What are Software Audits, and Why Are They On The Rise?

Recent years have seen an uptick in software audits, with more companies being asked to provide evidence of licensing compliance. This is largely due to the fact that organizations are now using more software than ever before, with an increasing number of employees working remotely.

Watchdog groups like the Business Software Alliance (BSA) and the Federation of Software Theft (FAST) serve the sole purpose of ensuring the protection of software vendors’ intellectual property. These groups and software vendors are dedicated to discovering and auditing non-compliant organizations every single day with little to no notice. According to Gartner, the likelihood of an assessment for a medium to a large firm over the next two years is predicted to be 40%, which is expected to rise by 20% annually.

But why do software vendors act in this manner? 

Simply put, the main motivator is money. Revenue from software sales fell when the American economy saw a downturn and software expenditures were slashed. Software vendors were forced to hunt for alternative income sources when these profits started to decline. Audit fines and penalties of several hundred thousand dollars to even millions of dollars appeared as lucrative options for these vendors. According to the BSA, 25% of businesses that operate in the US are non-compliant in some way, costing software vendors an estimated $6 billion in the loss. 

 

What is a Software Audit?

A software audit is an assessment of a company’s compliance with software licensing agreements. Organizations that use pirated or unlicensed software can be subject to expensive penalties, including fines and damages. In some cases, they may even be required to forfeit their business’ computers and other equipment. 

 

How Do Organizations Fall Out of Compliance?

 The truth is that conformity is not simple. It involves more than just purchasing adequate licenses. Even techies typically struggle to completely comprehend software licensing laws because they are so sophisticated, and even when they do, modifications to the regulations occur so often that it is challenging to stay up to date. 

Most businesses lose their ability to comply with the rules when they lack proper record keeping and miscomprehend software usage rights. Both parameters are equally crucial to stay in compliance. The first approach is to have clear visibility into your integrated software usage. In the unfortunate case of your company being audited, this can be an added benefit because you will be able to provide records immediately and demonstrate your good faith efforts to adhere to the regulations.

Furthermore, it’s crucial to have an attorney or specialist who excels in contract negotiations. They can elaborate to you how you can lawfully utilize your software, saving you from involuntary non-compliance. Avoid attempting to resolve this on your own, as it is easy to misinterpret or fail to notice crucial facets of software use terms and conditions. For instance, there have been instances where a business has expanded internationally and had staff members using software in other countries. They believed this was acceptable since they had many licenses, but since those licenses were only intended for use in the United States, they were in violation without even recognizing it. 

 

How to Lower Your Risk of Being Audited

  1. Exhibit a Sound Understanding to the Software Auditors 

To show that you have a good grasp of your software agreements, it is crucial that you respond to any inquiries the auditors pose in an efficient and thorough manner. In order to achieve this, you’ll need a workforce in control of the project, a SAM solution in place to oversee your software inheritance, and frequent internal audit findings to get a complete picture of your software assets utilization. 

This is especially true if your business has just undergone a merger or acquisition or if it is a large corporation with numerous branches. Such circumstances will make you prone to disorganization, which in turn raises the possibility of overlooking factors important for compliance.

  1. Stay Prepared

Inform your staff on the importance of software asset management, and prepare a defense plan in case a software inspection occurs. Even if a software audit is conducted, a quick assessment with a few fines will show the software provider that you are not an easy catch. Preparing includes having your licenses in order, appointing a specific person to oversee your company’s software audit, and having an audit defense strategy in place. Knowing what to do will ensure that every software audit of your company proceeds without incident and with the least amount of damage possible.

  1. Be aware of your Software Architecture

Establish an efficient asset life cycle, along with a streamlined procedure to purchase and retire software resources to keep a close check on them. Failure to do this can lead to the acquisition of numerous unnecessary licenses, which quietly drain the company’s IT budget. Keep track of what licenses you have and how many licenses you need so that you can stay compliant. Additionally, make sure that only authorized users have access to your organization’s software. Implement user controls and set up alerts so that you can immediately spot any unauthorized access or usage. 

Often, the majority of software audits search in the company’s Active Directory (AD) to assess compliance. A company’s AD contains all devices and accounts—not just those that are currently in use—that have ever used their software resources. There will be ex-employees in your Active Directory, along with devices that have been gathering dust in the company’s store, and the auditors will claim that each of these entities needs a license.

 

Conclusion 

Monitoring your software resources will cost much less than having them audited. In addition to achieving compliance, successfully managing your software and how they are used also ensure that your software resources are used to their full potential. You may delete shelfware and restructure your agreements to ensure that every software program you have is being successfully utilized. Efficient asset administration has no drawbacks because the added administrative costs will eventually result in equal cost reductions. By making sure all of your organization’s software is properly licensed and keeping track of who is using it and when, you can help your company avoid costly penalties associated with non-compliance.

Bring Your Own License (BYOL) Rules on Third-Party Cloud Providers

Bring Your Own License (BYOL) Rules on Third Party Cloud Providers

Software licensing is ridiculously confusing, and its hyper complexity is not slowing down anytime soon. This confusion can easily lead to overspending, which equates to more money in the software vendor’s pockets, taken at the expense of your company’s software budget. how does overspending occur? One key reason behind our client’s overspending stems from the complexity of Bring Your Own License rules (BYOL) on their third-party cloud providers. 

At MetrixData360, we have helped hundreds of companies save millions of dollars, in this article, we will clear the waters by showing you the steps you can take to mitigate any potential areas of overspending in your software licensing environment.

 

 

 

Rule Change 

Microsoft changed its rules as of 1st October 2019 around how Microsoft products are licensed in 3rd party hosting scenarios.  These changes primarily impact AWS, Google, and Alibaba clouds (although others are affected).  The concept of Bring Your Own Licenses (BYOL) is influenced significantly by these changes.  Before these changes, as long as you had hardware dedicated to your use (i.e., were not using shared infrastructure), you could BYOL now.  With these changes, you may be required to purchase subscription licenses for these products through the hoster (e.g., Windows Servers, Office).  Specific versions may still be licensed via BYOL if licenses were acquired for those products before October 2019 or on a contract still active as of October 2019. 

