This week I approached Alin, one of ITAMS’ resident Oracle experts, to help me understand more about the impact of virtualisation/partitioning technologies on Oracle licence assessments. Alin worked within Oracle’s Licence Management Services department for several years and now works in ITAMS’ technical team.
As the need for optimisation grows along with the cost of technical requirements, it seems that most companies choose to use virtualisation/partitioning technologies on their infrastructure, often without considering licensing implications and rules that may impact upon their environment.
Having worked for over three years within Oracle’s Licence Management Services department, Alin observed that key compliance issues were mostly centred on virtual environments. On a closer look at Oracle licensing rules, virtualisation and partitioning technologies are split into two major categories:
- Hard Partitioning: Technologies that enforce the binding of resources and limit them to a virtual machine (LPAR, vPar, nPar, Solaris containers, etc.).
- Soft Partitioning: Technologies (like VMware) where the virtual machine resources are flexible, covering the needs of each VM. Oracle VM is a “Soft” Partitioning technology that has a “special” licensing treatment from Oracle: when the proper settings are made, it is considered to be a “Hard” Partitioning technology.
Here are some tips from Alin:
- Try to avoid using Oracle products inside a VMware cluster. Even if you’re using a single product on a single virtual machine of that cluster, Oracle doesn’t recognise VMware so you’ll end up having to licence every single physical machine that is part of that cluster.
- If there’s no alternative and you need Oracle in a VMware cluster, try to avoid using Oracle in a multi-VMware cluster-linked environment or at least try to limit the vMotion option where possible. Having the vMotion option enabled in such an environment could put you in an adverse non-compliance situation. I recently saw a case where a customer had four VMware clusters in separate locations and only a few Oracle products running on a few servers that were part of a single cluster. Oracle asked the customer to licence all four clusters just because vMotion was enabled.
- If you have a VMware cluster where Oracle is running, another alternative would be to have a separate “Oracle Cluster” where you could move the physical machines with Oracle to.
- Beware of using SAN disks with Oracle products installed on them, especially in a virtual environment, as everything that has access to a SAN disk must be licenced. So for example if you have a VMware cluster that has access to that SAN disk, the entire cluster must be licenced for all the products that are installed on it.
“I do believe that it’s every company’s right to protect against licence non-compliance scenarios and even though Oracle licensing rules have many aspects and particularities, I would recommend, at least, considering the following with regard to Soft Partitioning, especially with VMware:
While setting up the technical architecture for Oracle products, a thought should go to Oracle VM as an alternative to VMware or even to Hard Partitioning technologies where possible. Even if Oracle VM is pretty similar to VMware re: partitioning concept (as it’s Xen based), being owned by Oracle gives them more control over the product, so they are way more permissive with it in terms of licensing, especially with the “binding settings” that somehow limit the resources allocated to a Virtual Machine.”
A sneak peek into Oracle’s auditing process.
Ever wondered why you’re being targeted by Oracle for an audit and what makes you an easy target?
You may have recently received an e-mail saying “You’ve been ‘randomly’ selected by Oracle to perform a review of your Oracle estate. The Oracle License Management department is here to assist you”?
ITAMS’ consultant Madalina (ex-Oracle LMS consultant) provides an interesting insight into why you may be targeted, what you should watch out for and why you should keep a close eye on your Oracle estate.
“The reason why end users should be particularly cautious about how they manage their Oracle estate is mostly because Oracle does not sell licenses with a utilisation key but rather allows companies to deploy the software according to their business needs. Therefore, you could for instance buy 10,000 employee user licenses of “Identity and Access Management Suite (IDM)”, but as your business expands and you employ another 2,000 people, they too can utilize the software from day one.
If you have processes and tools in place to periodically check your license position, then you’re on the safe side as you will be well aware of the necessity to place a new order for an additional 2,000 employee user licenses of IDM; if not you will be left exposed to a compliance gap of 2,000 licenses in the eventuality of an audit.
In order for you to avoid being the lucky winner of one of these e-mails, here is what you should know about Oracle Audits…
An Oracle audit is typically conducted by the Oracle License Management Services (LMS) department. They start from 2 main initiatives.
