Thoughts and discourses on software licensing - Software Compliance

Software Vendor Performance FY2020

24/2/2021

Vendor results can be a telling indicator of what might lie ahead

We regularly connect with the ITAM Review as a reliable source of information in the software domain and of interest this month is a comprehensive report from Rich Gibbons on the financial performance of some key software vendors - from the $5.6B loss of Google Cloud to the 29% rise in operating income (Q2) of Microsoft.

You'll find the full report here.

In summary ...

AWS saw revenue increase 29% to $45.3 billion, with income up 47% to $13.5 billion;
Google Cloud reached $13.1 billion for the financial year, an increase of 47% however incurred loses every quarter with an overall loss of $5.6 billion for the financial year;
IBM's overall revenue was down 5% to $73.6 billion however cloud revenue was up 19% to $25.1 billion well supported by Red Hat revenue up 18%;
Not a great year for Micro Focus with an annual revenue of $3 billion (a 10% drop on 2019) with a $3 billion loss for the financial year ($2.8 billion of which was a write down on a large chunk of the ill-fated HPe purchase from 2017);
At the midway point for Microsoft revenue was up 17% to $43.1 billion with operating income up 29% to $17.9 billion - a very healthy start to their financial year;
SAPs total revenue was €27.3 billion 1% down year on year, with cloud revenue €8.08 billion, representing a rise of 17%.

Some marked differences in performance - particularly in the cloud space, with a watch and ready advice for some of the poorer performers - we all know where they head when times are tight ...

... the perceived quick gains of the audit trail.

PVU Sub-Capacity Traps with ILMT

25/4/2020

All might not be as it seems - check this list of ILMT gotcha's

In order to get the benefit of PA sub-capacity licensing, running IBM's free License Management Tool (or the enhanced, licensable version, BigFix Inventory - now owned by HCL) is mandatory...

... but could it be misleading and costing you money?

Here are out top five tips for trimming your PVU sub-capacity report counts:

1. Incomplete Vitualisation - the 'TVM' predicament

If your ILMT configuration is not fully or properly implemented you're likely to find incomplete virtualisation heirarchies in your VM Manager connections, which result in every affected VM being treated as a stand-alone physical machine at the highest PVU rating of 120 PVUs per core). This can quickly add up where you might otherwise be entitled to the likes of 70 PVUs per core.

2. Missing Software Classifications

Central to the accuracy of ILMT reporting is the much dreaded 'Software Classification' process. If you choose to ignore this painstaking requirement you can be sure you'll pay the price either in real terms or in time-draining dispute at your next audit. Essentially, every exempt PVU count in your environment needs to be catagorised as such, meaning instances that are to be excluded from PVU counts (which depending on the License Terms are likely Developer, DR, or Test installs) need to be individually identified as such via this (ongoing) activity.

3. Unrecognised Bundling

As a follow-on to the Software Classification issue above, you'll then likely notice that where you have installed Supporting Programs on a different server - where entitled to do so under the License Terms - the program will magically form part of the PVU count, ie. bundling is not recognised across servers. So once again you'll need to identify these instances and exclude them from the relevant count, making sure you add comments to qualify the classification.

4. Reallocation High-Water Marks

So you dutifully maintain your vCPU's to your level of entitlement, which, as you're permitted to do, includes the occasional reallocation across servers to match processing and performance needs. Given you've balanced the core counts out all is good - right? Well ... no, ILMT will track the high-water mark for each server in the 90-day reporting period, so for example a taking a core from a 4 vCPU server to assign to a 3 vCPU server will see both reporting as 4 vCPU servers for that period.

To be in a position to challenge this make sure you have or take - and keep - separate records that evidence the reassignment of cores to negate any double counting.

5. Ghost Decommissioning

Similar to the above, you might think that decommissioning one server to deploy another would be quite within your rights as long as you (as always) don't exceed your level of entitlements. Well ... no, the decommissioned server will also report within the same 90-day period as the new server - potentially a bigger problem than the issue with high-water marks. So again you'll need to either classify the server accordingly, or ensure you have the right artefacts to contest any double recognition, or both.

... a lot of overhead right?

Yes.

And that's where a secondary source of truth can prove essential ...

Invoke your BCP, stay compliant.

28/3/2020

As the effects of Covid-19 and advice to isolate sees many workers staying home, compliance can be an after-thought

... and later,

a big problem.

The world is certainly a different place than it was just weeks ago. From what was a normal days work to stay-at-home advisories, self-isolation and lock-downs, business and workers face enormous challenges.

