Transcript
Audit Defense Your playbook for license compliance audits
Introduction President of Aspera Technologies Inc. Christof Beaupoil Co-founded Aspera in 2000 13 year’s experience in software asset and license management Masters in Mechanical Engineering and Information Technology Certified ITIL Foundation and Licensing Specialist Led numerous license management projects for international corporations
Agenda 10 Steps
1. Announcement / Audit Announcement Letter (AAL) 2. Access / Confidentiality / NDA 3. Procedures / Data Formats / Tools
4. Timeline 5. Data collection 6. Data verification 7. Licensing Compliance Table (LCT) 8. Settlement
9. Transfers 10. Back to production
1 Announcement Audit Announcement Letter (AAL)
IBM: Sends Audit Announcement Letter (AAL) Requests starting date of the review Names contracted auditor Sets vague scope
Customer: To IBM
Communicates SPOC Negotiates starting date Questions scope Questions right to audit Questions auditor (already in accountant role?)
Internal
DO NOT buy any licenses until settlement DO NOT try to remove software DO NOT disclose any information until confidentiality agreement is signed NOBODY other than SPOC communicates with IBM
2 Access / Confidentiality / NDA / Scope Auditor: Requests uncontrolled deep access into your organization Tries to establish timeline
Customer: To Auditor
Grants NO unrestricted access (“darkroom”) Grants NO access to non IBM data (e.g. 3rd party vendors, customer data) Auditor may not keep data after audit NO sweetener clause (Auditor may not profit from audit result) DOES NOT agree on timeline to Step 4
Internal
Teams up: Upper Management Legal IT Procurement License experts Local license managers Welcome to the TLA/FLA World of IBM
Welcome to the TLA/FLA World of IBM (1/3) Agreements: IPLA International Program License Agreement (see §11) ILAN International License Agreement for Non-Warranted Programs
ILAE International License Agreement for Evaluation of Programs ILAR International License Agreement for Early Release of Programs IPAA International Passport Advantage Agreement (incl. SubCapacity Attachment) ELA Enterprise Licensing Agreement CEO Complete Enterprise Option ESSO (International) Enterprise Software & Service Option
Welcome to the TLA/FLA World of IBM (2/3) Licenses: S&S Support & Subscription SLA Software License Agreement LI License Information (edition and version specific) PLET/GA Program Announcement Letter / General Availability
FTL Fixed Term Licenses PoE Proof of Entitlement
FCT Flexible Contract Terms
Welcome to the TLA/FLA World of IBM (3/3) Metrics: PVU Processor Value Unit VC Virtual- (a.k.a. Sub-) Capacity RVU Resource Value Unit AUTH Authorized User FL Floating User … … …
FUSSI Floating User Single Session Single Install AUSI Authorized User Single Install
3 Procedures Data Formats and Tools
Auditor: Provides ASA Workbooks Provides scripts/instructions Requests on-sites
Customer: To Auditor
Reviews and extends ASA Workbook Requests full details on FastPass reports (auditor may not withhold information/details) Questions Missing Base License (MBL) rules Agrees on rules for transitioned vendors and PoE (hard-copy vs. invoices, POs) Imposes own procedures and (scan) tools
Internal
Starts contract review and entitlement collection Evaluates available internal tools and resources Agrees to internal timeline for data collection
4 Timeline Auditor: Will propose unfeasible timeline (time-pressure works only in favor of IBM)
Customer: To Auditor
Extends times for data collection Adds steps for review of any output Auditor produces Introduces Quality Gates that need to be passed before next phase starts Agrees on time frames, not dates
Internal
Plans for a long timeline (12 – 18 months)
5 Data Collection Auditor: Provides FastPass / PPAO extract Reviews collected data / requests additional information Screenshots Script output
Customer: To Auditor
Many IBM metrics require additional data collection via script / admin log on Does not provide script output without review:
Count inactive/legacy users High watermarks Concurrent limited to timeframes
Internal
Focuses on ENTITLEMENT collection
PoEs Missing base licenses
Loads license data and assembles effective license position May restrict auditor’s access to selected information – but may not withhold access to licensing relevant data
5.1 Passport Advantage Online (PPAO) Key Focus
Missing licenses: Transited Vendors (FileNet, Cognos, SPSS,…) Missing trade-ups Missing Site Numbers
Transferred entitlements (negative numbers) Delayed/faulty transmission from reseller Purchased outside of PPA:
Embedded Passport Advantage Express Enterprise Licensing Agreement (ELA) Complete Enterprise Option (CEO) (International) Enterprise Software & Service Option (ESSO/iESSO)
Export option is available only per site – Auditor has Access via FastPass and can provide full export
5.2 ILMT Over counting: Missing Bundle Rules (Check LI) Hyper Threading Counting of Deactivated Cores (Check LI) Wrong product/edition Incomplete product names (e.g. missing edition) Ghost installs/false positives Keeps high water marks Virtual vs. full capacity
Does not apply failover/standby/testing/clustering rules (Check LI)
6 Data Verification Auditor: May ask to verify data in on-site visits Positive testing: Picks server from workbook and confirms data Negative testing: Picks device that is NOT in workbook and confirms no IBM software on it May try/ask to run additional scripts
Customer: To Auditor
Restricts auditor’s physical access – but answers license relevant questions and provides data for verification
Internal
Checks all workbooks for problems described in 5.x Loads workbooks – this will show additional gaps and inconsistencies Use License data/compliance view in audit environment to close inconsistencies in workbooks (choose edition, choose metric)
7 Licensing Compliance Table (LCT) Auditor: Manually assembles LCT – always has errors/interpretations Will not include S&S without base licenses Uses Version less for products under maintenance Draft status -> will push for EXIT Meeting
Customer: To Auditor
Does NOT agree to present LCT to IBM (Exit Meeting) until numbers are corrected, confirmed, and agreed In EXIT Meeting: Explicitly mentions any disagreements with the auditor, makes sure included in meeting minutes
Internal
Compares to internal compliance view Checks for:
Multi metric products Not considered licenses Wrong editions Not applied bundling rules Sub-capacity vs. full capacity Release dates for out of S&S positions Over-licensing (Change in metric? Change in product name?)