The first and most common one is the LMS department conducting its own risk analysis. On a yearly basis, LMS will run a selection of their Install Base (the Oracle license repository of all customers) and make a selection of customers identified as presenting a high risk. The high risk profile is based on a variety of factors:
- The size and performance of your company, as well as industry trends and future projections. This means that the more profitable you are as a company, the more exposed you are to a threat of a software audit.
- The time elapsed since the last purchase plays a big part in this risk analysis because, depending on the evolution of the company, not having purchased software for a period of more than 3 years can tell Oracle it’s high time you did!
- Oracle also scans for things like older metrics that are no longer in their price list because then, there is a high probability that you have to migrate your licenses, which, in most circumstances, means an additional cost for your company.
- Decommissioned products might also be an alarm signal. Let’s suppose you’re under an enterprise type agreement that locks you under a requirement to license all your users under a certain product and 3 years ago you purchased 10,000 user licenses of product “x” which is now decommissioned and replaced by product “y”. Currently the requirement is that you buy 2,000 more user licenses but because the initial product is no longer available, in addition you will also be required to migrate all your 10,000 existing licenses to the new product.
The second initiative for starting an Oracle audit may be identified by the Sales Account Manager who might identify a lead after spotting a risk factor with a particular customer. He may hear of a customer deploying VMware or who is deploying software in an environment for which they may have not bought licenses, or a merger/acquisition in place which might leave the customer exposed. The Account Manager would then come to LMS and ask them to contact the customer regarding its licensing position.
In either case – by itself or together with the Account Manager, LMS performs a risk assessment and decides which customers should be targeted. In case the lead is not originally identified by sales, the LMS department will notify sales about their intention to begin conducting an auditing process. This happens because any potential opportunity that may be the result of the LMS review would need to be translated into an order by sales and because this is an engagement that requires a good communication plan with coordinated effort to maintain a commercially-driven relationship with the customer.
The process is then initiated by LMS sending an introductory letter to the customer that reveals their intention for conducting a ‘license review’ process. A soft approach that Oracle is trying to position for most of its audits. The legal framework for conducting the audit is provided by the audit clause found in the OLSA (Oracle License Software Agreement), which in general terms states that within a number of days’ written notice (usually 45 days), Oracle might audit the customer’s software use.
In addition to the LMS department and in countries where the SAM market is more developed (the UK in particular), there is often a dedicated sales organization (Compliance Optimization License Sales (COLS)). This is a sales-driven department which seeks to get a better understanding of the customer’s deployment, often finding any potential compliance issues they can commercially resolve without waiting for a full audit of three to six months to take place.
Coming from the auditing world and only having placed myself recently into better shoes, I thought it would only be fair that customers know what they should watch out for and why they should keep a close eye on their license estate.
So don’t walk around with a target on your back, make sure you have the bull by the horns! ;)”
Over the past few months ITAMS’ consultant John has encountered two customers who do not understand the full implications of accessing VDIs (Virtual Desktop Infrastructure) via a Thin Client device. He notes that the potential risk of not understanding this is that VDIs may not be licenced correctly and may incur an unexpected cost.
This confusion is compounded when a user uses either XenApp or XenDesktop, because the licence models are different.
With XenApp, when the Windows application opens, there will be a server name in the bottom left corner of the screen. This indicates that it is running on a Windows Server OS. With XenDesktop, when the user logs in through a Thin Client, the computer name will be in the bottom left corner of the screen.
If you are just focusing on the XenDesktop Thin Client situation, Microsoft licenses Windows for virtual desktops by access device:
• Virtual desktop access rights are a benefit of Windows Client Software Assurance (SA). Customers who intend to use PCs covered under SA have access to their Virtual Desktop Infrastructure (VDI) desktops at no additional charge.
• Customers who want to use devices that do not qualify for Windows Client SA, such as thin clients, will need to license those devices with Windows Virtual Desktop Access (VDA) in order to access a Windows VDI desktop. Windows VDA is also applicable to third party devices, such as contractor or employee-owned PCs.
