Enterprise Recon Cloud 2.12.0

Download ER Cloud 2.12.0 User Guide (PDF)

All Documentation > ER Cloud 2.12.0 User Guide > Getting Started > Licensing

Licensing

This section covers the following topics:

Subscription License
- Feature Comparison
- Bring Your Own License (BYOL)
Master Server License
Target Licenses
- Sitewide License
- Non-Sitewide License
  1. Server & DB License
  2. Client License
License Usage and Calculation
Download License File
View License Details
Upload License File

Subscription License

Enterprise Recon Cloud 2.12.0 software is available as a subscription in three editions - Enterprise Recon Cloud PRO, Enterprise Recon Cloud PII, and Enterprise Recon Cloud PCI.

Each licensing option offers access to certain features and services in ER Cloud 2.12.0, as described in the Feature Comparison table below.

Feature Comparison

Key Features / Capability
Built-in PCI Data Types	✓	✓	✓
Full Suite of Built-in Data Types		✓	✓
Custom Data Types		✓	✓
OCR & Audio Scanning	✓	✓	✓
All Target Types	✓	✓	✓
Remediation	✓	✓	✓
Basic Reporting	✓	✓	✓
Access Control Lists	✓	✓	✓
Notification & Alerts	✓	✓	✓
Investigate Page	✓	✓	✓
API Framework		✓	✓
Data Access Management			✓
ODBC Reporting			✓
Risk Scoring and Labeling			✓
Data Classification with MIP			✓
Delegated Remediation			✓

Bring Your Own License (BYOL)

For existing customers, Enterprise Recon Cloud introduces the Bring Your Own License (BYOL) option. This means you can use your existing Enterprise Recon license to access product images via AWS.

Contact Ground Labs Support Team if you need assistance regarding your license.

Master Server License

For more information, refer to our End User License Agreement.

Target Licenses

There are two Target licensing models for ER Cloud 2.12.0:

Sitewide License
Non-Sitewide License

Sitewide License

A Sitewide License specifies the maximum data volume that can be scanned cumulatively across all Targets per ER Cloud instance. This license model permits an unlimited number of Targets to be scanned with ER Cloud and applies to all Server & DB License and Client License Targets.

The total Sitewide License data usage is calculated as the sum of scanned data across all Targets. For more information, refer to License Usage and Calculation.

Non-Sitewide License

A Non-Sitewide License specifies the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all Server & DB License and Client License Targets per ER Cloud instance.

Server & DB License

Server & DB Licenses specify the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all locations on Server & DB License Targets.

Category	Target
Server Operating Systems	Windows Server FreeBSD HP-UX IBM AIX Linux Solaris A server is a local computer running on any of the Server Operating Systems on a physical host machine or virtual machine. The same license terms apply to any accessible storage that can be scanned remotely with ER Cloud.
Databases	IBM DB2 IBM Informix InterSystems Caché MariaDB Microsoft SQL MongoDB MySQL Oracle Database PostgreSQL SAP HANA Sybase/SAP Adaptive Server Enterprise Teradata Tibero Database Targets require only one Server & DB License per host machine. "My-DB-Server" is a Windows Server that hosts a MariaDB and a PostgreSQL database. Only one Server & DB License is consumed as both databases reside on the same host machine.
Cloud Enterprise	Amazon S3 Bucket Azure Storage Google Cloud Storage Rackspace Cloud Salesforce SharePoint Online
Server Applications	Confluence On-Premises SharePoint Server
Other	Hadoop Websites

The total Server & DB License data usage is calculated as the sum of scanned data across all Server & DB License Targets. For more information, refer to License Usage and Calculation.

Client License

Client Licenses specify the maximum number of Targets and the maximum data volume that can be scanned cumulatively across all locations on Client License Targets.

Each Client License permits the scanning of one Target from each category (e.g. desktop / workstation operating systems, email, and cloud storage) as described in the table below.

Category	Target
Desktop / Workstation Operating Systems	Windows Desktop macOS
Email	Exchange Domain Exchange Online / Exchange Online (EWS) Google Mail HCL Notes IMAP / IMAPS Mailbox Microsoft Exchange (EWS)
Cloud Storage	Box Inc Dropbox Business Dropbox Personal Google Workspace OneDrive Business
Productivity	Microsoft OneNote Microsoft Teams

One Client License allows you to scan:

One desktop / workstation Target (e.g. Windows Desktop),
One user email account (e.g. Google Mail), and
One user cloud storage account (e.g. Google Workspace)

Client License usage is taken as the maximum number of consumed Client Licenses across all categories.

