Blog

Miro Consulting specializes in software license audit defense, license management, subscription management, and cloud services, for Oracle, Microsoft & IBM.

Oracle Virtualization Compliance

Oracle Virtualization Compliance & VMware

Any mention of virtualization causes many people to immediately think of VMware, as it remains a main player among virtualization technologies. Keeping up with Oracle’s evolving licensing requirements for virtualization platforms can be a daunting endeavor for many IT departments and Oracle database administrators.

Any technological advancement made by VMware, specifically relating to any abilities to easily move server sessions around the virtualized environment, prompts a new possible interpretation of licensing requirements by Oracle on the popular platform.

We refer to the requirement updates as “changes of interpretation” since Oracle’s documented policy guidelines have never actually changed. Oracle’s “Hard Partitioning Policy” simply states that Oracle considers VMware to be soft partitioning and does not regard any of its features as capable of satisfactorily limiting software licensing through resource partitioning. Oracle’s concern stems from the possibility that a client could inadvertently and rapidly expand its use of Oracle software without proper licensing.

As VMware’s features have developed into enabling greater flexibility in redistributing computing resources, Oracle’s continually evolving licensing requirements have adapted. IT departments should carefully plan the use of Oracle software within their VMware environments. Oracle can be just as harsh in licensing their software within other virtualized environments, including their own virtualization products.

Oracle VM Server for x86 is based on and incorporates the open-source Xen hypervisor technology. Oracle recognizes the feature of the virtualization platform which enables the pinning of CPUs to virtual machines. This enables OVM to be used to partition the processing resources of a server, which Oracle considers to be hard partitioning. However, should you activate live migration capabilities within a pool of these servers, then the accepted hard-partitioning scenario described above is invalidated, and all physical processors are required to be licensed. This presents the same challenge as experienced with VMware.

IBM Power servers that have LPAR technology, which is recognized by Oracle for the hard-partitioning of server resources, will face the same dilemma. Once those servers are tied together through the use of IBM Live Partition Mobility features, the use of LPAR technology for hard-partitioning is invalidated.

Even if you use virtualization technology that Oracle does recognize as having hard-partitioning capabilities, you may be invalidating those features through the way you implement the technology.

Please contact Miro Consulting should you have any license compliance concerns regarding the way you are implementing your virtualization technology.


Oracle Software Licensing and EU General Data Protection Regulation (GDPR) Compliance

The European Union (EU) General Data Protection Regulation (GDPR) is a new regulation that will go into effect on May 25, 2018. The GDPR introduces a legal accountability obligation for organizations and will require organizations to reassess current policies, procedures, and systems and increase the level of controls, processes, and protection around the personal data of EU individuals. Organizations must have a complete understanding of their data and have the ability to implement appropriate technical and organizational measures that ensure and demonstrate that data processing activities are in compliance with the requirements of the GDPR.

As a result, organizations may be required to license additional software to comply with the data protection requirements of the GDPR. Under the GDPR, data protection requirements can be broken down into three main categories: assessment, preventive, and detective controls. Many software vendors such as Oracle offer security products to help address the GDPR’s assessment, preventive, and detective compliance requirements.

Assessment Controls – Article 35 of the GDPR mandates that organizations are to perform risk assessments to help identify vulnerabilities and lessen the possibility of security breaches. Organizations are also required to indicate how data privacy will be addressed. Organizations need to know where the personal data exists, who has access and what privileges, identify possible vulnerabilities, and determine the likelihood of potential threats and the impact to the organization.

Software vendors such as Oracle offer tools to assess the current state of data security. For example, Oracle Application Data Modeling can be used to discover personal data, Oracle Enterprise Manager’s Database Lifecycle Management Pack can be used to scan database configurations, and Oracle Database Vault Privilege Analysis can be used to analyze roles and privileges.

Preventive Controls – Article 32 of the GDPR mandates that organizations implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Therefore, once the risks are identified, policies, procedures, and controls must be put into place to prevent and deter unauthorized access to and misuse of personal data. Unauthorized access can occur internally and externally; therefore, appropriate controls such as encryption, pseudonymization, and anonymization should be put in place.

Software vendors such as Oracle offer tools to protect sensitive data at the source. For example, Transparent Data Encryption can be used to encrypt data in production applications, Data Redaction can be used to pseudonymize data in production applications, and Oracle Data Masking and Subsetting can be used to mask or anonymize the data in non-production applications and be used to subset the data either by deleting or extracting the data to a different location.

Detective Controls – Article 30 of the GDPR mandates that organizations maintain an audit record of processing activities on personal data. The audit data can then be used to help detect potential security breaches, unauthorized activity, and misuse of personal data, and to notify authorities in a timely manner in case of a breach. Article 33 of the GDPR mandates that organizations report personal data security breaches to the designated GDPR supervisory authority within 72 hours of becoming aware of a breach. If the security breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals, organizations must also inform those individuals affected by the breach.

Software vendors such as Oracle offer tools to monitor suspicious activity. For example, Oracle Database Auditing can be used to enable and maintain audit records of processing and Oracle Fine-Grained Auditing can be used to record and audit specific activities of users.

About the GDPR

The GDPR was approved by the European Parliament on April 14, 2016 and replaces the 1995 Data Protection Directive (95/46/EC). The aim of the GDPR is to give EU individuals more control over their personal data and to simplify the regulatory environment for organizations by unifying the data protection law across all 28 European Union (EU) member states. The GDPR defines personal data as any information, either directly or indirectly, that can be used to identify an individual. An identifier can be name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Extended Jurisdiction

The GDPR will apply to any organization that creates, stores, or processes personal data of EU individuals, regardless of whether the organization is located in the EU and regardless of where the data is created, stored, or processed. The GDPR will apply to data controllers and data processors and holds both liable for breaches or non-compliance; therefore, if personal data is hosted in the cloud or shared with vendors or contractors, the organization (data controller) and the third-party (data processor) are liable for penalties.

Penalties

Organizations in breach of the GDPR may be liable for penalties. The GDPR has a tiered approach to penalties depending on the nature of the violation. For example, organizations may be fined up to 2% of total global annual turnover or €10 million (whichever is greater) for not having their records in order, not conducting a risk assessment, not notifying supervisory authorities when a security breach occurs, or not notifying individuals affected by the breach. More serious violations may be fined up to 4% of total global annual turnover or €20 million (whichever is greater).

Individual Rights and Control

The GDPR will give back control to EU individuals over their personal data, which includes the right to access, right to be forgotten, and right to portability.

Right to Access – Organizations will be required to request consent from individuals and consent must be provided in an intelligible and easily accessible form. The GDPR will give individuals the right to obtain confirmation from the data controller as to whether or not their personal data is being processed, where the data is being processed, and for what purpose. Individuals will be entitled to a copy of their personal data, free of charge, in an electronic format.

Right to be Forgotten – The GDPR will give individuals the right to withdraw consent. Once consent is withdrawn, individuals also have the right to direct the data controller to erase their personal data and not use it for data processing.

Right to Portability – The GDPR will give individuals the right to portability, which means that individuals may transfer their personal data between organizations more easily.

Data Protection Officer

Organizations that process large amounts of personal data will be required to designate a data protection officer. This position may be performed by either an employee of the data controller or processor or can be outsourced to a third party. Data protection officers will be required to have knowledge and expertise in data protection law and practices. Data protection officers will be responsible for overseeing the GDPR data protection strategy, implementation, and compliance. Responsibilities also include training, conducting internal audits, and addressing potential vulnerabilities. The data protection officer also serves as the point of contact between the organization and the designated GDPR supervisory authority. The data protection officer is also available for inquiries and requests by individuals pertaining to their data privacy.

Conclusion

The GDPR introduces a legal obligation for organizations that promotes accountability, transparency, and trust. The GDPR will require organizations to increase the level of controls, processes, and protection around the personal data of EU individuals. As a result, organizations may be required to license additional software to address the assessment, preventive, and detective compliance requirements of the GDPR. Organizations face strict penalties for not complying with the new standards set by the GDPR once the regulation goes into effect on May 25, 2018. For questions and further assistance, please contact your trusted Miro Analyst or Miro Account Manager to provide guidance on GDPR governance, risk, and compliance.


10 Signs of a Fake Microsoft Audit

Do you know how to spot a fake Microsoft audit? Learn the 10 signs of a fake Microsoft audit, and avoid a trap that could cost your organization hundreds of thousands of dollars.

  1. You are contacted by a person using a “V-” Microsoft address, formatted like
    “v-john.doe@microsoft.com”. These are not real Microsoft employees, but temporary employees or partners. They do not have the authority of Microsoft to initiate a mandatory Microsoft audit.
  2. It’s not your Microsoft licensed partner. You don’t know the company or the person sending the email, and have not done business with them in the past.
  3. They ask for an email address where they can send some forms to be filled out.
  4. The person’s LinkedIn profile says they work at Microsoft, but also says they work for another company (their real employer, the Microsoft partner).
  5. The email address the person uses may not match their name because multiple people use it to spam these requests. In fact, the person may not even exist, and the senders use a continually changing fake name, in order to stymie internet searches for the person.
  6. Possible File Names:
    1. Updated Copy of Deployment Summary SAMC.XLSX
    2. SAM+C Engagement.pdf
  7. The company is located in Atlanta GA, Fargo ND, Australia, or New Zealand.
  8. The audit letter is only delivered by email, not by paper mail.
  9. The audit email talks about penalties for refusing a Microsoft audit, not the voluntary partner audit, which is what the sender is proposing.
  10. Possible audit letter appearance: [image of a sample fake audit letter, not reproduced here]

You can research the issue to verify its veracity, but will likely find misleading results as such rogue partners will evolve their approach.  The truth is that they function as revenue generators and that those partners neither have the authority nor intention of actually conducting an audit.  Their goal is to get the organization to incriminate itself by sending the information.

These partners engage in a fishing expedition – or a phishing expedition –  looking for organizations and IT workers who are unaware of this practice and want to stay in compliance with their vendors. They will attempt to contact multiple people at the organization to solicit information.  If the organization ignores or refuses the information request, they will threaten to subject the organization to a full audit, and to disable any active Microsoft software.

But by completing and submitting these requests for information, the organization can give the partner the information it needs to share with the vendor who will then declare the organization out-of-compliance. In every scenario, the partner will strongly push the organization to purchase the additionally needed licenses from the partner themselves.

Audits initiated by Microsoft SAM partners are ALWAYS voluntary, and declining the offer will not always, or even often, lead to a formal audit by Microsoft, known as a Microsoft LLC audit.  An official Microsoft LLC audit will be initiated by a major accounting firm.  You will get an audit letter via snail mail from KPMG, Deloitte, or similar.
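The following triage script is an added example, not Miro Consulting’s code: it scores an incoming message against the signs listed above (a “v-” microsoft.com sender, a display name that does not match the mailbox, the SAM form attachment names from the post, a request for an address to send forms to, and threats of penalties for refusing). The sample message, the `example.com` recipient and the sender name are constructed for the demonstration.

```python
"""Triage helper for a suspected fake "Microsoft audit" email.

Added example, not Miro Consulting's code. Scores one raw RFC 822 message
against the warning signs described in the post. The sample message built by
build_sample() is constructed for this demonstration, not a real campaign email.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Attachment names the post reports seeing in these campaigns (sign 6).
KNOWN_FORM_NAMES = {
    "updated copy of deployment summary samc.xlsx",
    "sam+c engagement.pdf",
}
# Wording that threatens consequences for declining (sign 9).
PENALTY_WORDS = re.compile(r"\b(penalt(y|ies)|disable|mandatory|refus(e|al))\b", re.I)
# "reply with an email address where we can send ..." (sign 3).
ASKS_FOR_ADDRESS = re.compile(
    r"\b(reply|send|provide)\b.{0,40}\b(email|e-mail) address\b", re.I)


def attachment_names(msg: Message) -> list:
    """File names of every attachment part in a (possibly multipart) message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_audit_email(raw_message: str) -> dict:
    """Return the matched warning signs and a verdict for one raw message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    mailbox, _, domain = addr.partition("@")
    signs = []
    if domain == "microsoft.com" and mailbox.startswith("v-"):
        signs.append("sign 1: v- (vendor/temporary) microsoft.com sender")
    # Sign 5: some part of the display name should appear in the mailbox name.
    name_parts = [t for t in re.split(r"[^a-z]+", display.lower()) if len(t) > 2]
    if name_parts and not any(t in mailbox for t in name_parts):
        signs.append("sign 5: display name does not match the sender mailbox")
    text = body_text(msg)
    if ASKS_FOR_ADDRESS.search(text):
        signs.append("sign 3: asks for an address to send forms to")
    for fname in attachment_names(msg):
        if fname.lower() in KNOWN_FORM_NAMES:
            signs.append(f"sign 6: known SAM form attached ({fname})")
    if PENALTY_WORDS.search(text):
        signs.append("sign 9: threatens penalties for refusing an audit")
    verdict = "likely fake partner 'audit'" if len(signs) >= 2 else "inconclusive"
    return {"sender": addr, "signs": signs, "verdict": verdict}


def build_sample() -> str:
    """Constructed message following the pattern in the post (names are made up)."""
    m = EmailMessage()
    m["From"] = "Jane Smith <v-rk.patel@microsoft.com>"
    m["To"] = "it-manager@example.com"
    m["Subject"] = "Microsoft SAM engagement - response required"
    m.set_content(
        "Please reply with an email address where we can send the deployment forms.\n"
        "Failure to respond may result in penalties under a mandatory Microsoft audit\n"
        "and we may disable your active Microsoft software.\n")
    m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                     subtype="pdf", filename="SAM+C Engagement.pdf")
    return m.as_string()


if __name__ == "__main__":
    result = score_audit_email(build_sample())
    print(result["verdict"])
    for sign in result["signs"]:
        print(" -", sign)
```

Two or more matched signs is only a triage threshold; a genuine Microsoft LLC audit notice, as the post notes, arrives by paper mail from an accounting firm, so the decisive check remains the delivery channel rather than the email text.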


While this particular type of audit notice isn’t a real Microsoft audit, your organization may receive a real Microsoft LLC audit request that it cannot legally ignore. To learn more about Microsoft licensing, download The Definitive Guide to Microsoft Audits, or contact us at info@miroconsulting.com. Miro is NOT a Microsoft Partner, and shares no information with Microsoft or its partners.

 


Oracle License Compliance Issues Related to API Usage

Users who have no direct access may still need licenses, if they use a system that connects via an API

APIs (Application Programming Interfaces) are utilized in all applications to allow programmers to interface with other applications or devices. It is common for us to find organizations that have underestimated the software licensing impact of leveraging the APIs of their Oracle applications and products. Oracle applications typically utilize an “application user” metric. It is logical for organizations to only consider the user IDs in their system for calculating software licensing requirements. Unfortunately, they may overlook the fact that an API utilizes a user ID itself.

It is also sometimes assumed that licensing that single API user ID is sufficient. However, that is not the case. Oracle considers such use a form of multiplexing, which obscures the true count of users accessing the application. This also has the potential of falling under Oracle’s concept of batching if an external home-built application compiles all incoming data from users and delivers it at once through an API. This is why Oracle counts users at the front end of usage.

All users that are utilizing the external application or interface that feed data into the Oracle application through the API must be licensed for the Oracle application. It is common for users of Oracle E-Business to incorporate the use of APIs to pull data from external sources, and this is a typical source of software compliance issues. However, this situation can impact any Oracle program that utilizes a user licensing metric and receives data from external sources into an API, which includes Oracle Database.

Examples of API Connected Systems:

  • CRMs
  • ERPs
  • Mobile Apps
  • Point-of-Sale
  • Scanners
  • Business Analytics

Identifying software compliance issues in these situations can be very confusing as there are many different usage scenarios, licensing metrics, and differing license rules across all Oracle products. If you have any usage situation that you feel could fall into the situation described above please contact Miro Consulting.


Is Cognos Putting You Out of Compliance with IBM?

In the past couple of years, Miro has seen clients with IBM Cognos that all seem to have an issue.

Cloud

The first one is the easiest to explain – Cloud.  IBM offers SaaS IBM Analytics.  It includes both Cognos Analytics and Planning Analytics (TM1), along with dashDB and Bluemix too.  IBM does a good job getting around to their Cognos and Planning clients to discuss the possibility of them moving to IBM Analytics, which results in questions to Miro.

Like everything else, the answer starts with ‘it depends’.  We’ve seen multiple ‘Bridge to Cloud’ presentations from IBM.  The common feature is that IBM suggests clients explore IBM Analytics before making a decision.  They can run both on-site and cloud side-by-side, and then after a period of time decide whether they want to remain on-premise or finish migrating to IBM Analytics in the cloud.  This seems similar to the dual entitlements that IBM offered to their Lotus Domino clients.

We believe the main point that would create an obstacle is the version of Cognos deployed in your environment.  If it’s not the same version as the cloud version, do you want to upgrade?   The on-site Cognos Analytics and Cognos Planning Analytics (TM1) would need to be on version 11 (at the time I wrote this blog).

IBM’s offers have been customized to meet each customer’s needs. If you’d like to know more about IBM Analytics before contacting IBM directly, IBM has a presentation online at

https://www-01.ibm.com/events/wwe/grp/grp304.nsf/vLookupPDFs/Cognos%20Analytics%20on%20Cloud%20Presentation/$file/Cognos%20Analytics%20on%20Cloud%20Presentation.pdf

and the service description that you can read through

https://www-03.ibm.com/software/sla/sladb.nsf/pdf/6858-03/$file/i126-6858-03_12-2015_en_US.pdf

 

Legacy

The second issue is the opposite of the Cloud issue.  What if you still have a legacy support agreement that includes Cognos?  What should you do?

Again, ‘it depends’.

  • We’ve seen the old Cognos support priced high for the ability to migrate to later versions of Cognos. The client wanted to remain on that agreement for the terms.
    • Are they good terms?
    • Are they not comfortable with the current way Cognos is licensed or is there a lack of awareness?
  • Licenses may not be listed, or if listed not detailed, in Passport Advantage
    • We’ve seen the legacy Cognos agreement not treated with the same weight as current Cognos licenses in Passport Advantage during a software audit. It created an unnecessary burden for compliance.  In one case, the auditor would not even annotate the exception language in the document to their Effective License Position (ELP).  It was left as a license shortfall, as if there were no license entitlements, when the ELP was handed off to IBM to begin the settlement phase.
    • I’ve also seen the legacy agreement be a perfect fit for a client’s usage of the product both currently and when they signed the agreement. This led to a productive discussion during their IBM Software License Review with both the auditor and IBM.

Current Licensing

IBM acquired Cognos in 2007 but did not immediately blue-wash the license metrics or bundle them differently.  Licensing Cognos seemed complex to the IBM software licensing mindset with about a dozen different user licenses to match the types of user roles assigned within the product.

In 2014, IBM simplified Cognos licensing to narrow the users into fewer licensable categories. The licenses required are still based on the roles assigned within Cognos. This may be an issue if the Cognos administrator is unaware of licensing, but ignorance of the quantity and type of user licenses is a more universal Software Asset Management (SAM) problem rather than specific to Cognos.

The bigger issue is any migration to PVU metric licenses.   Commonly the Information Distribution users (receive reports) are licensed by PVU because they should be the largest class of user.  The license change intention was to make it more cost effective to distribute reports directly to many users because only the server requires licensing.

If this was not communicated well within an organization, there could be a blind spot as other Cognos servers are set up without procuring additional PVU licenses.  Contact Miro to discuss your Cognos and IBM compliance concerns.


Is Your Organization Out of Software Compliance following a Merger, Acquisition, or Divestiture?

Executive Summary
A merger, acquisition or divestiture initiative can pose a serious software license management risk. When considering such initiatives, organizations should review all licensing agreements to ascertain if they are freely transferable between organizations. Non-compliance can lead to an audit failure, significant penalties, and expensive software purchasing fees that can be completely unexpected and at times unnecessary.

Risks/Considerations
Software licensing agreements typically include language that states licenses are non-transferable and may be unusable until the organization obtains the software vendor’s consent. Therefore, organizations should include clauses relating to acquisitions and subsidiaries before entering into a service agreement. These are necessary both to protect the organization and to provide the flexibility to expand and contract depending on organizational needs and changing market conditions.

Merger, acquisition, or divestiture activity is a key trigger for software audits. Software vendors know that many organizations considering a merger, acquisition or divestiture initiative go through a period of integration, migration, and decommissioning to eliminate redundancies, reduce costs, and increase operational efficiency and quality. However, service agreements may include license metrics that would automatically put the organization out of compliance at the time of a merger or acquisition should such metrics exceed the license base thresholds. As a result, the software vendor may demand a license review or full license audit to determine if the newly formed organizational structure is in compliance. Non-compliance may result in the organization paying significant penalties and purchasing additional software licenses that may be unnecessary considering consolidation plans in the near future.

Many organizations do not consistently maintain software license inventories, and a lack of management may result in non-compliance and significant penalties. Organizations should also review all licensing agreements to identify any gaps in regards to software installations, licensing, and usage. This may be challenging if software inventories were not maintained and multiple licensing agreements and different licensing types were purchased over time and spread across different divisions and geographic locations. Maintaining software inventories saves time in the event of an organizational change or if the software vendor demands a license review or full license audit. In the case of an acquisition, the acquiring organization has an opportunity to negotiate terms if there are any gaps in compliance before the transaction takes place; otherwise, it is the new owner’s responsibility to assume all costs relating to non-compliance.

Conclusion
Software vendors often demand a license review or full software audit following a merger, acquisition or divestiture to determine if the newly formed organizational structure is in compliance. Non-compliance may result in the organization paying significant penalties and repurchasing software licenses and applicable support at a higher cost. Please contact your trusted Miro Analyst or Miro Account Manager if you are considering or have recently gone through a merger, acquisition, or divestiture initiative. Miro can assist your organization with assessing all of the risks and opportunities to maximize your software investment while ensuring a fully compliant environment.


Will You be Forced to Use a Microsoft CSP?

Discontinuing Microsoft Software Assurance is no longer an option

Microsoft is significantly advancing its cloud services by transitioning their existing customer base to Office 365, Exchange Online, and the various Azure offerings. It also involves upselling existing cloud customers on a broader range of services. The most notable of these is Microsoft 365, a suite of Office 365, Windows (client), and Enterprise Mobility + Security (“EMS”).

Yet another strategy has emerged as Microsoft seeks to ramp up its smaller customers. Small businesses needed the computing power and the applications Microsoft offered, but lacked the technical resources to manage the installations on their own. These organizations have now opted for Office 365 and other cloud services as a worry-free alternative.

This new strategy is the Cloud Solution Provider or “CSP” program. Microsoft has extended the CSP program to its existing partners as a way to grow, citing the partner’s relationship with the customer, longer-term agreements, predictable costs, and increased revenue. Essentially, these partners become indirect resellers of Microsoft’s cloud services. Initially, at least, the terms of the CSP program are very favorable to the partner, with terms like a single seat to start, the ability to add or subtract seats on a monthly basis, and incentives in addition to the partner’s margin.

So what is Microsoft’s motive? Beyond wanting a bigger piece of the overall cloud market, there are other factors at play. The first is to drive continual revenue through subscriptions. The ability for a customer to reduce its spend on Microsoft by discontinuing Software Assurance is no longer an option. Second, the maintenance of Microsoft-hosted solutions is controlled by Microsoft. This can help reduce the costs associated with technical support by limiting the number of supported product versions in the field.

Is the cloud right for your organization? There’s more to it than we’ve covered here. Contact Miro Consulting to discuss your current state as well as your future plans and objectives.


8 Signs You’re About To Be Audited For Non-Compliance

Oracle Software Audits, Microsoft Software Audits and IBM Software Audits can be challenging, time consuming and expensive.  Preparation is the key factor.  If these items apply to your organization, it’s likely you could soon be audited for non-compliance.

1. Merger, Acquisition or Divestment

Software companies like Oracle, Microsoft and IBM know that tracking software assets can be difficult during a merger, acquisition or divestment. When databases get merged and assets combined, licenses are often the last thing on IT staff’s list of tasks. While everyone is focused on getting critical business systems online, software companies take the moment of weakness as an opportunity to audit their clients.

2. Backed out of a purchase

If you recently negotiated a purchase with a software vendor, but then declined to finalize the deal, you are very likely about to be audited. Vendors may assume that you still need those licenses and subscriptions, and that you are trying to avoid paying for them. Unless you are working with a licensing specialist and have complete documentation for your entire environment, an audit is very likely in your near future.

3. Past Noncompliance

If you’ve been audited in the past, you are a prime target for future audits. Some software vendors like Oracle, IBM and Microsoft may audit companies in as little as 18 months from their last audit. During a software audit, compliance teams may look to see if your organization is setting up a system or process for license management.

4. No License Management

If a software vendor is conducting an audit, and they see that the target company is not planning for the future by setting up a process, team or outside consultant to oversee the licenses and subscription management of an organization, they may mark that client for future audits. Not having a license management specialist in place is a sign of vulnerability which vendors may exploit.

5. Reports of Organization Instability

Are there press reports or industry journalists reporting a rising level of instability within your organization? Software vendors have learned that executive departures, office relocations, downsizing or rapid growth are all signs of likely non-compliance at an organization. These red flags may often trigger a software audit.

6. Your Rep is suspicious

Software vendors like Oracle, IBM and Microsoft have trained their sales reps to look for suspicious behavior at the organizations in their territories. If your sales rep is calling you and asking you a lot of questions about your environment, this is frequently a sign of an incoming software audit.

7. Virtualization or Cloud

If your organization is looking to move to the cloud or is using virtualization, the chances of a software audit greatly increase. There are many complex and ever-changing rules regarding virtualization, having to do with processors, cores and server counts. When you factor in virtualization in the cloud, even more rules apply. While companies often employ these technologies to reduce costs, they can lead to audits that cost more in the long term.

8. Your Licensing Expert Leaves

Did your licensing expert just leave the company? If so, your software vendor probably knows. License compliance teams at software vendors like Oracle, Microsoft and IBM keep track of how your organization is managing its licenses and renewals. Using outside consultants is a common strategy used by many large enterprise clients as a way of avoiding audits when personnel change.

With proper experts managing your licenses and compliance, organizations can be well prepared for the inevitable software license audit.  Miro can help your organization with software audit compliance, license management, subscription management and cloud services.  Contact Miro today if you’re facing a software audit or want to know if you’re ready to be audited.  Our experts can review your environment and let you know if you’re out of compliance or paying too much for licenses and subscriptions.