Details

You can view the licensee details, get data allowance usage information and manage licensed Targets in ER2 from the System > License Details page in the Web Console.

License Information

The top left of the License Details page displays information on the current ER2 license:
Licensee and expiry date information in the License Details page.

  • Licensed To: The name of the company or organization that the ER2 license is registered to. This is also the name of the Ground Labs Services Portal account.
  • Contact: The full name of the primary contact person for the company or organization.
  • Expires: Date on which the subscription license expires.

License Summary

The License Summary table displays a list of Master Server and Target licenses that are available for this installation of ER2.

Column Description
Type Describes the Target license pool.
Total "x/y" where
- x is the consumed data allowance, and
- y is the total data allowance available.

License Usage

The License Usage table displays a list of Targets and the license pools they are assigned to. This section is not applicable for Sitewide licensing model.

Column Description
License License pool from which the Target is assigned a license (e.g. "server", "client").
Target Name Licensed Target name.
Target Type Target type or platform (e.g. "Dropbox Business", "G Suite").
Location Target location path.
Release License Releases the license for a Target or Target location back to the corresponding license pool (e.g. Client or Server & DB License). The Release License function does not reset or nullify the already-consumed data allowance associated with the Target or Target location.
Releasing the license for a Target, Target location, or scan root permanently removes all scan data and records associated with the corresponding Target, Target location, or scan root from ER2.

Releasing the license for a host Target permanently removes all scan data and records for

  • the host Target (e.g. Server or Desktop / Client Target), and
  • all Target locations (e.g. local storage, local memory, emails, databases, network storage) under the host Target.

You can display specific license usage records by using the following filter options:

  • License
  • Target
  • Type
  • Location

Data Allowance Usage

The Data Allowance Usage table provides a detailed log of data allowance usage in ER2. Each record in the table describes the data usage or total scanned data volume for a distinct Target, Target location, or scan root.

Column Description
License Data allowance license pool.
Target Name Licensed Target name.
Target Type Target Type (e.g. "All local files", "OneDrive Business", "Amazon S3", etc).
Location Target, Target location, or scan root for which the data usage is calculated.
Data Used Total amount of data allowance consumed for the corresponding Target, Target location or scan root.

You can display specific data usage records by using the following filter options:

  • License
  • Target
  • Type
  • Location

To download the Data Allowance Usage log in CSV file format, click Download Data Usage Log.

See Data Usage Calculation for more information.

Upload License File

Expired or expiring licenses must be replaced by uploading a new license file.

To upload a new license file:

  1. On the top right of the License Details page, click + Upload License File.
  2. In the Upload License File dialog box, click Choose File.
  3. In the Open window, locate and select the License File and click Open.
  4. In the Upload License File dialog box, click Upload.