In short, unless there is some form of control of the Thin Client devices, using a product such as AppSense, each and every device will require a VDA subscription license. With 2000 Thin Clients this can be in the region of £160,000 per annum.
ITAMS’ Training and Delivery Operations Coordinator Catherine shares her experiences and observations for resourcing skilled SAM/ITAM staff.
“Starting recently in a role that deals with internal resourcing, I have noticed that within the niche industry we work in, finding the right candidates in ITAM & SAM can be very difficult. The skills needed in this industry are so diverse that it is often difficult to find someone who incorporates both the technical and business skills needed for ITAM.
There is a real shortage of ITAM professionals in the market, and this coupled with the increasing attention organisations are starting to pay to their ITAM and SAM environment, means that finding candidates with the right skills to meet the demand is a tricky task.
As organisations start to notice the importance of ITAM and bring it in house, we have noticed a trend in the recruitment for permanent ITAM positions and a decline in contracting opportunities. Having a team to manage your software licenses and hardware assets can be a great way for a company to make sure this is a constant area of focus within IT.
There is still a lot to be said for the contract market. At ITAMS we have seen how bringing in short term resources to fill a gap in skills and knowledge can often be a very efficient and cost effective way for a company to deal with issues, especially during a SAM/ITAM project when skills need to be specific.
So, in an industry where there is high demand and the right skills are scarce, how can you ensure you meet the criteria?
1. Training – this is often not at the top of an IT Manager’s agenda but a lot can be said for investing in your staff to ensure success. In the recent ITAM Review Salary Survey, it was shown that those with ITIL Foundation qualifications and CSAM (Certified Software Asset Manager) certifications were the highest paid in the industry.
2. Gaining the right skills – It is one thing saying you have worked in SAM/ITAM but quite another to gain in-depth knowledge of specific vendor licensing, experience in analysing data, working with different tool sets and running SAM projects. Taking the time to get your head around these aspects can reap great benefits when looking for opportunities.
3. Network – in a small industry like ours, you need to make contact with as many people as possible. Everyone knows everyone and good first impressions can often impact on where you end up in the next 5 years. Make sure you attend ITAM/SAM related events and get networking! A good starting point is the BCS SAM networking evenings.”
Whilst on client site, ITAMS’ consultants come across a lot of software that is not officially authorised for use in a business environment. With the increasing emergence of freeware, shareware and trial software being used in businesses across the UK, I decided to ask our Pre-Sales Consultant Matt about some of the common instances he has come across, what organisations need to do in order to stay compliant and how these new instances of software should be treated.
“As a certified auditor in software compliance I found some strange responses to why they use so much of this licensing type in their organisation, it appears many are oblivious to the risks.
Just because it’s an application in freeware it doesn’t mean that there aren’t any associated terms and conditions of use. A software environment can sometimes be made up of 60% freeware but the question is, can that application be used in a corporate environment?
This is one such ‘grey area’. Other examples include the use of iTunes and Google Earth in a corporate environment. The iTunes application for example can sit on your work machine and be used for synchronising a business iPhone but when you start downloading files, where does the responsibility for that file lie? You can install the private version of Google Earth at work but you must only use it for personal use. Once you start using the application for business, the corporate version must be purchased and this carries a substantial per installation cost, so beware!
Trial software is another area of contention. Some licenses have so many hooks it is sometimes difficult to know what you can and can’t do! There are some vendors that allow you to download the trial software but have a fair few stipulations around usage even though they provide you with access to the full version.
The vendor may also state that you have to remove the software from machines when the trial expires. If you don’t, regardless of whether you have accessed it since expiration, then you are liable to pay for the full application license.
WinZip is one such vendor that leads this policy on trial software. I have lost count of the number of organisations I have audited where their trial software is still sat on their computers even after it has lain dormant for months. An audit would expose that weakness, and something innocuous like that could mean a substantial bill!
There is a whole raft of similar examples and without education and guidance, misinterpretation of usage rights in a business environment could prove to be a liability.