In such adverse times it's not possible to predict what the landscape will look like in the months ahead, but with the unfortunate loss of jobs and closure of businesses all we can know is that it will be a dramatically different place.

Those that can and do keep operating are an imperative for the economy, both now and through recovery, and whilst it would be reprehensible of vendors to audit companies when the corner is turned, there are those that inevitably will still do so.

So while there is much to contemplate and deal with in just keeping your business running, a quick check on some basic principles could avert some later issues. Consider some of the most common licensing pitfalls with typical BCP scenario's:

Working From Home

Working from Home means mobility - if you are allocating laptops and notebooks be wary of installation or device based licenses, all of which might be overlooked with the rapid deployment of SOE's and new devices. There may even be restrictions on what category of device the software can be installed on, or even where physically it can be used (eg. designated offices or specific geographic locations). Where applicable, check you mobility rights cater for your intended use, and are current (eg. Microsoft SA Benefits).

Remote access can be another minefield where in the rush to get staff connected controls that would normally be in place might get overlooked. While solutions like an F5 BIG-IP Edge Gateway provide user based licensing to their own resources via secure VPN, other storefront and virtualisation products such as Citrix Gateway with VDI if not properly administered can be at greater risk of exposing applications unintentionally - make sure your access controls eg. AD Groups etc) are aligned to your licensing, and any additions to those secure groups have corresponding entitlements.

Invoking DR

If you are in the position of having to invoke your DR (or partial DR) things will undoubtedly be more complicated. License transfer rights, powering servers up, or moving capacity from cold to hot can easily lead to over use. Migrating (or worse, extending) production workload to DR will certainly have conditions and constraints that if over-looked will leave you visibly non-compliant at a later date via audit trails such as SCRT or license server logs. Keep appropriate records that will help to mitigate any action you needed to take, and make sure you enable/track license migration alongside any workload you move.

While we'd like to think some leniency would be afforded through these difficult times, keeping a good handle on your compliance position just makes good business sense.

So stay compliant, but mostly, stay well, and stay safe.

A Revised Approach to Compliance By IBM

29/9/2019

IBM Announces its new "Authorised SAM Provider" Offering (IASP)

While it appears the disgruntled messaging from clients is finally starting to register with some major vendors, a recent announcement from IBM (outlined here by the ITAM Review) by no means makes it an all clear.

We're all for any move to make software licensing compliance simpler, and the IASP program for some large IBM customers might just do that - although by invitation only and accomplished by engaging one of just four designated IBM partners:

KPMG
EY
Deliotte
AnglePoint

OKAY, SO WHAT's THE OBJECTIVE?

In a nutshell, to offer those select few an alternative to IBM's License Reviews by operating a managed service that brings SAM expertise, tools, and knowledge to organisations who are perhaps struggling with those skills themselves - which happens to be exactly what we at Software Compliance have been offering our valued clients since 2016!

HOW ABOUT the APPROACH?

Once invited, an organisation selects an authorised partner who will then - through a defined scope of paid work - follow the standard licensing compliance process to create a baseline (using ILMT), perform an initial reconciliation, resolve any issues, and implement an ongoing management and control program, all done under an IASP Agreement that must be executed with IBM (covering a term of up to 3 years).

... And THE Benefits?

The major attraction is that any licensing shortfalls discovered in the initial baseline can be resolved at the customers entitled price without any back-dating of S&S - and - an apparent waiver of any sub-capacity issues (tbc).

... and we all know how problematic (ie. costly) issues in this space can be!

On the surface perhaps an admirable new direction from IBM, but does it really differ to how customers operating under the likes of an Enterprise Services & Software Offering (ESSO) have been treated for the last 10+ years? We think not - baselines were created, shortfalls resolved (albeit perhaps not as transparently), regular reporting was mandatory, etc ... so the only difference seems to be that the customer is required to engage one of just four designated partners.

OUR VIEW?

As with many IT functions companies are finding that they need help - they just don't have the in-house skills to perform every role, task and responsibility they need to cover.

... nor should they have to.

While the IASP program from IBM targets large, specially invited customers with just 4 select partners, our purpose is to assist all organisations - small, medium or large - with the same goal:

Provide the skills, tools, knowledge and process to solve your software licensing issues.

Contact Us ... (before your Vendors do)

Don't be Caught Out By Oracle DB Feature, Option, and Management Pack Usage

28/4/2019

All might not be what You think - It's time to Check

So all's fine with your Oracle Database - it's been installed for some time now, had a few upgrades, tweaks and tune-ups, you're across your NUP and Processor entitlements, so why have any concerns from a licensing perspective? Well, what about all of those Feature, Option, and Management Packs that lurk quietly in the background - have you checked on the status of those lately?

