blay oracle audit defence_ itam review audit defence workshop amsterdam april 2016

Richard Spithoven b.lay, the license management company

ITAM Review Audit Defence Workshop, Amsterdam, 12th April 2016


Introduction

Richard Spithoven b.lay, the license management company

2013 – 2016 b.lay Director 2009 – 2013 Oracle LMS Europe South 2005 - 2009 Oracle Principle license consultant

Agenda -  Common misunderstandings….. -  What is an Oracle Audit?

-  Start -  Execution -  Closure

-  Under an Oracle Audit?

-  Things to consider…. -  Tips & Tricks

-  Best solution to tackle an Oracle Audit?


Common misunderstandings…

-  Not cooperating or delaying an Oracle audit is ok !?

-  COLS Business Review ≠ Oracle License Review ≠ Oracle Audit !? -  We are now using an Oracle Verified Tool, so we have full control !?

-  End-users under-estimating the level of detail and knowledge, needed in order to understand the real license entitlements.

-  End-users under-estimating the level of detail and knowledge, needed in order to understand the deployment and (licensable) usage of the different software programs/componens/features. -  End –users being re-active in terms of managing Oracle licenses and becoming (too late) active/pro-active’ at the start of an audit.


What is an Oracle Audit?


Start of an Oracle Audit



A closer look at Oracle’s Standard Audit Clause: Upon 45 days written notice, Oracle may audit your use of the programs. You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information. You agree to pay within 30 days of written notification any fees applicable to your use of the programs in excess of your license rights. If you do not pay, Oracle can end your technical support, licenses and/or this agreement. You agree that Oracle shall not be responsible for any of your costs incurred in cooperating with the audit.



-  Oracle License Management Services (LMS) -  Organizations are selected for an audit by either:

Oracle LMS Oracle Sales

-  License Compliance Risk analysis includes multiple parameters (e.g. historical metrics, purchase date, mergers/acquisitions etc.)



-  “Notification Letter” to your CIO and/or CFO.

-  Oracle License Review = Oracle License Audit! -  Objective to determine compliance issues ($) and cross/upsell opportunities ($) -  Single Point of Contact

-  Kick Off Meeting / Call


Execution of an Oracle Audit

Product Scope: - Oracle Database, Database Options, Database Mgmt Packs - Oracle Application Server - Oracle Weblogic Server - Oracle SOA Suite - Oracle JD Edwards - Oracle Siebel - Oracle E-Business Suite - Oracle PeopleSoft

Note: Other products can be included, but are typically not included.

Legal Entity Scope: - Which legal entities are included in the scope of the audit



License Inventory

._ Oracle software programs

._ Order Nr’s/Order Dates

._ Support Start Date, End Date

._ License Metric

._ License Level

._ License Status

._ other



ITAM Review Oracle Seminar, London 21st Nov 2014 License

Inventory

OF OLSA

SR

SP1 PD10g BP

SR SR

SP2 PD11g BP

SR SR

Time


Hardware Discovery 1

License Inventory

._ Oracle Server Worksheet (*.xls) ._ CPU queries (OS Commands) ._ Screenshot of Virtual (VMware) Infrastructure Client




Software Inventory 2

License Inventory

._ Oracle Fingerprints .- Oracle Discovery Tool (OMT)





Software Configuration 3

License Inventory

Oracle Product Specific Queries: - Review Lite (Database, DB Options, DB Packs) - FMW Script (Weblogic, OAS) - Siebel Extraction Scripts (Siebel) - Audit Trail (E-Business Suite) - Remote Review Tool (JD Edwards)






Usage Determination 4

License Inventory

Oracle Product Specific Queries: ._ Application Record Form (Database & Middleware) ._ Siebel Usage Tracking feature (Siebel) ._ Usage Based.sql (E-Business Suite)







License Inventory

Non-system data 5

Other items: .- company file .- hosting or not? .- $ metrics .- geographical .- etc.



Source: b.lay BLM program





Contract

Analysis

Source: b.lay BLM program

Non-system data 5

Manual Data Gathering & Analysis

T o o l i n g / s c r i p t s


Closure of an Oracle Audit

-  Oracle LMS - Final Report

-  Oracle Compliance Policy (30 days policy) -  Back Support Fees

-  Oracle Sales - Commercial Resolution Full details of Oracle’s Compliance Policy can be found through: http://www.oracle.com/us/corporate/license-management-services/policy/index.html


Why you should care: cost of even one PROC out of compliance?

Example: End-user has 2 Processor licenses Oracle Database Enterprise Edition but is found to make use of 3 Processor licenses Oracle Database Enterprise Edition for a period of 6 years: List License: $ 47,500 List Support: $ 10,450 Standard Discount: 10% Net License: $ 42,750 Net Support: $ 9,405 Back Support ( 6 years) 6 years x $ 9,405 = $ 56,430 Total Fees: $42,750 + $9,405 + $56,430 = $108,585


Under Audit? Things to consider..



-  IRM involvement (sensitive, confidential data)?

-  Can data gathered leave your premises?

-  Which results are shared when, and with whom from Oracle Sales?

-  What is the performance impact of the Oracle Audit tools proposed?



-  Make sure that you understand before the data is collected:

-  Why is this data collected?

-  What data will be collected?

-  Where is this data collected from?

-  How will this data be used?



-  Enforce you know what will happen with the data before you share it:

-  What will Oracle do with the data collected?

-  Where will Oracle store the data collected?

-  Who can access the data collected by Oracle?


Under Audit? Tips & Tricks..

What to do to let things run smooth?

-  Quick Risk Assessment -  Share and manage the expectations towards C-level

-  Internal Governance, Communication and Escalation Model -  Oracle Project Team

-  SPOC (Project Manager) -  Legal, Purchasing/Vendor Management, IT Depts, Outsourcer

-  Steering Committee -  C-level / Members of the Board

-  Data sharing within your company; (leaking results externally)

-  Do your own research before ( and during) the audit(!)


Best Solution to tackle an Oracle Audit?


Best Solution to tackle an Oracle Audit?

Be pro-active and take the control yourself, and don’t wait until you get audited by Oracle!

How?

Perform regular internal license reviews;

determine your license compliance position and mitigate financial, operational and legal risks.


Some take aways…..

Make sofware license management a priority at C-level and budget for the proper software license management practice, tailored to the specific needs of your organisation . Create an internal software license management team of multiple disciplines (procurement, legal, DBA, Infrastructure Managers, Business Application Mangers, Outsourcers) with C-level sponsoship and review on a regular basis: -  your real license entitlements (incl OD, OLSA, SR, SP, PD, BP)

-  your real deployment and (licensable) usage of the software

-  reconcile your license entitlements with your license deployment and usage in order to identify and adress software license compliance issues proactively!


Further reading on www.b-lay.com

1.  Oracle License Review or License Audit Answers to your Top 20 Questions

2. Oracle: Your quick Oracle Licensing Guide.

3. Oracle ULA: An overview of the major risks you should be aware of.

4. Oracle Pool of Funds: An overview of the ins & outs of this type of agreement

5. Oracle E-Businesss Suite: An overview of common license compliance issues



Questions?


Contact

Richard Spithoven b.lay, the license management company [email protected] T: +31 (0) 8 80 23 3702 M: +31 (0) 6 10 40 6619 W: www.b-lay.com L: nl.linkedin.com/pub/richard-spithoven

blay oracle audit defence_ itam review audit defence workshop amsterdam april 2016

Technology