The point when a Software Vendor chooses to perform a software review (an ‘audit’ in old money) of their software deployed within an organisation can be triggered by many different actions.
Audits are a fact of life now and another revenue stream for Vendors along with new sales. The chances of you facing an audit are now increasing, but is your organisation ready?
ITAMS’ Lead Consultant Monica explains why it is important to properly coordinate your internal resources and licensing knowledge for any forthcoming software re-negotiations.
“With licensing, as you will already know, things are never black nor white. So before signing a deal with a software vendor, ensure that you are aware of the key relations between your organisation’s internal departments and that the right environment exists to help manage the complex world of software licensing and usage. This is half the battle and definitely a large step in the right direction.
So what does this mean? Allocating the right resources to, and coordinating the collaboration between the different departments in your organisation such as IT Licence Operations, IT Procurement and the Legal department is of uttermost importance. However, if you are a small company, you need not worry about this too much, so long as you have a process for tracking the purchase and use of licences from requisition to disposal.
If you think and act smart, you will soon realise that if you have the right tools, knowledge and clearly defined processes in place, entering into software negotiations and facing off an audit doesn’t need to be a stressful experience.
The above situation applies to all vendors. If we look more closely at Oracle, there are 2 possible scenarios when buying and managing your software.
The first one may be that you are stuck in standard contractual terminology. For example, using a decentralised purchasing model or having your price holds attached to the ordering documents. This will translate into what I like to call “licensing chaos”. People will not read the contracts correctly, will misuse licences and will find that they are breaching standard licensing agreements, purely by not being organised internally, nor being able to track usage properly to ensure that compliance is met.
The second is where you prepare in advance to sign a licensing agreement. In this situation, you will have a non-standard contract and a centralised purchasing model. By properly coordinating your internal resources and licensing knowledge, you will be on the safe side, especially if you have a strong legal representative in your company to deal with any software re-negotiations.
My advice to you is to get the right resources and expertise in place and prepare for your software negotiation thoroughly by:
– understanding what your existing and planned software usage is,
– having a consolidated master agreement to govern all purchases and
– standardising the terms of your agreement before signing the deal.
If you need help, then you will be pleased to know that there is plenty out there, however you will need to know where to look! For more advice and help, please do get in touch!”
Oracle Unlimited Licence Agreements (ULAs) – the facts!
The Oracle ULA is generally offered to larger customers as a convenient option to purchase unlimited licences, for a pre-defined list of products and for a limited term. Licence fees are paid up-front, along with the first year of technical support, with the cost often amounting to millions of pounds.
So what are the advantages and disadvantages of this type of deal and how can you ensure that you are making the right decision before choosing to sign a ULA?
ITAMS’ Senior Licensing Consultant Anemaria provides an informative overview of the Oracle ULA.
“First of all, let me summarise the characteristics of this type of contract. In simple terms, an Oracle Unlimited Licence Agreement (ULA) is a contract that gives you the right to use an unlimited quantity of a pre-defined list of products but for a limited period of time, usually 3 years.
Another characteristic of the deal is that, at the end of the term, you decide whether to follow Oracle’s certification process and waive your right to deploy an unlimited number of licenses or to continue with the arrangement and renew the deal.
The two big advantages of the ULA are cost savings and simplicity. Cost savings can be realised if you anticipate a future growth in usage during the contractual term. If so, then a ULA deal will be a good choice.
In addition to this, if you are looking for a single deal for different categories of Oracle products bundled together, or if you prefer simplified support management (of previous Oracle agreements), then a ULA deal will also prove to be a good choice.
However, you will need to be aware of some risks you may be exposed to if you opt for a ULA.
A common problem that customers face during the ULA’s contractual term is that they have made a wrong estimation of their future deployment and that the financial investment in the ULA was not a cost-effective choice.
If you are a large organisation this could be the right option. However, if you are about to enter into a period of mergers, acquisitions or divestments, this can be a very complex situation to manage under a ULA. Furthermore, if the expected growth in usage is not realised, you will most definitely over-pay for the licences your organisation actually uses during the term.
Even if the usage declines during the ULA, you will still be required to pay the same amount of maintenance that was in effect at the beginning of the deal, otherwise you are a non-compliant customer.
