Audit Defense Your playbook for license compliance audits

Introduction

Christof Beaupoil, President of Aspera Technologies Inc.
- Co-founded Aspera in 2000
- 13 years' experience in software asset and license management
- Masters in Mechanical Engineering and Information Technology
- Certified ITIL Foundation and Licensing Specialist
- Led numerous license management projects for international corporations

Agenda: 10 Steps

1. Announcement / Audit Announcement Letter (AAL)
2. Access / Confidentiality / NDA
3. Procedures / Data Formats / Tools
4. Timeline
5. Data collection
6. Data verification
7. Licensing Compliance Table (LCT)
8. Settlement
9. Transfers
10. Back to production

1 Announcement / Audit Announcement Letter (AAL)

IBM:
- Sends Audit Announcement Letter (AAL)
- Requests starting date of the review
- Names contracted auditor
- Sets vague scope

Customer, to IBM:
- Communicates SPOC
- Negotiates starting date
- Questions scope
- Questions right to audit
- Questions auditor (already in accountant role?)

Customer, internal:
- DO NOT buy any licenses until settlement
- DO NOT try to remove software
- DO NOT disclose any information until confidentiality agreement is signed
- NOBODY other than SPOC communicates with IBM

2 Access / Confidentiality / NDA / Scope

Auditor:
- Requests uncontrolled deep access into your organization
- Tries to establish timeline

Customer, to Auditor:
- Grants NO unrestricted access (“darkroom”)
- Grants NO access to non-IBM data (e.g. 3rd party vendors, customer data)
- Auditor may not keep data after audit
- NO sweetener clause (Auditor may not profit from audit result)
- DOES NOT agree on timeline (see Step 4)

Customer, internal:
- Teams up:
  - Upper Management
  - Legal
  - IT
  - Procurement
  - License experts
  - Local license managers

Welcome to the TLA/FLA World of IBM

(1/3) Agreements:
- IPLA: International Program License Agreement (see §11)
- ILAN: International License Agreement for Non-Warranted Programs
- ILAE: International License Agreement for Evaluation of Programs
- ILAR: International License Agreement for Early Release of Programs
- IPAA: International Passport Advantage Agreement (incl. SubCapacity Attachment)
- ELA: Enterprise Licensing Agreement
- CEO: Complete Enterprise Option
- ESSO: (International) Enterprise Software & Service Option

(2/3) Licenses:
- S&S: Support & Subscription
- SLA: Software License Agreement
- LI: License Information (edition and version specific)
- PLET/GA: Program Announcement Letter / General Availability
- FTL: Fixed Term Licenses
- PoE: Proof of Entitlement
- FCT: Flexible Contract Terms

(3/3) Metrics:
- PVU: Processor Value Unit
- VC: Virtual- (a.k.a. Sub-) Capacity
- RVU: Resource Value Unit
- AUTH: Authorized User
- FL: Floating User
- …
- FUSSI: Floating User Single Session Single Install
- AUSI: Authorized User Single Install

3 Procedures / Data Formats and Tools

Auditor:
- Provides ASA Workbooks
- Provides scripts/instructions
- Requests on-sites

Customer, to Auditor:
- Reviews and extends ASA Workbook
- Requests full details on FastPass reports (auditor may not withhold information/details)
- Questions Missing Base License (MBL) rules
- Agrees on rules for transitioned vendors and PoE (hard-copy vs. invoices, POs)
- Imposes own procedures and (scan) tools

Customer, internal:
- Starts contract review and entitlement collection
- Evaluates available internal tools and resources
- Agrees to internal timeline for data collection

4 Timeline

Auditor:
- Will propose unfeasible timeline (time pressure works only in favor of IBM)

Customer, to Auditor:
- Extends times for data collection
- Adds steps for review of any output the Auditor produces
- Introduces Quality Gates that need to be passed before the next phase starts
- Agrees on time frames, not dates

Customer, internal:
- Plans for a long timeline (12 – 18 months)

5 Data Collection

Auditor:
- Provides FastPass / PPAO extract
- Reviews collected data / requests additional information:
  - Screenshots
  - Script output

Customer, to Auditor:
- Many IBM metrics require additional data collection via script / admin log-on
- Does not provide script output without review:
  - Count inactive/legacy users
  - High watermarks
  - Concurrent limited to timeframes

Customer, internal:
- Focuses on ENTITLEMENT collection:
  - PoEs
  - Missing base licenses
- Loads license data and assembles effective license position
- May restrict auditor’s access to selected information – but may not withhold access to licensing-relevant data

5.1 Passport Advantage Online (PPAO)

Key Focus

Missing licenses:
- Transited Vendors (FileNet, Cognos, SPSS, …)
- Missing trade-ups
- Missing Site Numbers
- Transferred entitlements (negative numbers)
- Delayed/faulty transmission from reseller

Purchased outside of PPA:
- Embedded
- Passport Advantage Express
- Enterprise Licensing Agreement (ELA)
- Complete Enterprise Option (CEO)
- (International) Enterprise Software & Service Option (ESSO/iESSO)

Export option is available only per site – Auditor has access via FastPass and can provide full export

