Jan 29, 2019

Understanding the Fundamentals of IBM Software Audits

IBM software audits are becoming more and more common. Being properly prepared for an audit is your first line of defense. To achieve IBM license optimization and compliance, a solid understanding of both actual use and rights of use is essential to avoid non-compliance risks.

IBM Software Audits

Why IBM software audits are harder than other vendors

IBM software audits differ from software compliance audits by other publishers for several reasons. On average, audits are conducted once every 4 years, via third parties (Deloitte, KPMG, etc.), to ensure a higher maintenance fee.

The diversity of contracts, the complexity of products and metrics – as well as their perpetual renaming, the lack of knowledge about the use terms of certain licensing benefits, and many other elements make IBM software license management an increasingly difficult challenge. These factors also increase the risk of non-compliance.

Common IBM contracts

The Passport Advantage (PA) contract remains the IBM Standard contract. The Enterprise Software & Services Offering (ESSO) contract is sometimes used as a global contract framing several contracts of the same group.

Under a contract, a customer can purchase a license entitlement, which gives the right to use the product, and/or optional maintenance which, if subscribed, must be renewed annually on the total purchased licenses. If the maintenance has not been renewed, after a period of one year, the customer will be forced to buy Reinstate licenses if he wants to use a newer version and reactivate his right to support. Finally, a trade-up is a license to upgrade within the product range, such as a change from Domino Messaging Server to Domino Application Server.

IBM’s main licensing metrics

IBM has a wide range of metrics that can be categorized into two main categories:

Hardware Metrics
  • Storage Capacity Unit (SCU) - former Terabyte metric (TB): IBM announced this metric in June 2016 for Spectrum Control and Virtualize (TPC, SVC). IBM differentiates three classes of storage, and any type of storage that does not "fit" into these categories will be included in category 1.

    Storage Class | Technology           | Use Case
    1             | Flash & SSD          | Maximum performance
    2             | SAS & Fiber Channel  | Average performance, read intensive
    3             | SATA & Near-Line SAS | Less active data, backup, archive

  • PVU (Processor Value Unit): based on the number of cores of a server multiplied by a coefficient according to the type of processor. Depending on the usage rights, we speak of full capacity or sub-capacity.
  • Resource Value Unit (RVU): what counts as a resource varies widely; the distinguishing feature is degressive accounting.
  • And more…
User-related metrics
  • Authorized User: related to the number of people who can access the solution
  • AUVU (Authorized User Value Unit), XUVU (external User Value Unit), EUVU (Employee User Value Unit): these are derivatives. One rule is to read the license text (often degressive).
  • Floating User, Concurrent User: depending on the number of users connected simultaneously.
  • Simultaneous Session: based on the number of sessions open at a given time.
  • CEO: based on the number of employees and third parties who can access the information system (in the broad sense). Auditors often base their count on the number of workstations.

Tips for strategic IBM software audit defense

An audit clause is still included in IBM's contracts. Two modes of audit exist according to the size of the company and the products used:

  • Self-declaration where the client declares to IBM its use and its right of use
  • Full audit where IBM conducts all stages of the audit

Upon receipt of the notification letter, an in-house organization may provide better audit management. It is even advisable to appoint a team in charge of this audit to ensure its smooth running. The stakeholders in this process are the purchasing, deployment and, if necessary, legal experts.

Before sharing data with IBM, it is essential to have a view of IBM installations (data sources, architecture, products, users, etc.), and to verify that the data is accurate and complete. In addition, collecting all proofs of license acquisition, conditions of use, and maintenance contracts is essential to ensure that the conditions of certain licensing models are met.

A common risk for most companies is to apply the sub-capacity model without necessarily having the right. The sub-capacity is eligible only if the following points are respected:

  • Contractually benefit from this model
  • Have an eligible virtualization technology
  • Apply computation rules according to IBM definitions
  • Apply it to products eligible for sub-capacity
  • Have an eligible processor model
  • Deploy IBM License Metric Tool (ILMT) or IBM BigFix

IBM license management is key

The main risks of non-compliance are related to usage control and a lack of proper understanding of usage rights. Learning how to manage the licensing and maintenance contracts, verify the legacy of licensing models, control the deployments of bundles, etc. ensures a consistently high level of compliance and readiness for any software audit that may be announced.
