The devil is in the details with VMware audits


Author: Roxana Zegrean

It is said that in this world nothing is certain, except for death and taxes. But, as license management experts, we can tell you that software audits are a certainty as well. As virtualization software faces increasing competition and becomes more commoditized in the industry, and as software vendors look for opportunities to boost their sales, audits have also been on the rise. The objective of this white paper is to walk you through all the major phases of a VMware audit and offer advice on how to make sure you're prepared in case of an audit.

Contents

Introduction
Phase 1: Notification
Phase 2: Self-declaration and validation
Phase 3: Closure
What to pay attention to?
Risk Control Strategies
Conclusion

Introduction

It is said that in this world nothing is certain, except for death and taxes. But, as license management experts, we can tell you that software audits are a certainty as well. You might hope and keep your fingers crossed for the publishers to skip your organization, but that's not how it works, and if there is something to worry about, this will definitely not help. Properly managing your software licenses, on the other hand, is the action you would want to take.

Software audits quite frequently reveal license gaps that translate into big amounts of money that need to be paid to the publishers. Oracle, IBM, SAP and Microsoft are usually the most feared publishers in terms of audits. However, VMware should not be ignored either. This is because audits have been on the rise as virtualization software faces increasing competition, becomes more commoditized in the industry, and VMware is looking for opportunities to boost their sales.

One would think that VMware licensing is simple since it is based on CPUs, and the keys are stored on the vCenter server. But when you deal with intricate license metrics, complex IT infrastructure and virtualization, the risk of failing an audit grows every day. The best defense is a strong preparation. Therefore, it is useful to know what the process of a VMware audit entails, what the auditors look for, and to be aware of a few issues around license compliance, and that is what we will cover in this white paper.

A VMware audit will consist of three major phases: notification, self-declaration and validation, and closure.

Phase 1: Notification

You will first receive a notification letter announcing that your organization will be under audit. In the letter, the auditor will describe the overall process and expected timelines (which vary depending on the size of the company). VMware states the following in its audit clause: audit is subject to reasonable notice by VMware and will not unreasonably interfere with your business activities and will not conduct more than one (1) audit in any twelve (12) month period, and only during normal business hours. Typically, either KPMG or Deloitte is selected to conduct the audit on behalf of VMware.

Phase 2: Self-declaration and validation

You are then typically requested to declare your current use of VMware programs, including vCenters, ESX/ESXi hosts, VMs and licenses. High-level questions about your company will be asked: how many locations you have, how you conduct internal audits, how you track licenses (using third-party tools, vCenter, etc.), when you initially deployed VMware in your company, as well as contact information for the auditors.

After the declaration is completed, the auditor will want to validate the information. This can be done in multiple ways depending on the size of your estate, location, and the auditor itself. Data can be collected using your in-house auditing tools, data from directories like Active Directory, or a scan of your network switches for a list of VMware MAC addresses. Keep in mind that you will perform the actual collection of all data, not the auditors, even if they're on-site.

Ideally, the collected information matches the information you have declared. Any discrepancies will need to be investigated and explained. It is good practice to keep track of any changes to the VMware environment after the audit process kicks off, since historical usage logs may also be collected by the auditors.

You should also keep in mind that VMkernel ports (special adapters used by the vSphere host to communicate with the outside world) also have VMware MAC addresses, not just the VMs. Take into account that even if you're over-entitled (you have more licenses than you're using), you'll probably have to justify it, just for them to make sure you're not hiding some part of your installation.

Phase 3: Closure

The outcome of an audit can take two forms: you are either compliant, or you are found to be non-compliant. If the audit finds you under-licensed, the next step is the commercial negotiation. But before entering any negotiations, the organization should review the final report to ensure that the results are correct and, if there is any conflict, to solve it.

Some organizations accept the auditor's verdict on penalties, which can sometimes be a mistake. The settlement always leaves room for negotiations, so you should come with a counteroffer. VMware will have to consider this offer for two reasons:

1. A fast settlement is in their best interest.
2. VMware wants to keep you as happy as possible.

No matter the extent of the non-compliance, it pays to use all your cards. You should not just sit back and passively accept the proposed settlement terms, processes and results. In addition to the financial cost, passivity can result in fishing expeditions that serve to identify additional violations and increased settlement costs. You can negotiate the starting penalty down by offering to implement a SAM solution to prevent further issues, for example.

What to pay attention to?

