
Software license audits more difficult thanks to virtualization, multi-plexing

Software license audits are up in the downturn, as vendors look for revenue lost through waning new license sales.

With vendors looking to recoup revenue lost due to sagging license sales, many customers have seen an uptick in software license audits, according to a Forrester Research report.

On top of that, software license compliance is getting trickier. Virtualization, multi-plexing and third parties accessing software meant for internal use are all leading to under-licensing problems, according to Duncan Jones, principal analyst with Cambridge, Mass.-based Forrester Research.

“This might be part of the maturing software industry, with audits now being part of their best practices, but software publishers are also trying to get every dollar of revenue to which they are entitled,” Jones said. “There’s nothing wrong with software companies doing license audits -- they have to protect their intellectual property. But sometimes they can be painful, or even terminal, for IT sourcing and vendor management leaders.”

Customers feel that pain. In the words of one customer who has been through an audit, “I’ve had root canals that were more fun.” 

“A couple of vendors we rely on heavily pull surprise inspections, which causes a few sleepless nights,” said Gerry Scheider, a purchasing agent with a large Arlington, Virginia-based defense contractor.

“We don’t get a lot of time to prepare so there is this uneasy feeling that you or someone in your organization is not in compliance because you didn’t understand the language in a contract, or whether you are just a mark for the vendor looking for revenue opportunities.”

When it comes to virtualization, part of the problem is that language used in licensing contracts hasn’t kept up with the evolution of the technology, Jones said. In turn, both IT shops and vendors have been lax in updating agreements, which are sometimes three or four years old.

For instance, Jones pointed to an IBM customer that had virtualized its data center. The client signed an agreement which stated that every server in that data center that was eligible to run IBM’s software had to be licensed, whether it was actually running that software at the time or not.

The client believed it only had to pay the license for servers running IBM’s software at the time it signed the agreement, and that other servers not running the company’s software would be covered under the agreement with no additional fees. But the letter of that contract meant that every server that was, and likely would be, running IBM’s software had to be licensed, Jones said.

For Oracle customers, compliance with virtualization policies has been problematic, particularly because of its hardware-based approach to licensing server software.

Oracle continues to license its products per processor and not by the box, which can be a pretty expensive proposition for those Oracle users with dozens of multi-core, multi-processor systems in their shops. 

“Oracle’s policy is probably the worst of any of them because they ignore virtualization. They count all the cores in all the processors on every server that runs their software,” Jones said.

But Jones defended Oracle’s position, pointing to the company’s high-end Exadata server that could potentially replace dozens of much lower-end servers, each one carrying licenses for Oracle software. Despite some industry skepticism about the economic value of moving its workloads to Exadata and its licensing scheme, Jones contends the company’s plan could give users the same value, if not more.

“I have clients who say, ‘I am replacing 20 old servers with fewer new ones therefore Oracle owes me a lot of money because I am running fewer servers.’  But they are processing the same workload and getting the same value out of the Oracle software as before,” Jones said. “Why should Oracle suffer the reduction in revenues?”

Oracle's chief competition in the applications market has different issues. Because SAP’s licensing strategy is user-based, not hardware-based, virtualization hasn’t been as big of a problem. A bigger issue for SAP customers has arisen around multiplexing – indirect use of the SAP back-end through an integrated application. Customers need licenses for users of any product that they have integrated with the product being audited, according to Forrester.

For instance, say a customer develops a portal for customers to check account status, but that extracts data from the SAP backend. The utility needs user licenses for each of its customers, according to the report.

“I have seen situations where someone developed their own front-end for taking orders and those sales orders were interacting with SAP, creating order records in SAP,” Jones said. “So SAP’s argument is, ‘In what sense are (these non-SAP applications) not using SAP?’”

In turn, external use of the software has caused compliance issues. This happens when the software is licensed only for use within the company, but is accessed, for instance, through a portal by customers, suppliers or sales agents.

Strategies for reducing software license auditing pain

Once the letter announcing a software license audit arrives, it may be too late, Jones said. But there are measures customers can take now to prepare themselves for one.

First, appoint someone who has clear responsibility for the software licensing compliance effort.

It is a lack of ownership that most often gets IT shops into trouble, Jones said. If the person in charge of the company’s auditing process can show the vendor’s auditing team the controls he or she has put in place and get them to test the quality of those controls instead of doing a substantive software license audit, the vendor tends not to carry out the latter.

“If on the other hand you say ‘no, we don’t have that information and don’t know who would get it or how, all I know is it is not my job,’ then the vendor says well here is a revenue generating opportunity for sure,” Jones said.

Who is placed in charge of software license compliance, what title they are given and who they report to varies widely among companies.  Companies that have done a good job at monitoring compliance, in Jones’ opinion, have “asset managers” or “compliance managers.” These people might be assigned to their company’s program management office, or to operations, and in a minority of cases report to the CIO. 

Whoever is overseeing the compliance effort should call the vendor even before they come onsite to talk over what they are going to be doing and how they are going to do it, Jones said. This way, they can hash out any vague issues that have evolved since the licensing agreement was originally signed.

“You may still face a bill at the end of the audit, but you will be able to limit purchases to just the products and capacity that you need going forward, rather than paying penalties for technical breaches that provide no value to your organization,” Jones said.