Scanning two desktop / workstation Targets (e.g. Windows Desktop), and five user email accounts (e.g. Google Mail) consumes five Client Licenses.

The total Client License data usage is calculated as the sum of scanned data across all Client License Targets. For more information, refer to License Usage and Calculation.

License Usage and Calculation

License Assignment

Adding Targets in the Web Console or via the API does not consume licenses or data allowance. Data usage is calculated only after a scan has completed successfully, and Non-Sitewide Licenses are only assigned to a Target when it is scanned.

Data Usage

Data usage is the maximum scanned data volume on a Target or Target location, and is based on the actual file size in bytes. This applies to all Target types and file formats. A detailed log of data usage across all ER Cloud Targets can be obtained from the Data Allowance Usage section in the System > License Details page.

Data usage will only count towards the data allowance limit for successfully scanned locations. Erroneous locations (e.g. inaccessible locations) do not contribute to the data allowance limit. For more information, refer to Data Allowance Limit.

ER Cloud calculates the actual size of files using the decimal (base-10) system, where 1 MB = 1,000,000 bytes, 1 GB = 1,000,000,000 bytes, and so forth. This may result in a discrepancy when compared with the data / file size reported by operating systems that use the binary (base-2) system. For example, 1,000,000 bytes would be reported as 1 MB data usage in Enterprise Recon Cloud 2.12.0, and be displayed as 0.9537 MB in base-2 operating systems.

Example 1

The actual file size for the PDF file "My-File.pdf" is 3 MB, while the size on disk for "My-File.pdf" on a compressed drive is 1 MB. When "My-File.pdf" is scanned, the data usage count is 3 MB.

Example 2

The file size for the archive file "My-Data.zip" is 5000 bytes, while the size of the uncompressed file content is 7000 bytes.
When "My-Data.zip" is scanned, the data usage count is 5000 bytes, and the scanned bytes value is 7000 bytes (refer to Scanned Bytes in the Scan History Details section).

If the same location is recognized and scanned by ER Cloud separately as a different location and/or as a different protocol, ER Cloud will count the licensed data usage separately for each individual location. For more information on how to prevent redundant scanning and increased counting of licensed data usage, refer to the Increased Counting of Data Usage section.

Data Usage Calculation

The total data usage for a Target is defined as the peak scanned data volume for the Target, and is obtained by adding the total data usage for each scan root path within a Target. Scanning a sub-location that is contained wholly within a scan root path does not consume additional data allowance.

Take for example the following directory structure in D:\ drive on a Windows desktop:

Windows desktop (host name: My-Windows-Machine) +-- D:\ (data size: 5 GB) +-- D:\FolderA (data size: 3 GB) +-- D:\FolderA\FolderA-1 (data size: 2 GB) +-- D:\FolderA\FolderA-2 (data size: 1 GB) +-- D:\FolderB (data size: 1 GB) +-- D:\FolderC (data size: 1 GB)

"My-Windows-Machine" is added as a new Target in ER Cloud 2.12.0 and the following scans are executed on the Target.

#	Scanned Locations	Scan Root Path	Total Data Usage	Comments
1	D:\FolderA	D:\FolderA	3 GB	-
2	D:\FolderA\FolderA-1	D:\FolderA	3 GB	The scan root path and total data usage is unchanged as D:\FolderA\FolderA-1 is a sub-location that is contained wholly within D:\FolderA.
3	D:\FolderA D:\FolderB	D:\FolderA D:\FolderB	4 GB	D:\FolderA and D:\FolderB are two distinct scan root paths and the total data usage is the sum of data usage for D:\FolderA and D:\FolderB.
4	D:\	D:\	5 GB	The new scan root path is D:\ as all previously scanned locations are contained wholly within D:\ drive. The total data usage is now 5 GB as additional data is scanned in the D:\FolderC.

Re-scans of the same locations and data do not count towards additional data usage.

You can view a detailed log of data usage in the Data Allowance Usage section of the System > License Details page.

