Microsoft, Oracle, IBM, and Adobe Software Audits at a Glance

The Top Four Software Vendors Sending Out Software Audits

It is likely that your software budget is shrinking, yet your software vendors are looking for you to spend more money with them every year. When software companies can’t get the revenue they expect from you, they will often turn to software audits as a way to make up the difference. Software audits are many things: stressful, frustrating, and liable to leave you thinking that living in a cave herding goats might have been an easier career path. But for the software publishers, audits are quite profitable, and they have come to exploit this as a way to make their annual revenue growth targets.

Gartner has said that there is a 60% or greater chance that enterprises will be audited by at least one software publisher in any given year. The best way for you to handle the rising tide of software audit requests is by knowing your software environment and performing routine health checks to uncover areas of exposure. We cover the top areas where a company is exposed in a software audit in our article Software Audit Preparation: What You Need to Know.

The Biggest Companies Performing Software Audits Are:

  • Microsoft
  • IBM
  • Oracle
  • Adobe

At MetrixData360, we have extensive experience working with all of these vendors, and we know how to handle an audit from each. In this post we’ll discuss some of the things you need to know about each of the software vendors and how to handle them during a software audit.

Microsoft Audit

Microsoft often claims that their audits are simple, short, and painless. In our eight years of defending companies during their software audits, we’ve yet to see a Microsoft audit that has matched this description.

Instead, we have seen audits that take almost 18 months to finalize as customers try to dig through rising mountains of data that are required as part of a Microsoft Audit (or SAM Engagement). Here are just a few tips for dealing with a Microsoft software audit:

    • SAM Audit or Review?

From our experience, Microsoft can either offer you SAM reviews or audits. SAM reviews are technically optional but refusing will likely result in getting audited. For a full breakdown of the difference between a Software Audit and a SAM review, visit our post Software Asset Management (SAM) Review vs Audit: What’s the Difference?

    • Respond to Your Vendor

We are often asked if you need to respond to an audit or a SAM letter. The short answer is yes, it is highly advisable that you respond to both. Not responding to a software audit can find you in breach of your contract and leave you facing potential legal ramifications and hefty fines up to $100,000 USD. Although you could technically refuse a SAM Engagement, you could also find yourself running the risk of being in breach of your contract.

It has been our experience that refusing a SAM review will often result in Microsoft responding by sending you a full audit that you can’t refuse. Therefore, it would be more beneficial for you and your company to negotiate with Microsoft to perform a self-assessment as opposed to having a Microsoft partner perform the audit. A SAM engagement will be nearly identical to an audit after the data collection stage has begun and you will struggle to see the difference between the two processes until the negotiation stage has been reached.

    • Software Reviews vs Software Audits

The real difference between a SAM review and an audit can be seen when examining the penalties of each and how they are resolved. In a SAM review, you will be allowed to purchase your missing licenses at your contracted prices or at your historically discounted rate. In an audit, on the other hand, Microsoft has the right to charge any shortfalls at List Price in addition to a 5% penalty, although this may vary depending on your contract.

    • Paying For An Audit

Another difference between a SAM review and a full audit appears when asking who will pay for the whole process. Microsoft will pay for the cost of the SAM engagement themselves, whereas in an audit, if you are found to be greater than 5% out of compliance, you will be responsible for paying for the audit yourself in addition to any penalties you incur during the audit.

IBM Audit

IBM audits can be especially tough, since many of their license metrics require you to have accurately installed their ILMT tool in order to effectively capture your estimated license position (we have found that the majority of IBM’s customers have not done this correctly). Here are some things to consider that can help in the case of an IBM audit:

    • True Up Costs

Once your software audit has concluded, IBM will often let you settle at your discounted price with an additional fee for the maintenance that was used for the upkeep of the product when it was unlicensed.

