Monday, January 07, 2013

Software Audits - Be Afraid...Be Very Afraid!

OK, so I know the title is a bit "doom and gloom" - but frankly I've seen too many companies over the years get seriously bitten during software audits because they didn't have a healthy respect for the risk when they first accepted the audit (and for the sake of this article...I'm calling it an audit any time you share your installation data with a publisher or anyone representing the publisher).

First, I do not recommend going through one alone. That would be like going to an IRS audit alone - there are far too many obscure rules that can come back to haunt you. Get professional help before it starts and keep that help around through completion...very few rules are "black and white" and you need an advocate on your side who fully understands the rules and can balance the publisher's interpretation of use.

Here are a couple of things to know before heading into an audit:
  1. Not all audits are the same - know when you have the right to refuse or limit and when you've already waived those rights.
  2. Make sure the scope is clearly defined - is it all subsidiaries, all geographies, etc.
  3. Require a project specific non-disclosure agreement (NDA) be in place with any third-party gaining access to your information and follow up at the end of the audit to require disposal of the records.
  4. Understand under what circumstances you'll be billed for the cost of the audit.
  5. Ensure that the audit is being conducted under the rules of your active agreement with the publisher and the pertinent product use rights for the products in use.
There are many more, but this is a start.  The ITAM Review has a number of useful articles on this topic that you should consider reading as well.

Pitfalls to be aware of to avoid audit problems:

The best possible situation is to avoid an audit altogether.  While this is becoming more and more difficult as publishers have realized that audits are a profitable activity that helps them meet revenue goals (most of the heads of software publisher compliance groups have revenue goals much the same as a sales group), there are steps you can take to reduce your chances of an audit.
  1. Regularly conduct your own audit. Know what you own, what and how you are using it. If contacted for an audit, be sure that your executive handling the conversation can speak knowingly and authoratatively on current usage by product and the timeliness of that data.  Software publishers don't want to throw their money away on an audit that is going to produce no licensing revenue. The more they feel that you already have things under control the less likely they are to require a full onsite audit.
  2. Watch your external access, make sure you are appropriately licensing clients, vendors and partners for their access to your computing resources.
    • If your customers are using your computing resources, make sure that you are covering that usage under the appropriate licensing agreement.  Most publishers have service provider agreements (Microsoft's SPLA or VMWare's VSPP program being two of the most common) allowing for you to host their products for use by others - there is a lot of gray area in determining when you need to license under these versus when you can use perpetual licenses so make sure you have a professional help you make this determination.
    • Licensing is typically entity specific. While everyone in my organization is licensed to use a Microsoft Windows 2012 server within my organization that licensing does not cover us for when we access a client's organization.
    • There are expensive ways of handling this and less expensive ways - having licensing advice when you're setting up access can help you avoid unnecessary costs.
  3. Minimize OEM and non-volume purchases. Frankly, publishers regularly mine their entitlements data on clients to determine inconsistencies for compliance issues.  If a publisher can't see a full picture of your purchases it can increase the chances of an audit.
  4. Keep your purchasing records. If you are still using the software (or it's successor if that successors licensing is based upon the original purchase), then you need to have ready access to your proof of purchase. Consider for example Attachmate the owners of some (current and) legacy emulation software.  They audit on a regular basis - can you demonstrate that you purchased the 50 copies of KEA or myEXTRA! that you still have running in your organization?  If not, the cost to buy new licenses can include interest based upon when the software was originally released.
  5. Pay attention to country of usage rules. Most publishers have some restriction on using software in a  country other than the one purchased.  Autodesk, VMWare and Microsoft (under the Open licensing program) all restrict usage across geographical boundaries.
  6. Understand transferability rules of licenses during mergers, acquisitions and divestitures. For example, Autodesk states that their licenses are typically not transferable and have the right to refuse a request for transfer, if they do accept the transfer they can require that subscription costs be added to the license.

Already in an audit:
Regardless of what stage the audit is in, get help.  Make sure you have someone working as your advocate that has experience in software audits, strong knowledge of the publishers current and historical agreements and product use rights and the frankness to give you an accurate picture of where you stand (this is not the time your management team wants anything sugar coated...they need to know the reality so they can prepare).

Double check everything the auditors present to you - math errors and mis-interpretation of product use rights and licensing terms are frighteningly common.