5.2 ILMT

Over-counting:
- Missing Bundle Rules (Check LI)
- Hyper Threading
- Counting of Deactivated Cores (Check LI)
- Wrong product/edition
- Incomplete product names (e.g. missing edition)
- Ghost installs/false positives
- Keeps high water marks
- Virtual vs. full capacity
- Does not apply failover/standby/testing/clustering rules (Check LI)

6 Data Verification

Auditor:
- May ask to verify data in on-site visits
  - Positive testing: Picks server from workbook and confirms data
  - Negative testing: Picks device that is NOT in workbook and confirms no IBM software on it
- May try/ask to run additional scripts

Customer, to Auditor:
- Restricts auditor’s physical access – but answers license-relevant questions and provides data for verification

Customer, internal:
- Checks all workbooks for problems described in 5.x
- Loads workbooks – this will show additional gaps and inconsistencies
- Uses license data/compliance view in audit environment to close inconsistencies in workbooks (choose edition, choose metric)

7 Licensing Compliance Table (LCT)

Auditor:
- Manually assembles LCT – always has errors/interpretations
- Will not include S&S without base licenses
- Uses "versionless" for products under maintenance
- Draft status -> will push for EXIT Meeting

Customer, to Auditor:
- Does NOT agree to present LCT to IBM (Exit Meeting) until numbers are corrected, confirmed, and agreed
- In EXIT Meeting: Explicitly mentions any disagreements with the auditor, makes sure they are included in the meeting minutes

Customer, internal:
- Compares to internal compliance view
- Checks for:
  - Multi-metric products
  - Licenses not considered
  - Wrong editions
  - Bundling rules not applied
  - Sub-capacity vs. full capacity
  - Release dates for out-of-S&S positions
  - Over-licensing (Change in metric? Change in product name?)

8 Settlement & Audit Relief

IBM:
- Will make a settlement proposal based on §11.2 “Resolution” of IPLA:
  - Missing base license: Purchase license with two years of RETRO S&S
  - Missing S&S: Purchase reinstatement with two years of RETRO S&S
  - Typically applies valid discount level
- Will propose audit relief (no legal action) only for disclosed non-compliance / resists base-lining

Customer, to IBM:
- Uses installation dates for less retro S&S
- Uses documented disagreements on LCT as leverage
- Pushes for base-lining
- No partial settlements
- Includes ALL negotiated terms in the settlement agreement

Customer, internal:
- Makes sure that executive management understands the audit results

9 Transfers

IBM:
- Settlement was for Group Balance
- Will request to create internal compliance per site
- Might audit single sites in the future

Customer, to IBM:
- Receiving site triggers transfers on PPAO through transfer form (IBM)
- Giving site gives approval

Customer, internal:
- Joins base licenses and S&S in same site
- Negotiates internal cost allocation

10 Back to Production

IBM:
- n/a

Customer, to IBM:
- Makes sure that agreed license position is properly reflected in PPAO

Customer, internal:
- Adds “baseline” / new licenses to the production system
- Applies audit/settlement rules and exceptions to the system (e.g. bundling rules, DG rights, metric selections, full/sub-capacity decisions)
- Sets up process to maintain manually collected software data

Thank You

Questions?

The Company

Aspera Technologies Inc.
- Founded in 2000
- Co-founders and management team:
  - Christof Beaupoil – Co-founder, President, Aspera Technologies Inc.
  - Bernhard Boehler – Co-founder, CEO, Aspera GmbH
  - Olaf Diehl – Managing Director, Business Development & Operations
  - Keith Sauvant – Co-founder, Managing Director, Research & Development
- Parent company: USU Software AG
- Employees: 92
- Partners in: Australia, Benelux, France, Scandinavia, South Africa, and the UK
- Portfolio: Tools, LaaS, Managed Services, Master Catalog, Consulting, Project Management
- Customers: 24 Fortune Global 500 companies, very large, large, and medium sized organizations, government and civil services bodies

Awards, Certifications, and Evaluations

- Awarded: Best Asset Management Solution and Best Web Services Solutions; Best IT Services
- KPMG certifies Aspera SmartTrack: This tool assessment and certification was provided by KPMG Deutschland AG.
- Aspera SmartTrack reached 100% with the maximum level of accuracy for Lab Simulation and Request Catalog.
- ECPweb.com Tools Manager – Annual Evaluation: Aspera is the market leader. SmartTrack best meets the demands of large companies who wish to effectively manage software assets for their server and desktop environments.

Contact

North America:
Aspera Technologies Inc.
470 Atlantic Ave., 4th Floor
Boston, MA 02210
Your personal contact: Shawn Smith
Tel.: +1 508-473-6373
Email: [email protected]

Europe:
Aspera GmbH
Dennewartstrasse 25-27
52068 Aachen, Germany
Your personal contact: Alexander Lodenkemper
Tel.: +49 241-963-3290
Email: [email protected]

www.aspera.com

Aspera GmbH and Aspera Technologies Inc. check and update the information in this presentation on an ongoing basis. Despite this, data may have changed. Therefore, Aspera cannot be held liable for the up-to-dateness of this document. The content and structure of this document are protected by copyright. Any reproduction of the information and data contained herein, especially the use of texts, text passages or illustrations, requires written prior consent of Aspera Technologies.
Aspera, SmartTrack, FlowControl, ICM, CMM, FM, MM, and the license management logo are registered trademarks of Aspera GmbH in Germany and/or other countries.