Another area of risk comes at the time of exiting the ULA. You must provide Oracle with accurate information about your current deployment to certify the number of licences installed and running at the contractual end date and to sign the Certification letter.
At this moment, the Oracle licence management consultants or the account manager will contact you with lots of technical questions about the actual deployment of the ULA programmes, wanting to ensure that you are not presenting an over-declaration of usage and at the same time, wanting to identify any future upsell opportunities. So, always keep in mind that the over-declaration or the over-deployment of your software is a non-compliance situation.
Declaring a high number of licences in use at the end of the deal will always raise a question mark. In addition to this, if you are not ready to respond and to defend your certification, you will be very exposed to the risk of being audited.
The ULA deal is a suitable option for larger customers, and so the complexity of the system environment will also be discussed. For this reason, best practice requires that if you have already entered into this type of agreement, please ensure you have the processes and tools in place to accurately manage your Oracle deployment.
To conclude, it is best to manage your ULA in time and before Oracle comes knocking on your door to mitigate any potential risks!”
For more information please contact ITAMS or request to download Anemaria’s webinar on, “Oracle Unlimited Licence Agreements (ULAs) – Benefit or Risk?”
This week I approached Alin, one of ITAMS’ resident Oracle experts to help me understand more about the impact of virtualisation/partitioning technologies on Oracle licence assessments. Alin worked within Oracle’s Licence Management Services department for several years and now works in ITAMS’ technical team.
As the need for optimisation grows along with the cost of technical requirements, it seems that most companies choose to use virtualisation/partitioning technologies on their infrastructure, often without considering licensing implications and rules that may impact upon their environment.
Having worked for over three years within Oracle’s Licence Management Services department, Alin observed that key compliance issues were mostly centred on virtual environments. After taking a closer look at Oracle licensing rules, virtualisation and partitioning technologies were being split into two major categories:
- Hard Partitioning: Technologies that enforce the binding of resources and limit them to a virtual machine. (LPAR, vPar, nPar, Solaris containers, etc.)
- Soft Partitioning: Technologies (like VMware) where the virtual machine resources are flexible, covering the needs of each VM. Oracle VM: A “Soft” Partitioning technology behaviour that has a “special” licensing treatment from Oracle, so when the proper settings are made it is considered to be a “Hard” Partitioning technology.
Here are some tips from Alin:
- Try to avoid using Oracle products inside a VMware cluster. Even if you’re using a single product on a single virtual machine of that cluster, Oracle doesn’t recognise VMware so you’ll end up having to license every single physical machine that is part of that cluster.
- If there’s no alternative and you need Oracle in a VMware Cluster, try to avoid using Oracle in a multi-VMware cluster-linked environment or at least try to limit the vMotion option where possible. Having the vMotion option enabled in such an environment could put you in an adverse non-compliance situation. I recently saw a case where a customer had four VMware clusters in separate locations and only a few Oracle products running on a few servers that were part of a single cluster. Oracle asked the customer to license all four clusters just because vMotion was enabled.
- If you have a VMware Cluster where Oracle is running, another alternative would be to have a separate “Oracle Cluster” where you could move the physical machines with Oracle to.
- Beware of using SAN disks with Oracle products installed on them and especially in a Virtual environment, as everything that has access to a SAN disk must be licensed. So for example if you have a VMware cluster that has access to that SAN disk, the entire cluster must be licensed for all the products that are installed on it.
“I do believe that it’s every company’s right to protect against licence non-compliance scenarios and even though Oracle licensing rules have many aspects and particularities, I would recommend at least, to consider the following in regards to Soft Partitioning, especially with VMware:
While setting up the technical architecture for Oracle products, a thought should go to Oracle VM as an alternative to VMware or even to Hard Partitioning technologies where possible. Even if Oracle VM is pretty similar to VMware re: partitioning concept (as it’s Xen based), being owned by Oracle gives them more control over the product, so they are way more permissive with it in terms of licensing, especially with the “binding settings” that somehow limit the resources allocated to a Virtual Machine.”
A sneak peek into Oracle’s auditing process.
Ever wondered why you’re being targeted by Oracle for an audit and what makes you an easy target?
You may have recently received an e-mail saying “You’ve been ‘randomly’ selected by Oracle to perform a review of your Oracle estate. The Oracle License Management department is here to assist you”?
