Oracle Audits
Tam Kyle – Principal License Consultant

Topics
• Who am I?
• Why are we here?
• Audit, initial steps
• Remember, the goal of SAM in compliance
• Entitlement
• Usage
• Reconciliation and compliance - surely it’s just (entitlement – usage)?
• Et al, Conclusions, Questions, Close

Who am I?
• Tam Kyle - Principal License Consultant – [email protected]
• Last 10-15 years involved in Software Asset Management, primarily in the Database and Middleware arenas, covering products from Oracle, IBM and Microsoft.
• In the past 3 years, working for Rocela, I have narrowed and deepened that interest into Oracle products.
• Rocela were acquired by Version 1 in December 2013 to expand capabilities in the UK.
• We are Independent – not aligned to Oracle.
• We have provided support and advice to hundreds of clients in the UK and worldwide prior to, during and after Oracle audits.

Why are we here?
From the flyer: “You’ve heard about the risk from vendor software audits – but are you prepared”
• I’ll talk about Oracle specifically – and share some thoughts both on formal audits and SAM
• IT is reining in its spend, or controlling it to a tighter degree than in the past.
• Vendors are looking for ways of protecting and increasing revenue, and audits are potentially one way of achieving this.
• Don’t forget - Audits are part of your contractual obligation:
  – Don’t be surprised if you get one
  – Just be prepared

Audit, initial steps
Contractual obligation!
• Upon 45 days notice, Oracle may audit your use of the programs. You agree to co-operate with Oracle’s audit and provide reasonable assistance and access to information. Any such audit shall not unnecessarily interfere with your normal business operations. You agree to pay within 30 days of written notification any fees applicable to your use of the programs in excess of your license rights.
If you do not pay, Oracle can end programs-related service offerings (including technical support), program licenses ordered under the schedule and related agreements, and/or the Master Agreement. You agree that Oracle shall not be responsible for any of your costs incurred in cooperating with the audit.

But note several things:
• 45 days notice
• Provide reasonable assistance and access to information
• Audit shall not unreasonably interfere with your normal business operations
• Oracle shall not be liable for costs
• There is no defined time for completion

Audit, initial steps
A couple of examples:
• Generic – open ended
• Specific – details a particular OLSA, a Contract number, and/or specific products, or entities

Audit, initial steps
• Anyone under current audit or review?
• Anyone been audited – would you like to share how you feel?
• Generally people panic, or get scared – do not be – one of the goals of good SAM is to invite audits!
• Do Not Panic – lots of people get audited and reviewed – it’s not just you
• Check the correspondence - determine the nature of the engagement and its scope …

Audit, initial steps
• Is the letter addressed to the correct company?
• Is it open ended or restricted to a single contract or CSI?
• Does it reference a proper CSI?
• Does it state specific entities within the company?
• Does it mention specific products?
• Is it within the bounds of contractual liability (audit once per year)?
• Is it within the bounds of contractual liability (not interfering with business process)?
• Are there any other boundaries to consider – evidence of restrictions – is the company in a current engagement with Oracle on anything else – this may be relevant and unknown.
• Do not be overwhelmed – you have responsibilities but also the ability to control and drive the engagement

Audit, initial steps
• Who does the audit – LMS
• LMS are auditors – not aligned to customers or sales
• Their job is to count - and one of the fundamental issues with this – it’s often very difficult to count – licensing rules and policies are complex - not easy to interpret and apply consistently.
• LMS project manager and Consultant engaged. Back office data calculations possibly abroad. Collation by consultant.
• Several people engaged – this can impact the level of end to end context.
• Once completed, depending on result, will pass to COLS – sales oriented
• Joint Partner Engagement (JPE) partners may often be engaged

Audit, initial steps
• Project Control – driven by Oracle or yourself – what works best for you?
• Meetings schedule
• Data Required
  – Sign off of entitlement
  – Usage collection – more on this later
• Analysis of data and clarifications
• Presentation of interim findings and feedback
• Final Report
• Closure?
• This can be daunting – Oracle taking control – Stay calm – you take control!

