This article is a collaboration between AJ Witt of The ITAM Review and Dean Bolton, Co-founder & Chief Architect of LicenseFortress. In it, we explore the challenges around licensing highly complex environments and how to approach these to minimise risk, reduce cost, and maintain compliance.
What is a complex environment?
For the purposes of this article, we are focusing on licensing database technologies. However, much of the advice will also apply to other environments with complex metrics or strict deployment rules – including on-premises, cloud, and hybrid environments.
We consider a complex environment to be one where some or all of the following apply:
- License consumption is continuously monitored internally within software log files or is reported back automatically to the publisher
- Usage rights vary according to the environment in which the software is deployed. For example, differing usage rights in Oracle Cloud versus Amazon AWS or Microsoft Azure
- Usage of options, features, and functionality within a previously deployed program can generate additional license requirements post-install. For example, the Oracle Advanced Compression option (ACO) is always installed with the Oracle database and cannot be uninstalled. If the customer uses it after install, even accidentally, it creates a compliance issue.
- Changes to the underlying hardware or deployment location can generate additional license requirements
What is the impact of deploying software in a complex environment?
Put simply; complexity increases risk. Consider a simple environment:
- A desktop PC
- Software that is licensed per desktop
- In order to deploy the software a unique key is required, and this key is tied to the hardware fingerprint of the desktop PC
- The software is activated on installation via communication with the publisher
In this scenario, the risk of non-compliance with license terms is small. The software program is installed and activated, and that’s all that’s required. Any user of that physical PC is permitted to use the software. The unique key has been paired with the fingerprint of the PC and sent to the publisher. All is well – setting aside the difficulties of managing keys and activations.
Now, let’s see what it looks like in a complex environment like this one:
- A virtualised datacenter
- Software licensed per processor core, per socket with restrictions on where the program may be physically installed
- Named User, concurrent user licensing options exist
- No serials or keys required for installation
- No activation process required
- Additional options and features may be installed, or be activated by system administrators at any time
- All consumption of options and features, along with installation data, is retained in log files and/or reported to the publisher
Here we have a “perfect storm” of license compliance risk. It’s possible for license non-compliance to be generated inadvertently and by multiple individuals or teams in multiple locations.
Examples of compliance risk
There are many sources of license compliance risk in this scenario. For example, a server administrator might enable datacenter host-level features such as high availability that seamlessly redeploys the program on replacement hardware. Or the hardware team might increase processor core capacity in response to requirements for other services. A third-party management organization might inadvertently migrate a database workload onto a physical server that is unlicensed or has a higher core count than the existing license allows for. The application administrator may enable a feature without understanding the impact on license compliance. Additionally, third-party applications, vendor patches, could turn on unlicensed features.
These risks are compounded by the program recording consumption data in log files, creating a “paper trail” of non-compliance information accessible by the publisher under audit conditions.
The key here is that there are human factors at play, and humans make mistakes. There are multiple stakeholders involved in the deployment, operation, and management of this program, and the environment in which it runs. None of those stakeholders will have a full understanding of license compliance risks. License compliance isn’t their day job, and so possibly at the back of their mind when that urgent request comes in to resolve a performance issue for a key business application.
Managing Complex Environments
In order to manage compliance risk in complex environments, you need all of the following:
- Application knowledge
- Licensing knowledge
- Legal/Contract knowledge
- Technical knowledge
- Monitoring tools
Without all of the above, you’re unable to understand the impact of a change in one area, potentially unrelated to the licensed program, on the overall compliance position of the environment.
How do you address this?
There are a number of approaches. Licensing specialists, stakeholder engagement, and managed services are all options for solving this challenge. Let’s look at these in greater detail.
Many ITAM teams will have specialists assigned to specific publishers – for example, Oracle, IBM, SAP, or Microsoft. Licensing experts develop a deep knowledge of compliance requirements for their specialties and use that knowledge to optimise deployments and manage risk. These specialists need to build the right stakeholder relationships and also potentially technical skills to deliver on their objectives. It takes considerable time to build up both licensing knowledge and knowledge of your business. Once the proper knowledge base has been established, continuing education is needed to keep up with the evolving landscape of license metrics.
The stakeholder approach aims to engage application, technical, and legal teams in ensuring that license compliance for complex environments is maintained. This requires excellent stakeholder management skills with the ability to influence decisions and drive progress. For example, the ITAM team may uncover a non-compliance risk, and the stakeholder approach will be used to mitigate that risk. Or, more positively, you may discover a deployment approach that substantially reduces costs but needs technical and application knowledge to implement it.
