Do you know how virtualization and monitoring software usage can impact a software audit?
The number of software audits continues to rise, and every company needs to be prepared for its next one. Companies can face a number of challenges during an audit, and Certero has produced a series of articles to address what could go wrong. This is the second in the series, and it addresses virtualization and monitoring software usage.
What is virtualization?
Virtualization means creating a virtual version of a device or resource, such as a server, network, storage device or even an operating system, where the framework divides the resource into one or several execution environments. Virtualization is a mature technology that can help you save money, time and carbon emissions. Consequently, just about every major organization has adopted it in one form or another, somewhere on their IT estate.
However, there is a major issue with virtualization that many organizations overlook – the impact it has on your software licensing. Unless you are fully aware of these implications and are able to manage your license position, you could end up paying more for additional software licenses (and fines if the shortfall is discovered during a vendor audit) than you saved through virtualizing in the first place.
Most software vendors’ licensing rules differ between physical and virtual environments, but a common theme is that small changes to the virtual environment can have a large impact on licensing requirements. Typical examples include:
- Hardware – e.g. additional servers or CPUs in a cluster
- Server mobility within server farms – e.g. DRS / vMotion enabled
Converting a physical device to a virtual device changes the licensing requirements and you need to check your license agreement to discover what the full implications are. You also need to consider maintenance. Some vendors, such as Microsoft, now require active maintenance on server applications deployed within server farms (Microsoft Exchange server etc.).
Depending on the terms of your license grant, measuring the usage of your software could be important in ascertaining whether you are compliant and also what you have to pay. Certain software vendors, like SAP and Oracle, charge for software based on metrics that can be unique to your business. For example, if you are a car manufacturer, the metric could be based on the number of cars you have built.
Obviously you will need some verifiable and easy way to measure this metric: firstly, so that you are aware of what you will need to pay and, secondly, to ensure that you do not exceed any pre-set limits or conditions within the license agreement. Monitoring usage can also identify non-use, which could indicate that you are paying for too many licenses and can reduce the number you hold and therefore pay for.
As if the licensing agreements of the likes of Oracle, SAP and Microsoft were not complicated enough already, many user organizations fall foul of something called indirect usage and end up owing significant amounts as a result of licensing non-compliance.
Indirect usage, indirect access, or multiplexing as it is sometimes called, is where your software (be it Oracle, SAP, Microsoft etc.) is accessed indirectly by a non-named third party, which can either be a person or machine. For example, an organisation has created a system that allows all their employees to enter their expenses. That system then sends all that employee expense information to a second system using a single named user account.
All users of the expense system are indirect users of the second system and should be considered when licensing the second system by a user based metric. As SAP and Oracle utilize ‘Named User’ type licenses, you will be non-compliant if each and every one of these users is not fully licensed.
Key to getting to grips with indirect access is the ability to correctly classify users of your software as direct or indirect and so make sure they are given the correct license type. Identifying indirect access can be tricky without the help of an automated monitoring tool.
However, there are tell-tale signs that make indirect access easier to spot. These include things like a user accessing a system all day long (no human user would do that) or a very large volume of work processed within a set period by one user (again, no human could conceivably process such a volume within that time).
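The two tell-tale signs above can be checked mechanically against a usage log. The following Python is an added example, not Certero's tooling or code from this article; the event layout, account names and both thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune them to your own baseline.
MAX_ACTIVE_HOURS = 16    # distinct clock hours with activity in one day
MAX_TXN_PER_HOUR = 200   # transactions a person could plausibly enter in an hour


def build_sample_log():
    """Constructed sample events: one (account, timestamp) pair per transaction."""
    day = datetime(2024, 3, 4)
    events = []
    # Human-like account: six entries an hour during office hours.
    for hour in range(9, 17):
        events += [("jsmith", day + timedelta(hours=hour, minutes=10 * i)) for i in range(6)]
    # Interface account: a steady trickle around the clock.
    for hour in range(24):
        events += [("svc_expenses", day + timedelta(hours=hour, minutes=30 * i)) for i in range(2)]
    # Batch account: one short burst of 500 postings.
    events += [("batch01", day + timedelta(hours=2, seconds=5 * i)) for i in range(500)]
    return events


def classify_accounts(events):
    """Return {account: [reasons]} for accounts showing either tell-tale sign."""
    per_hour = defaultdict(lambda: defaultdict(int))  # (account, date) -> hour -> count
    for account, ts in events:
        per_hour[(account, ts.date())][ts.hour] += 1

    flagged = defaultdict(list)
    for (account, date), hours in sorted(per_hour.items()):
        # Sign 1: activity spread across more of the day than a person works.
        if len(hours) > MAX_ACTIVE_HOURS:
            flagged[account].append(f"{date}: active in {len(hours)} of 24 hours")
        # Sign 2: more work in one hour than a person could enter by hand.
        peak = max(hours.values())
        if peak > MAX_TXN_PER_HOUR:
            flagged[account].append(f"{date}: {peak} transactions in one hour")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in classify_accounts(build_sample_log()).items():
        print(account, "-> review as possible indirect access:", "; ".join(reasons))
```

A flagged account is only a candidate for review: the next step is to identify which upstream users sit behind it and check them against the license metric.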
One way to avoid indirect access problems in the Oracle world, for example, is to license via processor, rather than Named User. Sadly, there is no such corresponding license in the SAP world, where you are limited to Named User.
Solving the audit challenges of virtualization and monitoring usage
How can you ensure virtualization and monitoring usage does not influence your vendor audit?
Fortunately, there are tools available specifically designed to support organizations and ensure they are compliant. Developed with software audits in mind, these tools have the capability to understand virtualization, monitor usage and identify where there is indirect access.