Are software audits still necessary in the age of cloud computing?
There may be a way to avoid costly software licensing audits!
Published on 14th May 2018
Virtually every organization has some form of IT infrastructure and software licensing. For many, the cost to license software is in the tens of millions of dollars, and it’s obviously a vital part of running a business. With so much money on the line, and the potential impact of not having the necessary software, it’s easy to see why an increasing number of organizations are finally being proactive with software asset management (SAM).
The nature of software is that it is easy to install and run, or to access tools and data on or from multiple devices and doing so may go unnoticed by IT administrators. Accessing email or data on a corporate server from an employee’s smartphone, for example, typically requires some form of software license. Employees do this every day, and it’s often in the best interest of the organization to let them, but if the organization doesn’t manage it properly, the consequences can be severe.
The proliferation of devices and ease with which users can access corporate servers and data has contributed to an increased emphasis on software licensing audits being performed by major software vendors such as Microsoft, Oracle and others. There was a time when pirated sales and distribution of software was the primary focus of attempting to recover lost revenue, but since physical media such as CDs and DVDs are less common today, software vendors are now focusing on unauthorized or improperly licensed software use. Since enterprise and other large software users represent the largest revenue stream for many vendors, it’s easy to see why Microsoft and others are focusing on recovering applicable revenue, which may otherwise be lost.
Why am I likely to be audited?
Software audits are easy money for Microsoft, as the customer typically bears the cost, unless they are found to be within 5% of compliance (on the low side; they can purchase as many unused/surplus licenses as they want).
Many software vendors attempt to perform some sort of audit on their high-volume customers at least once every three years, although they are often entitled to do so annually. This may be done by a third-party auditor, or something as seemingly innocuous as a “self-assessment”, in which the customer is required to scan their environment and report deployed software, which Microsoft will compare to their record of licenses sold. The customer will be required to purchase licenses for any shortcomings discovered, often with little or no discount.
The current practice and methods of performing audits has proven lucrative for Microsoft, Oracle and others, but they obviously fail to capture all, or perhaps even most, offenders. Audits also strain the relationship between software vendors and their customers. There are instances in which the software vendor chooses not to audit certain customers, due to strategic reasons. This may be costly for the vendor, as there is no opportunity to discover unlicensed software, even if it is being used unintentionally. Even for customers who understand that audits may be purely procedural on the part of the vendor, and that they don’t necessarily suspect the customer so being non-compliant, the process is disruptive, and results can be costly.
Is there a way to prevent software licensing audits?
Today, software audits allow the vendor to see what has been deployed in an organizations datacenter, but what happens when the software is deployed in the cloud? In the case of Microsoft, for example, they (MS) host products such as Office 365 on their own servers, and as such, have increased visibility to who accesses software or data, and how it’s being used. The same may not be said for Microsoft products which reside on competing cloud service providers, such as AWS, but if the customers entire Microsoft estate is hosted by Microsoft, it could potentially change the audit process. This could be structured in several ways, but if products and services reside on MS servers, Microsoft would have the ability to identify and track users and devices. Of course, there would be privacy and security concerns in such a scenario, but they could be addressed as part of the boilerplate license agreements.
A “Microsoft-only” scenario seems like it would be relatively easy to design and implement, and it would benefit customers by increasing compliance and reducing the fear of an audit. Microsoft would benefit from increased compliance by customers they would typically audit today, and it would ensure that those “strategic” customers who may rarely be audited are compliant, as well.
What about customers who use MS products, but have them hosted in a competitor’s cloud? Microsoft would presumably treat them in much the same manner as they do today, since they wouldn’t have visibility to the user or device credentials they would have if MS were hosting.
Microsoft could use a “Microsoft-only” model as a competitive advantage against other cloud service providers. Since most organizations want to be compliant, removing audits from the table would give Azure a significant advantage which no one else could match. They could also further increase their efforts to audit on-prem customers or those being hosted by competing cloud service providers with hopes of luring them to Azure if the likelihood of future audits were reduced or eliminated.
I haven’t seen any formal steps toward this, but as Microsoft continues to promote their cloud services, I wouldn’t be surprised to see it in the future.