 

To understand these rights, you must review the Microsoft Product Terms.  Below are the relevant sections: 

 

 

  1. Customers may use the server software on a Licensed Server, provided it acquires sufficient Server Licenses as described below. 

 

A Licensed Server is: 

A Licensed Server means a single Server, dedicated to the Customer’s use, to which a License is assigned.  Dedicated Servers that are under the management or control of an entity other than the Customer or one of its Affiliates are subject to the Outsourcing Software Management clause.  For purposes of this definition, a hardware partition or blade is considered to be a separate Server. 

 

 

The Outsourcing Software Management clause states: 

Customers may install and use licensed copies of the software on Servers and other devices that are under the day-to-day management and control of Authorized Outsourcers, provided all such Servers and other devices are and remain fully dedicated to Customer’s use.  The customer is responsible for all of the obligations under its volume licensing agreement regardless of the physical location of the hardware upon which the software is used.  Except as expressly permitted here or elsewhere in these Product Terms, the Customer is not permitted to install or use licensed copies of the software on Servers and other devices that are under the management or control of a third party. 

 

Authorized Outsourcer means any third-party service provider that is not a Listed Provider and is not using Listed Provider as a Data Center Provider as part of the outsourcing service. 

 

AWS is a Listed Provider.  Next, we need to determine if we have a right to utilize software at the Listed Providers through Microsoft License Mobility through Software Assurance right: 

 

License Mobility through Software Assurance 

Under License Mobility Through Software Assurance (SA), Customer may move its licensed software to shared servers under any of its Licenses which are designated as having License Mobility for which it has SA, subject to the requirements below.  Products used for Self-Hosting may be used at the same time under License Mobility through SA rights, subject to the limitations of the Self-Hosting License Terms.  

 

Permitted Use: 

With License Mobility through SA, Customer may: 

      • Run its licensed software on shared servers;  
      • Access that software under access licenses and for which it has SA, and under its User and Device SLs that permit access to the Products;  
      • Manage its OSEs that it uses on shared servers; and/or  
      • Manage its OSEs that it uses on its servers using software that it runs on shared servers. 

 

Requirements: 

To use License Mobility through SA, the Customer must: 

      • Run its licensed software and manage its OSEs on shared servers under the terms of its volume licensing agreement;  
      • Deploy its Licenses only with Microsoft Azure Services or qualified License Mobility through Software Assurance Partner; and 
      • Complete and submit the License Mobility Validation form with each License Mobility through Software Assurance Partner who will run its licensed software on their shared servers. 

 

License Mobility allows for use on a shared server.  Products that have this right associated with them allow BYOL (as long as you have active Software Assurance).  Next, we need to see if a product has Server Mobility.  For Windows Server: 

 

4. Software Assurance 

 

Windows Server does not include License Mobility rights.  For Windows Server (or any product without License Mobility), this means BYOL is only available for versions that were released before October 2019 and for which licenses were acquired prior (or on active contracts as of October 2019) to October 2019 

 

 

Please refer to the current Product Terms to ensure this info is still accurate as Microsoft makes changes frequently to their licensing rules. 

 

Start Saving on Your Software Licensing

Being able to cut software licensing costs will mean money back into the IT department for smarter and more innovative investments. This can be done by tracking the life cycles of your assets through the successful deployment of an inventory tool (along with someone who can effectively read it), through having a clear understanding of usage during contract negotiations, carefully considering your migration to the Cloud, and by conducting internal audits to ensure compliance.

At Metrixdata360, we can help you cut down your costs to save you from unnecessary drains on your budget and potentially heavy audit penalties. Don’t put off saving money, get your free consultation today!

Information About IBM Licensing

IBM licensing can easily overwhelm you, with so many different definitions and rules, it’s like learning a more complicated and even nerdier version of Klingon.

Where do you even begin?

At MetrixData 360 , we pride ourselves in diving deep into complicated licensing issues and understanding even the most complex scenarios. We often help our clients successfully navigate these complex terms. So, in this blog post we will go through a quick overview of IBM licensing for beginners because despite how it looks, software contracts don’t have to be a confusing affair.

Types of IBM Users

There are many different types of users in IBM’s books:

Authorized User

An Authorized User is someone who is given access to the Program. The Program in question may be installed on multiple computers or servers and the Authorized User can access multiple instances of the Program at once.
As an Authorized User, you are not limited to a single device or a single instance of the program. If I wanted to open a piece of IBM software that I was an Authorized User to on every desktop in my workspace at the same time, I could.

Each Authorized User must have their own separate entitlements in order to access the Program in any manner directly or indirectly, such as through a multiplexing program, device, or application server. Authorized User entitlements cannot be shared with other people unless permanently transferred.

However, some IBM programs license devices so that they are considered users. In which case, any device that “requests the execution of or receives for execution a set of commands, procedures, or applications from the Program or that is otherwise managed by the Program” must be licensed as if that device were a person.

Takeaway Points:

  • Authorized Users can access the Program from multiple computers and can access multiple instances of the Program at the same time.
  • Authorized Users cannot share their entitlements with another person.
  • In certain programs, devices that interact with the program must be licensed as if they were a person.

Concurrent Users

A Concurrent User is defined as any person who is accessing the Program at any given time. A Concurrent User may access the Program multiple times, they still only count as one Concurrent User.

While the program may be installed on multiple servers, what‘s important is that you license your program based on the maximum number of Concurrent Users that have accessed the program.

So, if you have 1,000 employees — 500 working days and 500 working nights — as long as there’s no way they could overlap, then you only need to license for 500 Concurrent Users.

Just like with Authorized Users, there are programs that are licensed so that devices are considered users. Any device that “requests the execution of or receives for execution a set of commands, procedures, or applications from the Program or that is otherwise managed by the Program” needs to be licensed as if it was a person.