The main aspect to learn from this is to treat all software the same, whether it is purchased officially, freeware, shareware or trial software. Follow the same process and have the same fundamental software lifecycle and recording strategy. This will stand you in good stead and help you control your ‘non-standard’ software estate. Alternatively, place stringent conditions on the use of non-authorised software in the corporate environment.”
I’m on a mission at ITAMS. I want to get under the skin of our experienced consultants that work mainly on site with some of our most important clients. So I’ve decided to spend a little time talking to them and understanding some of the daily challenges they face. We have a range of consultants working at ITAMS, from data specialists to technical gurus and project managers.
This week I decided to catch up with John who is currently working for a large insurance provider. He is in the middle of a VMware licence entitlement assessment. Whilst his current observations are centred on VMware products, many of these are also common for other popular software vendors where licensing support is being provided by a third party.
I asked him what observations and tips he may have that he would like to share with our community. Here’s a round-up of his thoughts:
When a VMware licence is purchased, the vendor usually insists that a support or maintenance contract is purchased and used at the same time (these are usually valid for 12 months at a time). However, the support contract can be with a third party and doesn’t have to be with VMware; subsequent contracts would be agreed on the anniversary.
So John’s observations are mostly about the way in which some licence vendors treat the data that identifies each licence, when they are also the third party support contract supplier.
When a licence is issued by VMware it is identified by both a VMware ‘Instance’ number and a VMware Licence Key. Each support contract is acknowledged by VMware, who provides a contract identification number. Each contract may contain a number of licences, so each licence is also identified by the support contract on which it is listed.
Because licences are purchased at various times during the year, the contracts tend to have different start and end dates. VMware allows contracts to be Co-termed, where common start and end dates are agreed and two or more contracts are combined, usually under a different contract number or the number of the ‘dominant’ contract (which has the most licences listed against it).
This Co-terming continues to be practiced as more and more licences are purchased and as the list of licences becomes bigger, it is very easy to lose the audit trail of each individual licence, from purchase through to the latest support contract, if the identification numbers are not carried forward.
John has observed that the invoices and contract paperwork issued by most of the third party support entities fail to maintain audit trails by not keeping each licence identified by the Licence Key, Instance number or even the contract from which they were Co-termed. The Licence Key must be the most important piece of information that should identify each licence, but this is invariably missing on every support contract he has ever seen. In some cases incorrect duplication has occurred where Licence Keys have been guessed at by the third party support supplier, when required by the Client.
So John’s top suggestion is that as licence owners, we need to insist on better, clearer audit trails for our licences and on all subsequent contracts with third party suppliers, so that each licence can be traced back to purchase records for the purpose of identifying the Proof of Entitlement. If software has to be re-installed for whatever reason, without the Licence Key it will prove to be quite difficult. Also the added advantage of keeping a firm handle on entitlement records is that it will save time hunting for the correct documentation when this is required for an audit event.
Do you have any tips or advice you would like to share? If so please leave a comment.
All too often we see managed services that are just PaaS (platform-as-a-service) where the customer effectively leases a hosted tool (and even worse, they are sold on the contents of the future roadmap rather than current capabilities).
If your requirement is to simply outsource the management of a technology then this can work, however you must be clear that you understand the deliverables and that you have had a proof of concept demonstrating what you will actually get, followed by a statement of works or contract that puts this down in black and white.
If we take ‘generating an effective licence position’ (ELP) as a normal (and probably now expected!) output of a licence management service, one way that an MSP (Managed Service Provider) can help you is by providing an ‘on-boarding’ service.
This is a dramatically different approach to simply ‘throwing data over the wall’ at your MSP. Onboarding involves generating a list of publishers and products (prioritised by the criteria that are important to you such as risk, spend, contract and maintenance anniversaries, vendor relationship and even ease of completing the task!) that will be properly managed, leading to an ELP that you understand and trust.
Onboarding includes the following main activities that ITAMS can deliver as part of its ELM360 (Enterprise Licence Management) service:
- Data requirements definition
Different products and licence metrics have greatly differing data requirements. There is no one size fits all approach. Your existing discovery tools may not be capable of tracking SQL server deployments correctly, mapping server farms or monitoring usage. ITAMS can identify the data requirements needed to produce a real ‘effective demand’ figure rather than a simple installation number.