Increased Counting of Data Usage

ER Cloud offers the capability to scan files in different protocols (local storage, network storage locations, etc.). As such, if the same location is recognized and scanned by separately as a different location and/or as a different protocol, Enterprise Recon Cloud will count the licensed data usage separately for each individual location.

To prevent redundant scanning and increased counting of licensed data usage, please take the following precautions during location selection:

For Local Storage and Network Storage scans

Ensure that the same location is not selected for scanning using both Local Storage and Network Storage protocols.
Maintain consistency in the type of scan protocol used for specific files or folders.

For Windows Share Network Storage scans

Do not include multiple shared folders (all pointing to the same physical location) in the scan.
Avoid selecting both a shared folder and its subfolder for scanning if the subfolder is also shared separately.

For more information and detailed scenarios, refer to Mitigate Increased Counting of Licensed Data Usage in ER2.

Data Allowance Limit

Each Target licensing model specifies the maximum data volume that can be scanned across all applicable Targets. This is also known as the data allowance limit.

For Sitewide Licenses, all scanned Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, data is consumed from the Server & DB License or Client License data allowance limit, depending on the scanned Target platform.

For example, a scan is completed successfully for the following Targets:

Target	Non-Sitewide License Type	Data Size (GB)
1 MySQL database	Server & DB License	4
1 SharePoint Server	Server & DB License	8
1 Google Mail account	Client License	1
1 Dropbox Personal cloud storage account	Client License	1

For a Sitewide License, total of 14 GB data is consumed from the Sitewide License data allowance limit.

For a Non-Sitewide License, a total of 12 GB data is consumed from the Server & DB License data allowance limit, and a total of 2 GB data is consumed from the Client License data allowance limit.

Exceeding License Limits

The following scenarios will cause license limits to be exceeded:

Scenario	Impacted Licensing Model
Scanned data volume exceeds the data allowance limit available for the corresponding license pool.	Sitewide License Non-Sitewide License
Scanned Targets exceeds the maximum number of allowed Targets or platforms that can be scanned per ER Cloud instance.	Non-Sitewide License

When the license limit has just been exceeded:

Scan results for the scan that caused the license limit to be exceeded will be processed and available for viewing.
All ongoing scans will be completed but scan results are added to a backlog and will not be processed.

Once the license limit is exceeded, ER Cloud will operate in reduced-functionality state as below:

The ER Cloud reduced-functionality state applies to the whole system regardless of the license or Target type that caused the license limit to be exceeded.

Scans that were scheduled prior to exceeding the license limit will continue to be executed. However, scan results are added to a backlog and will not be processed until a new, valid license is uploaded to ER Cloud. For more information, refer to Processing Blocked.
Users are able to set up and schedule new scans but scan results are added to a backlog and will not be processed.
Users are able to view and download existing compliance reports but reports will include a watermark to reflect the exceeded license limit state.
Users are able to view match results for all scans that were processed before or when ER Cloud license limit was exceeded.
All remediation actions will be disabled.

ER Cloud will continue to run in reduced-functionality state until a new, valid license is uploaded.

The same reduced-functionality behaviour in ER Cloud applies to expired licenses.

Example 1

User A adds a MySQL database and workstation Target to a scan schedule and sets the scan to "Scan Now". The scan for the workstation Target completes first and causes the data allowance license limit to be exceeded. The scan results for the workstation Target will be processed fully. However, results for the MySQL database scan will be blocked from being processed and added to a backlog as the scan completed after the license limit had been exceeded.

Example 2

User A starts a scan for 11 Windows Server Targets for an ER Cloud instance that has 10 Server & DB Licenses and 10 Client Licenses. This causes the ER Cloud license limit to be exceeded.

The scan for the 11 Windows Server Targets will run to completion, and results will be processed and available for viewing.

However all other scan results will stop being processed, even for scan schedules that only contain Client License Targets.

Processing Blocked

When the license limit is exceeded and ER Cloud operates in reduced-functionality mode, all scheduled scans will continue to be executed according to schedule. However, results for completed scans will be blocked from being processed until a valid license is uploaded.

Indicator

Targets that have unprocessed scan results will be indicated by the "Processing blocked" status in the Targets page.

Notifications and Alerts

You can create a notification policy to receive alerts and/or emails for the Processing Blocked event, which is triggered when ER Cloud license limit is exceeded and unprocessed scan results are added to the backlog. For more information, refer to the Set Up Notification Policy section.

