Software Compliance

Vendors Performing Your System Installs?

26/3/2022


A caution when relying on vendors to deliver projects with software installs.

Many projects require the expertise of vendors to install, configure and productionize their software and systems. However, as the client and end-consumer you need to be aware of exactly what is making its way into your environments.
All too often, following discovery, we'll find unaccounted-for vendor software which, typically after an onerous investigation, turns out to be remnants of a vendor-led project: anything from desktop clients to entire VMs, each of which can have dire compliance implications and cost.
The common response is "hold on - we didn't install it - the vendor did", but a quick pointer to the relevant contracts will soon show that this offers no defense - the customer is always responsible for compliance, even if it is that very vendor's software in question.
More concerning is when a vendor installs another vendor's software. While this is not uncommon given the extent of partnerships and interoperability in the modern industry, it still needs to be clearly and formally covered, ideally contractually or by reference to the vendor's right to distribute and use any IP they don't own. These artefacts need to be registered and retained in the event of an audit that questions your usage rights - in the worst-case scenario, if the vendor has breached another party's IP rights, you too could end up subject to an infringement claim, and that's no place you want to be.

So, while the vendor might be responsible for the project, you'll still be accountable for the end product.

That means ensuring your project team stays across all vendor activities - enforce your BAU practices and protocols for distributing and installing software - in all environments - for traceability and tracking purposes. The project shutdown then needs to include a close-out phase where what's been installed (anywhere) is reconciled to what you've acquired, and also what you're actually entitled to use (aka Read The Contract). Where there are gaps you'll need to either recalibrate, purchase, decommission, or have the vendor explain and resolve - all before the project can be declared finished and complete.
And never rely on the vendor's personal emails or assurances that 'all is well' - none of that will hold up under audit (even if they are still there). When it comes to IP, all bases need to be formally covered, and if that's proving to be a problem, well, you might want to be even more wary.

IBM's Compliance Relaunch

25/2/2022


Hats off to IBM for its new dedicated Licensing and Compliance site.

Covering everything from licensing basics through measurement to managing SAM assets, IBM's new site is a welcome source of information ... and serves to reiterate that licensing and compliance is still a serious matter with vendors.

Launched on the 17th February, the site is a comprehensive, easily navigated resource for SAM beginners and experienced personnel alike.

Quoting Wes Mantle from the Licensing and Software Sales division: "​We hope our Licensing & Compliance website will be a go-to resource for IT executives and SAM/license managers, providing clear guidance for measuring deployment effectiveness and navigating software verification process in an efficient, fair and timely manner."

The 'Licensing' section offers a good starting point with links to related subjects and material, and also provides particularly good graphical representations of IBM's many agreement structures along with key terms and clauses, while the 'Measurement' section covers the array of metrics and topics across on-premise, cloud and mainframe platforms.
If short on time, on everyone's list should be a read and review of the new licensing Guides that include:
  • Licensing guides, which aim to inform clients about the detailed licensing rules commonly encountered in licensing IBM software
  • and User guides, aiming to help clients manage their deployment of IBM software.
The guides have been re-written in a much more readable and informative style covering all fundamental licensing subjects including the often misunderstood virtualization, backup and recovery, and non-production environment rules and obligations.
Of course the site wouldn't be complete without covering IBM's Verification approach, which includes audits, self-declarations and the IASP program. Interestingly, the section doesn't make reference to IBM's new, hosted, software management tool ESMT. The Enterprise Software Management Tool is described as an enhancement over the functionality currently provided by PA Online, providing "a full software inventory which details the number of licenses currently deployed and the number of licenses available to deploy. This can be updated in real-time to reflect any changes in requirement, meaning you always have a contemporaneous view of your IBM license position".
What's not clear is how the tool will actually operate in order to provide the view of "how many licenses have been used, where and by whom". This seems to imply some degree of discovery across the client landscape - on an ongoing real-time basis - which would come with its own complexities and, certainly, concerns. We'd be keen to hear from anyone who has adopted or is looking to adopt this approach - please comment below or get in touch!
What hasn't raised cynical eyebrows, though, is IBM's view of the benefits of being in compliance:
  • Maximizing the business value of your IT investment - purchase what you need and when you need it to optimize license procurement and deployment
  • Better awareness of your entitlements, the terms relating to these, and a better ability to avoid unnecessary software spend such as 'shelfware'
  • Reduced risk of unbudgeted license compliance expenditure
  • Being better prepared for corporate events such as M&A, reorganizations and outsourcing
  • A more positive and engaged relationship with vendors

... we can all agree on that! ​

So set aside some reading time and work your way through the site - it will be a valuable use of time, and ensure you bookmark it as you'll no doubt have cause to return on numerous occasions!

Adobe Reader Distribution Rights

10/1/2022


Does your company distribute Adobe Reader to employees? ... if so, make sure you have a valid Distribution License.

Many companies are unaware of their obligations when they distribute Adobe Reader software within their organisation, that is ...
 ... even though it's free it still needs a license arrangement with Adobe.
Now it's not as onerous as it sounds - it can all be done online, so let's look at some of the detail.

When do I need it?

A Distribution License Agreement is required for:

  • ​Corporations and organisations that want to distribute Acrobat Reader or the Acrobat Reader mobile app on a company intranet site or local network.
  • Commercial vendors that want to bundle Acrobat Reader or the Acrobat Reader mobile app on physical media such as a CD or DVD, on OEM hardware such as computers and mobile devices or with OEM hardware such as scanners.
Individuals interested in the software for personal use can download it free without applying for a Distribution License.
​

Note: You do not need to apply for a Reader Distribution License if you prefer to direct users from your website to Adobe.com to download Reader.

What does the Agreement allow me to do?

You will be authorised to:
  • Distribute the current version of Adobe Reader within your organisation, for internal use only, from ​a copy of the software installed on a file server for the purpose of downloading and installation to computers within your internal network.
  • Distribute the software on a standalone basis on physical media including a hard drive.

What are the key restrictions?

You must:
  1. Only distribute the version of Adobe Reader stated in your confirmation email.
  2. Install only one copy of the software on a file server for the purpose of allowing use via NFS, Citrix or other virtualisation technologies.
  3. Within 6 months of the release of a major new version by Adobe, cease distributing the current version and move distribution to the new version.
  4. Not configure or distribute the software for use without installation, other than as provided for under (2) above.

Ok, got it ... what do I do now?

You'll need to apply for a desktop license which will take just a few minutes and is required to determine how you intend to use Reader. After you complete the short online form, you'll receive an email with a link to the installers. You'll also need to mark a renewal date 12 months from receipt to reapply - the agreement is only valid for one year.

Free Open Source Software + Compliance?

26/11/2021


The Software Freedom Conservancy sues Vizio, Inc. for alleged violations of the GNU GPL covering software incorporated into certain Vizio smart TVs.

Companies are often unaware of their obligations under Open Source licensing when the solutions they develop distribute software built on terms such as the GNU General Public License, and that can leave them exposed to lawsuits just as it can with commercial software ...
An early and widely publicised example of the impacts of such non-compliance was the 2008 lawsuit initiated by the Free Software Foundation (FSF) against Cisco Systems that alleged several of Cisco's consumer network routers used GPL licensed code. The litigation was settled with Cisco releasing the source code, making a contribution to the FSF, and appointing a compliance officer. Quite the kicker.
In this latest action SFC asserts that all consumers of copyleft code deserve the opportunity to know, access and modify the code on their devices, and is seeking the release of the complete, corresponding source (CCS) for all GPL’d components on Vizio TVs. The benefit? Well, much as older analogue hardware TVs could be repaired by technicians, coders would have the option to repair the software when the supplier potentially stops support for their older models (surely not from 'built-in obsolescence'?).
And let's not forget the ethics involved, given the FOSS history and the principles that underpin it. From its curious beginnings in the 1990s and early 2000s, when Linux and other GPL’d software was considered nothing more than experimental, grew the community of enthusiastic developers whose software has benefited and furthered the rights and freedoms of individual users, consumers, and developers around the globe. It is a culture worth preserving, and that means keeping organisations who benefit from that culture honest. (SFC refers to this as 'Ethical Technology', meaning technology that serves its users rather than the corporations who profit from it, and preserves and promotes the rights of those impacted by it.)
So if you are an organisation using open-source software, and in particular, incorporating it in proprietary commercial products, make sure you understand your compliance obligations with the relevant open source licenses. If you don't, you might soon find that letter arrives requiring you to release all of the IP you've built on top of the most excellent Free and Open Source Software that we all benefit from.
The Software Freedom Conservancy is a 501(c)(3) nonprofit organization that is supported largely by individuals who care about technology and advocates for software that has been designed to be shared (using copyright licensing that allows users to freely use and repair it, and, in particular, forms of software licensing that use the restrictions of copyright to promote sharing called “copyleft”, such as the GPL).

Insights on SAM from a CIO perspective

29/9/2021


A recent webinar provided some CIO insights on SAM in the IT landscape today.

Participating in a recent webinar with industry CIOs presented an opportunity to evaluate what has - or hasn't - changed in terms of SAM in the technology space today. Perhaps most interesting - and reassuring - is that CIOs still recognise compliance as the major driver for a SAM function in their organisations, closely followed by the incentive of cost optimisation and savings, as represented in the poll below:
[Image: webinar poll results]
Why reassuring? Well, we believe that gaining a robust compliance discipline should be first and foremost in implementing SAM in any organisation - properly managing your software assets results in two significant outcomes for your business:
  1. When vendors recognise that you have your software space under control their desire to review and audit is outweighed by the probable lack of return, meaning you save valuable time and resources not having to respond to an exercise that can potentially take months to complete; and
  2. Having tangible oversight of important assets and clear record keeping enhances your business reputation overall - if you can't manage these basic fundamentals for your own purposes how confident can your customers be that you can deliver for them?

Where does the future take us?

When asked to consider the landscape three years from now, the supplier risk element was significantly superseded by cyber-risk, and cost and productivity were elevated to the major returns:
[Image: poll results]
For these results we'd point back to the present - dealing with compliance should be the priority and the returns will follow. Cost optimisation and productivity gains should quite simply be a by-product of properly managing your software domain rather than the core driver - there is an inherent danger in putting finances ahead of compliance, just as in the case of regulatory requirements ...
... you can't opt out.

SAM Foundation Series - (#2) Compliance Reporting

24/6/2021


In this second part of our SAM Foundation series we look at Compliance Reporting and the importance of understanding your deployment position.

In part one of this series we covered the importance of a full data collection across your data sources and contract and licensing information. Now we look at how to bring that together into a compliance position.
The first realisation is - wow! - that's a lot of data we have out there! So just as we needed tooling to perform the data gathering exercise we are going to need analytics to decipher not only what's important but how to interpret it all, for which there are two aspects:
  1. Scale Reporting; and
  2. Direct Examination and Querying.
Now what exactly do we mean by 'Scale Reporting'? Basically this means a reporting facility that enables you to stipulate variable parameters from product to vendor to company, with the output organised by device in a concise and easily readable form - for example, ComplianceWare's powerful Python and pandas based analytics engine slices and organises the data into output as a familiar Excel workbook.
A snapshot of the output is shown below:
[Image: snapshot of the report output]
The analytics should also consider base licensing metrics such as server core and PVU minimums, apply relevant bundling rules to avoid double counting, and recognise non-chargeable installations such as clients and free-edition software.
So we now have our first view of what's deployed where - and that's a good start, but it doesn't mean the job's done. You'll want to perform some spot / sanity checks across the report, and that's where the 'Direct Examination and Querying' comes in. Here, your tool should allow you to easily interrogate your data collection (which can span many millions of rows) for further review and confirmation, and that's accomplished via smart features that enable you to slice, limit and target the fields and items of interest. Again, with ComplianceWare as an example, you can easily navigate through the data by vendor, product and data source, and perform smart searches with inclusion and exclusion parameters to dynamically find exactly what you are after.

ok ... we're happy with our deployment report - now what?

Now it gets interesting - does what's reported as deployed match what we're actually entitled to? While some products can be automatically tallied (eg. products with simple install or device metrics) others will require more effort such as resource based metrics like cores or logical licenses such as users, and those in more complex environments such as virtual environments where physical v virtual considerations must be taken into account.
Here there are no short-cuts - it will require a knowledgeable individual (preferably with prior experience in the environment) to work through each product in a methodical and calculated manner to (a) derive the optimal licensing construct and then (b) reconcile against the recorded (and evidenced) level of licensing. As this progresses it is imperative to capture your findings and ensure they are lodged as an artefact for audit readiness and as a baseline for future reporting cycles (again with ComplianceWare this can be stored as 'Verification' material alongside the updating of actual usage figures).
And just how often should the whole exercise be performed? We'd recommend that you cover your major vendors at least annually, and institute a program of work that targets a select number of products or vendors quarterly. The good news is that once you've completed one cycle others become easier as you'll have a baseline to compare or commence from.
So to summarise:
  • Make sure your tooling includes a specific and effective software analytics engine;
  • Ensure results (and data) can be reported, interrogated, and manipulated as required;
  • Look for built-in smarts that alleviate some of the licensing complexity (eg. core / PVU counts, bundling);
  • Invest in at least one knowledgeable and experienced individual assigned fully to your SAM function;
  • Ardently track results and store the output of each exercise;
  • and as with Part One - repeat as necessary!

SAM Foundation Series - (#1) Data Collection

27/5/2021


In this series we'll cover the foundations of SAM, and what they mean.

And firstly ...

you can't derive anything meaningful unless you can measure it.

Let's take a look at the essential data required for an effective SAM programme.
Data is the essence of SAM, much as it is with most of technology. It's all there, somewhere, amassed over time, stashed away in the recesses of the organisation. It may exist (hopefully) in electronic form, or (lamentably) physical records filed and stored, most typically both. So we know the data's out there, the question is how - and where - do we start?
The first step is to determine what data sources you can tap into, from the raw systems themselves through other collection platforms you might run such as CrowdStrike, Microsoft's SCCM, IBM's ILMT, HCL's BigFix Inventory etc. With larger organisations the issue is always completeness - be it running agents or agentless via remote extracts - how do we know we're capturing everything we should? That can be a much more difficult proposition than it seems.
The approach is to source as much data as possible and compare it, merge it, blend it, and massage it to get the best quality information you can - the issue today is not so much sourcing the data, it's how to filter through it to find what's important, and to do that you'll need tooling.
That means firstly figuring out what is most workable - and also most repeatable. This could be as simple as providing system logins to run application specific extracts, or remote connectivity as a centralised administrator, or even integrated access via APIs. All act as feeds to your SAM system that will then do the hard data crunching and reporting work for you (for which ComplianceWare's pandas driven analytics engine is purposely designed).
So that covers the inventory side of things - collecting the deployment information and associated identifiers (ie. the editions, statistics, capacities etc) necessary to derive your consumption levels, but then you'll need the associated Contracts and Licensing material as well to compare to your entitlements and establish your compliance position, and that's where things can get tricky.
Most organisations - even those that are largely centralised - have some degree of local procurement (all the way down to problematic credit-card purchases) that make it difficult to collate the full and complete record of ownership. So you'll need to start with what is known, match that to the inventory you have identified exposing the shortfalls and gaps, and go looking for those great unknowns.
This can be a long and even fruitless exercise at times, sometimes reliant purely on the knowledge of individuals (if they're still with the organisation that is), extending from business to technology teams, from legal to procurement, all depending on how controlled and robust the procurement processes are. The key here is to capture that information so it's recorded and available from there on, and the whole exercise doesn't have to be repeated (as it would in the case of audits).
Ideally your SAM system then allows you to maintain that connection of inventory to entitlements, organised by the contracts they were acquired (and operate) under. Any compliance issues can then be dealt with in a managed and controlled way, along with the potential benefit of savings from license consolidation, decommissioning, harvesting, or reuse, but we'll cover that in Series (#2).
And the kick - data collection isn't a one-off, it's an ongoing process that should be repeated as often as necessary based on the frequency and fluidity of change in your environment. On the plus side, once you have established the process it becomes much easier and more efficient to rerun, and depending on your SAM system you gain more intelligence each time (for example, ComplianceWare can compare different data captures and report the differences so that you can quickly identify what's changed, and what might need attention).
Key takeaways then are:
  • Identify your data sources;
  • Implement effective and efficient processes to repeatedly access and source the information you need from them;
  • Find and capture the associated contract and licensing information;
  • Repeat as necessary.

Keep in touch for the upcoming SAM Foundation Series (#2) - Compliance Reporting.


Licensing DR Environments

30/5/2020


Vendor DR licensing requirements can be vague ...

... here's some insight into a select few with differing views and terms across their infrastructure software.

Oracle's approach is pretty easy to sum up - you pay for everything because ...
it's installed!
Refer to the extract below from the Oracle paper 'Licensing Data Recovery Environments':
Data Recovery Environments using Copying, Synchronizing or Mirroring Standby and Remote Mirroring are commonly used terms to describe these methods of deploying Data Recovery environments. In these Data Recovery deployments, the data, and optionally the Oracle binaries, are copied to another storage device. In these Data Recovery deployments all Oracle programs that are installed and/or running must be licensed per standard policies documented in the Oracle Licensing and Services Agreement (OLSA). This includes installing Oracle programs on the DR server(s) to test the DR scenario. Licensing metrics and program options on Production and Data Recovery/Secondary servers must match.

Some recent changes to SA Benefits have extended DR for SQL Server ...
... but you still need Software Assurance to take advantage of DR Rights 
Servers – Disaster Recovery Rights: For each Instance of eligible server software Customer runs in a Physical OSE or Virtual OSE on a Licensed Server, it may temporarily run a backup Instance in a Physical OSE or Virtual OSE on either, another one of its Servers dedicated to disaster recovery, or, for Instances of eligible software other than Windows Server, on Microsoft Azure Services, provided the backup Instance is managed by Azure Site Recovery to Azure. The License Terms for the software and limitations apply to Customer’s use of the backup Instance. 

You might think the friendly types at VMware would be lenient when it comes to DR ...
... that's not the case.
If it's installed, it needs a license.
If it's not specifically called out in the VMware Product Guide it will need licensing, and that means everything other than Continuent and vRealize for Log Insight. Surprisingly, VMware deems an install to be 'use' of the software - yep - just binaries sitting on a disk.

With RHEL it's nice and simple ...
... if it's deemed COLD
But it can't update until it's run.
RHEL Linux Subscription Guide: Cold backups: The server has software installed and configured, but it is turned off until the disaster occurs or for periodic disaster recovery procedure tests. For Red Hat Enterprise Linux, this means that the customer is allowed to preload the bits as a courtesy. However, Red Hat Content Delivery Network cannot be used to update the system until the disaster happens. Then, the paid subscription on the failed machine transfers to the cold backup server. In this case, a customer does not need two subscriptions. The customer will consume only one subscription at any point in time. Red Hat will allow the customer to pre-provision the software bits onto the cold backup machine as a courtesy. If a customer is found to be running more units of Red Hat Enterprise Linux than the customer has subscribed for because the customer has found a use for these pre-provisioned servers other than this cold backup use case, the customer is obligated to pay Red Hat.

IBM's DR Policy has not changed since 2003 ...
... for PA products Cold & Warm DR is no-charge
But don't run any 'Productive' work.
Backup Use Defined: For programs running or resident on backup machines, IBM defines 3 types of situations: “cold”; “warm”; and “hot”. In the “cold” and “warm” situations, a separate license for the backup copy is normally not required, no additional charge applies, and IBM does not need to be notified. In a “hot” backup situation, the customer needs to acquire another license. All programs running in backup mode must be under the customer’s control, even if running at another enterprise’s location. 

PVU Sub-Capacity Traps with ILMT

25/4/2020


All might not be as it seems - check this list of ILMT gotchas


In order to get the benefit of PA sub-capacity licensing, running IBM's free License Management Tool (or the enhanced, licensable version, BigFix Inventory - now owned by HCL) is mandatory...

... but could it be misleading and costing you money?

Here are our top five tips for trimming your PVU sub-capacity report counts:

1. Incomplete Virtualisation - the 'TVM' predicament

If your ILMT configuration is not fully or properly implemented you're likely to find incomplete virtualisation hierarchies in your VM Manager connections, which result in every affected VM being treated as a stand-alone physical machine at the highest PVU rating (120 PVUs per core). This can quickly add up where you might otherwise be entitled to the likes of 70 PVUs per core.

2. Missing Software Classifications

Central to the accuracy of ILMT reporting is the much dreaded 'Software Classification' process. If you choose to ignore this painstaking requirement you can be sure you'll pay the price, either in real terms or in time-draining dispute at your next audit. Essentially, every exempt PVU count in your environment needs to be categorised as such, meaning instances that are to be excluded from PVU counts (which depending on the License Terms are likely Developer, DR, or Test installs) need to be individually identified via this (ongoing) activity.

3. Unrecognised Bundling

As a follow-on to the Software Classification issue above, you'll then likely notice that where you have installed Supporting Programs on a different server - where entitled to do so under the License Terms - the program will magically form part of the PVU count, ie. bundling is not recognised across servers. So once again you'll need to identify these instances and exclude them from the relevant count, making sure you add comments to qualify the classification.

4. Reallocation High-Water Marks

So you dutifully maintain your vCPUs to your level of entitlement, which, as you're permitted to do, includes the occasional reallocation across servers to match processing and performance needs. Given you've balanced the core counts out all is good - right? Well ... no, ILMT will track the high-water mark for each server in the 90-day reporting period, so for example taking a core from a 4 vCPU server to assign to a 3 vCPU server will see both reporting as 4 vCPU servers for that period.
To be in a position to challenge this make sure you have or take - and keep - separate records that evidence the reassignment of cores to negate any double counting.

5. Ghost Decommissioning

Similar to the above, you might think that decommissioning one server to deploy another would be quite within your rights as long as you (as always) don't exceed your level of entitlements. Well ... no, the decommissioned server will also report within the same 90-day period as the new server - potentially a bigger problem than the issue with high-water marks. So again you'll need to either classify the server accordingly, or ensure you have the right artefacts to contest any double recognition, or both.
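
A simplified model of the effects described in tips 4 and 5, added here as an illustration (it is not ILMT's own algorithm, nor code from this site): it compares the sum of per-server peaks in a reporting window with the true simultaneous peak, and lists the servers you would need separate evidence for. The server names, dates and allocation log are constructed, and the 70 PVUs per core rating is an assumption borrowed from the figure quoted above.

```python
from collections import defaultdict
from datetime import date

PVU_PER_CORE = 70  # assumption: the example rating quoted in the article

# Constructed change log: (effective date, server, vCPUs from that date; 0 = decommissioned)
ALLOCATION_LOG = [
    (date(2020, 1, 1), "app01", 4),
    (date(2020, 1, 1), "app02", 3),
    (date(2020, 2, 10), "app01", 3),  # tip 4: one core moved from app01 ...
    (date(2020, 2, 10), "app02", 4),  # ... to app02 on the same day
    (date(2020, 3, 1), "app02", 0),   # tip 5: app02 decommissioned ...
    (date(2020, 3, 1), "app03", 4),   # ... and replaced by app03
]


def snapshots(log, start, end):
    """Return [(date, {server: vcpus})]: the state at window start and after each change day."""
    by_date = defaultdict(dict)
    for when, server, vcpus in log:
        by_date[when][server] = vcpus  # same-day changes are applied together
    state = {}
    for when in sorted(d for d in by_date if d <= start):
        state.update(by_date[when])    # allocations already in force when the window opens
    result = [(start, dict(state))]
    for when in sorted(d for d in by_date if start < d <= end):
        state.update(by_date[when])
        result.append((when, dict(state)))
    return result


def reconcile(log, start, end, pvu_per_core=PVU_PER_CORE):
    """Compare the high-water-mark view with the real simultaneous peak for one window."""
    snaps = snapshots(log, start, end)

    # High-water mark: each server is counted at its own peak within the window.
    peaks = defaultdict(int)
    for _, state in snaps:
        for server, vcpus in state.items():
            peaks[server] = max(peaks[server], vcpus)
    reported_cores = sum(peaks.values())

    # What was actually allocated at any one time across all servers.
    actual_peak_cores = max(sum(state.values()) for _, state in snaps)

    # Servers counted above their closing allocation: keep reassignment or
    # decommissioning records for these to contest the double count.
    final_state = snaps[-1][1]
    needs_evidence = sorted(s for s, p in peaks.items() if p > final_state.get(s, 0))

    return {
        "reported_cores": reported_cores,
        "actual_peak_cores": actual_peak_cores,
        "overstated_pvu": (reported_cores - actual_peak_cores) * pvu_per_core,
        "needs_evidence": needs_evidence,
    }


if __name__ == "__main__":
    # 90-day window starting 1 January 2020
    print(reconcile(ALLOCATION_LOG, date(2020, 1, 1), date(2020, 3, 30)))
```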

... a lot of overhead right? 

Yes.

And that's where a secondary source of truth can prove essential ...


Invoke your BCP, stay compliant.

28/3/2020


As the effects of Covid-19 and advice to isolate sees many workers staying home, compliance can be an after-thought

... and later,

a big problem.

The world is certainly a different place than it was just weeks ago. From what was a normal day's work to stay-at-home advisories, self-isolation and lock-downs, business and workers face enormous challenges.
In such adverse times it's not possible to predict what the landscape will look like in the months ahead, but with the unfortunate loss of jobs and closure of businesses all we can know is that it will be a dramatically different place.
Those that can and do keep operating are an imperative for the economy, both now and through recovery, and whilst it would be reprehensible of vendors to audit companies when the corner is turned, there are those that inevitably will still do so.
So while there is much to contemplate and deal with in just keeping your business running, a quick check on some basic principles could avert some later issues. Consider some of the most common licensing pitfalls with typical BCP scenarios:

Working From Home

Working from Home means mobility - if you are allocating laptops and notebooks be wary of installation or device based licenses, all of which might be overlooked with the rapid deployment of SOEs and new devices. There may even be restrictions on what category of device the software can be installed on, or even where physically it can be used (eg. designated offices or specific geographic locations). Where applicable, check your mobility rights cater for your intended use, and are current (eg. Microsoft SA Benefits).
Remote access can be another minefield where, in the rush to get staff connected, controls that would normally be in place might get overlooked. While solutions like an F5 BIG-IP Edge Gateway provide user based licensing to their own resources via secure VPN, other storefront and virtualisation products such as Citrix Gateway with VDI, if not properly administered, can be at greater risk of exposing applications unintentionally - make sure your access controls (eg. AD Groups etc) are aligned to your licensing, and any additions to those secure groups have corresponding entitlements.

Invoking DR

If you are in the position of having to invoke your DR (or partial DR) things will undoubtedly be more complicated. License transfer rights, powering servers up, or moving capacity from cold to hot can easily lead to overuse. Migrating (or worse, extending) production workload to DR will certainly have conditions and constraints that, if overlooked, will leave you visibly non-compliant at a later date via audit trails such as SCRT or license server logs. Keep appropriate records that will help to mitigate any action you needed to take, and make sure you enable/track license migration alongside any workload you move.
While we'd like to think some leniency would be afforded through these difficult times, keeping a good handle on your compliance position just makes good business sense. 
So stay compliant, but mostly, stay well, and stay safe.

New in ComplianceWare - Hardware

27/1/2020


Announcing ComplianceWare 3.0 with the addition of Hardware Discovery and Inventory

As a logical extension to the extensive Software and Licensing functionality of ComplianceWare we've now added the capability to track Hardware as well. Using the familiar script extract and load process across hardware devices you can now inventory your IT assets by site, view associated attributes, and generate reports based on specific templates.
For companies with sub-entities there is also the ability to create a hierarchy of related sites to provide a holistic view across all assets - a valuable insight into what refreshes might be necessary and coordinated across all sites enabling:
  • optimisation of cost through bulk orders;
  • planning efficiencies for rollout projects;
  • visibility of warranty expiry dates to assist with maintenance programs etc.
Future planned enhancements include the ability to interrogate failure rates to assist in determining which products and models are performing better than others, enabling procurement of least costly and more reliable IT assets.
Want to know more - check out the documentation or contact us for more information.

Clarifying Microsoft 365 On-Premise Rights

7/10/2019


Let's Straighten Out On-Premise Rights Included with M365

A quick internet search is likely to find conflicting views on what on-premise rights you are granted with your M365 Subscription, particularly in relation to server software. Many sites will state that you gain only user access rights with your USL licenses, ie. essentially a CAL license entitlement, and that you are still required to acquire the server licenses for the likes of Exchange and SharePoint.
Simply, that's not correct.
Firstly though, be sure of the M365 Subscription you are dealing with as each will offer different content and scope. The CAL/ML equivalency table of the Product Terms provides a good overview to this:
Picture
Note for example that the common business E3 and E5 plans provide both Base and Additive access rights for Exchange and SharePoint Server. But what about the Server Licenses?
A quick browse through the FAQ of the M365 Site provides the first hint that certain Server software is indeed included:
Picture
But we all know that relying on commentary - even on the Microsoft site - is not enough ...
... so where to?
The Product Terms of course.
The definitive descriptor of Microsoft's Software licensing terms.
While the respective sections covering the likes of Exchange or SharePoint Server software don't provide any clues, the Microsoft 365 section clearly articulates the entitlement (page 57 of the October 2019 document):
Picture
Assuming all of your users are properly licensed (and they should be) your on-premise Exchange, SharePoint and Skype for Business Server installations are covered!
... and that includes back-versions of course under the Universal License Terms part 3 - "Rights to Use Other Versions and Lower Editions".
So no need to True-Up those on-premise Server licenses for Exchange or SharePoint, and who isn't keen for less overhead and more funds right?!

A Revised Approach to Compliance By IBM

29/9/2019


IBM Announces its new "Authorised SAM Provider" Offering (IASP)


While it appears the disgruntled messaging from clients is finally starting to register with some major vendors, a recent announcement from IBM (outlined here by the ITAM Review) by no means makes it an all clear.
We're all for any move to make software licensing compliance simpler, and the IASP program for some large IBM customers might just do that - although by invitation only and accomplished by engaging one of just four designated IBM partners:
  • KPMG
  • EY
  • Deloitte
  • AnglePoint

OKAY, SO WHAT'S THE OBJECTIVE?

In a nutshell, to offer those select few an alternative to IBM's License Reviews by operating a managed service that brings SAM expertise, tools, and knowledge to organisations who are perhaps struggling with those skills themselves - which happens to be exactly what we at Software Compliance have been offering our valued clients since 2016!

HOW ABOUT THE APPROACH?

Once invited, an organisation selects an authorised partner who will then - through a defined scope of paid work - follow the standard licensing compliance process to create a baseline (using ILMT), perform an initial reconciliation, resolve any issues, and implement an ongoing management and control program, all done under an IASP Agreement that must be executed with IBM (covering a term of up to 3 years).

... AND THE BENEFITS?

The major attraction is that any licensing shortfalls discovered in the initial baseline can be resolved at the customer's entitled price without any back-dating of S&S - and - an apparent waiver of any sub-capacity issues (tbc).
... and we all know how problematic (ie. costly) issues in this space can be!
On the surface perhaps an admirable new direction from IBM, but does it really differ to how customers operating under the likes of an Enterprise Services & Software Offering (ESSO) have been treated for the last 10+ years? We think not - baselines were created, shortfalls resolved (albeit perhaps not as transparently), regular reporting was mandatory, etc ... so the only difference seems to be that the customer is required to engage one of just four designated partners.

OUR VIEW?

As with many IT functions, companies are finding that they need help - they just don't have the in-house skills to perform every role, task and responsibility they need to cover.
... nor should they have to.
While the IASP program from IBM targets large, specially invited customers with just 4 select partners, our purpose is to assist all organisations - small, medium or large - with the same goal:
Provide the skills, tools, knowledge and process to solve your software licensing issues.
Contact Us ... (before your Vendors do)

New Sub-Capacity Licensing Directions

5/5/2019


Could the Change to IBM's PVU Core Table Signal a Refreshing SHIFT in Sub-Capacity Licensing?

 While some vendors prefer to wallow in the mire of antiquated and irrelevant licensing regimes others seem to be moving ahead with revised models that provide clarity and ease in establishing your licensing and compliance position.
A case in point - IBM - who flagged a rethink with a shift from the messy PVU to Virtual Processor Core metrics (example in the hyperlink).
Starting April this year the x86 PVU Table has been culled down to just 6 entries with the Intel category now much simplified for the Xeon chipset, basically all determined by the number of sockets at 2, 4, and >4 (with the lower models in the listed ranges remaining at 50 PVUs):
Picture
There is however one complication - Symmetric Multiprocessing Servers - which you need to factor per definition below:
The PVU requirement for the Intel processor technology indicated is dependent on the maximum number of sockets on the server. If sockets on two or more servers are connected to form a Symmetric Multiprocessing (SMP) Server, the maximum number of sockets per server increases. Example: 
  • When sockets on a 2 socket server with 6 cores per socket are connected to sockets on another 2 socket server with 6 cores per socket, this becomes an SMP server with a maximum of 4 sockets per server and 24 cores, and requires 2400 PVUs (100 per core x 24 cores).
Good news from our perspective - anything that removes ambiguity is welcomed (with reference to the linked post at the start of this blog: "oh but you have to count the Physical cores, not virtual, on the Host, in fact all Hosts in the complex, actually in the Data Center, well let's say the Cloud then, so basically ...
... everything, everywhere")

Don't be Caught Out By Oracle DB Feature, Option, and Management Pack Usage

28/4/2019


All might not be what You think - It's time to Check

So all's fine with your Oracle Database - it's been installed for some time now, had a few upgrades, tweaks and tune-ups, you're across your NUP and Processor entitlements, so why have any concerns from a licensing perspective? Well, what about all of those Feature, Option, and Management Packs that lurk quietly in the background - have you checked on the status of those lately?
Picture
You might think there's no need to - nothing's changed, configurations haven't been updated - well, consider setting selections during those updates and upgrades - perhaps revised defaults came into play (depending on version, database options and management packs are installed and many are enabled automatically!)
Worth checking to be certain before that next, friendly ... 'Oracle License Review'.
To facilitate this Oracle provides a script - options_packs_usage_statistics.sql - which enables you to check Oracle Database feature usage, option usage, and management pack usage. The script lists, in two distinct sections:
  • Oracle Database option and Oracle management pack usage
  • Features used by each option and management pack
The script can be run manually on an individual database or you can use Oracle Enterprise Manager Job System to automatically run the script on multiple databases, giving output like the below (with formatting added):
Picture
Now with insight into the actual system settings a simple reconciliation to your licensing / entitlements will give you assurance that everything is in order, or alternatively highlight what needs to be resolved.
A simple task well worth scheduling at least annually.
And it's always good to keep a record for later comparison / compliance requirements (with ComplianceWare you can easily register the output as 'Verification' material alongside your licenses).

– ALERT ADVISORY –

31/3/2019


 ADVERSE VIRTUALISATION TERMS

Could You Be At Risk From Covert LICENSING TERMS?

While some vendors are well known for their hostile terms towards specific forms of virtualisation (consider Oracle with VMware), others are not, slyly waiting for sufficient time to pass before issuing that dreaded ‘license review’ (aka audit) letter, hoping they can trap you with their archaic, antiquated, yet bizarrely enforceable terms that could see you severely punished if you have virtualised systems that fall under these conditions.
Two current protagonists are coming to the fore in this space for their equally aggressive – and global – onslaught, hounding their loyal customers with totally unreasonable findings and outrageous demands for compensation. The problem emerged from the days of licensing physical installations by cores – easily managed when applications ran on their own dedicated servers. With the shift to now omnipresent server farms, be they on-premise or cloud based, terms that have not changed and don’t automatically recognise virtualisation as a means to limit the licensable metric (cores) put you at risk of paying for all of the physical cores in your entire Host estate.
Consider the terms below extracted from the respective vendor agreements:

Micro Focus End User License Agreement

  • MICRO FOCUS® ENTERPRISE DEVELOPER, MICRO FOCUS ENTERPRISE SERVER, MICRO FOCUS ENTERPRISE SERVER FOR .NET, MICRO FOCUS ENTERPRISE TEST SERVER, MICRO FOCUS ENTERPRISE TEST SERVER PREMIUM, VISUAL COBOL® , COBOL SERVER, DATABASE CONNECTORS 
"Server License for CPUs. Licensed Software provided under this License Option gives Licensee the right to install the Licensed Software on a single machine or server ("Host Server"), or one or more Containers on the Host Server, and have the Licensed Software executed by up to the total number of CPUs, Cores, Integrated Facility for Linux processors ("IFLs"), Blades or other processing devices specified for the license in the applicable Product Order ("License Specification"). If the number of Cores is not specified for a CPU in the event a CPU is specified in the License Specification, such CPU shall be considered to be single-Core. A Server License for CPUs license covering all CPUs, Cores, IFLs, Blades and other processing devices that are contained in and/or can be accessed by the Host Server ("Total Processors") is required with all applicable license fees paid, even if one or more of such CPUs, Cores, IFLs, Blades or other processing devices are not accessing or running the Licensed Software. For example, if 32 Cores are the Total Processors on the Host Server, but only 16 Cores are utilized to execute the Licensed Software, a 32-Core Server License for CPUs license is required notwithstanding the fact that 16 of the 32 Cores may not actually be accessing the Licensed Software. Each Core on a multi-core CPU requires a Server License for CPUs license covering each such Core. For example a Host Server with Total Processors consisting of a single quad-core CPU will require a 4-Core Server License for CPUs license and payment of the license fees applicable to all 4 Cores."

OPEN TEXT – ECD Central Processing Unit (“CPU”) Model

Affected products are any of those on your Order Form that have a UOM code of ‘ZA’:
Picture
"Licensing and pricing is based upon the total number of CPU cores present in the computer upon which the ECD Software will operate. The ECD Software is licensed per physical dual-core device (“Dual-Core CPU”). Licensee must purchase an individual Software License for each Dual-Core CPU on which the ECD Software is executed or made available to execute."
If you are in the unfortunate position of running any products that fall into the categories above, act fast. You will need to either move the affected applications to a right-sized physical box (with all of the accompanying issues that presents) or seek to agree with the vendor the appropriate virtualisation terms (and be wary – if they play this type of game that will likely just get their cash registers ringing).
We find it hard to believe that such terms remain in vendor agreements, more so even deemed enforceable. If you've had the misfortune to have gone through such an affront, or think you might be about to, get in touch - we'd like to hear of (or help with) your experience.

Audits - And What To Look Out For

23/2/2019


IT SEEMS AUDIT SEASON HAS STARTED EARLY ...

Revenue outlook must be a concern for a number of large, global corporates going by the number of audits we're aware of already this year - typically they seem to favour the mid to late part of the calendar.
And let's face it, an audit is the last thing you need when you're just getting back to those major initiatives that need focus. Of course often it's that very focus that leads to compliance issues - lacking the necessary oversight and controls in your IT landscape it's not uncommon for BAU changes to cause a world of difficulty - a simple server refresh that introduces more cores, a change in access permissions that broadens the user base, or perhaps just plain old virtualisation.
So what might target your organisation for attention by those loathed 'License Review Teams' waiting out there?
Well the answer is, more than you might think.
Typically something has got you to the top of the list. It can of course be within a common cycle such as at a contract renewal period, or an untimely prompt by one of those independent organisations whose entire income is through specialised and aggressive audits, but if not, what might cause it - and how might you prevent it?
First, consider the common triggers:
  1. The innocuous supply of current state to the vendor (or partner) to scope and price a new project or programme of work;
  2. A Vendor (or partner) who has been involved in one of your projects with access to your systems identifying and reporting a non-compliant situation;
  3. An aggrieved employee aware of compliance issues who has recently left the organisation with a grudge to bear;
  4. Failing to submit a required usage report;
  5. An unfortunate listing with the BSA as a result of failing another recent audit;
  6. Or perhaps just a naive and blissfully unaware employee contacting a vendor to ask for your own contracts or license information because "we don't have a copy".
If any of the above have you a little worried, look for the most telling signal from your vendors of an impending audit - the unexpected communication that your "account team is going through some changes", which is simply a calculated, preemptive move to extricate any history and/or advocacy you might otherwise have had - prepare and get ready!
All of those "but" arguments will get you nowhere - "but we had an agreement", "the account have known it was like this for years", "it was the licensing sold to us", etc etc.
Alternatively, if you're feeling comfortable that you're not under any imminent threat it's still a good idea to take stock and review your position against the common triggers. The best defense is without doubt a robust and competent software licensing function within your organisation that maintains the necessary level of control (and has the added benefit of warding off those vendors who would rather take on an easier, less capable target).
When it comes to licensing and compliance it's good practice to not treat your vendors like 'trusted partners' - keep in mind who they're actually working for, and who's paying their salaries.

So - what to do:
  • Be cautious and restrict the information you provide to your vendors (and partners) - vet it carefully before releasing data that might expose you to further scrutiny;
  • Similarly, if you're letting the vendor gain access to your estate make sure they're only going to get what they need, and even go as far as to add contractual terms that ensure they only use the information they gain for a specific, permitted purpose, not to go back to the office and gleefully expose any failings they may have found;
  • If you have an employee leave on disagreeable terms it would be prudent to delve into their area of ownership and review your license position - resolve any compliance issues as a priority, just in case;
  • Always keep on top of your reporting obligations and ensure usage reports are delivered in full, and on time;
  • And lastly, remind your teams that interaction with your vendors is not something that just happens, nor is it a mandate or the responsibility of all. Instead, it is a specific role for those who are appropriately experienced and are vendor savvy. All communication should traverse this one path to be vetted accordingly, and let's just say that any unauthorised 'open invite to audit' emails to a vendor should be subject to appropriate 'education' (and repeat offenders - reprimands).
Concerns? If you need any help, we're just a phone call away.

2019 - Year of Compliance or Complacency?

1/1/2019


With a New Year ahead it's a good time to reflect on your IT Licensing status and Compliance Position - Are you confident that it's all under control?

While the costs of non-compliance are well documented companies continue to relegate software licensing and compliance to a 'will get to' task sometime in the future. With 2019 now upon us, is it time to perhaps resolve this once and for all?
Start by considering the reasons it's not been addressed as yet, or do you believe it is under control? Ask by whom - the respective teams who manage their software domain? Rarely do we see operational teams have an in-depth and expert understanding of the actual licensing requirements let alone an accurate deployment record. Unfortunately the only time this tends to become apparent is when the auditors roll in and put it to the test.

Or does effective management of IT licensing just seem too vast and perhaps cost prohibitive to implement and maintain? It can seem that way - there are numerous and ever changing products, platforms, and models to complicate the situation, so how do you keep up?
And what about the cost? - yes, Software Asset Management and Licensing Compliance to many executives can seem like an unnecessary spend, much like the early days of Disaster Recovery where the prevailing thinking was typically "why would we spend so much on hardware that's just going to sit idle?". Well compare that to the contemporary thinking today where Service Recovery is a given with any robust application - the spend is seen as a worthy investment, not just additional cost.
At Software Compliance we recognised these factors as the perplexing problems the majority of organisations with broad IT solutions faced, and we decided to develop a solution that would work - and scale - to a vast array of companies, particularly SMEs.
So how did we do it?
First and foremost we developed a tool to enable organisations to capture, contain and maintain that vast amount of software information important to them - their contracts, deployments, and licensing - the tool - ComplianceWare.
Not only does ComplianceWare discover and track your software deployments, but it removes layers of licensing complexity by automatically tallying installations, performing product bundling where appropriate, and providing direct links to vendor licensing information to help you decipher what's relevant - all kept current for you by the team here at SWC.
So if that solves the complexity issue, what about the next inhibitor - cost? 
Again, that was something we were very aware of. While there were existing solutions in the market they are typically high-end, bloated products aimed at large enterprises at a cost to match. We took a different approach - build a lean, cloud delivered, simplified application that organisations could subscribe to based on their requirements, and be there to provide ongoing support and expertise as those ever-changing products and platforms emerge and evolve. All at such a compelling cost you'll wonder why you paid such exorbitant remediation fees in the first place (or perhaps might be about to!).
So as holidays come to an end and we embark on another year it's a good time to reflect and ask yourself, in 2019 will we be:
Compliant!
or
Complacent.
It's not nearly as hard or as costly a problem as you might believe it to be - find out more - get in touch and let's see how we might be able to help you gain more success in 2019.

Ready And Prepared for Oracle JAVA Subscriptions?

16/12/2018


Effective January 2019 Oracle has announced that Java SE 8 public updates will no longer be available for "Business, Commercial or Production use" without a commercial license.

What does this mean to your organisation?

... For Commercial Users (being those "entities other than Oracle Customers that use Java SE for free for business, commercial or production purposes as part of a Java application delivered by a third party or developed internally") Oracle will not post further updates of Java SE 8 to its public download sites after January 2019. If you need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 8 or previous versions you'll need a long term support subscription through Oracle Java SE Advanced Desktop, or Oracle Java SE Suite.
Of course if Java is licensed for use under another Oracle or other third-party license you are exempt. You'd be entitled to ask - what exactly is Oracle's justification for this new charge? Well, simply put, their contention is captured in this statement:
"As the main contributor and steward of Java SE, Oracle is the only company that can guarantee long-term support and updates on a timely and predictable schedule. The Java SE Subscription from Oracle provides access to tools that consistently manage updates, enables enterprises to monitor their own Java platforms, and provides direct access to a specialized Java SE support team"
Where to next? ... What do I need to do??
Assuming you have broad use of Java SE like most organisations - noting the Java Platform, Standard Edition (Java SE) and Oracle Java SE Advanced and Suite products are currently shipping from Oracle in the form of the Java Development Kit (JDK), and Java Runtime Environment (JRE) - you'll need to inventory your entire software landscape to identify what installations you have, under what license. For those that aren't captured by an over-arching entitlement you will need to assess the level of support and currency you are willing to operate.
Put simply, that all means:
  1. If you're comfortable with rolling through six-monthly updates you can do so for free - there will be no additional requirement;
  2. but if you're not, you're going to need to purchase a subscription.
And what's that all going to cost? ... Well the latest Oracle Technology Global Price List (June 19, 2018) states the following under Fusion Middleware:
Picture
... however the literature surrounding the Subscriptions appears to indicate a more reasonable cost profile:
Picture
So with January 2019 looming the priority needs to be getting full clarity of your position:
  • what do I have deployed?
  • what's covered by Oracle or other third-party product licensing?
  • what do I need to do with those installations that aren't?
... and then quantify what that might cost.
It would be fair to predict that Oracle will no doubt scrutinise this space at some point in the near future ... best to be prepared.
... and that's where Software Compliance and our ComplianceWare tool can help ...

Launch of our SWC Partner Program

28/11/2018


READY TO WORK WITH US?
Software Compliance IS OPEN FOR BUSINESS!

As our flagship ComplianceWare tool gains awareness and presence in the marketplace Software Compliance is excited to announce the launch of our new Partner Program!
Available to companies operating across the Australia/New Zealand region this opportunity is designed to leverage and augment capabilities with select IT organisations whose portfolio would benefit from the addition of a packaged offering covering Software Discovery, Inventory, and Tracking, customisable per engagement as a managed or licensed service delivered over the cloud, formulated to give your clients the benefit of the most comprehensive, price competitive solution available!
When you consider all fields and facets of industry face the ongoing issues of tracking software deployments, deriving the best value from their software assets, maintaining license compliance (and let's mention that ol' elephant in the room – responding to audits in a way that properly represents the client's position, not the vendor's), it’s very easy to see how much of a saleable proposition this would be to any organisation.
So if you are looking to develop your business product line further why not partner with a fresh emerging tech that offers a unique solution for that often under-stated pain point for clients - software compliance.
Get on board!

Contact us at partners@swcompliance.com.au – we’d love to talk over options with you.


WINDOWS AND SQL SERVER 2008 END OF SUPPORT

23/9/2018


Extended Support for SQL Server 2008 and 2008 R2 will end on July 9, 2019.
Extended Support for Windows Server 2008 and 2008 R2 will end on January 14, 2020.

With many companies still running programmes of work to migrate from Windows Server 2003 news that the end of ES for Windows Server 2008 is less than 18 months away is sure to cause some angst, and more so if you're also reliant on SQL Server 2008 which ends in 10 months!
What will 'end of support' mean? ... it will mean the end of regular security updates, and with the extent of hacks and attacks going on at any time - and the (legitimately) tough regulatory position on data protection - that would be a concern to all.
Now there are of course some options available at this stage to address this exposure:
  1. If you are an Azure customer, Extended Security Updates will be available for free in Azure for 2008 and 2008 R2 versions of SQL Server and Windows Server to help secure your workloads for three more years after the end of support deadline.
  2. If you run on-premise installations, you will be able to purchase Extended Security Updates for three more years as long as you have Software Assurance or Subscription licenses under an Enterprise Agreement enrollment.
So if it's free for Azure customers, what does it cost if I'm not? ...
75 percent of the full license cost of the latest version of SQL Server or Windows Server, purchased annually to cover only the servers that require the updates.
Ouch.
But wait, there's more. If you happen to run any IBM software under Windows Server, and you also run those servers in a virtualised environment, you need to be aware of an often overlooked limitation under IBM's sub-capacity rules. And that relates to 'Eligible Technologies'.
A quick glance through the regularly updated table by our ILMT development friends could come as a bit of a shock if you happen to still be running Windows Server 2003 - it's no longer an eligible technology - take a look at the snippet below under VMware:
Picture
You can view the entire list here. 
And if it's 'not eligible', what does that mean? Basically that you'll need to revert to manual counting for that environment, and for which IBM provides a particularly onerous method and template as an Excel workbook downloadable here.
So taking the Windows Server 2003 omission as an example it's fair to expect that we'll see Windows Server 2008 drop off in equally quick time. Not only then is there a compelling cost imperative due to Extended Support, but an equally expensive overhead with IBM sub-capacity tracking and reporting as well (remember - you need to generate your sub-cap domain usage quarterly).
Time to act!
Microsoft have an advisory page here that is worth checking which also provides links to their end of support resource center for further advice and assistance. And if you're looking for a better tool than perhaps a spreadsheet for your IBM sub-cap reporting we have just the ticket with our ComplianceWare application - we recommend you check it out here!

SOFTWARE ASSET MANAGEMENT AND ITS ESSENTIAL PLACE IN A WELL RUN ORGANISATION

29/7/2018


The BSA, in collaboration with IDC, release their latest global study:
Software Management: Security Imperative, Business Opportunity.

This revealing June '18 study set out to quantify the volume and value of unlicensed software installed on personal computers across more than 110 national and regional economies, finding that although there has been a global two-point drop in unlicensed software installation rates during the last two years, an astonishing 37 percent of software installed on personal computers is still unlicensed.
Of the six regions encompassed by the study, Asia-Pacific was one of four in which the majority of software deployed on personal computers was unlicensed, representing the largest commercial value globally:
Picture
And while the rates across both Australia and New Zealand have shown a decline over recent years there is clearly still room for improvement:
Picture
Compelling numbers - sure, but how does unlicensed software translate to an imperative to me and my organisation?
The answer can be summed up succinctly in just two words - Savings and Security.

SAVINGS.

IDC estimates that when companies take pragmatic steps to improve their software management they not only boost their bottom line by as much as 11 percent, but can also achieve as much as 30 percent savings in annual software costs by implementing a robust SAM and software license optimisation program.
They also calculated that by improving the software compliance rate by just 20 percent (for example, lowering an unlicensed software rate from 24 percent to 19 percent), an enterprise with annual revenue of $83 million (the average in the survey) could increase profits by an astounding 11 percent. This, along with other benefits stated by CIOs below, represents a compelling reason to adopt a strong SAM practice in any organisation, irrespective of size:
Picture

SECURITY.

In addition to the potential savings, the study highlights that organisations need to consider the security risks of running unlicensed software, in particular the heightened one-in-three chance of encountering malware, with the associated costs potentially more than $10,000 per infected computer, and a combined cost to companies worldwide of nearly $359 billion a year.
While the primary concern relating to malware was the theft of data (46 percent), there were also significant concerns with other key exposures of:
  • unauthorised network access (40 percent)
  • responding to potential ransomware (30 percent)
  • system outages and downtime (28 percent), and
  • the time and cost of disinfecting the network (25 percent).
 
Clearly, minimising malware exposure by avoiding unlicensed use is critical but, even when a company is using licensed software, the study reiterates that having an adequate SAM system in place is still essential.
The study concludes with the very relevant and often overlooked point that robust SAM also helps companies accelerate the transformational benefits they can achieve by migrating to the cloud, by providing the foundational steps necessary to make a smooth transition - think: how can I leverage the value of current software assets without knowing what those assets are?
A timely reminder (and prompt) for those with responsibility across their organisation's commercial software. If you're unsure where to start just get in touch with us here, and if you're lacking the tools necessary to manage your IT landscape take a look at the most cost effective SAM tool on the market - ComplianceWare - here (where you can also request a demonstration login to try it out for yourself as well).

Audit Anxiety

26/5/2018

As the chatter of audits increases around the industry, the range of reaction can be anything from outright fear to mild anxiety, but ... sometimes - enthusiasm!
What, I hear you say - enthusiasm??

Well yes, surprisingly - for those organisations who run a well informed and skilled software / licensing function - it offers the prospect of evaluating just how effective their investment in processes and tools has been, and making any adjustments as/if necessary. Similarly, it provides an opportunity for objective feedback to management in a discipline that is otherwise difficult to gauge - just think - how can you quantify ROI without having a relative measure to report against?
The contrary position - where organisations have no certainty at all of their compliance state - is not a great place to be and certainly does warrant some anxiety. Not only is there the likelihood of remediation (at $$?? cost), but when you don't have a position what can you actually contest? There's no doubt that the 'arms-length' engagement of external auditors allows just that much more vendor independence to put more onus on you the customer - the audit will deliver a straight deployment report, leaving it to you to clarify what might be chargeable, and what might not.
Examples .... development software that might be free, supporting products under one suite that might be dispersed across servers, or even bundles - permitted, but unless qualified by you will still be listed as chargeable installs.
So it's worth considering just where you are on the compliance scale.
Ask yourself these three key questions:
  • Do you have dedicated resources overseeing your software assets?
  • Do you have a current, accurate and accessible record of your entitlements?
  • Do you have the necessary software discovery and inventory tools to keep track of your deployments?
If you do - great! - check that the processes are running as expected and you can take any impending audit on without that gut-wrenching fear and anxiety.
If you're lacking on any front, though, some attention is warranted. Start with ownership - who will be responsible and held accountable for your software assets? Then, how will you keep a current and complete record across it all?
You'll no doubt arrive at the conclusion you'll need tools to help do it all efficiently and effectively, so the question becomes - which tool is right for you? What features and functions do I really need? What price do I then want to pay for it?
The very questions that led us to develop ComplianceWare - our full featured, cloud-based product designed to meet the needs of organisations who don't want those top-end highly integration reliant, distended suites offered by some more well known global providers. ComplianceWare offers just those essential functions in an easy to use web-based application such as software discovery and deployment reporting, customisation via configurations and conventions, and of course a contracts and license repository.
And by delivering just the essentials we can offer a price to match - that is, the most cost effective solution you will find in the market. Try it as a one-off managed service (perhaps even using that audit data you've just been asked to provide) and evaluate on your own estate, or as a term license have access when and as you need it. Take a look at the Documentation or request a Demonstration to find out more, and then we're always here to help you out as needed!

3 Licensing Tips to End The Year

27/12/2017

While these three little snippets might not seem particularly sensational they are worth noting precisely for that reason - they are likely lurking in the background, ready to cost you money when you least need it!
1. IBM License Management Tool (ILMT)
OK, so we all know that under the IBM sub-capacity rules we must produce a report from ILMT every quarter, right? And we know that we must sign and date that record, and keep them all as an artefact that may be required during any audit too, right?

All good, then the tip:
Make sure you have configured ILMT correctly and fully for VM Management.
What's so important about VM Management in ILMT? If not properly configured it will default to 120 PVUs per core, so you could be over-reporting without being aware. How can you tell if it's configured? Firstly, it shows a status on the Dashboard, and secondly, if not configured, servers will be displayed with a serial-like number beginning with 'TLM_VM' or similar.
If you need more information on how to configure just look here.
2. Microsoft Subscription Licensing.
Microsoft in many ways have led the industry in a shift to SaaS offerings backed by subscription based licensing. While this may appear to have a favourable ROI initially, there are other Time-Value commercial components to consider.
Firstly, you need to be aware that your licensing is now not only visible but manageable in real time by Microsoft. So from a commercial perspective there is now no locked-in pricing for the typical 3 year term of an Enterprise Agreement; instead you will see price increases built in year on year in your CPS. Moreover, there is no 'True-Up' benefit whereby you would pay essentially half the cost in the year in which you deployed the product - you now 'reserve' the additional licenses you need to be drawn down, and you start paying from that month onwards.

The tip?
Make sure you consider TVM with subscription changes in your ROI / Cost Comparisons.
And the last tip for 2017 ... a favourite topic here at Software Compliance ... processor to core conversion.
3. No 'unpacking' of Core Licenses
So a quick tally of the number of core licenses across your Windows Server fleet divided by 16 gives you your number of 16 Pack licenses required right?
Wrong! ... A license pack is applied to a server, so where you have say a 12 Core server you need to assign 6 x 2 Core packs - you can't assign 12 from your 16 Core pack, and then apply the other 4 elsewhere. A nasty - and potentially expensive error - if not properly considered in determining your conversion.
And so ends 2017 ... we look forward to a busy and productive 2018 for us all!

Danger? ... Well, Yes.

22/9/2017

As a postscript to the May blog regarding the SAP-Diageo lawsuit that found in favour of SAP a further action has been lodged against Anheuser-Busch Companies in the courts of New York, this time a staggering claim of US$600M (which must be a very confronting scenario for a company running a $150M annual IT budget) alleging license deficiency and misuse as summed up in the Anheuser-Busch Form-20 below: 
On 21 February 2017, SAP America, Inc. (“SAP”) commenced an arbitration in New York against Anheuser-Busch Companies, LLC pursuant to the Commercial Arbitration Rules of the American Arbitration Association. The statement of claim asserts multiple breaches of a 30 September 2010 Software License Agreement (together with related amendments and ancillary documents, the “SLA”) based on allegations that company employees used SAP systems and data—directly and indirectly—without appropriate licenses, and that the company underpaid fees due under the SLA. The statement of claim seeks both reformation of the SLA in certain respects and also damages potentially in excess of USD 600 million. We intend to defend against SAP’s asserted claims vigorously. 
Given SAP's 65,000 customers globally there would appear to be a potential minefield of non-compliance that presents an unenviable opportunity – remedy via lawsuit (with resultant consequences), or go some way to addressing customer issues. SAP have now at least started to clarify and evolve their licensing to accommodate the inherent issue of how broader access by external parties and devices should be authorised, in their words embarking:
“on a journey to move away from user-based licensing to a more transparent and predictable licensing model focused on outcomes related to our customers’ use of the SAP ERP system”.
The fundamental principle though – changes or otherwise – remains that you cannot ignore the simple premise that accessing a system, or the data generated by the system, undoubtedly has a cost attached to it in the form of licensing.
Consider SAP's own definition of ‘Use’, which is the central tenet of the misuse claims:
Use means “to activate the processing capabilities of the Software, load, execute, access, employ the Software, or display information resulting from such capabilities.” Additionally, “Use may occur by way of an interface delivered with or as a part of the Software, a Licensee or third-party interface, or another intermediary system.” Use is defined broadly to cover both direct and indirect access scenarios and any use of the SAP Software requires an appropriate license.

In response SAP identified the three most common indirect access scenarios, for which they have defined new “transparent and predictable” policy, being: (1) order-to-cash (meaning the number of sales & service orders processed by the Software annually), (2) procure-to-pay (meaning the number of purchase orders processed by the Software annually), and (3) indirect static read, as represented below:
Picture
While encouraging to see a major vendor respond to their customers in a progressive way there is no silver bullet – with any installation and any metric there is the potential (or more often likelihood) that changes in your environment over time will generate further exposure.

So whether your organisation runs a $5M or a $150M IT budget, any sizeable investment in software – and the reputation of your company – surely warrants a robust and regular compliance and review program.