- Licence Clearing
Bringing all relevant entitlement and contract data together in the licence repository and modelling the licences which have adequate proof of purchase. This includes linking entitlement to contracts, contract relationships, renewals, upgrades and downgrade paths.
- Software Recognition
Where tools are required to detect the consumption of licences, working with those tools to configure them to recognise software and count it accurately. Verifying that the recognition patterns and rules in the solution are correct. Creating custom rules and patterns for customer specific deployment scenarios.
- Some products may need new discovery tools or data sources to provide accurate data such as physical / virtual relationships, editions, CPU data and usage tracking. These data sources often require combining before being ready for use in an ELP calculation.
- Exception reporting
Highlighting areas of data weakness, insufficient entitlement, data gaps and where assumptions have been made in the final calculations.
- Reaching Effective Licence Position (ELP)
As a result of the above activities, reconciling the installation/usage and entitlement/contract data to reach a known, provable Effective Licence Position.
According to the Gartner Group, “organisations can realise cost savings of between 5 – 35 % by implementing focused software asset management practices”. So how can you realise cost savings or even release value from your IT assets?
There are a number of ways this can be done. IT asset value can be ‘hard’ (monetary) and ‘soft’ (efficiency and effectiveness of operations). Hard value is realised by minimising spend and selling used assets. Soft value is reducing the cost of associated operations. Cost avoidance is a large component of this, avoiding the cost of buying more software than is actually needed and re-harvesting existing surplus software.
The following checklist provides a quick view on where value / savings can be derived:
- Sell unused software – selling software that is no longer required. To do this you must ensure that you have a good handle on your IT assets. Know exactly what licences you have, who is using them, how they are being used and on what hardware. Also consider whether you are likely to embark upon a software migration/upgrade project or an M&A that may result in unwanted licences. An ELP (Effective Licence Position) supported by good quality inventory and usage data will also help to pinpoint unwanted licences.
- Stay compliant – avoid unbudgeted / unforeseen audit costs (including internal resources, 3rd party, tools and fees), by being audit ready. Understanding natural licence renewal points and anticipating licence demand in the business can also help to stay compliant.
- Maximise product usage rights and entitlements – ensure you are exploiting the product usage rights that come with your software, (e.g. free 2nd installs on an allocated laptop which comes with some products).
- Provide the right application for the right user – ensure that users have access to what they need to perform their roles, improving efficiency and productivity. This includes the right edition and user type for a product – often the default position is to purchase the highest features which might not be needed. Target training requirements and improve collaboration.
- Reduce Support & Maintenance costs – ensure that only approved and standard applications are installed. This reduces infrastructure and support costs and related IT functions such as security costs. Support costs can be reduced significantly. A KPMG survey in 2008 stated that a 50% reduction in support costs can be achieved by managing software effectively.
Understanding your IT assets allows you to:
- budget and forecast effectively
- support and facilitate internal re-charging and cost allocation for services
- prepare and implement more effectively for upgrades/migration projects
- identify security vulnerabilities and apply fixes and patches
- use your existing assets more efficiently
Some of the services that ITAMS can help with include: building a business case for SAM, gap & risk analysis, audit defence, ELP generation, etc.
Achieving data accuracy can initially be unnerving. Not knowing this can hide a plethora of issues that do not come to light until a vendor, such as IBM, demands an audit. When this happens there is no window for any remediation work, nor investigation on how best to proceed.
On the other hand having good quality data can be a ‘win’ situation and can help with:
- planning for warranty – reducing maintenance budgets
- managing leases – reducing cost at end of life
- software optimisation – reducing licensing costs
- utilising asset reuse and increased reliability to provide maximum use of life
If IT Asset information is not accurate it can have a dramatic effect on the bottom line. In the two cases which come to mind, both relied heavily on accurate information. One client had an exposure of approximately £3 million whilst another made a saving of about £20 million.
