HOW TO SURVIVE A SOFTWARE AUDIT AND DEAL WITH A REQUEST
David Chamberlain / General Manager SAM Services
19 July 2012
Agenda
License Dashboard - Who are we?
Why have I been targeted?
What information does the vendor want and what are the risks of giving it?
Due diligence on your estate
Due diligence on your entitlement
Mitigation
Resolution/Rectification
License Dashboard in 60 seconds
Technology used to successfully deliver 1,000 SAM projects globally
Designed, built & maintained by licensing experts
Used by SAM and licensing consultants in Europe, US, Canada & Australia
Recognized by leading vendors
Microsoft (SAM partner), Adobe, Symantec, VMware and more
Technology supported by licensing expertise
Full range of Professional Services, SAM Consultancy & Licensing Advice
Delivery options to meet your needs:
Perpetual and subscription on-premise or Managed Service
The vendor doesn’t understand your organization
Merger/Divestiture
Global Organization
Complex Organisation
Revisiting a previous review
Exiting EA
Perceived irregularities with Licenses
Odd purchasing patterns
Maintenance no base
Inconsistent quantities
WHY HAVE I BEEN TARGETED?
The Vendor believes your installs do not match your entitlement
They will be asking you to declare your usage
They may challenge, test or sample that data
It is unlikely you will avoid, or even postpone for long, this request
You need to be confident the information you eventually provide is accurate and not overstated
Primarily you want to be assured the data you submit is not for more usage than you actually have
You will want to be confident that any minimizing of liability will stand up to scrutiny
You will want to retain in place some of the steps taken to respond to this request so that in future you can have confidence should you be contacted again by this or any other vendor
BOTTOM LINE
Must understand your estate
Must understand your software users
Understand what discovery capability you currently have
For areas of the estate with no coverage look at free tools or manual discovery
Understand what you actually need to measure
Obtain help or advice in areas of major risk ($)
TAKE CONTROL
Do you have any geographical challenges?
Will you need to report or exclude by Country of Use, Language, Trading Name or Business Unit?
Which areas are in/out of scope?
How many devices do you have?
Have disposals been appropriately managed?
Consider Active Directory to compare against discovery
Where AD is not up to date ensure it is cleaned!!
AD Tidy http://www.cjwdev.co.uk/Software/ADTidy/Info.html
Consider AV tool output to compare against discovery
UNDERSTAND YOUR ESTATE
Do you have any undiscoverable software usage?
Additional liability beyond an install: Citrix/thin client, Server Virtualization
Do you have any other device types that may require licenses?
PDA, iPad, Tablets, Toughbooks, EPOS
Are any devices test, staging, MSDN, DR, Training, WAH, strictly LOB only?
Identify and exclude from calculations devices that may not necessarily consume regular licenses
UNDERSTAND YOUR ESTATE
User CALs
CALs obtained for users with multiple devices
For mixed CAL environments can you demonstrate your counts?
Eligible Users
Often you are able to exclude ancillary or non computer users from this count
UNDERSTAND YOUR SOFTWARE USERS
Eligible Devices
For reference purposes, ““Qualified Device” means any personal desktop computer, portable computer, workstation or similar device that is used by or for the benefit of the Enrolled Affiliate’s Enterprise. It does not include (1) any computer that is designated as a server and not used as a personal computer, (2) any Industry Device, (3) any device running an embedded operating system (e.g. Windows Phone 7) that does not access a virtual desktop infrastructure, or (4) any device that is not managed and/or controlled either directly or indirectly by Enrolled Affiliate’s Enterprise. Enrolled Affiliate may include as a Qualified Device any device which would be excluded above (e.g. Industry Device)”
Eligible Users
For reference purposes, ““Qualified User” means a person (e.g. employee, consultant, contingent staff) who: (1) is a user of Qualified Device, or (2) accesses any server software requiring an Enterprise Product Client Access License or any Enterprise Online Service.”
Processors/Logical Processors/Virtual Processors/Cores
Farms
WHAT DO I NEED TO MEASURE?
Many organizations already have some form of Discovery capability
Help desk systems, ITAM Solutions
Check its coverage across your estate
Compare with tidied AD data/AV Data
Disposed/retired/duplicate
Challenge its output
Sample devices
MSI vs .EXE
Which devices do not run COE and why?
Were the results as anticipated?
Look for areas of undiscoverable usage
ISA/SharePoint Servers outside of DMZ
Remote workers
Citrix/Thin Client
Mission Critical servers with no discovery client
CALs
UNDERSTAND WHAT DISCOVERY CAPABILITY YOU CURRENTLY HAVE
Consider FOC Agentless discovery
MAP Toolkit http://www.microsoft.com/en-us/download/details.aspx?id=7826
Spiceworks http://www.spiceworks.com
Check & sample the output!!
Cleansing of Discovery
Is licensable/freeware, Editions/Versions/Metric
Multiple versions
Suites
Virtualization
DRS, Affinity Rules, V-motion, license mobility
GET HELP OR ADVICE NOW!!
UNDERSTAND WHAT DISCOVERY CAPABILITY YOU CURRENTLY HAVE
Operating System Coverage
1. Optimum Scenario best value new purchase
Calculators available
2. Optimum Scenario utilizing existing licenses
Virtualization of Applications
GET HELP OR ADVICE NOW!
VIRTUALIZATION
Virtualization
V-motion - is it switched on?
Allows v servers to move between Hosts and increases the liability of every Host
DRS
vSphere Distributed Resource Scheduler continuously monitors utilization across a resource pool and intelligently allocates available resources among virtual machines according to business needs.
Affinity Rules
Can restrict the movement of V servers across Hosts reducing liability
Logs and reports available
Many Licensing Options
Can License the Farm, Physical Host or V Server
License mobility
Multiple instances per license
License Rules differ greatly by version release
VIRTUALIZATION
The Vendor will have records of your purchases through VLA
Retail/shrinkwrap/off the shelf are never recorded
The Vendor will have searched only on the names it knows
Mergers
Transfers
Spelling errors from the reseller
WHERE ARE MY LICENSES?
Find out who has historically supplied you your software
Obtain purchase reports from these resellers
Compare with Vendor data
Look for chronological gaps in the data
Test and challenge aggregate calculation figures
Licenses with no base
Technology guarantees
Grandfathering rights
Side agreements to EAs
WHERE ARE MY LICENSES?
From where do you purchase your hardware?
Counterfeiting
Base licenses
Can you obtain records
OEM licensing
Base license eligibility for SELECT/EA upgrade license
Server & CAL OEM
WHERE ARE MY LICENSES?
Co-operate - most reviews are unavoidable
Qualify your active actual estate - do not pay for retired or disposed of machines!!
Determine the parts of your estate that do not consume licenses - DR, Dev, Training
Test your Discovery output - Look for multiple versions per device
Understand your potential liability for virtual estate
Understand what your current licenses will enable you to do on that estate
Mitigation - If you have made errors understand the reasons why/how
Incorrect media
Affinity rules not set
Actual usage
SUMMARY
All vendors will seek to have shortfalls rectified in accordance with their EULA
They are duty bound to protect their IP
They will be reluctant to set precedent
Consider who from within the vendor is conducting the review
Compliance team
Tele sales type compliance
Audit Partner
Consider your anticipated future requirements
Do you have plans to upgrade or roll out to newer technologies?
Will this rectification achieve this?
Are you planning significant spend on other technologies with this vendor?
Many will seek a speedy settlement
RESOLUTION/RECTIFICATION
Coming next…
Life after an audit request
Making sure the pain does not continue
July 26th 2012 – 15:00 UK, 16:00 CET, 10:00 EST