Takeaway Points

  • Concurrent User metric is based on the number of users at any given time
  • A Concurrent User can access the program multiple times and still be considered only one Concurrent User.
  • For some programs, devices that interact with the Program will need to be licensed like a person.

Floating Licences

A floating license is connected to either a hostname/ID or a machine’s address.

A Floating License is for a single software product, which can then be shared between team members, with the number of concurrent users not allowed to exceed the number of floating licenses you have.

To use the floating license, you need to have a floating license key, which then any user of the organization can use to access the product at any given time. The server will then respond to the request of the key and then grants access based on the number of licenses the organization has.

A Floating User is a unique person who can access the program in question from a variety of different points, however, to simultaneously access the program from multiple points will require separate entitlements.

Takeaway Points

  • Floating licenses can be shared between users.
  • If the number of users matches the number of licenses the organization owns, anyone else wishing to use a floating license must wait until one of its current users has logged off.

Resource Value Unit (RVU) and Processor Value Unit (PVU)

Resource Value Unit (RVU) is a unit of measurement with which IBM licenses its Programs. RVU Proofs of Entitlement revolves around the number of units of a specific resource that is used or managed by the program in question. Each program has specific RVU entitlements and in no way can you exchange, interchange, or aggregate RVU entitlements with that of another program.

Processor Value Unit (PVU) on the other hand is a unit of measurement used to determine the cost of licensing IBM middleware products, based on the type of processor that is on the server where the software is held.

The number of PVUs required is unique to the specific server and is based on the processor’s technology and the number of processor cores on a chip in the server. It is used for licensing at Sub-capacity, which brings us into our next topic.

Capacity and Sub-Capacity: ILMT and Me

IBM’s Sub-capacity licensing is an excellent way for businesses to save money. Essentially, using a PVU count will allow you to only partially license a server with an IBM product installed on the server. You will only need to license the individual processors that the product will use, based on the number of chips that each processor carries.

However, in order to make sure that the product doesn’t cross that invisible line and is installed across the whole server, IBM makes it mandatory for those using sub-capacity licensing to have ILMT installed.

ILMT is a tool designed to help companies conduct inventory and maintenance of PVU-based software that is licensed at sub-capacity. ILMT is a delicate dance and failing to play by all the rules when it comes to ILMT will leave you being licensed at full capacity during your next IBM software audit:

  • You need to have ILMT installed within 90 days of the first use of products eligible for sub-capacity licensing.
  • ILMT must be maintained and up to date in order to determine consumption. If ILMT is not maintained, not fully or incorrectly deployed across your products, then you could lose your sub-capacity status.
  • You need to generate and keep quarterly reports from ILMT.
  • ILMT also has its limits on the accuracy of its reporting capabilities.

More information about ILMT and IBM Software Audits.

Common IBM Licensing Mistakes

As confusing as IBM licenses its products, it no wonder that there are a few common slips ups people always fall into, such as:

Messing up Sub-Capacity Licensing

Sub-Capacity Licensing proves to be one of the easiest mistakes for IBM customers to fall into. Sometimes customers do not realize they need to have ILMT installed in order to use sub-capacity licensing or if they have ILMT installed it is easily not accurately deployed or not deployed in all the areas it needs to in order to keep your company safe during an IBM audit.

Underestimating the Complexity

This article only covers the tip of the IBM licensing iceberg, with so many licensing types and metrics, it can easily get overwhelming, which is why it is important that you don’t give the management to these licenses to just a single person, or worse yet, a single person who is already has a full-time role.

To effectively get the job done, you’ll need someone who can fully own the project (or a team depending on the size of your company).

Related: Hire a Software Asset Management Expert or Do it Yourself? The Pros and Cons of Each.

Get Your IBM Licensing Under Control

IBM licensing can be a tricky business but as confusing as it can be, it is important to understand these licensing requirements in order to adhere to them to the best of your company’s ability. Of course, there is no shame in feeling overwhelmed because this isn’t a one-person job.

Software asset management, especially for companies of larger sizes, can easily become the full-time job of a team of people.

At MetrixData 360, we’ve helped our clients out of the toughest software related issues, IBM being only one of our major successes. To learn more and find out how we saved one of our clients nearly 20% of their IBM budget, you can check out our IBM page.

Book a Meeting with Our IBM Licensing Specialist

IBM DB2 vs Oracle Database

With a constantly growing IT infrastructure, it is important to know how your company plans on managing data storage and data management. At MetrixData 360, our customers are taking an interest in IBM’s DB2 and Oracle’s Database, although there seems to be a bit of confusion about which one is right for their system. While we are unaffiliated to any software vendor, we aim to empower our customers to make smarter IT spending decisions for their business and so today, we’d like to go over what IBM DB2 and Oracle Database are and some things to consider before signing any contracts around either.

IBM DB2 Databases

IBM DB2 is a collection of relational database management systems (RDBMS). First commercially released in 1983, DB2 offers its clients a means to manage their structured and unstructured data that is stored both on-prem and in the Cloud. These hybrid data management products are powered by AI capabilities to create an efficient means of providing data insights while being both flexible and scalable. It is one of the three most popular databases available in the market today, alongside Microsoft SQL Servers and Oracle’s Database.

Features of DB2

The reviews for this product rank it highly for its ability to work with substantial amounts of data without reducing its performance by any means. Clients also report receiving very little downtime from the product. IBM’s DB2 is praised for its stability, customers reporting that both its hardware and software have proven reliable. DB2 is also proven to have excellent storage capabilities, and claims to be especially SQL server compatible, so if you have experience with similar products, you won’t be starting from square one.

Disadvantages of DB2

Reviews on Gartner from IBM’s clients reveal that the setup of DB2 can be quite laborious and there is a risk that queries would produce the wrong results if the DB2 fails to interact correctly with other products. There is also a learning curve to be found with DB2 and it requires a skilled team for the product to reach its full potential. The tools for queries have also been reported to be a bit lacking.

