Aug 24, 2016

8 Massive Myths about Vendor Certifications

There’s a lot of confusion in the SAM market space currently about vendor “certifications” of License Management tools. What does it actually mean when a platform or tool claims to be certified? And what advantages does that “certification” provide you with in the case of an audit?

Let’s start with the basics.

A “vendor tool certification” inherently means that a software publisher has given their blessing for the quality of data or output that a SAM tool generates. Sounds great, right? What’s better than sitting down at the negotiation table armed with qualified data that a vendor has already approved as officially accurate in advance?

Well, you might be surprised to learn that vendor certifications actually don’t exist for License Management tools. It’s true. Although some companies may report certain vendor certifications, it should not be a relevant consideration when choosing the right SAM tool for your company’s needs. As Martin Thompson, Founder of ITAM Review, explained in a recent article: “I won’t be using vendor verifications as a competitive differentiator to discriminate between tools.”

This article aims to dispel eight common myths. We will add actual facts from the IBM and Oracle vendor websites to explain.

Myth #1: Vendor certifications for License Management tools exist.

No, they don’t – of course not. When you stop and think about it, this seems fairly obvious. Why would any vendor give up the right to audit (and a potentially huge revenue stream) just because the customer paid for a License Management tool from a third party?

“But the sales rep from company XYZ told me they have a certification from Oracle and IBM. Are you telling me he is lying?” Well, at a minimum he is stretching the truth. Let’s have a closer look at what Oracle and IBM say on the topic.

Myth #2: IBM officially accepts third party tools to replace ILMT.

They say silence is worth a thousand words. The IBM website does not provide any information regarding guidelines, programs, tool certification or tool verification process. In fact, IBM has never issued any public statement about plans to alter its requirement that you must use IBM-owned tools like ILMT, TADd/TAD4D, IBM BigFix or SUA for sub-capacity reporting.

Let’s clear up the confusion with facts. Even if such an announcement were made in the future, your only option would be to obtain a waiver or contract modification directly from IBM‘s legal and compliance team. But this waiver will still not decrease your audit risk. On the contrary, your audit risk will significantly increase, because the waiver amounts to replacing ILMT. Now IBM can audit you on both the data AND the tool.

Additionally, although IBM offers several options for partner status, technical or conceptual certifications, none can be interpreted as a SAM vendor certification. Unfortunately, some marketing statements fail to differentiate between these and may blend the facts. Take a critical eye to any technology vendor claiming to be a “source of truth” for any activity other than purchasing and installation.

The only benefit of a waiver is if you already have a third-party tool rolled out and don’t want to run a second agent to scan for the same data. A major issue with ILMT is that its active agent runs on every machine with a 30 minute scan interval. But any replacement tool would have to do the same — producing the same load hit on your machines — and that data will be used to supplement IBM audits, not replace it. So... what have you really gained?

Myth #3: Some third party tools are exceptions because, well, they say so!

Quite recently and relevantly, IBM issued an official statement that they are “no longer accepting” a certain vendor’s promoted technologies as an ILMT replacement. IBM has clearly announced that this solution, which has been heavily marketed as a tool to replace ILMT, can no longer be used as a replacement.

IBM auditors initially led the trend to ignore results from third party technology that provides inadequate and incomplete quality of data. IBM policy now appears to have adopted this protocol when negotiating a dedicated customer’s plan for replacement.

Myth #4: Alternative technologies are always accepted for soft audits.

Although voluntary “Reviews” may provide an opportunity to utilize alternative technology to ILMT, it’s not an inherent right during the process. Even without a hard audit in front of you, it would be dangerous to assume that the use of an outside technology will be blindly accepted. Any such use would be determined through negotiation between the parties. Often having a “friendly” first impression, it’s important to remember that reviews are basically “normal audits” that were just triggered by the customer. All information gathered and exchanged with the vendor or its partner can – and will – be interpreted to identify correct usage and licensing. Whenever such a “friendly audit” is conducted, be aware that the same rules and procedures that you’d expect in a formal vendor audit will apply.

Myth #5: A verified discovery tool means that your SAM tool is certified by Oracle

It is as simple as this: Oracle does not provide any form of tool certification.

Oracle does have a verification process for discovery tools. This guarantees the tool delivers the same Oracle usage information that a customer would get from a manually executed Oracle compliance script. And it guarantees that the discovery results will be accepted by Oracle’s compliance team. But – and this is crucial – this means that only the raw data is accepted and not the results of the SAM tool.