Suppress Scheduled Scans

To prevent building up a huge backlog of unprocessed scan results once the Enterprise Recon license limit is exceeded, you can stop all scheduled scans from being executed by enabling the Suppress scans setting from the Scans > Schedule Manager.

You can view suppressed scan schedules in the Schedule Manager page by selecting Deactivated Schedules in the Filter by… pane.

Once a new, valid license is assigned to ER Cloud, all scheduled scans will resume starting from the next scheduled date and time.

One-time scans that were scheduled to start during the window when the Suppress scans setting was enabled will not be resumed when a valid license is assigned to ER Cloud. You can view these schedules in the Schedule Manager by selecting Stopped Schedules in the Filter by… pane.

Download License File

You must download a license file to activate Enterprise Recon Cloud 2.12.0.

Go to Ground Labs Services Portal and log in.
In the Home tab, scroll down to the Enterprise Recon Cloud Licenses section.
Find Enterprise Recon Cloud <edition> in the Products column and click Download License.
(Optional) If you have enabled the Services Portal Complex UI, download the ER Cloud license by going to Licenses > Enterprise Recon Cloud in the navigation menu at the top of the page.

Do not click on manually assign | download to download your license file. This downloads a general license file which does not work with ER Cloud.

View License Details

You can view the licensee details, get data allowance usage information and manage licensed Targets in Enterprise Recon Cloud 2.12.0 from the System > License Details page in the Web Console.

License Information

The top left of the License Details page displays information on the current Enterprise Recon license:
Licensee and expiry date information in the License Details page.

Licensed To: The name of the company or organization that the Enterprise Recon license is registered to. This is also the name of the Ground Labs Services Portal account.
Contact: The full name of the primary contact person for the company or organization.
Expires: Date on which the subscription license expires.

License Summary

The License Summary table displays a list of Master Server and Target licenses that are available for this deployment of Enterprise Recon.

Column	Description
Type	Describes the Target license pool.
Total	"x/y" where - x is the consumed data allowance, and - y is the total data allowance available.

License Usage

The License Usage table displays a list of Targets and the license pools they are assigned to. This section is not applicable for Sitewide licensing model.

Column	Description
License	License pool from which the Target is assigned a license (e.g. "server", "client").
Target Name	Licensed Target name.
Target Type	Target type or platform (e.g. "Dropbox Business", "Google Workspace").
Location	Target location path.
Release License	Releases the license for a Target or Target location back to the corresponding license pool (e.g. Client or Server & DB License). The Release License function does not reset or nullify the already-consumed data allowance associated with the Target or Target location. Releasing the license for a Target, Target location, or scan root permanently removes all scan data and records associated with the corresponding Target, Target location, or scan root from ER Cloud. Releasing the license for a host Target permanently removes all scan data and records for the host Target (e.g. Server or Desktop / Client Target), and all Target locations (e.g. local storage, local memory, emails, databases, network storage) under the host Target. The Ground Labs End User License Agreement only allows you to delete or release the license for a Target if it has been permanently decommissioned.

You can display specific license usage records by using the following filter options:

License
Target
Type
Location

Data Allowance Usage

The Data Allowance Usage table provides a detailed log of data allowance usage in Enterprise Recon Cloud 2.12.0. Each record in the table describes the data usage or total scanned data volume for a distinct Target, Target location, or scan root.

Column	Description
License	Data allowance license pool.
Target Name	Licensed Target name.
Target Type	Target types (e.g. "All local files", "OneDrive Business", "Amazon S3", etc).
Location	Target, Target location, or scan root for which the data usage is calculated.
Data Used	Total amount of data allowance consumed for the corresponding Target, Target location or scan root.

You can display specific data usage records by using the following filter options:

License
Target
Type
Location

To download the Data Allowance Usage log in CSV file format, click Download Data Usage Log.

For more information, refer to Data Usage Calculation.

Upload License File

Expired or expiring licenses must be replaced by uploading a new license file.

To upload a new license file:

On the top right of the License Details page, click + Upload License File.
In the Upload License File dialog box, click Choose File.
In the Open window, locate and select the License File and click Open.
In the Upload License File dialog box, click Upload.

Uploading a new license file replaces the currently active license file in ER Cloud.