What is the Future of DB2

In June of 2019, IBM released DB2 11.5, which is praised for its AI capabilities. This new database is powered by and run by AI. The benefits of this can be found in the database’s high-speed queries, and its ability to handle natural language querying, which are styled after search engines and can provide a similar user experience.

Can IBM DB2 be Taken to the Cloud?

IBM does offer a Cloud solution, IBM DB2 on Cloud, which presents tempting features like quick and easy installation, compatibility with Oracle’s database, and even a free tier available if you’d like to try it out – though we always advise caution around free software and exposure to shadow IT. Although reviews have claimed that it lacks the regional options of larger Cloud platforms, so it is always best to check the availability of IBM Cloud capabilities in your particular region, as it could easily influence its overall performance and your user experience.

Oracle Database

Another popular option that many businesses are opting into is the highly reputable Oracle Database. Oracle Database appeared in 1979 with Oracle v2 being marked as the first commercially available SQL-based RDBMS.

Features of Oracle Database

Oracle comes with many wonderful features, such as their high quality support, scalability, and the ability to track sophisticated architecture. It has also been reported to be extremely reliable, with very little down time and applying new instances to Oracle can be relatively painless.

Disadvantages of Oracle Database

Some of the disadvantages of having Oracle as your database is, according to reviews on Gartner, that the system needs an experienced administrator at the helm in order to properly manage it. The product is also very expensive, with the tool proving out of reach for most start-up businesses on a budget.

The Future of Oracle Database

Oracle has been tentatively looking into things like having algorithms embedded directly into microprocessors and integrating big data storage with the data their customers have already accumulated when installing Oracle Database. Oracle’s database also wishes to make its product able to more easily integrate with other products like SQL Server and JSON.

Can Oracle Database be Taken to the Cloud?

Oracle can be taken to the Cloud thanks to Oracle Cloud for Database Management, which offers a variety of features including the ability to easily implement it, easily creating backups and restore processes and easy patching. One of the main appeals of Oracle Database, according to Oracle’s own website, can be found in in the fact that you can move to the Cloud seamlessly, using the same technology that you had on-prem and claiming to have zero downtime during the transition (although reviews have tracked the installation time to anywhere between 2.5-3.5 hours). The product has also been praised in Gartner Reviews for being able to handle a large workload (one review even claims to run a million daily transactions through Oracle). Although, more critical reviews have said that the auto-extend data storage needs to be improved, and the DB monitor alerts are not exactly effective.

Which Works Best for You?

At MetrixData 360, we want you to make as an informed decision as possible about your next purchase with IBM or Oracle as both have reputations of frequently auditing their customers’ compliance with their difficult to read contracts. It is important that you get a fair deal that best suits your business’s unique software profile. At MetrixData 360, we have saved our clients millions of dollars through successful contract negotiations with IBM, Oracle, Microsoft, and Adobe, just to list a few of the vendors that we have handled in the past. Get the Software Contract Negotiation Experts on your team and save big on your next software contract.

IBM Software Audit: How to Prepare a Defense and Handle it Like a Pro

IBM Software Audit: How to Prepare a Defense and Handle it Like a Pro

An IBM Software Audit can be an utterly grueling experience. While there is no way to completely eliminate your risk of incurring an audit from IBM as long as you have their products, being prepared for an audit, should one occur, is your best means of defense. We at MetrixData360 have helped countless clients prepare for an IBM audit and successfully defend themselves against IBM auditors. Here are our recommendations for making sure you’re properly prepared for your IBM audit.

Our Process and Recommendations:

Have a Non-Disclosure Agreement (NDA) At The Ready

IBM strives to have an audit engagement with their customers at least once a year as outlined in the terms of their contracts. Due to this, it is advisable to put in place a Non-Disclosure Agreement (NDA) or confidentiality agreement for IBM’s auditor to sign so you can protect the data that will be collected from your environment. This step is essential in every audit situation.

Have IBM’s License Metric Tool (ILMT) Properly Deployed

ILMT comes with many benefits, namely providing you with protection when faced with an IBM software audit. To summarize, IBM’s License Metric Tool (ILMT) is a software asset management tool freely available to IBM’s customers that is used to monitor consumption of IBM’s products.

It is compulsory for any customer who wishes to benefit from IBM’s sub-capacity licensing and its primary function is to make sure a customer is within compliance and using the products efficiently.

Most organizations do not adequately configure, manage, or maintain their IBM License Metric Tool (“ILMT”) and are relaxed about Sub-Capacity (“SC”) reporting. The current IBM Passport Advantage Agreement (“IPAA”) relevant language is:

“For Sub-Capacity usage of EPs, Client agrees to install and configure the most current version of IBM’s license metric tool (ILMT) within 90 days of Client’s first Sub-Capacity-based Eligible Sub-Capacity Product deployment, to promptly install any updates to ILMT that are made available, and to collect deployment data for each such EP”

“Reports (generated by ILMT or manual if Client meets manual reporting exemptions) must be prepared at least once per quarter and retained for a period of not less than 2 years. Failure to generate Reports or provide Reports to IBM will cause charging under full capacity for the total number of physical processor cores activated and available for use on the server.”

Not having ILMT puts a huge target on your back for a software audit from IBM as it will make IBM suspect that you have no way of tracking your consumption without it. Unless you meet the criteria that exempts you, you will have to license all IBM products under Full-Capacity terms if you don’t have ILMT.

Organizations that fail to meet their contractual obligations will have an IBM Licensing conundrum. Not meeting these obligations exposes your organization to IBM’s Full-Capacity (“FC”) licensing, which bloats the Processors Value Units (“PVU”) and consequently exposure to financial risk.

If you are found to have IBM’s software that has been deployed for 90 days and it doesn’t have ILMT on the same virtual server, then it is no longer eligible for Sub-Capacity licensing. If it is not licensed at Full-Capacity either, then it can be subject to heavy penalties. This is where many IBM customers find compliance issues during a software audit.

