Vmware

VMware Audit and Top5 Compliance Risks

Introduction: VMware Audit Key Takeaways

  • Understanding VMware Audit: A VMware audit, conducted by the Global License Advisory Services department, is a systematic review to ensure customer compliance with VMware’s software licensing terms and conditions. The audit process includes stages such as notification, data collection, data review and validation, and license reconciliation.
  • Audit Process: The audit begins with a notification letter and a kick-off call to outline the process and gather preliminary information. Data is then collected through human feedback and computerized outputs from scripts and tools. The data is reviewed and validated to create a draft Effective License Position (ELP) or License Reconciliation. Finally, a report is presented, and outstanding points are discussed and resolved.
  • Common Compliance Issues: Common issues in VMware audits include territory restrictions, inconsistent support levels, hosting limitations, incorrect deployment, unintentional software upgrades, and lack of periodic reconciliation. Understanding these issues can help organizations prepare for and navigate the audit process.

What is a VMWare Audit?

What is a VMWare Audit

As Section 5 of the VMware End User License Agreement stipulates, organizations must accurately complete a provided questionnaire within a specified timeframe. Failure to do so may prompt VMware to initiate a full audit as a follow-up to the notification received.

Conducted by the Global License Advisory Services department, the VMware audit is designed to facilitate customer compliance with VMware’s software licensing terms and conditions.

Depending on the audit results, entitlement, and deployment management options may need to be discussed after the self-audit process.

The audit information, which includes data such as Machine/Host Names, Physical Processor (CPU Count), and product information, including version and edition, is exported from vCenter.

However, there are several considerations that organizations need to keep in mind. For instance, how current is the information in your vCenter, and does it align with the licenses held on your MyVMware portal?

Are our license keys being utilized correctly across multiple locations? If you have a single license key for, say, 8 CPUs for vSphere Enterprise Plus that are used for more than one location, can you provide evidence to show licenses (keys) aren’t being used more than once?

These are just a few questions that must be addressed to ensure a smooth and compliant VMware audit process.

The VMware Audit Process – A Closer Look

Notification Letter

The audit begins with a “Software and Support Review Notification” letter. This letter outlines critical aspects of the audit, including:

  • The auditing firm conducting the review
  • Reference to the current audit clause within the End User License Agreement (EULA)
  • The VMware Global Compliance Services representatives
  • An outline of the stages and proposed timeline of the VMware license review process

Kick-off Call

An introductory call with the auditing firm is held to:

  • Outline the license review process.
  • Gather preliminary information about the VMware estate.
  • Discuss data requirements, collection methods, and validation process.
  • Discuss the expected timelines.

Data Gathering

Data gathering is a crucial part of the audit process. It involves a combination of human feedback from the company and computerized outputs from scripts and tools.

The data-gathering stage includes the following:

  • Questionnaire: The company is asked to complete a questionnaire that contains queries ranging from simple scoping questions to technical usage declarations. The feedback helps the auditor measure the completeness of the data provided and supplement the technical data with information that cannot be gathered through scripts and tools.
  • Script and Tool Outputs: This phase involves a computerized data collection method, such as a PowerCLI script, third-party tools, or database queries into SAM Tools and vCenters. The purpose is to provide empirical data from the estate as the basis of the license requirement for various products.

Data Review and Validation

The auditing firm reviews the feedback provided to create a draft Effective License Position (ELP) or License Reconciliation.

This phase may involve follow-up queries to the data provided and a request for screen share sessions with vCenter admins or onsite visits to validate the accuracy of data provisions on a sample basis.

License Reconciliation

The auditing firm presents a final report of the license compliance snapshot based on the data provided during the review. Companies are given time to review the snapshot and challenge any presented findings.

A three-way call is held with the company, the auditing firm, and VMware to review any outstanding points and close out the review.

Any subsequent commercial discussions around potential settlement or challenges to the finding are held between the company and VMware.

Preparing for a VMware Audit

Preparing for a VMware Audit

Proactively managing your VMware license compliance position is the simplest way to prepare for a VMware license review and minimize potential software risk.

This involves building up key knowledge areas:

  1. VMware License Terms and Conditions: Familiarize yourself with the VMware license terms. Your agreement’s applicable terms and conditions will form the basis for measuring compliance with your VMware license.
  2. The VMware Deployments: It’s essential to know how to license VMware Software, manage the estate, and know the deployments. Assumptions are likely the single largest source of potential risk in most license compliance reviews, and VMware is no exception.
  3. The VMware License Audit Process: The final puzzle is understanding the VMware license audit process. The auditors aren’t always in the right despite being acknowledged as a source of authority. Most VMware audits follow a templated approach in which many aspects may not even be applicable.