On another occasion, ITAMS was asked to conduct a due diligence audit for an outsourcing organisation. This involved an audit on all the hardware which was going to be managed under the contract. Initially we were told there were 10,000 desktops to audit. Within the first two weeks of the project, it soon became apparent that this number would be much higher. On completion, we audited approximately 17,500 systems. The implications were large and the atmosphere difficult, as many decisions, such as licensing and hardware maintenance budgets, had been made based on the assumed figure.
With all such undertakings there are generally more assets than anticipated. The norm is 10% to 15% extra. However, this can swing the other way when an outsourcer manages an audit, and reporting can often be overstated by 30%. A classic finding is maintenance being paid on 10-15% of hardware assets which no longer exist, and approximately 20% of software assets that are no longer in use.
In summary, inaccurate data will affect the bottom line both negatively and positively. The effect may not necessarily be immediate, but the longer it is left, there is a greater risk that an event will expose any problems which could potentially be both embarrassing and expensive.
Traditionally, walk-around or physical audits have been the mainstay for IT Asset managers, but in today’s technology-rich climate there is a plethora of electronic network audit tools that can offer faster data collection capabilities.
Electronic audit tools are, however, complementary to walk-around audits, not a replacement. Physical audits are expensive and, if used, should only be used to kick-start a project. Drivers for physical audits might be the level of accuracy required, coverage of secure or non-LAN-connected assets (e.g. stores), and the additional information they offer (e.g. location, assignment, asset tag, nearest phone, etc.). Cross correlation of physical and discovery data is now highly useful… especially when integrated with an asset lifecycle tracking system.
The table below sets out a brief overview of the two common data collection methods:
| Data Collection Method | Description |
|---|---|
| Electronic Network Audit Tools | Discovers and scans all hardware devices on the IT network for detailed hardware attributes and all the installed software and operating systems |
| Walk around / physical audit | Physically/visually identifies the hardware device |
Both data collection methods provide practical options for managing your hardware estate; however, neither method, standalone, can provide 98+% data accuracy.
So what is the best method?
From experience there are several obstacles that may get in the way of correctly managing your hardware estate. Firstly at management level, key decision makers tend to argue, “We know what we have, I do not see any problem, or why fix it when it is working?”. Lower in the organisation the case is different, “We have always done it this way, but we know the data is less than 70% accurate”. Eventually, as installs, moves, adds and changes occur the inventory repository (if there is one) is not kept current (old assets not removed), and the accuracy level falls even further.
Therefore there is often a need for a one-off physical audit to re-initiate / validate a lifecycle system’s core data, but no one wants to keep doing that. Discovery and a slick barcoding add-on to the lifecycle system act as a way of constantly refreshing and validating the data and avoiding the costly re-audit, as well as giving the rich benefits of cross-correlated physical and discovery info (great for maintaining the constantly changing hardware CI layer of CMDB for example).
So my message to Asset Managers is, are you sure you want to keep managing data you know is bad, or would you prefer to kick-start a new and more efficient mechanism which generates real value based on trustworthy records?
I recently visited an organisation where, due to their business sector, they had a “laissez-faire” attitude to tracking their assets. However, recent changes from the Financial Reporting Council (FRC) mean that this has to change. Below are key areas which have to be considered before committing to change, as it will affect the whole organisation and may conflict with existing cultures.
- Understand why IT Asset Management is important to the business.
- Demonstrate the ways in which this information is or could be used.
- Get Board level ‘buy-in’ to the above – crucial!
- Produce a business plan which clearly shows why this is needed, what the cost would be and how the returns will be realised.
- Have a clear roadmap / strategy over time, not just a single project.
- Have an IT Asset Policy which is clearly communicated and understood.
- Have solid lifecycle touch / capture points.
- Produce sound and tested procedures which are simple to follow, and automate using barcoding.
- Know what accuracy is required and why, and who your data customers are.
- Where is the data going to be held, who is responsible for it and who should have access to the data?
- Know what sources of data are currently available – and are they trustworthy?
- What other sources are required for your business purposes?
- Have a feedback system to test the accuracy, including a service compliance function in larger organisations.
Key: Clarify and align responsibility across the whole organisation.