 

IBM Virtual Host Server Core Diagram

Here is what an example of what this would look like:

The Road to IBM Audits are Paved with Good Intentions

It’s our experience that most organizations have intentions to abide by their contractual agreements; however, those intentions rarely manifest into reality. Some notable reasons for this are:

 

    • Shifting Sands: IPAA is ever-changing, and the standard agreement does not need two-party written consent to have the language. Thus, the agreement you reviewed when you entered into the contractual relationship with IBM is not the agreement you have now.
    • Effort vs. Reward: ILMT is only required for IBM’s Processor Value Units (“PVU”) and Resource Value Units (“RVU”) to gain Sub-Capacity rights. IBM has hundreds of other licensing metrics that require manual efforts outside of ILMT. Thus, operationality can at times become perceived as a lower priority or value.
    • Technical Complexity: ILMT was not designed with simplicity as a guiding principle. The installation, configuration, maintenance, and management require technical knowledge as well as dedication. Thus, most organizations may use the initial installation; however, ongoing maintenance and operation are forgotten.

Don’t Expect ILMT to Protect You from Everything

Even if you have ILMT, that doesn’t mean that you are safe from compliance issues during an IBM Software Audit. In fact, many companies experience a lot of technical issues surrounding ILMT’s deployment. For instance, you could be subject to any of the following issues that can result in the loss of your sub-capacity eligibility:

  • Not generating and properly keeping quarterly reports from ILMT
  • Having an outdated version of ILMT
  • ILMT agents can fail when it comes to agent scans and capacity scans because of incompatibility, lack of disc space, or credential issues
  • If you want to selectively deploy ILMT to only servers with IBM products on them, then ILMT might come across issues detecting and identifying which servers to monitor. Anything that is missed will lose its Sub-Capacity eligibility.
  • Having any IBM products deployed on Operating Systems that ILMT doesn’t support
  • ILMT can easily struggle with accurately bundling unique software signatures for reporting. To do this successfully requires knowledge of your specific license restrictions and entitlements.

Failure to remain compliant simply because of technical issues regarding ILMT may open a company up to the possibility of a concession regarding the adverse findings but such a case would be difficult to achieve since it is reliant on a number of factors.

These issues include when you first tried to deploy ILMT, if IBM support was ever contacted, if ILMT was set to deploy over your entire estate or simply over IBM’s products, if problems with ILMT were reported and how much effort you put into solving the issue.

For more information on IBM’s ILMT, you can check out our article: IBM ILMT: Everything You Need to Know.

Expect Either KPMG or Deloitte to be Involved

 

Software vendors each approach software audits a little differently. Some have an internal audit team, but IBM outsources the project to either KPMG or Deloitte. However, simply because the auditors are a third-party does not mean that they are neutral.

IBM hired them to find compliance gaps in your infrastructure, so they will take the worst-case scenario as reality when given the chance to make assumptions. Since they are outsourcing the project, you can (and should) have a Non-Disclosure Agreement (NDA) with the auditors so that neither your data, nor the estimated licensing position (ELP) that the auditors come up with can go to IBM without your approval first.

This will play to your advantage because the wide array of confusing and complex IBM products and their licensing will almost ensure that the initial ELP that auditors come up with will be far from an accurate depiction of what you actually owe.

If You’re Found Out of Compliance, Expect to Pay Retroactive Maintenance Fees

IBM sends out their audits roughly every four years. As nice as it may sound not having to worry about having auditors at your door every year, if you are found out of compliance, not only will you have to pay for your missing licenses, you will also have to pay retroactive maintenance fees going back years.

Watch Out for IBM Licenses Changes

You can expect IBM to change up their license metrics when they acquire a new software company or release new versions of their existing products.

IBM will continue to take maintenance fees based on old licensing models, so don’t let the fact that they are still taking your company’s money be any indicator that you are adhering to the correct licensing model. 

If you have an arrangement that allows for licenses to be used on an unlimited basis, you could very easily lose that privilege after IBM acquires the product and releases the first upgrade after the acquisition. So it is important you keep up to date on any industry updates concerning IBM and what that could mean for your company.

Preparing Your IBM Audit Defense

IBM is a massive company with complex products that can prove a challenge to keep track of but that doesn’t mean it is impossible to keep on top of your IBM licensing. Being prepared will keep you from potentially paying out expensive auditing penalties and losing your Sub-Capacity eligibility.

At MetrixData 360, we know how to defend our clients when they are facing off against IBM. They only pay what they actually owe. If you’d like to learn more about how you can get yourself ready for an audit, download our free Audit Risk Checklist today!

 

Take the IBM Licensing Quiz:

If you want IBM licensing professionals handling your IBM assets, take stab at our IBM ILMT Quiz:

Microsoft, Oracle, IBM, and Adobe Software Audits at a Glance

The Top Four Software Vendors Sending Out Software Audits

It is likely that your software budget is shrinking yet your software vendors are looking for you to spend more money with them every year. When software companies can’t get the revenue they expect from you, they will often turn to software audits as a way to make up the difference. Software audits are many things: stressful, frustrating, leave you thinking that living in a cave, herding goats might have been an easier career path. But for the software publishers’ audits are quite profitable, and they have come to exploit this as a way to make their annual revenue growth targets.

Gartner has said that there is a 60% or greater chance that enterprises will be audited by at least one software publisher in any given year. The best way for you to handle the rising tide of software audit requests is by knowing your software environment and performing routine health checks to uncover areas of exposure. We cover the top areas where a company is exposed to in a software audit in our article Software Audit Preparation: What You Need to Know.

The Biggest Companies Performing Software Audits Are:

  • Microsoft
  • IBM
  • Oracle
  • Adobe

At MetrixData360, we have extensive experience working with all of these vendors, and we know how to handle an audit from each. In this post we’ll discuss some of the things you need to know about each of the software vendors and how to handle them during a software audit.

Microsoft Audit

Microsoft often claims that their audits are simple, short, and painless. In our eight years of defending companies during their software audits, we’ve yet to see a Microsoft audit that has matched this description.