This is a far cry from certification of a SAM tool and its Oracle results. The ITAM Review discussed the limited scope of Oracle's verification process in detail.

Unlike IBM, the Oracle website specifies their position:

“The scope of the verification process only covers the data collection related to the installation and usage of specific Oracle products, namely Oracle Database and the associated Options. The verification does not include any other Oracle products or the overall capabilities of the vendor’s solution. […]. Please note that the installation and usage of a tool from a verified vendor does not replace an Oracle License Review or Audit or revoke Oracle’s contractual right to perform a License Review or Audit.

So what’s the catch? Keep in mind that there are many details to consider when examining how Oracle views data sources. For instance, only Enterprise Edition databases and associated options are recognized — which excludes over 90% of Oracle products.

Myth #6: Data quality is not an issue for a verified tool.

A third party tool is verified when its output is consistent with or exceeds what Oracle’s scripts would produce at the time of the review. But false positives during that process are still very common.

In fact, at Aspera, we have recently seen common false positives from “Oracle Verified” tools. Products like Advanced Compression, Tuning Pack and Diagnostics Pack are shown as being used when they are actually not. Or Standard Edition installations show up as Enterprise Editions after applying a patch.

This problem is so pervasive that Oracle had to intensify the frequency and content of its re-verification process. Why? Because after being verified initially, some vendors “forgot” to maintain their Oracle component, and were no longer able to deliver accurate results covering the latest Oracle product versions.

Myth #7: A verified scanning tool replaces an Oracle audit.

Using a verified tool never replaces an Oracle license review or audit. That data is used to supplement the Oracle License Management Services (LMS) review process. But so would any other data that you are willing to share with Oracle.

Of significant note regarding Oracle LMS verification, the ITAM Review recently wrote that inside sources reported “the whole program is on ice with 50 tools in the queue waiting to be verified…it should be disregarded as a program.” Several rumors exist around the topic, most commonly that the “Oracle scanning tool” will never exist.

Myth #8: Verification gives you peace of mind.

It’s important to know that verification tools do not encompass entitlement, assessment, or compliance. Each verification approach only takes into consideration the inventory and measurement data which it can technically measure. When pointed at a database, the verified tool outputs the same data as Oracle’s own scripts and tools. This means that data weakness is always your organization’s responsibility.

In a related plot twist, some SAM software companies have applied for certifications in technical Oracle development or administration. These certifications allow platforms to use Oracle software within their products and architecture.

Needless to say, this is a completely different type of “vendor certification” that doesn’t impact SAM functionality. Yet some third party companies creatively combine their certification statements to appear more relevant to novice consumers. You should always carefully investigate such promises, as reality is more complex than a clever marketing slogan.

Why are we talking about this now?

So, why is there so much marketing hype promoting these phantom certifications? And if vendor certification isn’t real, what is your best strategy when choosing a SAM solution?

The hype: Usually the push to promote “vendor certification” is due to a third party platform’s weakness. Perhaps it doesn’t have adequate connectors to a customer’s preferred discovery tool or a vendor’s mandated tool. So the SAM platform advocates their own discovery to compensate for the ineffective data collection that could result.

Effective SAM solutions are built on trust, reliability and results. If the initial sales story foundation begins to disintegrate, additional platform shortcomings may be around the corner.

The fix: If you already purchased a SAM platform that isn’t delivering on its sales promises, examine your contract. You may have a dedicated section entitling you to step back if some, or all, defined functions are missing.

If no contractual recourse exists, your best course of action is to contact a mature SAM consultant. An expert can help your organization clearly define your technical and conceptual options, which may include replacing the technology. Process, technology and data quality are always your key to success.

The strategy: Our best advice is that it’s crucial for your company to run a technical proof of concept (POC) to test the tool’s claims before you purchase. Buying and implementing a suboptimal technology is an expensive mistake. It can cost your organization significant time and – if audits aren’t correctly handled – even more in penalties. Be careful of marketing claims that promise a quick solution to your challenges. Let’s face it: Like all important things, SAM is never quick.

At Aspera, we’ve witnessed how buying and implementing a technology that doesn’t deliver is a very expensive mistake. And then we’ve helped to unravel that mistake.

We know that trust is the solid foundation for successful SAM. And we firmly believe that customer relationships don’t end once a contract is signed, or a tool is implemented. Our experienced team is happy to honestly educate you on what tools are and aren’t capable of doing.

Topics: SAM Insights