When performing an audit, VMware is (like any other publisher) usually looking for evidence that your company has installed more licenses than it has purchased. VMware, however, is more concerned with the interpretation of documents. They are looking for any indication that the licenses are not being used in the way they are intended or where they are intended to be used.

Country restrictions

You have to manage the product use rights acquired through the VMware Enterprise Purchasing Program (EPP) and Volume Purchasing Program (VPP), because these VMware licensing agreements require licenses to be used for devices in the country where the license was purchased. You should scope the license in such a way that only devices from a specific location or set of locations can consume it.

Consistent coverage

VMware uses a so-called 'consistent coverage' policy, which means that every functional environment must use the same Support and Subscription Services (SNS) level. For example, if you use VMware for production as well as development and test environments, then all production hosts should have the same support level, and all development and test hosts should have the same level too.

Support status

VMware does not grant rights to any updates, upgrades, extensions or enhancements to the software developed unless you separately purchase VMware support or subscription services.

Sufficient license coverage

VMware requires you to maintain sufficient and accurate records of your use of the software to show compliance with the terms of the End User License Agreement (EULA) that you signed, during the License Term for Software (the period of the agreement) and for two years after expiration or termination.

VMware tools & third parties

You have to make sure you distribute the VMware Tools to third parties solely when installed in a Guest Operating System (an operating system residing on a virtual machine) within a Virtual Machine. You should also ensure that those third parties comply with the terms and conditions of your EULA.

Penalty for non-compliance

VMware has built strong licensing controls into their software, so it's not the most difficult supplier for which to effectively manage software compliance. Their standard End User License Agreement (EULA) provides for audits no more than once per year, with a penalty (fee) to apply if a license gap exceeds 5%, or if the customer materially failed to maintain accurate records of its use of the software.

Risk Control Strategies

It's possible to pass an audit successfully and to actively control the process throughout. In fact, you can get long-term value from this one-time effort with three simple steps:

Take a close look at your Proof of Entitlement

Be it an ordering document, a license agreement or a product guide, you should make sure you have a full understanding of what your rights are, because the more educated you are, the better the position your company will be in. You should also make sure you act according to your rights. Detailed and comprehensive knowledge of your license agreement will help you avoid making costly mistakes with your software licenses. If you want to find out how VMware defines Proof of Entitlement, read our article on this topic.

Be prepared

Prevention is better than cure, so the best thing to do in order to be prepared for a software audit is to conduct a self-audit before the vendor starts an audit. Even if you already have an effective system for managing your licenses, a periodic internal audit tests the reliability of your current software license management policy. This way you also have the chance to fix any issues before a vendor audit. Moreover, if you discover any discrepancies between your software entitlements and your usage, you can act on this information proactively, contact the vendor and work together to solve the problem. This way you avoid the hefty fines and legal issues. An internal audit can also give more insight into how your licenses are being used and, if needed, help figure out how to use them more effectively.

Keep your information organized

Very often we see organizations that have information on their software licenses scattered throughout the company. Software license data should be kept in one place. This makes it easier to keep track of your licenses and it also makes the audit process easier, whether that's done by yourself or with the help of a third party. In addition to that, keeping track of software licenses purchased by your organization helps you to prevent non-compliance and will make license reconciliation easier.

Conclusion

Software audits are an important part of the life cycle for the acquisition and use of software by end users. They might have a significant and often unpredictable cost impact. You will save yourself a lot of time and hassle by starting to take action today to ensure you are compliant instead of waiting for the audit notification to arrive.

About the author

Roxana Zegrean

"Do your best until you know better. Then do better!" - Maya Angelou

Roxana is our software entitlement specialist focused on the education of clients on licensing issues with Oracle, SAP and Microsoft. In her role, she works with customers to assist them in understanding and improving their Software Environment by reviewing their software license agreements and providing them advice regarding legal and financial risks.

Contact Roxana: roxana.zegrean@b-lay.com

We share our knowledge, so you can focus on the facts! If you want to know more about different related license management topics, we have a selection of white papers available through

If you are in need of extra expertise and a structured approach, feel free to contact B-lay. We will help you make software compliance an exciting opportunity to improve your business!

About B-lay

B-lay is a specialist in software license management and provides services around software compliance, software audits, software asset management tools and insight in software spend. Our services offer organizations worldwide insight into the risks associated with software licenses, help prevent license compliance issues and help create considerable cost savings by optimizing their licensing position. B-lay was founded in 2008 and has offices in the Netherlands, Romania and the US.

B-lay BV Maliebaan CG Utrecht The Netherlands info@b-lay.com

B-lay BV. All rights reserved.