How Accurate is the Certero Article on Software Audits?
Executive Summary
- Certero published an article on dealing with SAP software audits.
- We reviewed this article for accuracy.
Introduction
Part of what we do at Brightwork Research & Analysis is reviewing the accuracy of IT entities’ media output. In this article, we will focus on Certero’s media output. Certero is a software vendor that offers SAM software.
Virtualization
Virtualization is a mature technology that can help you save money, time and carbon emissions. Consequently, just about every major organization has adopted it in one form or another, somewhere on their IT estate.
But, there is a major issue with virtualization that many organizations overlook – the impact it has on your software licensing. Unless you are fully aware of these implications and are able to manage your license position, you could end up paying more for additional software licenses (and fines if the shortfall is discovered during a vendor audit) than you saved through virtualizing in the first place.
That is quite true. A significant motivation for virtualization was to save money on software licenses. However, eventually, the software vendors became savvy to virtualization, and they changed their license terms to account for it. This significantly reduced the virtualization incentives as the potential software cost reductions were always more significant than the hardware cost reductions.
And vendors do know how to audit and determine penalties on their software when virtualized.
Monitoring Usage
Dependent on the terms of your license grant, the need to measure the usage of your software could be important in ascertaining whether you are compliant and also what you have to pay. Certain software vendors, like SAP and Oracle, charge for software based on metrics that can be unique to your business. For example, if you are a car manufacturer, the metric could be based on the number of cars you have built.
Yes, that is also true. And SAP and Oracle, as well as others, differ from each other as well.
Indirect Access
As if the licensing agreements of the likes of Oracle, SAP and Microsoft were not complicated enough already, many user organizations fall foul of something called indirect usage and end up owing significant amounts as a result of licensing non-compliance.
Indirect usage, indirect access, or multiplexing as it is sometimes called, is where your software (be it Oracle, SAP, Microsoft etc.) is accessed indirectly by a non-named third party, which can either be a person or machine. For example, an organisation has created a system that allows all their employees to enter their expenses. That system then sends all that employee expense information to a second system using a single named user account.
True.
Key to getting to grips with indirect access is the ability to correctly classify users of your software as direct or indirect and so make sure they are given the correct license type. Identifying indirect access can be tricky without the help of an automated monitoring tool.
This is another way of saying monitoring usage also, which is what SAM software does.
However, there are tell-tale signs that make indirect access easier to spot. These include things like a user accessing a system all day long (no human user would do that) or a very large volume of work processed within a set period by one user (again, no human could conceivably process such a volume within that time).
That makes a lot of sense.
One way to avoid indirect access problems in the Oracle world, for example, is to license via processor, rather than Named User. Sadly, there is no such corresponding license in the SAP world, where you are limited to Named User.
The distinction that I would want to be drawn here is that SAP enforces indirect access differently from Oracle. SAP is the only vendor I have yet observed charge for what I have called Type 2 indirect access.
Conclusion
This article by Certero earns a Brightwork Accuracy Score of 9.5 out of 10.
There is nothing inaccurate in the article, and the only area that could be adjusted is adding some specificity.
The Problem: Secrecy Around Indirect Access
Oracle, SAP, and their consulting partners, ASUG, and the IT media entities all have something in common. They don’t want indirect access understood. Media outlets like Diginomica are paid to distribute PR releases as articles, as we covered in the article SAP’s Recycled Indirect Access Damage Control for 2018. The intent is to lower SAP customers’ concern around indirect access so that indirect access is underestimated, as we covered in the article The Danger in Underestimating SAP Indirect Access.
The primary providers of information in the SAP space are all financially linked to SAP. SAP does not want indirect access understood, so these entities do as they are told by SAP.
References
*https://www.certero.com/software-audits-can-go-wrong-2/