ITAMS’ consultant Madalina (ex-Oracle LMS consultant) provides an interesting insight into why you may be targeted, what you should watch out for and why you should keep a close eye on your Oracle estate.
“The reason why end users should be particularly cautious about how they manage their Oracle estate is mostly because Oracle does not sell licenses with a utilisation key but rather allows companies to deploy the software according to their business needs. Therefore, you could for instance buy 10,000 employee user licenses of “Identity and Access Management Suite (IDM)”, but as your business expands and you employ another 2,000 people, they too can utilize the software from day one.
If you have processes and tools in place to periodically check your license position, then you’re on the safe side as you will be well aware of the necessity to place a new order for an additional 2,000 employee user licenses of IDM; if not you will be left exposed to a compliance gap of 2,000 licenses in the eventuality of an audit.
In order for you to avoid being the lucky winner of one of these e-mails, here is what you should know about Oracle Audits…
An Oracle audit is typically conducted by the Oracle License Management Services (LMS) department. They start from 2 main initiatives.
The first and most common one is the LMS department conducting its own risk analysis. On a yearly basis, LMS will run a selection of their Install Base (the Oracle license repository of all customers) and make a selection of customers identified as presenting a high risk. The high risk profile is based on a variety of factors:
- The size and performance of your company, as well as industry trends and future projections. This means that the more profitable you are as a company, the more exposed you are to a threat of a software audit.
- The time elapsed since the last purchase plays a big part in this risk analysis because, depending on the evolution of the company, not having purchased software for a period of more than 3 years can tell Oracle it’s high time you did!
- Oracle also scans for things like older metrics that are no longer in their price list because then, there is a high probability that you have to migrate your licenses, which, in most circumstances, means an additional cost for your company.
- Decommissioned products might also be an alarm signal. Let’s suppose you’re under an enterprise type agreement that locks you under a requirement to license all your users under a certain product and 3 years ago you purchased 10,000 user licenses of product “x” which is now decommissioned and replaced by product “y”. Currently the requirement is that you buy 2,000 more user licenses but because the initial product is no longer available, in addition you will also be required to migrate all your 10,000 existing licenses to the new product.
The second initiative for starting an Oracle audit may be identified by the Sales Account Manager who might identify a lead after spotting a risk factor with a particular customer. He may hear of a customer deploying VMware or who is deploying software in an environment for which they may have not bought licenses, or a merger/acquisition in place which might leave the customer exposed. The Account Manager would then come to LMS and ask them to contact the customer regarding its licensing position.
In either case – by itself or together with the Account Manager, LMS performs a risk assessment and decides which customers should be targeted. In case the lead is not originally identified by sales, the LMS department will notify sales about their intention to begin conducting an auditing process. This happens because any potential opportunity that may be the result of the LMS review would need to be translated into an order by sales and because this is an engagement that requires a good communication plan with coordinated effort to maintain a commercially-driven relationship with the customer.
The process is then initiated by LMS sending an introductory letter to the customer that reveals their intention for conducting a ‘license review’ process. A soft approach that Oracle is trying to position for most of its audits. The legal framework for conducting the audit is provided by the audit clause found in the OLSA (Oracle License Software Agreement), which in general terms states that within a number of days’ written notice (usually 45 days), Oracle might audit the customer’s software use.
In addition to the LMS department and in countries where the SAM market is more developed (the UK in particular), there is often a dedicated sales organization (Compliance Optimization License Sales (COLS)). This is a sales-driven department which seeks to get a better understanding of the customer’s deployment, often finding any potential compliance issues they can commercially resolve without waiting for a full audit of three to six months to take place.
Coming from the auditing world and only having placed myself recently into better shoes, I thought it would only be fair that customers know what they should watch out for and why they should keep a close eye on their license estate.
So don’t walk around with a target on your back, make sure you have the bull by the horns! ;)”
Whilst on client site, ITAMS’ consultants come across a lot of software that is not officially authorised for use in a business environment. With the increasing emergence of freeware, shareware and trial software being used in businesses across the UK, I decided to ask our Pre-Sales Consultant Matt about some of the common instances he has come across, what organisations need to do in order to stay compliant and how these new instances of software should be treated.