You might think there's no need to - nothings changed, configurations haven't been updated - well, consider setting selections during those updates and upgrades - perhaps revised defaults came into play (depending on version, database options and management packs are installed and many are enabled automatically!)

Worth checking to be certain before that next, friendly ... 'Oracle License Review'.

To facilitate this Oracle provides a script - options_packs_usage_statistics.sql - which enables you to check Oracle Database feature usage, option usage, and management pack usage. The script lists, in two distinct sections:

Oracle Database option and Oracle management pack usage
Features used by each option and management pack

The script can be run manually on an individual database or you can use Oracle Enterprise Manager Job System to automatically run the script on multiple databases, giving output like the below (with formatting added):

Now with insight into the actual system settings a simple reconciliation to your licensing / entitlements will give you assurance that everything is in order, or alternatively highlight what needs to be resolved.

A simple task well worth scheduling at least annually.

and it's always good to keep a record for later comparison / compliance requirements (with ComplianceWare you can easily register the output as 'Verification' material alongside your licenses).

– ALERT ADVISORY –

31/3/2019

ADVERSE VIRTUALISATION TERMS

Could You Be At Risk From Covert LICENSING TERMS?

While some vendors are well known for their hostile terms towards specific forms of virtualisation (consider Oracle with VMware), others are not, slyly waiting for sufficient time to pass before issuing that dreaded ‘license review’ (aka audit) letter, hoping they can trap you with their archaic, antiquated, yet bizarrely enforceable terms that could see you severely punished if you have virtualised systems that fall under these conditions.

Two current protagonists are coming to the fore in this space for their equally aggressive – and global – onslaught, hounding their loyal customers with totally unreasonable findings and outrageous demands for compensation. The problem emerged from the days of licensing physical installations by cores – easily managed when applications ran in their own dedicated servers, but with the shift to now omnipresent server farms, be it on-premise or cloud based, where their terms have not changed and don’t automatically recognise virtualisation as a means to limit the licensable metric (cores) you are at risk of paying for all of the physical cores in your entire Host estate.

Consider the terms below extracted from the respective vendor agreements:

Micro Focus End User License AgreemenT

MICRO FOCUS® ENTERPRISE DEVELOPER, MICRO FOCUS ENTERPRISE SERVER, MICRO FOCUS ENTERPRISE SERVER FOR .NET, MICRO FOCUS ENTERPRISE TEST SERVER, MICRO FOCUS ENTERPRISE TEST SERVER PREMIUM, VISUAL COBOL® , COBOL SERVER, DATABASE CONNECTORS

"Server License for CPUs. Licensed Software provided under this License Option gives Licensee the right to install the Licensed Software on a single machine or server ("Host Server"), or one or more Containers on the Host Server, and have the Licensed Software executed by up to the total number of CPUs, Cores, Integrated Facility for Linux processors ("IFLs"), Blades or other processing devices specified for the license in the applicable Product Order ("License Specification"). If the number of Cores is not specified for a CPU in the event a CPU is specified in the License Specification, such CPU shall be considered to be single-Core. A Server License for CPUs license covering all CPUs, Cores, IFLs, Blades and other processing devices that are contained in and/or can be accessed by the Host Server ("Total Processors") is required with all applicable license fees paid, even if one or more of such CPUs, Cores, IFLs, Blades or other processing devices are not accessing or running the Licensed Software. For example, if 32 Cores are the Total Processors on the Host Server, but only 16 Cores are utilized to execute the Licensed Software, a 32-Core Server License for CPUs license is required notwithstanding the fact that 16 of the 32 Cores may not actually be accessing the Licensed Software. Each Core on a multi-core CPU requires a Server License for CPUs license covering each such Core. For example a Host Server with Total Processors consisting of a single quad-core CPU will require a 4-Core Server License for CPUs license and payment of the license fees applicable to all 4 Cores."

OPEN TEXT – ECD Central Processing Unit (“CPU”) ModeL

Affected products are any of those on your Order From that have a UOM code of ‘ZA’:

"Licensing and pricing is based upon the total number of CPU cores present in the computer upon which the ECD Software will operate. The ECD Software is licensed per physical dual-core device (“Dual-Core CPU”). Licensee must purchase an individual Software License for each Dual-Core CPU on which the ECD Software is executed or made available to execute."