Remember, the goal of SAM in compliance
Deployment ≤ Entitlement
AND
Entitlement – Deployment = ε
Where ε is an optimised (positive) value determined by Cost, Risk, Growth, Flexibility, Strategy, Control and capability etc.
This is not necessarily how an audit is targeted or progresses

Entitlement
• What products do you own?
• What products did you own?
• What do your subsidiaries own?
• What do your connected companies own – JVs etc.?
• What can be included or excluded within the bounds of the engagement – which you reviewed earlier?
• Do not include, or contemplate products outwith this scope

Entitlement is generated from internal Oracle systems – the Org Report – can often include a generic search to a company name – ensure that:
• nothing is included that isn’t yours
• everything of yours relevant to the scope is included

Entitlement
Snapshots may not be completely accurate – do not take anyone else’s word for this – YOU should know what your entitlement is!
• How many here do?
• So you have:
  – original order document
  – underlying terms and agreements – the OLSA, SLSA or TOMA
  – every exhibit, addendum, email, renewal, termination and piece of correspondence
• Why?
  – Your entitlement is NOT just about the products you currently renew, or that you have
  – It’s about what RIGHTS you have to use those products, it’s about what metrics are used to measure that use, it’s about what was relevant when you purchased, what has changed and what is relevant now.

Entitlement – why you should have all the data
A renewal shows what’s currently renewed – or what was last renewed – but it might not be the whole story … examples of some contractual clauses whose effect would never be noticed on a renewal:
• Data Centre Address restriction in order – programs could only be used in ‘your’ data centre at a fixed particular address
• Client who believed that it only ever had to count or license production installations and could ignore development
• Client who believed that ‘Enterprise’ in the product name meant it could be deployed throughout the company
• Clients who believe that OTN licenses can be used to cover all development (note restrictions on use types (prototyping), and ‘used by one person on one computer’)
• Customer entity lists may be open ended – i.e. generic to all subsidiaries, or specific – i.e. listing the entitled entities in a contract exhibit – no others allowed to use

Entitlement – why you should have all the data
A renewal shows what’s currently renewed – or what was last renewed – but it might not be the whole story … examples of some contractual clauses whose effect would never be noticed on a renewal:
• Excluded exhibits! – where those listed entities have no access to the programs
• Functional clauses – all programs allowed in support only for a particular function – may seem very valuable but, a) where is the boundary of the ‘function’ and, b) people often believe usage rights are broader than they are
• Addenda – a contractual metric may be subsequently altered. Has it been altered, a) to the detriment of the client or, b) has it been altered for just that order, or for all previous orders?

Entitlement – in summary
My point is – renewals are not entitlement
They may NOT be sufficient during an audit
Do not assume that because you know what is being renewed, you know what your entitlement is
You should agree the entitlement to be used in the audit.
Be mindful of the momentum of engagements
Entitlement is often not given the focus it deserves!
Scope! No more, no less

Usage
Here’s where it gets interesting in an audit:
• Where you’ll be asked to fill in an OSW – an Oracle Server Worksheet
• Where you’ll be asked to run CPU scripting on your hardware infrastructure
• Where you’ll be asked to run SQL scripting against some of your product components
• If this is what Oracle use during an audit, then perhaps you should be collecting similar data?
• Oracle spend a lot of time doing detailed database auditing – and it still generates most of the audit activity - a prime product, widely used
• The next biggest product auditing we see is E-Business Suite components
• Followed by Middleware – iAS and BEA and Weblogic
• There are Oracle audit scripts available for many areas – though often Oracle take a declarative stance for many – and in some cases have to where enterprise metrics are in play.

Usage
• The OSW can be quite frankly a bit of a troublesome spreadsheet
• It may be restricted in capability to format – which makes it difficult to deal with, and heightens effort and nervousness.
• Use your own, as long as it provides the right and necessary information. 4 hours per server estimate
• Some of the columns – dates (good and bad), applications, resilience, virtualisation
  – Dates; may be in your favour for e.g. early lower core factors
  – Dates; may not be in your favour if back charges need to be levied
  – Applications; may be useful due to apps with included or embedded licenses (which therefore may not require to be counted)
  – Resilience; important detail to have – Oracle will ask about it
  – Virtualisation; a topic in its own right! Be careful of use

Usage
• CPU scripting (lmscpuq) tries to uncover the infrastructure usage at a reasonable level
• It is not comprehensive, it often relies on o/s being comprehensively up to date, and it can report differing levels of information (e.g. threading, virtualisation)
• DB scripting (reviewlite) to be run on each active database
• Produces 10 files per instance
• Reads database features, and other metadata tables – does some more sophisticated checking.
• Other product declarations, or scripting – e.g. for Primavera, ODI, Siebel, OWB, BEA …

Usage
What else can or may be used:
• The company accounts! Where Enterprise Metrics are in use – e.g. employee count, Capital Expenditure – don’t give data that’s not necessary – if apps are Enterprise metricated then there is little need for numbers of application users.
• Enterprise Tools output – e.g. SCCM, Tivoli, ILMT
• Press and Media information, and data from consultants working for you – control information flow
• 3rd party specialist tooling