Tuesday, July 10, 2012

Microsoft Windows Server 2012 - Licensing Changes

While much of the focus this year has been on Microsoft's planned release of Windows 8, Microsoft Windows Server also has a planned release this year.  Microsoft Windows Server 2012 is slated for general availability in September and has some significant licensing changes planned to accompany the release.

Even though you may have no plans to move to Windows Server 2012 at release, this will impact all Windows Server purchases made after General Release.
Summary of planned changes:
  1. All server licensing is changing to the per Processor model (no more “per server” licensing)
  2. They are eliminating the “Enterprise” edition (the only difference between the remaining editions of Standard or Datacenter will be how they license virtual OSEs…functionality between editions will be exactly the same).
  3. Each license will cover 2 processors on the same device. Existing licenses with Software Assurance will convert as follows:
    • Microsoft Windows Server Datacenter – 2 licenses will convert to a single Datacenter license
    • Microsoft Windows Server Enterprise – 1 license will convert to two Standard licenses
    • Microsoft Windows Server Standard – 1 license will convert to one Standard license
  4. Standard will now include the right for 1 physical or 2 virtual OSE’s per 2 processor box
Timing of release has not yet been disclosed (I’m betting September) – I recommend you analyze your environment and determine if you want to execute a purchase prior to general release so as to minimize the impact by maximizing the conversion ratios.
As always, if you need help or simply want to discuss this further let me know – I know Microsoft licensing (particularly when it changes) can be confusing…I’m happy to help explain it.
Please note, these changes are “planned” – by the time General Release occurs there could be more changes as the licensing terms are not set until release.

Thursday, March 22, 2012

Software Audits - Beware of the Unknown!

While most of our business is focused on helping companies optimize their licensing and avoid compliance risks there are times a company comes to us when they are in some stage of being audited (whether it's called an audit or not for purposes of this posting I will refer to it as an audit anytime a third party is reviewing your licensing not at your behest).  We come across a number of areas that "surprise" customers to find out it's a compliance issue.

Take a look at the following - if any of them apply to your company, take steps to resolve these:
  • Own one edition but a different edition is installed.  Do you own Microsoft Office Professional but have Microsoft Office Standard installed?  If so, you are out of compliance (and no, don't count on them to look the other way). 
  • Changing the hardware that you run your Oracle database on without checking to see what it does to your core factor in determining processor licenses required. Did you move to a Sparc 4 from a Sparc 3? You just doubled your core factor...Oracle US License Agreements
  • Not understanding the minimum number of users that need to be licensed (contractual requirement versus actual usage). What did that (above mentioned) increase in processors just do to the number of users you're required to license?
  • Server mobility in a virtual environment. For example, did you reassign your Microsoft Windows Server Standard licenses to your virtual environment? That's fine (assuming they weren't OEM licenses) as long as you are not using VMWare's V-Motion (or similar technology).  You can only reassign licenses once every 90 days in the Microsoft server operating system world - you might accidentally be drastically increasing your licensing needs by "harvesting" that Standard license versus appropriately licensing the virtual environment.
  • Did you turn on enterprise functionality in your Microsoft SharePoint Server? If so, are other instances of SharePoint inheriting that enterprise functionality without your knowing it?  The enterprise functionality in Microsoft Sharepoint requires a Microsoft Sharepoint Enterprise CAL (client access license, this CAL is also contained in the Microsoft Enterprise CAL Suite).
  • Do you have Mac's in your environment? Are they accessing a Microsoft Windows OS? How are you licensing that?
  • Are you on an Enterprise Agreement (Adobe, Microsoft, Oracle, etc) and not including all devices in your environment? Check your agreements, unless it specifically allows you to exclude something these agreements typically require you to license all devices - read your fine print!
  • Re-imaging devices using the wrong media. The quickest way to get out of compliance in a material way is to have the wrong media loaded to your image. Make sure this is in alignment and that a change control process is followed for any changes to the image including a licensing review.
  • Are you assuming downgrade rights? For example, most Attachmate products do not have downgrade rights unless you have maintenance. Don't assume this right.
If you are asked (or told) that someone will be reviewing your licensing - get help before it starts. This is not the time to rely on your internal team unless they are licensing experts and stay current on all the publishers in your environment.

The ITAM Review has a great article series on the topic of "What REALLY Happens During an Audit", I recommend reading it whether you're going through one or just looking for more information.