Top compliance issues in VMware Audits

Top compliance issues in VMware Audits
  1. Territory Restrictions: Many people aren’t aware that most VMware licenses restrict the country of use. This can lead to non-compliance if the software is used in a country other than the one specified in the license agreement.
  2. Inconsistent Support Levels: Under VMware’s Support Policy, all products within a given environment must be supported at the same level. This often trips up businesses that make incremental purchases over time, as they may not have been aware of such a restriction.
  3. Hosting Limitations: You require written consent (often as an additional Agreement or Amendment) to provide hosting services. There is also a restriction to sublicense the software to any Affiliate.
  4. Incorrect Deployment: While processes dictate that the correct license key should be deployed on the correct assets, have you validated this through the admin consoles, or have you assumed the strategy is working correctly based on a limited sample?
  5. Unintentional Software Upgrades: Are you sure there was no accidental edition upgrade during a version upgrade? With VMware no longer selling vSphere Enterprise Plus, something that seems to be happening more and more frequently is users’ accidentally’ upgrading from vSphere Enterprise to Enterprise Plus as part of their version upgrade.
  6. Periodic Reconciliation: As with many Software Vendors, executing regular license reconciliation exercises is critical to staying ahead of audits and renewals. Use the regular reviews to resolve any issues in deployment or processes and to model future implementations/changes to the environment.

Understanding VMware’s End User License Agreement

Understanding VMware End User License Agreement

The VMware End User License Agreement (EULA), specifically under Section 1.14, defines “Territory” as the country or countries where you have been invoiced.

If you’ve been invoiced within any European Economic Area member states, you can deploy the corresponding Software throughout the entire European Economic Area.

However, being explicit about the country or region of your VMware purchase with your reseller partner is crucial. If they’re not aware of the specific rules around VMware licensing, your organization could inadvertently become non-compliant.

Note: vCenter licenses purchased in the EEC can be used to manage vSphere licenses bought and used in a different region.

Managing Licenses in the MyVMware Portal

Another potential issue arises with managing the licenses within the MyVMware portal. If you’ve purchased licenses for a specific country or region, annotating the notes section for the license within the portal is recommended.

This can help track where each license is intended to be used.

Creating specific folders for different locations can also help ensure the licenses purchased for a particular region are managed correctly.

Without proper management of your VMware licenses, it’s easy to become non-compliant. Therefore, keeping your licenses organized and annotated is essential to avoid compliance issues.

FAQs on VMWare Audit

What is a VMware audit?

A VMware audit is a systematic review conducted by VMware or an independent third party to assess a company’s use of VMware products and ensure compliance with the terms of its licensing agreement.

How does the VMware audit process work?

How does the VMware audit process work?

The VMware audit process typically involves several stages: notification, data collection, data analysis, audit report preparation, remediation, and follow-up.

What triggers a VMware audit?

VMware audits can be triggered by various factors, including a change in the company’s software usage, a significant increase in the company’s size, or a routine check by VMware.

What are the most common license compliance issues with VMware?

Some of the most common VMware license compliance issues include over-deployment of software, inconsistent support levels, territory restrictions, and hosting limitations.

What are the top 5 mistakes organizations make with VMware licensing?

The top 5 mistakes include not understanding the licensing terms, failing to manage and track software usage, not preparing for audits, not understanding the implications of changes in the IT environment, and not seeking expert advice when needed.

What is the best way to prepare for a VMware audit?

The best way to prepare for a VMware audit is to manage your VMware license compliance position proactively. This involves understanding the VMware license terms and conditions, your VMware deployments, and the VMware license audit process.

What happens during a VMware audit?

During a VMware audit, the auditor will review your use of VMware products, compare it with the terms of your licenses, identify any areas of non-compliance, and prepare an audit report.

What happens after a VMware audit?

After a VMware audit, if any areas of non-compliance are identified, you will need to take steps to address these issues. This could involve purchasing additional licenses, adjusting your usage of VMware products, or changing your practices or procedures.

What should I do if VMware audits me?

If VMware audits you, it’s essential to understand the audit process fully, provide all requested information and seek expert advice. You should also review the audit findings carefully and take steps to address identified issues.

Is it permissible for a customer to use the software for evaluation purposes?

Customers can use the software for evaluation purposes, provided it is not used in a production environment and is strictly for testing.

Can an affiliate use the software?

Generally, a corporate affiliate can use the software if they are under common control or ownership of more than 50%. This implies that joint ventures or affiliates with less than 50% shared ownership, possession, or voting rights must have a separate license. This is outlined in Section 1.1 of the VMware End User License Agreement (EULA).

Is it possible to transfer the software?

According to the VMware End User License Agreement, the software cannot be transferred unless the customer obtains written consent from VMware. VMware will not unreasonably withhold this consent. This is stated in Section 12.1 of the EULA.

Does the license have an expiration date?

The EULA specifies that all VMware licenses are perpetual unless the order for the software specifically limits the license term. This means that the license will not expire unless it is terminated.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, enhancing organizational efficiency.