If you are in the unfortunate position of running any products that fall into the categories above, act fast. You will need to either move the affected applications to a right-sized physical box (with all of the accompanying issues that presents) or seek to agree with the vendor the appropriate virtualisation terms (and be wary – if they play this type of game that will likely just get their cash registers ringing).

We find it hard to believe that such terms remain in vendor agreements, more so even deemed enforceable. If you've had the misfortune to have gone through such an affront, or think you might be about to, get in touch - we'd like to hear of (or help with) your experience.

Audits - And What To Look Out For

23/2/2019

IT SEEMS AUDIT SEASON HAS STARTED EARLY ...

Revenue outlook must be a concern for a number of large, global corporates going by the number of audits we're aware of already this year - typically they seem to favour the mid to late part of the calendar.

And lets face it, an audit is the last thing you need when you're just getting back to those major initiatives that need focus. Of course often its that very focus that leads to compliance issues - lacking the necessary oversight and controls in your IT landscape its not uncommon for BAU changes to cause a world of difficulty - a simple server refresh that introduces more cores, a change in access permissions that broadens the user base, or perhaps just plain old virtualisation.

So what might target your organisation for attention by those loathed 'License Review Teams' waiting out there?

Well the answer is, more than you might think.

Typically something has got you to the top of the list. It can of course be within a common cycle such as at a contract renewal period, or an untimely prompt by one of those independent organisations whose entire income is through specialised and aggressive audits, but if not, what might cause it - and how might you prevent it?

First, consider the common triggers:

The innocuous supply of current state to the vendor (or partner) to scope and price a new project or programme of work;
A Vendor (or partner) who has been involved in one of your projects with access to your systems identifying and reporting a non-compliant situation;
An aggrieved employee aware of compliance issues who has recently left the organisation with a grudge to bare;
Failing to submit a required usage report;
An unfortunate listing with the BSA as a result of failing another recent audit;
Or perhaps just a naive and blissfully unaware employee contacting a vendor to ask for your own contracts or license information because "we don't have a copy".

If any of the above have you a little worried look for the most telling signal from your vendors of an impending audit - the unexpected communication that your "account team is going through some changes", which is simply a calculated, preemptive move to extricate any history and/or advocacy you might otherwise have had - prepare and get ready!

all of those "but" arguments will get you nowhere - "but we had an agreement",
"the account have known it was like this for years",
"it was the licensing sold to us", etc etc.

Alternatively, if you're feeling comfortable that you're not under any imminent threat its still a good idea to take stock and review your position against the common triggers. The best defense is without doubt a robust and competent software licensing function within your organisation that maintains the necessary level of control (and has the added benefit of warding off those vendors who would rather take on an easier, less capable target).

When it comes to licensing and compliance its good practice to not treat your vendors like 'trusted partners' - keep in mind who they're actually working for, and who's paying their salaries.

So - what to do:

Be cautious and restrict the information you provide to your vendors (and partners) - vet it carefully before releasing data that might expose you to further scrutiny;
Similarly, if you're letting the vendor gain access to your estate make sure they're only going to get what they need, and even go as far as to add contractual terms that ensure they only use the information they gain for a specific, permitted purpose, not to go back to the office and gleefully expose any failings they may have found;
If you have an employee leave on disagreeable terms it would be prudent to delve into their area of ownership and review your license position - resolve any compliance issues as a priority, just in case;
Always keep on top of your reporting obligations and ensure usage reports are delivered in full, and on time;
And lastly, remind your teams that interaction with your vendors is not something that just happens, nor is it a mandate or the responsibility of all. Instead, it is a specific role for those who are appropriately experienced and are vendor savvy. All communication should traverse this one path to be vetted accordingly, and lets just say that any unauthorised 'open invite to audit' emails to a vendor should be subject to appropriate 'education' (and repeat offenders - reprimands).

Concerns? if you need any help, we're just a phone call away.

2019 - Year of Compliance or Complacency?

1/1/2019

With a New Year ahead it's a good time to reflect on your IT Licensing status and Compliance Position - Are you confident that it's all under control?

While the costs of non-compliance are well documented companies continue to relegate software licensing and compliance to a 'will get to' task sometime in the future. With 2019 now upon us, is it time to perhaps resolve this once and for all?

Start by considering the reasons it's not been addressed as yet, or do you believe it is under control? Ask by whom - the respective teams who manage their software domain? Rarely do we see operational teams have an in-depth and expert understanding of the actual licensing requirements let alone an accurate deployment record. Unfortunately the only time this tends to become apparent is when the auditors roll in and put it to the test.

