In this article we outline the VMware license audit process and highlight key compliance aspects you should be aware of.
For most organizations, receiving notification of a VMware audit will be the start of a daunting and disruptive process. Our recent experiences confirm VMware is still actively auditing and that organizations are still at risk. We can’t stress enough the importance of ensuring compliance with your VMware license. In this article we’ll set out what a VMware audit is and outline pitfalls to avoid during VMware’s license review process so you’re better prepared if your organization is selected.
What is a VMware audit?
Proclaimed as a way to protect its Intellectual Property, a VMware audit is a mechanism for VMware to assess a Company’s use of its software and claim monetary compensation for any non-compliant use. While some might argue that a VMware audit is really just another avenue for VMware to generate additional revenue, we will resist being drawn on this topic and simply endeavor to explain the audit process, highlighting key aspects that end users should be aware of.
Before we delve in, a brief clarification on terms. Despite making reference to an ‘audit’ repeatedly in their “Records and Audit” EULA clause, when VMware actually issue an audit notification letter they refer to it as a “license review”. As end users commonly refer to this activity as a VMware license or software audit, or simply a VMware audit, we shall use these terms interchangeably throughout this article.
What right does VMware have to conduct a license review?
When a Company purchases software from VMware, they must agree to certain terms and conditions in order to use the software. This can be in the form of a custom framework agreement with VMware or the “standard” End User License Agreement (EULA). Under most circumstances, these agreements will contain a clause permitting VMware to conduct a software use audit.
VMware EULA (Updated 03 May 2021)
How does a VMware license audit work?
Performed through an independent third party (herein referred to as ‘Auditor’ for simplicity), usually one of the “Big Four”, the process consists of a few key stages and is relatively straightforward in principle.
The initiation of a VMware license review is the “Software and Support Review Notification” letter. This letter will state several key aspects:
- The Auditor conducting the review
- Reference to the then current audit clause within the EULA
- The VMware Global Compliance Services representatives
- An outline of the stages and proposed timeline of the VMware license review process
An introductory call with the Auditor will be held in order for them to:
- Outline the license review process
- Gather some preliminary information about the VMware estate
- Outline the data requirements, collection methods and validation process
- Discuss the expected timelines
There are two main aspects that comprise the data gathering stage of a VMware license review, effectively a source of “human” feedback from the Company accompanied by a source of “computerized” outputs from scripts and tools.
A questionnaire is issued during the early stages of the audit for the Company to complete. The questionnaire contains queries ranging from simple scoping questions to technical usage declarations.
The feedback serves two purposes: it lets the Auditor measure the completeness of the data provided, and it supplements the technical data with information that cannot be gathered through scripts and tools (e.g. geographies, third-party OEM bundling, operational environments, legal entities).
Script and Tool outputs
This phase of the data collection tends to vary depending on the Auditor but will involve some ‘computerized’ method of data collection, whether this is a PowerCLI script, other third party tools or database queries into SAM Tools and vCenters. The purpose of these data sources is to provide ‘empirical’ data (e.g. CPU Qty, Cores per CPU, peak number of concurrent users, vSAN datastores) from the estate as the basis of the license requirement for the various products.
Data review and validation
This is a phase that predominantly resides with the Auditor, where they will review the feedback provided in order to create a draft Effective License Position (ELP) or License Reconciliation.
During this phase, there will be a combination of follow-up queries to the data provided, along with a request for either screenshare sessions with vCenter admins or onsite visits to validate the accuracy of data provisions on a sample basis.
The Auditor will present a final report of the license compliance snapshot based on the data provided during the review, accompanied by a walkthrough call to explain the document and the findings. Companies are allowed time to review the snapshot and challenge any of the findings presented.
Following this, a three-way call will be held with the Company, the Auditor and VMware to review any outstanding points (in some cases, the Auditor does not have the authority to change the report to reflect amendments the Company proposes or there may be data collection aspects that were never closed) and to close out the review. Any subsequent commercial discussions around potential settlement or challenges to the finding will be held between the Company and VMware.
The VMware license review will be formally closed once VMware issues a formal notification of closure following the agreement of either compliance or commercial settlement.
How can you prepare for a VMware license review?
Proactively managing your VMware license compliance position to ensure you are compliant is always the simplest way to prepare for a VMware license review and to minimize potential software risk. In order to manage the compliance of your estate, it is necessary to build up some key knowledge areas:
1. VMware License Terms and Conditions;
2. The VMware Deployments;
3. The VMware License Audit Process.
Let us explore some of these aspects and why they will help minimize the potential business impacts of a VMware audit.
VMware License Terms and Conditions
The first step of this is to invest time to familiarize yourself with the VMware license terms. The applicable terms and conditions from your agreement (whether this be a custom framework or the standard terms) will form the basis of measuring compliance with your VMware license. In particular, if you have a custom framework agreement, note down the differences against the standard EULA.
- Is there even a right for VMware to audit?
- Is there a global use right?
- Are there any custom restrictions present (e.g. business unit)?
- Are there custom metrics or commitments that change the way you count your license requirements?
For users governed under the universal EULA, are you aware of some of the common pitfalls with VMware licensing? An assumption made by many is that you simply have to count the CPUs of your hosts and that’s it.
Many people aren’t aware that most VMware licenses come with a restriction to the country of use.
VMware EULA (Updated 03 May 2021)
Inconsistent Support Levels
Under VMware’s Support Policy, there is a requirement that all products within a given environment must be supported under the same support level (often coined the “consistent coverage policy”). This often trips up businesses that make incremental purchases over time, as they may not have been aware of such a restriction – leading to project-based purchases with different support levels.
VMware SnS Terms and Conditions (Updated April 2021)
Are you aware that you require written consent (often in the form of an additional Agreement or Amendment) in order to provide hosting services? Of particular note is also the restriction to sublicense the software to any Affiliate.
VMware EULA (Updated 03 May 2021)
Whilst it is important to know how to license VMware Software, equally important is the management of the estate and knowing the deployments. An aspect that repeats itself time and again is that assumptions are made. Assumptions are likely the single largest source of potential risk in most license compliance reviews and VMware is no exception.
While processes dictate that the correct license key should be deployed on the correct assets, have you validated this through the admin consoles or have you assumed the process is working correctly based on a limited sample?
Do you truly know the full extent of VMware software deployed in the estate? Have you run any form of coverage validation or software discovery within the estate? Are you sure some “random” end user compute software (Workstation seems to be a frequent culprit) has not found its way into the network?
Are you sure that during a version upgrade there was no accidental upgrade of editions either? With VMware no longer selling vSphere Enterprise, something that seems to be happening more and more frequently is users ‘accidentally’ upgrading from vSphere Enterprise to Enterprise Plus as part of their version upgrade.
As with many Software Vendors, executing periodic license reconciliation exercises is key to staying ahead of both audits and renewals. Use the periodic reviews as a time to resolve any issues in deployment or processes and to model future implementations/changes to the environment. Having an accurate baseline allows you to forecast far more effectively and acts as an early alarm for potential VMware license compliance risk before it grows too large.
Unfortunately, as with many things, this is far easier said than done, and the first iteration or two will be rather painful as you establish the processes required for a single source of truth. However, once the processes are implemented, repeat reconciliations become far smoother as the stakeholders learn the schedules for such exercises and what activities are required.
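The following PowerCLI script is an added example, not code from the article, from VMware or from any auditor. It collects the per-host data an auditor's script typically gathers (CPU packages, cores per CPU, assigned license key and edition) and goes one step further by reconciling it against a purchase record, so it flags the three problems discussed above: hosts running in evaluation mode, keys that are not in your purchase records, and editions that do not match what was bought. The vCenter name, the `$Entitlements` table and the license keys in it are constructed placeholders; the script assumes the standard PowerCLI cmdlets (`Connect-VIServer`, `Get-VMHost`, `Get-View`) and the vSphere LicenseManager view.

```powershell
#Requires -Modules VMware.VimAutomation.Core
<#
  Added example (not from the article or from VMware): build a per-host VMware
  license baseline from vCenter and reconcile it against a purchase record.
  Assumptions: the vCenter name, the $Entitlements table and the license keys in
  it are constructed placeholders to be replaced with your own values.
#>
param(
    [string]$VCenter    = 'vcenter.example.internal',     # placeholder hostname
    [string]$ReportPath = '.\vmware-license-baseline.csv'
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Constructed sample of what was actually purchased, keyed by license key (fake keys).
# EditionPattern is a regex matched against the edition name vCenter reports for the key.
$Entitlements = @{
    'AAAAA-BBBBB-CCCCC-DDDDD-EEEEE' = @{ Edition = 'vSphere Enterprise Plus'; EditionPattern = 'Enterprise Plus$';    CpuLicenses = 8 }
    'FFFFF-GGGGG-HHHHH-IIIII-JJJJJ' = @{ Edition = 'vSphere Enterprise';      EditionPattern = 'Enterprise(?! Plus)'; CpuLicenses = 4 }
}
$EvalKey = '00000-00000-00000-00000-00000'   # key vCenter reports for evaluation-mode hosts

# VMware's 2020 per-CPU model covers up to 32 physical cores per CPU license; a CPU with
# more cores consumes additional licenses. Use the metric from your own agreement if it differs.
$CoresPerCpuLicense = 32

# Edition names for every key vCenter knows about, from the LicenseManager view.
$licenseInfo = (Get-View (Get-View ServiceInstance).Content.LicenseManager).Licenses

$rows = foreach ($h in Get-VMHost) {
    $cpu         = $h.ExtensionData.Hardware.CpuInfo
    $coresPerCpu = [int]($cpu.NumCpuCores / $cpu.NumCpuPackages)
    $needed      = $cpu.NumCpuPackages * [math]::Ceiling($coresPerCpu / $CoresPerCpuLicense)
    $key         = $h.LicenseKey
    $edition     = ($licenseInfo | Where-Object { $_.LicenseKey -eq $key } | Select-Object -First 1).Name
    $ent         = $Entitlements[$key]

    # One finding per host; empty when the host reconciles cleanly.
    $finding = if ([string]::IsNullOrEmpty($key) -or $key -eq $EvalKey) {
        'Evaluation mode or unlicensed host'
    } elseif (-not $ent) {
        'Key not in entitlement baseline: establish where it came from'
    } elseif ($edition -notmatch $ent.EditionPattern) {
        "Edition mismatch: host reports '$edition', purchase record says '$($ent.Edition)'"
    } else { '' }

    [pscustomobject]@{
        Host            = $h.Name
        CpuPackages     = $cpu.NumCpuPackages
        CoresPerCpu     = $coresPerCpu
        CpuLicensesUsed = $needed
        LicenseKey      = $key
        Edition         = $edition
        Finding         = $finding
    }
}

# Per-key totals: licenses consumed across all hosts versus licenses purchased.
$summary = $rows | Where-Object { $Entitlements.ContainsKey($_.LicenseKey) } |
    Group-Object LicenseKey | ForEach-Object {
        $used  = ($_.Group | Measure-Object CpuLicensesUsed -Sum).Sum
        $owned = $Entitlements[$_.Name].CpuLicenses
        [pscustomobject]@{ LicenseKey = $_.Name; Owned = $owned; Used = $used; Shortfall = [math]::Max(0, $used - $owned) }
    }

$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Where-Object Finding | ForEach-Object { Write-Warning "$($_.Host): $($_.Finding)" }
$summary | Where-Object { $_.Shortfall -gt 0 } | ForEach-Object { Write-Warning "$($_.LicenseKey): $($_.Shortfall) CPU license(s) short" }
$summary | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it read-only against each vCenter on the reconciliation schedule and keep the CSV as the dated baseline; the warnings are the items to resolve before the next review, and the CSV is the justified inventory you can put in front of an Auditor instead of running their scripts. Hosts managed outside vCenter, and products such as Workstation, are not visible to this pass and still need a separate discovery.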
VMware License Audit Process
So after getting a clear grasp on VMware licensing and suitable insight into your VMware estate, the last piece of the puzzle is to understand the VMware license audit process.
Simply put, the Auditors aren’t always in the right, despite being acknowledged as a source of authority. The majority of VMware audits follow a templated approach in which many aspects may not even be applicable. In addition, do not skip the necessary due diligence from a legal and IT security perspective; this is not just about complying with company policy, as it will often affect the review itself.
- Have the Auditors signed an appropriate NDA or are they just trying to barrel through the process to minimize time spent on the review for their own gains?
- Are the approaches appropriate for your organization? Do your IT security policies accept the execution of third party tools/scripts or will the Auditors have to provide an alternative approach?
- Has the scope been clearly defined? While there is nothing stopping VMware or the Auditors from requesting a full review of the entire estate for every single product in the VMware portfolio, would such an audit just be a waste of resources? Defining a clear scope of business units and products is a reasonable topic of discussion to limit the effort of all parties to what is relevant.
- What assumptions have they applied for the analysis and why did the assumptions arise in the first place? Is it a result of a grey area in the licensing which has multiple interpretations? Many times, the analysis is presented as infallible and discussions are steered so the Auditors always seem to be correct. However, do not hesitate to challenge the findings (especially if you have done the due diligence internally beforehand).
- Have the Auditors provided reasonable justification for their asks or have they just issued a data request and glossed over the relevancy, leading you to share more information than is necessary?
At the end of the day, the audit clause does not enforce a specific procedure and, in addition, stipulates that the audit ‘will not unreasonably interfere with your business activities’ and you must ‘reasonably cooperate’ with VMware. How this is interpreted will vary from business to business and opens avenues to challenge requests and streamline the process. After all, if you already have a justified baseline inventory, the onus is on the Auditors to establish why this cannot be used and why it must be done ‘their way’. More often than not, their arguments are insufficient.
So, whilst a VMware audit may still be a daunting and disruptive process, there are a number of ways to ensure you are well prepared and to help the process proceed smoothly. If you are experiencing an audit and would like to discuss the points raised in this article and how we can support you, please do contact us. We have helped many organizations better understand their VMware licensing, not only in audit situations, but also to establish their current license position or to realise optimization opportunities. Further information about our VMware licensing services can be found here.