Usage
Depending on the products and metrics you might be asked other things or to provide other things after an initial discovery exercise:
• Additional virtualisation information, architecture schemas, DR positions, logs
• Note that database scripting is NOT limited to the products you own.
• EBUS – underlying technology free
• Customisations
• What’s a customisation? Diagnostics use, partitioning, olap, spatial

Usage
My Oracle Support and the Technical Support Policies:
• Everyone signs up to these as part of signing their contracts
• If Oracle tools are used to help provide support then these can also provide information which Oracle can use for license compliance

Usage
All of this takes time
You have a business to run
Do not ignore it – but be in control of it
When questions are asked make sure you have a full understanding of what is being asked, why it is being asked and how it is relevant to the scope of the audit you are involved in.

Reconciliation and compliance - surely it’s just (entitlement – usage)
Yes, although it’s probably a little bit more like:
This is not meant to be mathematically accurate – more to illustrate that it’s not a simple sum!
It’s important for you to understand what you own and where it is:
• But more important to know HOW you own it…and HOW it’s used

Reconciliation
Once all information has been shared, there will be a period of internal calculation, followed by the production of an Interim Report.
• This can be in Excel form, and may have a lot of data but less on context and provenance, e.g. Diagnostics noted in use – but is it in use because of
  • Real use of Diagnostics – many times or once!
  • Diagnostics via oem or grid control
  • Diagnostics via Database Cloning
  • Diagnostics through resilience
  • Diagnostics through E-Business use

Reconciliation
Once a short time period has elapsed a final report is produced – at this point, LMS will begin to step away from the engagement, and hand it over to COLS.
If you are unclear about the data, then ask for clarification – do not sign off until you are happy with the information.
LMS final report can look daunting.
• Even if you are not experienced – go through it
• Simple checks – totals
• NUP minimums per processor, per company, etc.
• There may be many people involved in the production of the report – work through the data

Reconciliation
This is often where an audit engagement can seem incomplete – but remember – it’s an AUDIT, not an OPTIMISATION.
So a report may note that you have a deficit of processor licenses but may not consider:
• What you might do with the surplus of NUP licenses you have – coverage, migration.
• What about old products unsupported – have you any?
• Do you have downgrade products you can upgrade?
• Are you non compliant because of a data centre migration?
• Have you considered term licenses?
• What about asfu licenses?

Et al – some other thoughts
OOD (MCS) – Oracle on Demand (Managed Cloud Services) – you may be:
• Paying Oracle to run your products
• Paying Oracle to license the products being run
• Paying Oracle to do customisations of the applications for you
• Paying Oracle for the resultant need to license the underlying technology
• All of which may be housed in Oracle datacentres under their management!

AWS – Amazon Cloud – a virtual physical core = a physical core – remember you need the license as well as paying for the service!

Et al – some other thoughts
ULA – another topic all on its own!
Unlimited License agreements are not an excuse to not think about licensing or compliance – they can often be treated this way and end up being more problematic than ad-hoc purchasing. They need specific care and guidance. They will almost always have specific entities listed as allowed to use, and will have a specific list of unlimited deployment products.

Policy Documents – may not contain information which is likewise specified within contracts. Use carefully.

Information requests – check what you are being asked for – is this a valid request? Are you being reviewed, or audited, or is this simply a request for information? Do you need to engage formally?

Conclusions
• SAM and audits in particular can cause fear - software is expensive, and can be deployed easily
• Remember one key thing – Oracle’s software license rules are not comprehensively stated, nor easily understood – seek clarification, and take your time
• LMS are all normal people but they have jobs to do – be calm
• Are you being audited, or reviewed or have you simply been asked for information (internal or external)
• Do you know your entitlement – search for it – ask for it – even Oracle
• Usage – remember fundamentals – NUP minimums, virtualisation, resilience.
• Reconciliation – look at your rights – only count (and make sure you count), what you can and have to
• Count it in the way you need to – e.g. DR testing rights.
• Would your CIO sign off your assumptions?
• Do you have a closure letter?

Conclusions
• These slides discuss how you might engage with Oracle during an audit
• But in reality, how you react should not be a surprise
• You should have this information available to you
• You should not be afraid of audits – indeed, as you progress SAM Capability you should invite them!
• You should think of SAM in this way – I will be audited, I will audit myself!

Questions?
Thank you
Tam Kyle – Principal License Consultant
[email protected]
07860-406-085