Instead, we have seen audits that take almost 18 months to finalize as customers try to dig through rising mountains of data that are required as part of a Microsoft Audit (or SAM Engagement). Here are just a few tips for dealing with a Microsoft software audit:

    • SAM Audit or Review?

From our experience, Microsoft can either offer you SAM reviews or audits. SAM reviews are technically optional but refusing will likely result in getting audited. For a full breakdown of the difference between a Software Audit and a SAM review, visit our post Software Asset Management (SAM) Review vs Audit: What’s the Difference?

    • Respond to Your Vendor

We are often asked if you need to respond to an audit or a SAM letter. The short answer is yes, it is highly advisable that you respond to both. Not responding to a software audit, can find you in breach of your contract and leave you facing potential legal ramifications and hefty fines up to $100,000 USD. Although you could technically refuse a SAM Engagement, you could also find yourself running the risk of being in breach of your contract.

It has been our experience that refusing a SAM review will often result in Microsoft responding by sending you a full audit that you can’t refuse. Therefore, it would be more beneficial for you and your company to negotiate with Microsoft to perform a self-assessment as opposed to having a Microsoft partner perform the audit. A SAM engagement will be nearly identical to an audit after the data collection stage has begun and you will struggle to see the difference between the two processes until the negotiation stage has been reached.

    • Software Reviews vs Software Audits

The real difference between a SAM review and an audit can be seen when examining the penalties of each and how they are resolved. In a SAM review, you will be allowed to purchase your missing licenses at your contracted prices or at your historically discounted rate. In an audit, on the other hand, Microsoft has the right to charge any shortfalls at List Price in addition to a 5% penalty, although this may vary depending on your contract.

    • Paying For An Audit

Another difference between a SAM review and full audit appears when asking who will pay for the whole process. Microsoft will pay for the cost of the SAM engagement themselves whereas in an audit if you are found to be greater than 5% out of compliance you will be responsible for paying for the audit yourself in addition to any penalties you are incurred during the audit.

IBM Audit

IBM audits can be especially tough, since many of their license metrics require you to accurately have installed their ILMT tool in order to effectively capture your estimated license position (we have found that the majority of IBM’s customers have not done this correctly). Here are some things to consider that can help in the case of an IBM audit:

    • True Up Costs

Once your software audit has concluded, IBM will often let you settle at your discounted price with an additional fee for the maintenance that was used for the upkeep of the product when it was unlicensed.

    • Watch For Licensing Changes

IBM is also prone to make licensing changes which can apply to a wide range of their products in the wake of acquiring a new software company to their profile or releasing new versions of their software. When these events occur, be sure to look at your licenses with IBM to check for relevant updates.

    • Properly Set Up and Use ILMT

Our CEO Mike Austin says that you need to understand ILMT and how it works to effectively manage most IBM Software Audits.
According to Mike, “IBM isn’t typically auditing their Passport Advantage program, they are going after the complexity of sub-capacity and PVU based licensing. In order to pass an audit if you are licensing at sub-capacity, you need to have ILMT up and running. You will also need a have a history of reports. Installing and configuring ILMT is tricky and not many companies have done it correctly. In a lot of our work around IBM Audits, we are fixing ILMT reporting before we even start the work of defending an audit.”

    • ILMT Does Not Hold All The Answers

However, installing ILMT doesn’t mean you are 100% safe from IBM’s audits, you can still be found out of compliance.

    • Avoid Scope Creep

Our IBM Audit teams says to make sure you define the audit scope, as IBM is quite notorious for scope creep. You will want to ensure you know which products and contracts are included (and excluded) from the audit.

    • Put The Onus On IBM

You need to get an agreement with IBM (not the reseller- they can’t promise this) stating that IBM will take on the responsibilities to ensure that the product being deployed is correctly licensed. If they fail to then deploy ILMT after such a deal has been reached, then it might be possible to get a concession during an audit.

    • Defend Yourself With Data

Even if IBM doesn’t take responsibility for the licensing of deployed software, you might have a case to circumnavigate adverse findings that can come up due to ILMT’s failures, if you can collect historical system-generated reports that demonstrate the following things:

1) the processor resources that were allotted to the VMs running the PVU-licensed products have been or are capped and are not subject to any automated augmentations-based on system demands and

2) the historical usage of these products never exceeded licensed levels. However, this data has proved difficult for companies to obtain in the past.

Oracle Audit

From our observations, Oracle Audits incur the largest compliance findings typically. We’ve dealt with Oracle many times in the past, and here are some things you should know about how Oracle conducts their audit.

    • Only Pay For What You Use

According to the ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions, for Oracle, the installation of software and the licensing of that software are two different events, with the exception of Database Enterprise Editions, so be careful when initially deploying software as it will likely be the cause of issue during an audit. For example, Oracle optional features, such as RAC, get turned on by default when installing databases, these options may only be licensable if you actually use them, not if you have them installed. This is a subtle difference, but it can have a profound impact and it is an area that is often found as being licensable by LMS. However, we have often found that it can be negotiated out with usage data.

    • Oracle Software Review vs Oracle Software Audit

Oracle has Oracle License reviews and Oracle License audits. These are the exact same thing – “review” just sounds friendlier. Both should be treated with the same level of severity.

    • Understand Your Contract

According to Scott & Scott, LLP’s article, Seven Lessons I Learned Representing Clients in Oracle Audits, take extra care to understand Oracle’s policies around usage. Since many of Oracle’s policies will not be included in the license’s documents, there tends to be a lot of confusion generated around this topic. Some areas that produce the largest findings in an Oracle Audit are VMWare and Oracle’s policy stating that all Processors in a cluster must be licensed. This policy has caught many organizations off guard and is the crux of the major lawsuit between Oracle and Mars Corporation.

    • More Gaps Cost More Money

As with Microsoft, if you are found out of compliance on a Oracle Audit you will have to cover the expense for the audit.