    • Watch For Licensing Changes

IBM is also prone to make licensing changes which can apply to a wide range of their products in the wake of acquiring a new software company to their profile or releasing new versions of their software. When these events occur, be sure to look at your licenses with IBM to check for relevant updates.

    • Properly Set Up and Use ILMT

Our CEO Mike Austin says that you need to understand ILMT and how it works to effectively manage most IBM Software Audits.
According to Mike, “IBM isn’t typically auditing their Passport Advantage program, they are going after the complexity of sub-capacity and PVU based licensing. In order to pass an audit if you are licensing at sub-capacity, you need to have ILMT up and running. You will also need to have a history of reports. Installing and configuring ILMT is tricky and not many companies have done it correctly. In a lot of our work around IBM Audits, we are fixing ILMT reporting before we even start the work of defending an audit.”

    • ILMT Does Not Hold All The Answers

However, installing ILMT doesn’t mean you are 100% safe from IBM’s audits; you can still be found out of compliance.

    • Avoid Scope Creep

Our IBM Audit team says to make sure you define the audit scope, as IBM is quite notorious for scope creep. You will want to ensure you know which products and contracts are included in (and excluded from) the audit.

    • Put The Onus On IBM

You need to get an agreement with IBM (not the reseller; they can’t promise this) stating that IBM will take on the responsibilities to ensure that the product being deployed is correctly licensed. If they fail to then deploy ILMT after such a deal has been reached, then it might be possible to get a concession during an audit.

    • Defend Yourself With Data

Even if IBM doesn’t take responsibility for the licensing of deployed software, you might have a case to circumnavigate adverse findings that can come up due to ILMT’s failures, if you can collect historical system-generated reports that demonstrate the following things:

1) the processor resources that were allotted to the VMs running the PVU-licensed products have been or are capped and are not subject to any automated augmentations based on system demands, and

2) the historical usage of these products never exceeded licensed levels. However, this data has proved difficult for companies to obtain in the past.

Oracle Audit

From our observations, Oracle audits typically incur the largest compliance findings. We’ve dealt with Oracle many times in the past, and here are some things you should know about how Oracle conducts their audits.

    • Only Pay For What You Use

According to the ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions, for Oracle, the installation of software and the licensing of that software are two different events, with the exception of Database Enterprise Editions, so be careful when initially deploying software, as it will likely be the cause of issues during an audit. For example, Oracle optional features, such as RAC, get turned on by default when installing databases. These options may only be licensable if you actually use them, not if you merely have them installed. This is a subtle difference, but it can have a profound impact, and it is an area that is often found as being licensable by LMS. However, we have often found that it can be negotiated out with usage data.

    • Oracle Software Review vs Oracle Software Audit

Oracle has Oracle License reviews and Oracle License audits. These are the exact same thing – “review” just sounds friendlier. Both should be treated with the same level of severity.

    • Understand Your Contract

According to Scott & Scott, LLP’s article, Seven Lessons I Learned Representing Clients in Oracle Audits, take extra care to understand Oracle’s policies around usage. Since many of Oracle’s policies will not be included in the license documents, there tends to be a lot of confusion generated around this topic. Some areas that produce the largest findings in an Oracle Audit are VMware and Oracle’s policy stating that all Processors in a cluster must be licensed. This policy has caught many organizations off guard and is the crux of the major lawsuit between Oracle and Mars Corporation.

    • More Gaps Cost More Money

As with Microsoft, if you are found out of compliance in an Oracle Audit, you will have to cover the expense of the audit.

    • Use Your Own Tools

Our Oracle Audit Experts state that you are not required to use Oracle’s scripts to collect your data, especially if you have your own methods in place for gathering your data. LMS will try very hard to get you to use their scripts. We recommend, however, that you use your own processes first, if possible.

