Attack vs Defence: How to Avoid Conceding an Oracle Audit Compliance Penalty

As a part of the SAM team in a large organisation, your role can feel like the last line of defence against mega-vendor software audits and multi-million-dollar compliance settlement fees. You may have a well-drilled team and plenty of experience against lower-league opposition, but now you are on the playing field against the auditing all-stars, the Oracle GLAS team, renowned for their meticulous approach and aggressive strategy.

You will be tested tactically and put under pressure, but can you keep possession of your compliance status and avoid conceding needless own goals? And remember, the rules of this game can change at any time, becoming increasingly complex and making it easy for your team to be caught offside.

Surviving until the full-time whistle won’t be easy, but with the right preparation you can keep a clean sheet by avoiding some of the common mistakes that lead to Oracle audit penalties.

For this pre-match team talk, Poppy Gacke, of software audit defence specialists FisherITS, and Philippe Bonavitacola, of SAM technology provider USU, will get your defensive strategy prepared to face the Oracle attack.

Choosing the Right Formation

Organisations who are targeted by Oracle (or any other software vendor) for a licence compliance audit should follow the standard audit response procedure as documented in this USU and FisherITS guide. This process will get your team set up correctly, ensuring communications are effectively managed, an appropriate timeline is established, and the required personnel are brought into your audit response playing squad.

In addition to the standard audit defence process, FisherITS Oracle licensing specialist Poppy Gacke explains why organisations should take extra care when setting up for an Oracle audit. “Oracle’s licensing rules are complicated,” said Poppy. “When this is combined with the usual high level of investment customers have in Oracle software, an Oracle audit is extremely high-risk. The settlement fees for noncompliance frequently run into multi-millions of dollars.”

Understand the Laws of the Game

Initially, customers who receive an audit notification should carefully review their Oracle contract. There are several areas of an Oracle contract that customers should fully understand as they head into an audit defence including:

• Customer Definition: Which legal entities can use and access Oracle software?
• Territory: Is there a geographic restriction on where Oracle software can be deployed?
• Limited Use Programs: Can the software only be used with specific applications?
• Support: Matching Service Levels and License Set – Customers often pay for support on unused licenses.
• Cloud: Can you deploy Oracle software in the cloud?
• Audit Clause: Commonly included in the OMA (Oracle Master Agreement), the clause governs Oracle’s right to Audit but, more importantly, your rights within the process.

Poppy explains further that customers should also identify any concessions that are included in the organisation’s Oracle licence agreement. She says, “In some cases, customers with older contracts may be able to hold Oracle to previous terms and conditions that have since been superseded. For example, contracts dating from 2010 do not include language prohibiting use of Oracle software in third party cloud, however newer contracts that were executed after the 2017 Cloud Policy was released may place restrictions around this, particularly for any use that doesn’t fall within the term ‘Authorized Cloud Environment’. Customers should understand what terms and conditions they are operating under and hang on to any favourable terms that are still applicable under their specific contract.”

Study the Opposition

As with any software vendor, understanding your compliance position (software deployed vs licence entitlement) is vital in preparing an audit defence. For Oracle this is far more complex than simply counting licences owned and comparing this against the software that is deployed. Customers should ensure they understand Oracle’s licensing rules when they are identifying their licence requirement. These include:

• Edition of database
• Options and packs
• Virtualisation rules (Partitioning Policy)
• Licensing rules for Test and Development environments
• NUP (Named User Plus) minimums

Identifying the installation is not enough to understand Oracle licence compliance. Instead, Oracle compliance requires an understanding of the hardware configuration and the environment where the application is running.

Poppy continues, “We frequently find customers who have Standard Edition database entitlement, but they are using an option or pack that is only available for Enterprise Edition. Customers should be aware that even using an option for a few days and then turning it off again can be a noncompliance flag to Oracle. More commonly, options can be enabled by accident, or even be preconfigured to be turned on, without the organisation realising they are noncompliant. The burden is on the customer to ensure options and packs for which they have no licence entitlement for are not in use.”

Philippe Bonavitacola of USU expands of this point, “We worked with a large Swiss financial institution who host roughly 150 servers running a mix of Oracle Databases, WebLogic, Options and Packs. They were lacking knowledge about the noncompliance risks and the financial exposure. We found they were using options which were not part of the ULA (Unlimited License agreement) and in a VMware environment. Using a SAM tool for Oracle along with some expertise, we managed to reduce their noncompliance and non-ULA options footprint.”

Avoid Needless Own Goals

As mentioned by Philippe, another common pitfall in Oracle licensing compliance is the Oracle Partitioning Policy. This is not a contractual document, but it explains Oracle’s view on how they expect customers to manage soft and hard partitioning. The policy effectively rules out using Oracle software on VMware. “For VMware, Oracle will expect customers to licence the hardware capacity of every physical host in the cluster or even datacentre, even if the software is only deployed on a single Virtual Server,” says Poppy.

Customers should also not assume that their Oracle software is free for test and development environments. These environments do need to be licenced and, in most cases, there is no difference in cost for test/dev and production licences.

Choosing Your Licensing Tactics

In some cases, Oracle customers will have a choice for how to licence their products. Deciding upon the best strategy can make a huge difference in the licence and support fees that the customer pays to Oracle, but get this wrong and the Oracle team will zero in on your compliance goal line. An organisation that licenses their environment with NUP (Named User Plus) licensing instead of Processor licensing can cut their spend by 50%.

Poppy explains, “This is effectively licensing per user, but you also have to understand the underlying hardware requirements. For Database Enterprise Edition, the NUP standard is 25. This means you should multiply the number of processors that require a licence by 25 and compare this against the total number of actual users (whichever is greater) to determine the NUP licence requirement. The Named User Plus metric should only be used for environments where users and/or devices can be easily identified and counted and this includes non-human operated devices that connect to the database.”

Below is a table of some Oracle products and the NUP minimums applied to each.

Avoid the Mind Games

As with most high-stakes contests, the mental side of the game can be as demanding as the physical. There are several horror stories of Oracle audits that have resulted in multi-million-dollar court cases including cases against Envisage and NEC. Although these cases are at the extreme end of the scale, Oracle is known to present an alarming compliance figure to begin with. Philippe explains further, “Oracle’s initial compliance settlement fee can be a scare tactic. Oracle will always give the list price first to alarm the customer.

“By the time a lower fee is negotiated, the customer will be happy to settle. Oracle will want to lock you in for another three-year contract in return for settling for the lower number.”

By following the preparation guidelines discussed so far, Oracle customers should be aware of their true compliance position and contractual entitlement and will be able to approach negotiations with confidence backed up by data.

Get Ready for the Rematch

The conclusion of any licence compliance audit should be seen as an opportunity to ensure that you are prepared for the next audit to come. Customers can also take advantage of the data and insight they now have to move towards more efficient licensing. It is easy to become fixed upon the red lines of noncompliance in a vendor audit report, but the green lines may reveal over licensing, where a customer can save money by reducing licence amounts or employing a different licensing strategy.

If you would like to learn more about your audit defence strategy, or ask any questions on vendor licence audits, FisherITS and USU will be hosting a Software Audit Defence Expert Panel, live at 2.00pm GMT on Thursday 24^th February. Registration is free for this online event.