    • Use Your Own Tools

Our Oracle Audit Experts state that you are not required to use Oracle’s scripts to collect your data, especially if you have your own methods in place for gathering your data. LMS will try very hard to get you to use their scripts. We recommend, however, that you use your own processes first, if possible.

    • Tools Are Only As Good As The People Using Them

ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions, states that Oracle has several approved SAM tools like Lime Software, Easyteam, BDNA, Hewlett-Packard, Flexera Software, Nova Ratio, and iQuate. However, these tools only collect raw data and won’t provide you with the interpretation of that data which will tell you what you need to license. Therefore, just because you have Oracle-approved tools, it doesn’t mean you’re completely safe in an Oracle audit.

    • Get A Paper Trail

In all audits, but especially ones with Oracle, it is highly recommended that you get a closing statement to close out the audit (indemnification is the most ideal). This is especially important with Oracle, as they are a very litigious vendor. You will be happy that you have a closing statement in case the audit ever goes to court and your company’s reputation is suddenly on the line.

Adobe Audit

Compared to the other heavy hitters, Adobe’s software audits can seem like little more than a friendly reminder. However, Adobe’s products can be quite expensive, so it’s important not to let this vendor slip from your mind. Here are some tips about Adobe licensing:

    • Friendlier, But Not Friendly

According to a study released by Gartner in 2016 and presented in their article What Does an End to Adobe Auditing and License Compliance Activity Really Mean?, Adobe has steadily moved away from auditing their customers, focusing instead on their Software as a Service platform and subscription-based licensing. That does not mean your company no longer has to deal with compliancy risks from Adobe, as Adobe still maintains the right to verify compliancy, giving their customers 30 days to provide data to ensure proper usage.

    • Buy What You Need, Not What You Want

The Gartner article also states that with a focus on SaaS and the subscription-based nature of Adobe, along with the lack of an “off-switch” for Adobe products, the main focus of Software Asset Management when it comes to Adobe should be proper sizing and monitoring usage.

    • For Adobe, It’s The Little Things That Count

According to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe monitors their customers differently from other vendors. Where Microsoft, Oracle, and IBM are interested in unlicensed software, Adobe is more interested in the protection of their intellectual property and making sure their product is used correctly. Are you correctly licensing any fonts with Adobe? These small questions can accumulate if they are not properly answered.

    • Adobe Does It Themselves

TechRepublic’s article also states that Adobe performs their own compliance verification review as opposed to hiring a third-party auditor, which can either be good or bad depending how far out of compliance you are.

    • Watch For Creative Suite License Changes

One best practice we advise our client’s to adhere to when dealing with Adobe says that you will have to pay particular attention to Creative Suite, as it is prone to change almost every year and these constant updates make it difficult to keep track of products. It will often leave programs as obsolete and the licensing for it makes it difficult to understand what is truly needed.

    • Upgrade Licenses Can Downgrade Your Compliance

Finally, according to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe also has no program in place to account for upgrades. Upgrade licenses, therefore, can sometimes stretch back several years – so, keep track of how far back these licenses go and be sure not to leave yourself over-confident (don’t forget that sometimes you can only go back three versions – so tracking that can also be very difficult).

How MetrixData360 Can Help

Software audits have been known to put a strain on any company’s software budget, so knowing about the software vendors that tend to resort to such methods will leave you with a better knowledge of what to expect. At MetrixData360, we believe that you should not have to pay the software vendors more than what you owe them, so it’s important to invest in software asset management long before you’re confronted with a software audit. By clicking the button below, you will be taken to our audit services page, where you can learn more about how we can help you survive a software audit.

IBM ILMT: Everything You Need to Know

It can be a struggle to manage your licenses when your software estate reaches a global scale and has hundreds, if not thousands, of users. When dealing with IBM licensing there are a number of license metrics that you need to manage including both Processor Value Units (PVU) and Resource Value Units (RVU).  In highly virtualized environments, IBM will license PVU and RVU based on Sub-Capacity, something that most other software tools do not measure.

IBM’s ILMT is an excellent way to monitor Sub-Capacity environments but, while ILMT is an added feature to many IBM purchases, what is it good for? And should you be concerned now that IBM has sold the product to HCL? At MetrixData 360, we have spent many years helping our clients manage their IBM software licensing environments, including their ILMT, so in this blog, we’ll go into what ILMT is and its advantages and disadvantages to you as an IBM customer.

What is PVU Licensing?

Processor Value Units (PVU) were first brought out as a new licensing metric in 2006 and can be described as a license metric that uses the type of processor and number of cores that are available to the product as the key factors to determine the number of licenses that you need to purchase. IBM defines processors by the number of cores that are on the chip itself.

This definition is distinctively different from the definition given by middleware vendors and a few hardware vendors, who define the processor as simply the chip. A specific number of PVUs depends purely on the processing type. There are two types of PVU licensing types: Full and Sub-Capacity. ITAM’s Using Pizza to explain IBM’s Sub-Capacity describes Sub-Capacity like ordering a full pizza and only eating two slices. You paid for the full pie; the full pie is there should you want to eat it later, but you don’t need it now since you’re no longer hungry. When configuring your processors, some technologies allow you to limit the number of cores that are available to be used by the software. The actual cores may be there, but the software prevents it from being used.

According to IBM, Full Capacity licensing simply means you license all the processor cores that are available to or managed by the program, even if the program doesn’t end up using all of them. Sub-Capacity licensing is based on the highest cores assigned to the application within the virtual machine (VM), not the total number of cores that the physical server has.

Due to this difference, licensing Sub-Capacity usually requires fewer licenses and is, therefore, cheaper than licensing Full Capacity. Most inventory or SAM tools do not keep track of the metrics required to measure and record Sub-Capacity use. ILMT allows you to effectively capture your usage and gives you the ability to calculate your cost for either Full Capacity or Sub-Capacity, giving you the opportunity to pick the option that best suits your software budget.

