VMware Audit and Top5 Compliance Risks

Introduction: VMware Audit Key Takeaways

• Understanding VMware Audit: A VMware audit, conducted by the Global License Advisory Services department, is a systematic review to ensure customer compliance with VMware’s software licensing terms and conditions. The audit process includes stages such as notification, data collection, data review and validation, and license reconciliation.
• Audit Process: The audit begins with a notification letter and a kick-off call to outline the process and gather preliminary information. Data is then collected through human feedback and computerized outputs from scripts and tools. The data is reviewed and validated to create a draft Effective License Position (ELP) or License Reconciliation. Finally, a report is presented, and outstanding points are discussed and resolved.
• Common Compliance Issues: Common issues in VMware audits include territory restrictions, inconsistent support levels, hosting limitations, incorrect deployment, unintentional software upgrades, and lack of periodic reconciliation. Understanding these issues can help organizations prepare for and navigate the audit process.

What is a VMWare Audit?

As Section 5 of the VMware End User License Agreement stipulates, organizations must accurately complete a provided questionnaire within a specified timeframe. Failure to do so may prompt VMware to initiate a full audit as a follow-up to the notification received.

Conducted by the Global License Advisory Services department, the VMware audit is designed to facilitate customer compliance with VMware’s software licensing terms and conditions.

Depending on the audit results, there may be a need to discuss entitlement and deployment management options after the self-audit process.

The audit information, which includes data such as Machine/Host Names, Physical Processor (CPU Count), and product information, including version and edition, is exported from vCenter.

However, there are several considerations that organizations need to keep in mind. For instance, how current is the information in your vCenter, and does it align with the licenses held on your MyVMware portal?

Are our license keys being utilized correctly across multiple locations? If you have a single license key for, say, 8 CPUs for vSphere Enterprise Plus that are used for more than one location, can you provide evidence to show licenses (keys) aren’t being used more than once?

These are just a few questions that must be addressed to ensure a smooth and compliant VMware audit process.

The VMware Audit Process – A Closer Look

Notification Letter

The audit begins with a “Software and Support Review Notification” letter. This letter outlines critical aspects of the audit, including:

• The auditing firm conducting the review
• Reference to the current audit clause within the End User License Agreement (EULA)
• The VMware Global Compliance Services representatives
• An outline of the stages and proposed timeline of the VMware license review process

Kick-off Call

An introductory call with the auditing firm is held to:

• Outline the license review process.
• Gather preliminary information about the VMware estate.
• Discuss data requirements, collection methods, and validation process.
• Discuss the expected timelines.

Data Gathering

Data gathering is a crucial part of the audit process. It involves a combination of human feedback from the company and computerized outputs from scripts and tools. The data-gathering stage includes the following:

• Questionnaire: The company is asked to complete a questionnaire that contains queries ranging from simple scoping questions to technical usage declarations. The feedback helps the auditor measure the completeness of the data provided and supplement the technical data with information that cannot be gathered through scripts and tools.
• Script and Tool Outputs: This phase involves a computerized data collection method, such as a PowerCLI script, third-party tools, or database queries into SAM Tools and vCenters. The purpose is to provide empirical data from the estate as the basis of the license requirement for various products.

Data Review and Validation

The auditing firm reviews the feedback provided to create a draft Effective License Position (ELP) or License Reconciliation. This phase may involve follow-up queries to the data provided and a request for screen share sessions with vCenter admins or onsite visits to validate the accuracy of data provisions on a sample basis.

License Reconciliation

The auditing firm presents a final report of the license compliance snapshot based on the data provided during the review. Companies are given time to review the snapshot and challenge any presented findings.

A three-way call is held with the company, the auditing firm, and VMware to review any outstanding points and close out the review. Any subsequent commercial discussions around potential settlement or challenges to the finding are held between the company and VMware.

Preparing for a VMware Audit

Proactively managing your VMware license compliance position is the simplest way to prepare for a VMware license review and minimize potential software risk. This involves building up key knowledge areas:

1. VMware License Terms and Conditions: Familiarize yourself with the VMware license terms. Your agreement’s applicable terms and conditions will form the basis for measuring compliance with your VMware license.
   
2. The VMware Deployments: It’s essential to know how to license VMware Software, manage the estate, and know the deployments. Assumptions are likely the single largest source of potential risk in most license compliance reviews, and VMware is no exception.
   
3. The VMware License Audit Process: The final puzzle is understanding the VMware license audit process. The auditors aren’t always in the right despite being acknowledged as a source of authority. Most VMware audits follow a templated approach in which many aspects may not even be applicable.

Top compliance issues in VMware Audits

1. Territory Restrictions: Many people aren’t aware that most VMware licenses restrict the country of use. This can lead to non-compliance if the software is used in a different country than the one specified in the license agreement.
   
2. Inconsistent Support Levels: Under VMware’s Support Policy, there is a requirement that all products within a given environment must be supported under the same support level. This often trips up businesses that make incremental purchases over time, as they may not have been aware of such a restriction.
   
3. Hosting Limitations: You require written consent (often as an additional Agreement or Amendment) to provide hosting services. There is also a restriction to sublicense the software to any Affiliate.
   
4. Incorrect Deployment: While processes dictate that the correct license key should be deployed on the correct assets, have you validated this through the admin consoles, or have you assumed the strategy is working correctly based on a limited sample?
   
5. Unintentional Software Upgrades: Are you sure there was no accidental edition upgrade during a version upgrade? With VMware no longer selling vSphere Enterprise Plus, something that seems to be happening more and more frequently is users’ accidentally’ upgrading from vSphere Enterprise to Enterprise Plus as part of their version upgrade.
   
6. Periodic Reconciliation: As with many Software Vendors, executing regular license reconciliation exercises is critical to staying ahead of audits and renewals. Use the regular reviews to resolve any issues in deployment or processes and to model future implementations/changes to the environment.

Understanding VMware’s End User License Agreement

The VMware End User License Agreement (EULA), specifically under Section 1.14, defines “Territory” as the country or countries where you have been invoiced. If you’ve been invoiced within any European Economic Area member states, you can deploy the corresponding Software throughout the entire European Economic Area.

However, being explicit about the country or region of your VMware purchase with your reseller partner is crucial. If they’re not aware of the specific rules around VMware licensing, your organization could inadvertently become non-compliant.

Note: vCenter licenses purchased in the EEC can be used to manage vSphere licenses bought and used in a different region.

Managing Licenses in the MyVMware Portal

Another potential issue arises with managing the licenses within the MyVMware portal. If you’ve purchased licenses for a specific country or region, annotating the notes section for the license within the portal is recommended. This can help track where each license is intended to be used.

1. Creating specific folders for different locations can also help ensure the licenses purchased for a particular region are managed correctly. Without proper management of your VMware licenses, it’s easy to become non-compliant. Therefore, keeping your licenses organized and annotated is essential to avoid compliance issues.

FAQs on VMWare Audit