QUICK POLL

Or does effective management of IT licensing just seem too vast and perhaps cost prohibitive to implement and maintain? It can seem that way - there are numerous and ever changing products, platforms, and models to complicate the situation, so how do you keep up?

And what about the cost? - yes, Software Asset Management and Licensing Compliance to many executives can seem like an unnecessary spend, much like the early days of Disaster Recovery where the prevailing thinking was typically "why would we spend so much on hardware that's just going to sit idle?". Well compare that to the contemporary thinking today where Service Recovery is a given with any robust application - the spend is seen as a worthy investment, not just additional cost.

At Software Compliance we recognised these factors as the perplexing problems the majority of organisations with broad IT solutions faced, and we decided to develop a solution that would work - and scale - to a vast array of companies, particularly SME's.

So how did we do it?

First and foremost we developed a tool to enable organisations to capture, contain and maintain that vast amount of software information important to them - their contracts, deployments, and licensing - the tool - ComplianceWare.

Not only does ComplianceWare discover and track your software deployments, but it removes layers of licensing complexity by automatically tallying installations, performing product bundling where appropriate, and providing direct links to vendor licensing information to help you decipher whats relevant - all kept current for you by the team here at SWC.

So if that solves the complexity issue, what about the next inhibitor - cost?

Again, that was something we were very aware of. While there were existing solutions in the market they are typically high-end, bloated products aimed at large enterprises at a cost to match. We took a different approach - build a lean, cloud delivered, simplified application that organisations could subscribe to based on their requirements, and be there to provide ongoing support and expertise as those ever-changing products and platforms emerge and evolve. All at a such a compelling cost you'll wonder why you paid such exorbitant remediation fees in the first place (or perhaps might be about to!).

So as holidays come to an end and we embark on another year it's a good time to reflect and ask yourself, in 2019 will we be:

Compliant!

or

Complacent.

It's not nearly as hard or as costlier a problem as you might believe it to be - find out more - get in touch and let's see how we might be able to help you gain more success in 2019.

Audit Anxiety

26/5/2018

As the chatter of audits increases around the industry
the range of reaction can be outright fear to mild anxiety,
but ... sometimes - enthusiasm!

What I hear you say - Enthusiasm??

Well yes surprisingly - for those organisations who run a well informed and skilled software / licensing function - it offers the prospect of evaluating just how effective their investment in processes and tools has been, and make any adjustments as/if necessary. Similarly, it provides an opportunity for objective feedback to management in a discipline that is otherwise difficult to gauge - just think - how can you quantify ROI without having a relative measure to report against?

The contrary position - where organisations have no certainty at all of their compliance state - is not a great place to be and certainly does warrant some anxiety. Not only is there the likelihood of remediation (at $$?? cost), but when you don't have a position what can you actually contest? There's no doubt that the 'arms-length' engagement of external auditors allows just that much more vendor independence to put more onus on you the customer - the audit will deliver a straight deployment report, leaving it to you to clarify what might be chargeable, and what might not.

Examples .... development software that might be free, supporting products under one suite that might be dispersed across servers, or even bundles - permitted, but unless qualified by you will still be listed as chargeable installs.

So it's worth considering just where you are on the compliance scale.

Ask yourself these three key questions:

Do you have dedicated resources overseeing your software assets?
Do you have a current, accurate and accessible record of your entitlements?
Do you have the necessary software discovery and inventory tools to keep track of your deployments?

If you do - great! - check that the processes are running as expected and you can take any impending audit on without that gut-wrenching fear and anxiety.

If you're lacking on any front though some attention is warranted. Start with ownership - who will be responsible and held accountable for your software assets? Then, how will you keep a current and complete record across it all?

You'll no doubt arrive at the conclusion you'll need tools to help do it all efficiently and effectively, so the question becomes - which tool is right for you? What features and functions do I really need? What price do I then want to pay for it?

The very questions that led us to develop ComplianceWare - our full featured, cloud-based product designed to meet the needs of organisations who don't want those top-end highly integration reliant, distended suites offered by some more well known global providers. ComplianceWare offers just those essential functions in an easy to use web-based application such as software discovery and deployment reporting, customisation via configurations and conventions, and of course a contracts and license repository.

And by delivering just the essentials we can offer a price to match - that is, the most cost effective solution you will find in the market. Try it as a one-off managed service (perhaps even using that audit data you've just been asked to provide) and evaluate on your own estate, or as a term license have access when and as you need it. Take a look at the Documentation or request a Demonstration to find out more, and then we're always here to help you out as needed!