The Advantages of IBM’s ILMT

Lowers Risk

The only way that IBM will allow you to license with Sub-Capacity is to have ILMT installed and to keep historic usage records.  By doing this, they allow you to utilize Sub-Capacity licensing metrics, and the audit records from the ILMT tool gives an accurate depiction of your license requirements for PVU products.

With IBM’s ILMT, you’ll always be ready for an audit since continual use of the product allows for an in-depth examination of your infrastructure. ILMT allows you to prove to IBM that you are organized and have the data to manage compliance with Sub-Capacity licensing.  Since audits are more likely to be sent to clients when the vendor has reason to believe that licensing and software compliance are not being effectively tracked, ILMT can be viewed as an audit insurance policy. By demonstrating to IBM that you have a system in place to account for your licensing position, it can decrease your chances of being audited in the first place.

 

Displays a Comprehensive Software and Hardware Inventory Management

The licensing metric tool also does an effective job of centralizing your software and hardware inventory. IBM Security explains that by having this data at your disposal, you can cut costs by using the licensing metric that is most cost-effective for you.

With your hardware inventory available to you, you can also have access to important details about your hardware infrastructure, including processor make, model and type, operating system, and the hostname. ILMT can also provide a list of all your virtual servers and VMs that are in public clouds, such as Amazon Web Services (AWS) or Microsoft Azure. This data is useful in the event of an audit but can also serve to help calculate the optimal software costs for your software environment.

Offers Other Features Beyond Inventory Management for Better Software Optimization

Although tracking your hardware and software is its primary usage, ILMT can also perform discovery tasks and report on the hardware in your environment.

ILMT can provide you with quality data on your deployed IBM software including the releases and the versions of various software installed within your IT environment. It also allows you to manage security (updates and patches) of the different IBM products and versions in your environment.

It’s a Free Addition to Your Purchase

There are few words that are sweeter than free. ILMT is free of charge, although it needs to be ordered and included via IBM’s Passport Advantage Site Agreement. Many organizations have come to view ILMT with suspicion, thinking that installing ILMT will mean that IBM will receive reports but ILMT is not a ‘Big Brother’ tool, since any and all reports ILMT creates only goes to the customer.

The Downside to ILMT

Complex Deployment and Maintenance

Going through installing ILMT for the first time is a quick way to learn how laborious and time consuming it can be. It may be a free purchase, but your company will still have to spend working hours getting it up and running. It is critical to ensure that ILMT is properly deployed throughout your software environment, it needs to be monitoring either every piece of IBM software or your entire architecture as it may be impossible to establish the difference. Making sure that ILMT has been properly deployed and making sure its reports (which will serve as ILMT’s most critical feature during an IBM audit) are accurate will be the most challenging part.

Even if the issue remains with ILMT as a product, it will be a very difficult case to defend during an audit, as you will have to prove a number of factors, including that you attempted to deploy ILMT and that you tried to contact IBM tech support concerning the issue.

ILMT is Mandatory for Sub-Capacity Eligibility

The main drawback of ILMT is that it is mandatory if you want to qualify for Sub-Capacity licensing. Sub-Capacity is not automatic after the installation of ILMT, in fact it is tricky to qualify for sub-capacity licensing. Unless you qualify for special exception, you’ll need ILMT installed or have everything licensed at Full-Capacity. If IBM finds that you have software that has been deployed for 90 days or longer and you have neither ILMT monitoring for Sub-Capacity or the software licensed at Full-Capacity, then you’ll be facing massive fines from IBM. You could be at risk of losing your Sub-Capacity eligibility if you are confronted with any of the following problems:

  • Not generating and properly keeping quarterly reports from ILMT.
  • Having an outdated version of ILMT.
  • ILMT agents can fail when it comes to agent scans and capacity scans, because of either incompatibility, lack of disc space, or credential issues.
  • If you want to selectively deploy ILMT to only servers with IBM products on them, then ILMT might come across issues detecting and identifying which servers to monitor. Anything that is missed will lose its Sub-Capacity eligibility.
  • Having any IBM products deployed on Operating Systems that ILMT doesn’t support.
  • ILMT can easily struggle with accurately bundling unique software signatures for reporting. To do this successfully requires knowledge of your specific license restrictions and entitlements.

Technical Issues with making sure that ILMT reaches everything that is licensed at Sub-Capacity and is reporting it properly is where we see a lot of our clients run into problems.

ILMT is also mandatory if you would like to avoid an audit, since if you do not have ILMT effectively installed, IBM takes that as an indicator that you are not properly monitoring your software environment, placing a huge auditing target on your back for later.

Under-Reporting and Over Reporting

Even after the hassle of properly installing ILMT throughout your software environment, your next hurdle is to make sure the data that it’s giving you is even accurate. ILMT can fail to give accurate reports due to network, firewall, or agent problems, which will directly affect your calculations.

On the flip side, with ILMT there is also the threat of over reporting, especially when it comes to bundling capabilities, which means you’ll have to manually correct specific scenarios to get an accurate reading.

HCL and What Does it Mean

Recently IBM sold ILMT along with their BigFix product to HCL.  What this means is that HCL is taking over all support of both products (along with a handful of other products that they purchased from IBM).  ILMT is being integrated into BigFix, which is mostly the same product, but it has different installation and management processes. Although IBM has not stated if ILMT will be the only SAM tool moving forward that allows you to manage Sub-Capacity licensing, we are speculating that IBM will have a certification process for other SAM Tool vendors soon.

IBM’s ILMT can be an effective tool in ensuring your software compliance. IBM is considered one of the heavy hitters in the software industry and their software audits can be quite challenging especially if you are licensing Sub-Capacity and do not have a correctly configured ILMT installation.  It is a recommended best practice that you take the steps necessary to be prepared and perform a self-assessment to assess that your data is organized in order to assure that you have ILMT accurately configured. At Metrixdata 360, we’ve helped numerous organizations with ILMT and have defended organizations in IBM audit, so if you would like to learn if you are exposed to an audit, you can check out our Audit Risk Checklist.