    • Tools Are Only As Good As The People Using Them

ITAM Review’s article Oracle Audit: Top 20 Frequently Asked Questions states that Oracle has several approved SAM tools like Lime Software, Easyteam, BDNA, Hewlett-Packard, Flexera Software, Nova Ratio, and iQuate. However, these tools only collect raw data and won’t provide you with the interpretation of that data which will tell you what you need to license. Therefore, just because you have Oracle-approved tools, it doesn’t mean you’re completely safe in an Oracle audit.

    • Get A Paper Trail

In all audits, but especially ones with Oracle, it is highly recommended that you get a closing statement to close out the audit (indemnification is the most ideal). This is especially important with Oracle, as they are a very litigious vendor. You will be happy that you have a closing statement in case the audit ever goes to court and your company’s reputation is suddenly on the line.

Adobe Audit

Compared to the other heavy hitters, Adobe’s software audits can seem like little more than a friendly reminder. However, Adobe’s products can be quite expensive, so it’s important not to let this vendor slip from your mind. Here are some tips about Adobe licensing:

    • Friendlier, But Not Friendly

According to a study released by Gartner in 2016 and presented in their article What Does an End to Adobe Auditing and License Compliance Activity Really Mean?, Adobe has steadily moved away from auditing their customers, focusing instead on their Software as a Service platform and subscription-based licensing. That does not mean your company no longer has to deal with compliancy risks from Adobe, as Adobe still maintains the right to verify compliancy, giving their customers 30 days to provide data to ensure proper usage.

    • Buy What You Need, Not What You Want

The Gartner article also states that with a focus on SaaS and the subscription-based nature of Adobe, along with the lack of an “off-switch” for Adobe products, the main focus of Software Asset Management when it comes to Adobe should be proper sizing and monitoring usage.

    • For Adobe, It’s The Little Things That Count

According to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe monitors their customers differently from other vendors. Where Microsoft, Oracle, and IBM are interested in unlicensed software, Adobe is more interested in the protection of their intellectual property and making sure their product is used correctly. Are you correctly licensing any fonts with Adobe? These small questions can accumulate if they are not properly answered.

    • Adobe Does It Themselves

TechRepublic’s article also states that Adobe performs their own compliance verification review as opposed to hiring a third-party auditor, which can either be good or bad depending on how far out of compliance you are.

    • Watch For Creative Suite License Changes

One best practice we advise our clients to adhere to when dealing with Adobe is to pay particular attention to Creative Suite, as it is prone to change almost every year and these constant updates make it difficult to keep track of products. The changes will often leave programs obsolete, and the licensing makes it difficult to understand what is truly needed.

    • Upgrade Licenses Can Downgrade Your Compliance

Finally, according to TechRepublic’s article How to Prevent or Navigate an Audit by Adobe, Adobe also has no program in place to account for upgrades. Upgrade licenses, therefore, can sometimes stretch back several years – so, keep track of how far back these licenses go and be sure not to leave yourself over-confident (don’t forget that sometimes you can only go back three versions – so tracking that can also be very difficult).

How MetrixData360 Can Help

Software audits have been known to put a strain on any company’s software budget, so knowing about the software vendors that tend to resort to such methods will leave you with a better knowledge of what to expect. At MetrixData360, we believe that you should not have to pay the software vendors more than what you owe them, so it’s important to invest in software asset management long before you’re confronted with a software audit. By clicking the button below, you will be taken to our audit services page, where you can learn more about how we can help you survive a software audit.

IBM ILMT: Everything You Need to Know

It can be a struggle to manage your licenses when your software estate reaches a global scale and has hundreds, if not thousands, of users. When dealing with IBM licensing there are a number of license metrics that you need to manage including both Processor Value Units (PVU) and Resource Value Units (RVU).  In highly virtualized environments, IBM will license PVU and RVU based on Sub-Capacity, something that most other software tools do not measure.

IBM’s ILMT is an excellent way to monitor Sub-Capacity environments but, while ILMT is an added feature to many IBM purchases, what is it good for? And should you be concerned now that IBM has sold the product to HCL? At MetrixData 360, we have spent many years helping our clients manage their IBM software licensing environments, including their ILMT, so in this blog, we’ll go into what ILMT is and its advantages and disadvantages to you as an IBM customer.