“As a certified auditor in software compliance I found some strange responses to why they use so much of this licensing type in their organisation; it appears many are oblivious to the risks.
Just because it’s an application in freeware it doesn’t mean that there aren’t any associated terms and conditions of use. A software environment can sometimes be made up of 60% freeware but the question is, can that application be used in a corporate environment?
This is one such ‘grey area’. Other examples include the use of iTunes and Google Earth in a corporate environment. The iTunes application for example can sit on your work machine and be used for synchronising a business iPhone but when you start downloading files, where does the responsibility for that file lie? You can install the private version of Google Earth at work but you must only use it for personal use. Once you start using the application for business, the corporate version must be purchased and this carries a substantial per installation cost, so beware!
Trial software is another area of contention. Some licenses have so many hooks it is sometimes difficult to know what you can and can’t do! There are some vendors that allow you to download the trial software but have a fair few stipulations around usage even though they provide you with access to the full version.
The vendor may also state that you have to remove the software from machines when the trial expires. If you don’t, regardless of whether you have accessed it since expiration, then you are liable to pay for the full application license.
WinZip is one such vendor that leads this policy on trial software. I have lost count of the number of organisations I have audited where their trial software is still sat on their computers even after it has lain dormant for months. An audit would expose that weakness, and something innocuous like that could mean a substantial bill!
There is a whole raft of similar examples, and without education and guidance, misinterpretation of usage rights in a business environment could prove to be a liability.
The main aspect to learn from this is to treat all software the same, whether it is purchased officially, freeware, shareware or trial software. Follow the same process and have the same fundamental software lifecycle and recording strategy. This will stand you in good stead and help you control your ‘non-standard’ software estate. Alternatively, place stringent conditions on the use of non-authorised software in the corporate environment.”
I’m on a mission at ITAMS. I want to get under the skin of our experienced consultants that work mainly on site with some of our most important clients. So I’ve decided to spend a little time talking to them and understanding some of the daily challenges they face. We have a range of consultants working at ITAMS, from data specialists to technical gurus and project managers.
This week I decided to catch up with John who is currently working for a large insurance provider. He is in the middle of a VMware licence entitlement assessment. Whilst his current observations are centred on VMware products, many of these are also common for other popular software vendors where licensing support is being provided by a third party.
I asked him what observations and tips he may have that he would like to share with our community. Here’s a round-up of his thoughts:
When a VMware licence is purchased, it is usually insisted that a support or maintenance contract is purchased and used at the same time (these are usually valid for 12 months at a time). However, the support contract can be with a third party and doesn’t have to be with VMware; subsequent contracts would be agreed on the anniversary.
So John’s observations are mostly about the way in which some licence vendors treat the data that identifies each licence, when they are also the third party support contract supplier.
When a licence is issued by VMware it is identified by both a VMware ‘Instance’ number and a VMware Licence Key. Each support contract is acknowledged by VMware who provides a contract identification number. Each contract may contain a number of licences, so each licence is also identified by the support contract on which it is listed.
Because licences are purchased at various times during the year, the contracts tend to have different start and end dates. VMware allows contracts to be Co-termed, where common start and end dates are agreed and two or more contracts are combined, usually under a different contract number or the number of the ‘dominant’ contract (which has the most licences listed against it).
This Co-terming continues to be practiced as more and more licences are purchased and as the list of licences becomes bigger, it is very easy to lose the audit trail of each individual licence, from purchase through to the latest support contract, if the identification numbers are not carried forward.
John has observed that the invoices and contract paperwork issued by most of the third party support entities fail to maintain audit trails by not keeping each licence identified by the Licence Key, Instance number or even the contract from which they were Co-termed. The Licence Key must be the most important piece of information that should identify each licence, but this is invariably missing on every support contract he has ever seen. In some cases incorrect duplication has occurred where Licence Keys have been guessed at by the third party support supplier, when required by the Client.
So John’s top suggestion is that as licence owners, we need to insist on better, clearer audit trails for our licences and on all subsequent contracts with third party suppliers, so that each licence can be traced back to purchase records for the purpose of identifying the Proof of Entitlement. If software has to be re-installed for whatever reason, without the Licence Key it will prove to be quite difficult. Also the added advantage of keeping a firm handle on entitlement records is that it will save time hunting for the correct documentation when this is required for an audit event.