8 Settlement & Audit Relief IBM: Will make a settlement proposal based on §11.2 “Resolution” of IPLA: Missing base license: Purchase license with two years of RETRO S&S Missing S&S: Purchase reinstatement with two years of RETRO S&S Typically applies valid discount level
Will propose audit relief (no legal action) only for disclosed incompliance / resists base-lining
Customer: To IBM
Uses installation dates for less retro S&S Uses documented disagreements on LCT as leverage Pushes for base-lining No partial settlements Includes ALL negotiated terms into settlement agreement
Internal
Makes sure that executive management understands the audit results
9 Transfers IBM: Settlement was for Group Balance Will request to create internal compliance per site Might audit single sites in the future
Customer: To IBM
Receiving site triggers transfers on PPAO through transfer form (IBM) Giving site gives approval
Internal
Joins base licenses and S&S in same site Negotiates internal cost allocation
10 Back to Production IBM: n/a Customer: To IBM
Makes sure that agreed license position is properly reflected in PPAO
Internal
Adds “baseline” / new licenses to the production system Applies audit/settlement rules and exceptions to the system (e.g. bundling rules, DG rights, metric selections, full/sub-capacity decisions) Sets up process to maintain manually collected software data
Thank You
Questions?
The Company Aspera Technologies Inc.
Founded in 2000
Co-founders and management team:
Christof Beaupoil – Co-founder, President, Aspera Technologies Inc. Bernhard Boehler – Co-founder, CEO, Aspera GmbH Olaf Diehl – Managing Director, Business Development & Operations Keith Sauvant – Co-founder, Managing Director, Research & Development
Parent company: USU Software AG
Employees: 92
Partners in: Australia, Benelux, France, Scandinavia, South Africa, and the UK
Portfolio: Tools, LaaS, Managed Services, Master Catalog, Consulting, Project Management
Customers: 24 Fortune Global 500 companies, very large, large, and medium sized organizations, government and civil services bodies
Awards, Certifications, and Evaluations Awarded: Best Asset Management Solution
KPMG certifies Aspera SmartTrack This tool assessment and certification was provided by KPMG Deutschland AG.
and
Best Web Services Solutions
Aspera SmartTrack reached 100% with the maximum level of accuracy for Lab Simulation and Request Catalog.
Best IT Services
ECPweb.com Tools Manager – Annual Evaluation Aspera is the market leader. SmartTrack best meets the demands of large companies who wish to effectively manage software assets for their server and desktop environments.
Contact
North America:
Europe:
Aspera Technologies Inc. 470 Atlantic Ave., 4th Floor Boston, MA 02210
Aspera GmbH Dennewartstrasse 25-27 52068 Aachen, Germany
Your personal contact: Shawn Smith Tel.: +1 508-473-6373 Email:
[email protected]
Your personal contact: Alexander Lodenkemper Tel.: +49 241-963-3290 Email:
[email protected]
www.aspera.com
Aspera GmbH and Aspera Technologies Inc. check and update the information in this presentation on an ongoing basis. Despite this, data may have changed. Therefore, Aspera cannot be held liable for the up-to-dateness of this document. The content and structure of this document are protected by copyright. Any reproduction of the information and data contained herein, especially the use of texts, text passages or illustrations, requires written prior consent of Aspera Technologies. Aspera, SmartTrack, FlowControl, ICM, CMM, FM, MM, and the license management logo are registered trademarks of Aspera GmbH in Germany and/or other countries.
