The number of software audits continues to rise and every company needs to be prepared. There are a number of challenges which companies can face during an audit and Certero have produced a series of articles to address what could go wrong. This is the second one which will address challenges surrounding virtualization and monitoring software usage.
What is the licensing risk with virtualization?
Virtualization means to create a virtual version of a device or resource, such as a server, network, storage device or even an operating system where the framework divides the resource into one or several execution environments. Virtualization is a mature technology that is widely used, and has caused software vendors to evolve their licensing metrics repeatedly to maintain revenues, whilst the definitions of what a ‘virtual machine’ or environment actually is have changed, with the emergence of new hardware and new virtualization technologies.
Licensing is therefore complex, and there is a major issue with virtualization that many organizations overlook: the impact it has on your software licensing. Unless you are fully aware of these implications and are able to manage your license position, you could end up paying more for additional software licenses (and fines if the shortfall is discovered during a vendor audit) than you saved through adopting virtualization in the first place.
Most software vendors’ licensing rules differ between physical and virtual environments, and between vendors and their respective virtualization technologies the terminology, metrics and definitions all differ. Even a vendor’s own rules may differ over time as they’ve needed to make amendments, so it is imperative to have a thorough understanding of your license agreement and how each vendor’s rules apply to each environment. It’s also advisable to have more than one SAM expert’s interpretation of your contract and the rules.
Your SAM solution needs to have out-of-the-box connectors to all virtualization platforms in use, as understanding the relationship between virtual machines and physical hosts is critical to control.
The common theme, however, is that small changes to the virtual environment can have a large impact on licensing requirements. Typical examples include:
Hardware – e.g. additional servers or CPUs in a cluster
Server mobility within server farms – e.g. having DRS / vMotion enabled can exponentially multiply the licensing requirement
Converting a physical device to a virtual device changes the licensing requirements. Check your license agreement to discover the full implications and, where possible, model scenarios ahead of making changes, as evidence of simple mistakes can remain.
You also need to consider maintenance. Some vendors, such as Microsoft, now require active maintenance on server applications deployed within server farms (Microsoft Exchange server etc.).
Monitoring usage
Dependent on the terms of your license, the need to measure the usage of your software could be important in ascertaining whether you are compliant and also what you have to pay. Certain software vendors, like SAP and Oracle, charge for software based on metrics that can be unique to your business. For example, if you are a car manufacturer, the metric could be based on the number of cars you have built.
Obviously, you will need a verifiable and easy way to measure this metric: firstly, so that you are aware of what you will need to pay and, secondly, to ensure that you do not exceed any pre-set limits or conditions within the license agreement. Monitoring usage can also identify non-use, which could indicate that you are paying for too many licenses and can reduce the number you hold and therefore have to pay for.
The ability of SAM solutions to measure software usage for identifying unused assets and optimization varies, with some requiring manual direction to measure the usage of specific applications and with limitations as to how many applications can be measured at one time. This leads to an extremely lengthy process of gaining insight into usage of applications a handful at a time, and with potentially hundreds or thousands of pieces of software to measure, each for months at a time, it’s clearly not an effective approach. The best SAM solutions, however, can automatically measure the usage of all software at all times, straight out of the box.
Measurement for datacentre vendors like SAP, IBM and Oracle should be done using specialist solutions for these vendors. Again, the best SAM solutions have options for everything you will need that can be activated within the single platform.
Indirect access
As if the licensing agreements of the likes of Oracle, SAP and Microsoft were not complicated enough already, many user organizations fall foul of something called indirect usage and end up owing significant amounts as a result of licensing non-compliance.
Indirect usage, indirect access, or multiplexing as it is sometimes called, is where your software (be it Oracle, SAP, Microsoft etc.) is accessed indirectly by a non-named third party, which can either be a person or machine. For example, an organization has created a system that allows all their employees to enter their expenses. That system then sends all that employee expense information to a second system using a single named user account.
All users of the expense system are indirect users of the second system and should be considered when licensing the second system by a user-based metric. As SAP and Oracle utilize ‘Named User’ type licenses, you will be non-compliant if each and every one of these users is not fully licensed.
Key to getting to grips with indirect access is the ability to correctly classify users of your software as direct or indirect and so make sure they are given the correct license type. Identifying indirect access can be tricky without the help of an automated monitoring tool.
However, there are tell-tale signs that make indirect access easier to spot. These include things like a user accessing a system all day long (no human user would do that) or a very large volume of work processed within a set period by one user (again, no human could conceivably process such a volume within that time).
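The two tell-tale signs above can be checked mechanically against an access log. The following Python sketch is an added example, not part of the original article or of any vendor's product; the log format, account names and both thresholds are constructed assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds (not from the article): tune to your own baseline.
MAX_ACTIVE_HOURS_PER_DAY = 16   # a person rarely works in more distinct hours
MAX_TXNS_PER_HOUR = 500         # volume no single person plausibly enters

def parse_line(line):
    """Parse 'ISO-timestamp,account,transaction_count' (constructed format)."""
    ts, account, count = line.strip().split(",")
    return datetime.fromisoformat(ts), account, int(count)

def flag_indirect_candidates(lines):
    """Return {account: sorted reasons} for accounts that look non-human."""
    hours_seen = defaultdict(set)   # (account, date) -> distinct active hours
    txns = defaultdict(int)         # (account, date, hour) -> transactions
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, account, count = parse_line(line)
        hours_seen[(account, ts.date())].add(ts.hour)
        txns[(account, ts.date(), ts.hour)] += count
    reasons = defaultdict(set)
    for (account, _day), hours in hours_seen.items():
        if len(hours) > MAX_ACTIVE_HOURS_PER_DAY:
            reasons[account].add("active_all_day")
    for (account, _day, _hour), total in txns.items():
        if total > MAX_TXNS_PER_HOUR:
            reasons[account].add("high_volume")
    return {a: sorted(r) for a, r in reasons.items()}

def build_sample():
    """Constructed sample log: two interface accounts and one human user."""
    lines = ["# timestamp,account,transaction_count"]
    for hour in range(24):            # posts every hour around the clock
        lines.append(f"2024-03-04T{hour:02d}:05:00,EXPENSE_IF,40")
    for hour in (9, 10, 11, 14, 15):  # ordinary working pattern
        lines.append(f"2024-03-04T{hour:02d}:20:00,jsmith,12")
    # Few active hours, but an implausible volume within one of them.
    lines.append("2024-03-04T10:00:00,BATCH_LOAD,350")
    lines.append("2024-03-04T10:30:00,BATCH_LOAD,400")
    return lines

if __name__ == "__main__":
    flagged = flag_indirect_candidates(build_sample())
    for account, why in sorted(flagged.items()):
        print(account, why)
```

Flagged accounts are candidates for review: each one may front a population of upstream users who need to be classified and licensed.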
One way to avoid indirect access problems in the Oracle world, for example, is to license via processor, rather than Named User. Sadly, there is no such corresponding license in the SAP world, where you are limited to Named User.
Solving the audit challenges of virtualization and monitoring usage
How can you ensure virtualization and monitoring usage do not influence your vendor audit?
Fortunately, there are tools available specifically designed to support organizations and ensure they are compliant. Developed with software audits in mind, these tools have the capability to understand virtualization, monitor usage and identify where there is indirect access.
Certero for Enterprise SAM can help you make sure you do not have problems with virtualization, usage monitoring and indirect access. Get in touch with Certero to find out how we can help you.