Vmware Audit

thwr

@scottalanmiller said in Vmware Audit:

@thwr said in Vmware Audit:

Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?

Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.

I know, and that's the problem. Anyway, there's a company selling something, there's a customer who spends a reasonable amount of money and I would do virtually anything to keep that customer happy. It's not just about the money, but also about reputation.

scottalanmiller

You would think. But it's a major reason why I've moved us to zero Windows servers. If you have a lot, whatever. If you get down to like just one, the audit risk could just go away. So we pushed hard to eliminate all of them. Why carry that risk unnecessarily.

Funny, in another thread that prompted this one to pop back up elsewhere, someone laughed at me for even taking audit risk into consideration with "you'd have to eliminate all audit risk" which, of course, makes no sense as each risk stands on it own. But we did just that... eliminated everything that had audit risk. It's very freeing.

StorageNinja

@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.

scottalanmiller

@John-Nicholson said in Vmware Audit:

@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.

I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.

Is there a clear guide to what audit requirements would fall on someone NOT under an EA?

StorageNinja

@thwr

Depends on the agreement and your industry.
If your a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fee's its completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.

StorageNinja

@scottalanmiller said in Vmware Audit:

@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.

I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.

I don't believe auditing is in the standard EULA on the website. I have NEVER heard of a non-EA customer being audited.

scottalanmiller

@John-Nicholson said in Vmware Audit:

@thwr

Depends on the agreement and your industry.
If your a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fee's its completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.

Maybe those needing that could send it automatically? Seems WAY better to have VMware getting your daily logs than to suddenly be on the hook for years of logs that go back before anyone is around to know first hand what might have been there.

I'd happily log ship to a good vendor partner in real time. But having to maintain old data like that is scary. Too much to go wrong.

StorageNinja

@scottalanmiller There is phone home capability in vSphere. Most people backup their vCenter DB's and hold onto that DB for the life of their environment.... If your exporting logs to some type of SIEM, or something like LogInsight those can maintain logs as long as you want to archive.

These are all normal things that F500's do (as well as many use over-archiving SAM solutions for tracking their licensing usage). This isn't something SMB's have to think or worry about (and when your at this scale you enter into these type of EA's because the cost of the added overhead for compliance is generally significantly offset by the YUUUUUUUGE discounts you get).

StorageNinja

@thwr said in Vmware Audit:

Xen

The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.

scottalanmiller

@John-Nicholson said in Vmware Audit:

@thwr said in Vmware Audit:

Xen

The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.

YOu mean... Hyper-V. Xen is license free (other than GPL.)

StorageNinja

@thwr 7 days isn't actually that hard to meet with if your a Fortune 500 who properly tracks your licensing. If you don't then you need to ask for extra time (Which even Microsoft and Oracle will give you) and assistance (VMware has licensing optimization scripts that can be run even outside of audits to make sure your in compliance).

Do you just install Office on computers, and Windows and create Windows SQL servers without tracking your usage vs. licensing or do you just use BSD licensed software?

travisdh1

@John-Nicholson said in Vmware Audit:

Do you just install Office on computers, and Windows and create Windows SQL servers without tracking your usage vs. licensing or do you just use BSD licensed software?

I just use OSS licensed software whenever possible. We're down to 3 computers that still have Windows installed here. I get way fewer complaints about things not working right now (that infamous caps lock key still gets one of the older ladies.)

StorageNinja

@travisdh1 Open Source can still require audits. The GPL has requirements (Cisco was sued over this). Redhat if I"m not mistaken can audit you for your usage of RedHat Enterprise Linux.

BSD is the only safe license

DustinB3403

@John-Nicholson said in Vmware Audit:

@travisdh1 Open Source can still require audits. The GPL has requirements (Cisco was sued over this). Redhat if I"m not mistaken can audit you for your usage of RedHat Enterprise Linux.

BSD is the only safe license

But you're only going to be audited (or put at risk of an audit) if you are using a software from a business that is offering OSS software with support.

scottalanmiller

@John-Nicholson said in Vmware Audit:

@travisdh1 Open Source can still require audits. The GPL has requirements (Cisco was sued over this). Redhat if I"m not mistaken can audit you for your usage of RedHat Enterprise Linux.

Red Hat audits based on the EULA, not the GPL. GPL audits are for use of code, not for use of binary.

thwr

@scottalanmiller said in Vmware Audit:

You would think. But it's a major reason why I've moved us to zero Windows servers. If you have a lot, whatever. If you get down to like just one, the audit risk could just go away. So we pushed hard to eliminate all of them. Why carry that risk unnecessarily.

Funny, in another thread that prompted this one to pop back up elsewhere, someone laughed at me for even taking audit risk into consideration with "you'd have to eliminate all audit risk" which, of course, makes no sense as each risk stands on it own. But we did just that... eliminated everything that had audit risk. It's very freeing.

Risk management has to be taken care of.
Not a question at all.

scottalanmiller

With GPL there is nothing to audit over.

Q: How many of that products are you using?
A: As many as I want.

Want to deflect an audit...

Q: Did you download this?
A: Yes
Q: Did you use it on any machines?
A: No
Q: Then why is it running on thousands of machines?
A: Oh, that's an identical copy that I licensed to myself.

GPL makes you the license granter. So auditing it automatically eliminated from possibility.

thwr

@scottalanmiller said in Vmware Audit:

@John-Nicholson said in Vmware Audit:

@thwr said in Vmware Audit:

Xen

The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.

YOu mean... Hyper-V. Xen is license free (other than GPL.)

Actually, there are quite a few papers out there comparing the TCO of all major virtualization systems at large scales. Basically, Xen is the cheapest followed by Hyper-V with MSSC (SCVMM + SCOM) and vSphere being the most expensive.

scottalanmiller

@thwr said in Vmware Audit:

@scottalanmiller said in Vmware Audit:

@John-Nicholson said in Vmware Audit:

@thwr said in Vmware Audit:

Xen

The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.

YOu mean... Hyper-V. Xen is license free (other than GPL.)

Actually, there are quite a few papers out there comparing the TCO of all major virtualization systems at large scales. Basically, Xen is the cheapest followed by Hyper-V with MSSC (SCVMM + SCOM) and vSphere being the most expensive.

Which would be why we see all the largest players on Xen. At that scale that stuff adds up. They have to be very careful.

thwr

@John-Nicholson said in Vmware Audit:

@thwr 7 days isn't actually that hard to meet with if your a Fortune 500 who properly tracks your licensing. If you don't then you need to ask for extra time (Which even Microsoft and Oracle will give you) and assistance (VMware has licensing optimization scripts that can be run even outside of audits to make sure your in compliance).

Do you just install Office on computers, and Windows and create Windows SQL servers without tracking your usage vs. licensing or do you just use BSD licensed software?

I'm in public EDU. We're running quite a bunch of MS products like SQL Server, SharePoint, Forefront UAG, System Center and others. I have a very exhaustive stack of paper about where we use what since when - and it's driving me nuts. It's very hard to keep track, especially in case of upgrades. Try to keep track of a machine upgraded since XP. Very funny.

That's why I am replacing quite a few things with FOSS alternatives wherever possible.