What is PVU Licensing?

Processor Value Units (PVU) were first brought out as a new licensing metric in 2006 and can be described as a license metric that uses the type of processor and number of cores that are available to the product as the key factors to determine the number of licenses that you need to purchase. IBM defines processors by the number of cores that are on the chip itself.

This definition is distinctly different from the definition given by middleware vendors and a few hardware vendors, who define the processor as simply the chip. A specific number of PVUs depends purely on the processing type. There are two PVU licensing types: Full and Sub-Capacity. ITAM’s Using Pizza to explain IBM’s Sub-Capacity describes Sub-Capacity like ordering a full pizza and only eating two slices. You paid for the full pie; the full pie is there should you want to eat it later, but you don’t need it now since you’re no longer hungry. When configuring your processors, some technologies allow you to limit the number of cores that are available to be used by the software. The actual cores may be there, but the software prevents them from being used.

According to IBM, Full Capacity licensing simply means you license all the processor cores that are available to or managed by the program, even if the program doesn’t end up using all of them. Sub-Capacity licensing is based on the highest number of cores assigned to the application within the virtual machine (VM), not the total number of cores that the physical server has.

Due to this difference, licensing Sub-Capacity usually requires fewer licenses and is, therefore, cheaper than licensing Full Capacity. Most inventory or SAM tools do not keep track of the metrics required to measure and record Sub-Capacity use. ILMT allows you to effectively capture your usage and gives you the ability to calculate your cost for either Full Capacity or Sub-Capacity, giving you the opportunity to pick the option that best suits your software budget.

The Advantages of IBM’s ILMT

Lowers Risk

The only way that IBM will allow you to license with Sub-Capacity is to have ILMT installed and to keep historic usage records. By doing this, they allow you to utilize Sub-Capacity licensing metrics, and the audit records from the ILMT tool give an accurate depiction of your license requirements for PVU products.

With IBM’s ILMT, you’ll always be ready for an audit since continual use of the product allows for an in-depth examination of your infrastructure. ILMT allows you to prove to IBM that you are organized and have the data to manage compliance with Sub-Capacity licensing.  Since audits are more likely to be sent to clients when the vendor has reason to believe that licensing and software compliance are not being effectively tracked, ILMT can be viewed as an audit insurance policy. By demonstrating to IBM that you have a system in place to account for your licensing position, it can decrease your chances of being audited in the first place.

 

Displays a Comprehensive Software and Hardware Inventory Management

The licensing metric tool also does an effective job of centralizing your software and hardware inventory. IBM Security explains that by having this data at your disposal, you can cut costs by using the licensing metric that is most cost-effective for you.

With your hardware inventory available to you, you can also have access to important details about your hardware infrastructure, including processor make, model and type, operating system, and the hostname. ILMT can also provide a list of all your virtual servers and VMs that are in public clouds, such as Amazon Web Services (AWS) or Microsoft Azure. This data is useful in the event of an audit but can also serve to help calculate the optimal software costs for your software environment.

Offers Other Features Beyond Inventory Management for Better Software Optimization

Although tracking your hardware and software is its primary usage, ILMT can also perform discovery tasks and report on the hardware in your environment.

ILMT can provide you with quality data on your deployed IBM software including the releases and the versions of various software installed within your IT environment. It also allows you to manage security (updates and patches) of the different IBM products and versions in your environment.

It’s a Free Addition to Your Purchase

There are few words that are sweeter than free. ILMT is free of charge, although it needs to be ordered and included via IBM’s Passport Advantage Site Agreement. Many organizations have come to view ILMT with suspicion, thinking that installing ILMT will mean that IBM will receive reports, but ILMT is not a ‘Big Brother’ tool, since any and all reports ILMT creates go only to the customer.

