Virtualization: A Compliance Nightmare

Updated: Aug 14

There are many ways that you can be found out-of-compliance with virtualization. Here are the top three:


1. Hardware/OS Virtualization – when you add things like VMware/Hyper-V, LPARs, KVM and AWS/Azure to optimize your hardware investment, you frequently open the door to aggressive publisher definitions of usage and how processors are counted.


Example: According to Oracle, a processor is defined as all processors where their programs are installed and/or running. When you deploy a VM with Oracle products, Oracle asks that you pay for all VMware cores in your global environment. Think of it as buying a seat on an airline flight, and getting charged for all the seats because you could, theoretically, sit in any one of them.


2. Application Virtualization – when you deploy software on a Citrix server, many users can be granted access to those software applications. This can have drastic implications if licensed by named users based on access. (According to my ClearEdge colleague, and former auditor, Tres Larson, auditors and publishers love it when clients make a large investment in application virtualization because they know they will find a significant number of noncompliance issues. For a detailed discussion of exactly how and why this happens, follow the links at the bottom of the page to view Tres' 30-minute webinar on Application Virtualization.)


3. Desktop Virtualization (VDI) – when you create virtual desktops that are based on a golden image with chargeable software components/products. This practice is often used by off-shore development teams that log in to a Cisco/Citrix server, which then generates their desktop for the day, and it gets deleted at the end of the day.


Example: In Quest audits, we see clients getting in trouble because the software is used by developers who often put it in Citrix or on a virtual desktop, allowing access to every developer in the environment whether they use it or not. When Quest finds it on the server, they claim it constitutes unlicensed use by everyone in the organization with access to the server, and they issue an audit finding.


The difficulty with virtualization is that it’s hard and often time-consuming to track all access and usage risks, and terms can be interpreted in different ways. However, at audit time, it is essential to know exactly what software you’re contractually entitled to, and exactly who is using what. Otherwise, you will be found noncompliant, and be charged accordingly.


How you control access, and demonstrate that control, is mission critical to limit your exposure. We counsel clients to get favorable interpretations and explanations in writing: in a contract or amendment is best, but an email is better than nothing. Your “view of the world” must be documented so it can be used to defend yourself at audit time.


Further, when auditors ask to run scripts or provide extensive data, we advise clients to provide only that information that supports their interpretation or is the contractual minimum. And finally, be prepared to challenge their findings and fight back. We like to remind people about “contra proferentem” – a Latin term that means when there are ambiguous areas surrounding definitions and interpretations, in a court of law, contract law generally favors the signer, not the originator, of the contract. This shouldn’t be your only defense; it is meant to provide confidence in the negotiation.


You can also build leverage in audit negotiations by highlighting other deals that you have with that vendor, re-arranging deal timelines (take advantage of quarter-end/year-end), and showing you have confidence in your position with them by not agreeing to overarching interpretations.



Recommended SAM Policies

  • Require SAM group approval on all physical hardware (# of cores/processors) changes for virtual environments.

  • Perform self-audits periodically to review the current license situation with high-risk publishers and products (i.e., Microsoft, Oracle, IBM, Quest, Micro Focus).

  • Require that any external request for data go through an Audit Response Team composed of SAM, Procurement and/or Legal representatives. These requests might be called a review, assessment, cloud enablement exercise or something else – they are all data audits, and must be vetted by trained staff.

  • Involve the SAM group in the contract review process to evaluate areas such as audit clauses, change in control, cloud, geographic restrictions, license changes, license definitions, commitments, and deployment flexibility. This is where an ounce of prevention may prevent a pound of penalty in fees.

  • Negotiate as much of the audit clause as possible; and ask for a pre-audit agreement or addendum that establishes the “audit methodology” and defines the scope, the testing approach, the timetable, and who is responsible for what.

  • Attach point-in-time URL language to agreements or scrape a point-in-time view to save for later reference.



To learn more about the risks inherent in software audits and what you can do about them, contact the ClearEdge Compliance Services team.


Jared Frehner is a former professional auditor and a senior manager in the ClearEdge Compliance Services team.


This blog post was inspired by the webinar on Application Virtualization. You can access the full recording of this webinar below. For a deeper dive, we urge you to sign up for our online certification program.