The stakeholder approach is challenging because you will be advocating changes to be made to complex business-critical environments. For example, pushing through an architecture change to ring-fence Oracle database deployments on a dedicated virtual cluster. Lead times may be long, teams may be focused on more pressing priorities, and there may be concerns around availability and application performance that are difficult to address ahead of the change being made. You need to build and maintain momentum, and that’s no easy task in a busy IT environment.
The need for continuous management
These approaches are susceptible to another problem of managing complex environments – that they need continuous management and monitoring. Managing a complex environment is not a project. If a licensed program is continuously monitoring consumption, then it needs to be managed continuously. Continuous management is clearly resource-intensive, and so automation of compliance may have a role to play. It’s also important to prevent unintended or inadvertent consumption of unlicensed programs, and so technical restrictions may also be required.
This continuous management approach is already mandated by some vendors. To qualify for sub-capacity licensing, IBM requires the use of ILMT, and for SAP, regular SAP LAW reports are required. Others, such as Oracle, leave it up to their customers to maintain the necessary records to comply with audit requests.
Annual license compliance audit no longer enough
The gold standard for license compliance monitoring historically has been an annual audit. Much like an annual financial audit, an outside firm conducts a third-party review and reports back findings. While this was sufficient in the past, given the high costs associated with compliance mistakes in a database environment, real-time monitoring and alerting is a now a requirement. The outcome under audit conditions is very different when a database compliance issue is detected in hours and days and corrected or goes unknown and uncorrected for months or even years.
The place for Managed Services
Managed Services aim to overcome some of the challenges presented above and are well-placed to do so. The key is that they are contracted to maintain license compliance for your complex environment. That’s their entire focus. An experienced MSP will be doing this for multiple customers, and this enables them to build up a wealth of knowledge around what works and doesn’t work for a given scenario. Re-architecting a database environment is not something an in-house team will do regularly. Databases are so critical to business performance and service provision that often they have a big virtual “Do Not Touch” sticker attached. Building the level of expertise on offer from a competent in-house Managed Service Provider would take years, and all with the threat of that highly experienced colleague moving on to pastures new.
Where Managed Services may not necessarily compete with the in-house approach is in building a deep understanding of your business environment – your motivations, objectives, and strategies. These are areas where an in-house approach has merit, but it’s no good knowing where you want to go if you have no way of getting there. Managed Services will help you climb that mountain and may have more influence on senior leaders and service owners than an in-house team. Strong vendor management, service management, and clear SLAs will ensure alignment of an MSP with your objectives.
It’s important to note that whoever owns the licenses is ultimately responsible for any license compliance mistakes made by the MSP.
An example of delivering a positive result in a complex environment is detailed in the case study linked below. In this case study a health services provider generated an inadvertent non-compliance with Oracle’s License Agreement during delivery of a complex multi-stakeholder project. The key factors leading to this non-compliance position were time constraints, the use of a Systems Integrator rather than in-house resources, and parallel solution delivery from multiple teams. These will be very familiar risk areas for anyone governing delivery of modern IT projects.
When audited by Oracle they were faced with the stark choice of a bill which would have bankrupted them or settling by taking out a ULA. However, the costs associated with the ULA option were still a tough pill to swallow ($5m instead of $14m). By working with their Systems Integration partner and Managed Services from LicenseFortress they were able to reduce annual support costs by 75% and divert funds back to their core mission of improving health outcomes for their customers.
Realising these cost savings required a detailed understanding of Oracle usage, license terms, and technical deployment options, along with the ability to deliver the necessary technology changes. With their house back in order and ongoing support savings locked in the final piece in the puzzle was ensuring that the new Oracle environment and licensing structure was continuously monitored to prevent the type of non-compliance that had stricken them previously.
To read more on this case study please visit the following link:
Health Exchange Case Study (external link)
This article has outlined the unique challenges of managing complex environments and the various approaches to solving those challenges. It has argued that for many organisations, the Managed Services approach offers benefits over attempting to solve the challenges of complex metrics and continuous license compliance in house. Some publishers recognise that this is a significant burden for organisations, and perhaps even a barrier to growing usage of their products within those organisations. IBM, for example, recently initiated the IASP program to address some of the challenges. Others, such as Oracle, continue to offer limited help, and inevitably this ends up with mistakes being made and non-compliance being uncovered at audit time. With the potential for audits to increase due to the revenue impact of the coronavirus pandemic, now is a good time to assess how you manage complex environments.