The Downside to ILMT

Complex Deployment and Maintenance

Installing ILMT for the first time is a quick way to learn how laborious and time-consuming it can be. It may be a free purchase, but your company will still have to spend working hours getting it up and running. It is critical to ensure that ILMT is properly deployed throughout your software environment: it needs to be monitoring either every piece of IBM software or your entire architecture, as it may be impossible to establish the difference. Making sure that ILMT has been properly deployed and making sure its reports (which will serve as ILMT’s most critical feature during an IBM audit) are accurate will be the most challenging part.

Even if the issue remains with ILMT as a product, it will be a very difficult case to defend during an audit, as you will have to prove a number of factors, including that you attempted to deploy ILMT and that you tried to contact IBM tech support concerning the issue.

ILMT is Mandatory for Sub-Capacity Eligibility

The main drawback of ILMT is that it is mandatory if you want to qualify for Sub-Capacity licensing. Sub-Capacity is not automatic after the installation of ILMT; in fact, it is tricky to qualify for Sub-Capacity licensing. Unless you qualify for a special exception, you’ll need ILMT installed or have everything licensed at Full-Capacity. If IBM finds that you have software that has been deployed for 90 days or longer and you have neither ILMT monitoring for Sub-Capacity nor the software licensed at Full-Capacity, then you’ll be facing massive fines from IBM. You could be at risk of losing your Sub-Capacity eligibility if you are confronted with any of the following problems:

  • Not generating and properly keeping quarterly reports from ILMT.
  • Having an outdated version of ILMT.
  • ILMT agents can fail when it comes to agent scans and capacity scans, because of either incompatibility, lack of disk space, or credential issues.
  • If you want to selectively deploy ILMT to only servers with IBM products on them, then ILMT might come across issues detecting and identifying which servers to monitor. Anything that is missed will lose its Sub-Capacity eligibility.
  • Having any IBM products deployed on Operating Systems that ILMT doesn’t support.
  • ILMT can easily struggle with accurately bundling unique software signatures for reporting. To do this successfully requires knowledge of your specific license restrictions and entitlements.

Technical issues with making sure that ILMT reaches everything that is licensed at Sub-Capacity and is reporting it properly are where we see a lot of our clients run into problems.

ILMT is also mandatory if you would like to avoid an audit, since if you do not have ILMT effectively installed, IBM takes that as an indicator that you are not properly monitoring your software environment, placing a huge auditing target on your back for later.

Under-Reporting and Over Reporting

Even after the hassle of properly installing ILMT throughout your software environment, your next hurdle is to make sure the data that it’s giving you is even accurate. ILMT can fail to give accurate reports due to network, firewall, or agent problems, which will directly affect your calculations.

On the flip side, with ILMT there is also the threat of over reporting, especially when it comes to bundling capabilities, which means you’ll have to manually correct specific scenarios to get an accurate reading.

HCL and What Does it Mean

Recently IBM sold ILMT along with their BigFix product to HCL. What this means is that HCL is taking over all support of both products (along with a handful of other products that they purchased from IBM). ILMT is being integrated into BigFix, which is mostly the same product, but it has different installation and management processes. Although IBM has not stated if ILMT will be the only SAM tool moving forward that allows you to manage Sub-Capacity licensing, we are speculating that IBM will have a certification process for other SAM tool vendors soon.

IBM’s ILMT can be an effective tool in ensuring your software compliance. IBM is considered one of the heavy hitters in the software industry, and their software audits can be quite challenging, especially if you are licensing Sub-Capacity and do not have a correctly configured ILMT installation. It is a recommended best practice that you take the steps necessary to be prepared and perform a self-assessment to confirm that your data is organized and that you have ILMT accurately configured. At MetrixData360, we’ve helped numerous organizations with ILMT and have defended organizations in IBM audits, so if you would like to learn if you are exposed to an audit, you can check out our Audit Risk Checklist.