Several SAM providers claim their products are “vendor certified” and that their reports will be accepted in place of reports by the auditing vendor. Like the millions you’ve been promised by the fictitious prince, some things are too good to be true. This blog explores the realities, limits and risks of so-called “vendor certification” programs.
For any company facing a software vendor audit, it is a tempting thought, “What if instead of depending on tools from the auditing vendor to measure application usage I could instead create reports from my software asset management (SAM) software?” After all, SAM users have discovered how accurate, detailed, and useful SAM reports can be to understand and optimize software usage. Unfortunately, usage of SAM reports as a full replacement for vendor scrutiny or as protection against audits simply isn’t possible.
But wait, aren’t there SAM providers that claim their products are “vendor certified” and that their reports will be accepted in an audit? Indeed, there are, but like the millions you’ve been promised by the Nigerian prince, some things are too good to be true. Let’s dig into two of the biggest vendors to find out how this confusion arises.
As part of their License Management Services (LMS), Oracle does specify a handful of “verified vendors.” From their website:
“Tools from the following vendors have been verified to provide the required data set to supplement a LMS engagement. The scope of the verification process only covers the data collection related to the installation and usage of specific Oracle products, namely Oracle Database and the associated Options. The verification does not include any other Oracle products or the overall capabilities of the vendor’s solution. LMS will accept data from any of these tools as an alternative to installing LMS measurement tools.
Please note that the installation and usage of a tool from a verified vendor does not replace an Oracle License Audit or True Up engagement or revoke Oracle’s contractual right to perform a License Audit or True Up. The usage data gathered from these tools will still need to be analyzed by the LMS organization to assess license needs and provide the customers with a compliance statement.”
That is a lot of lawyer talk so let’s see if we can parse out the key takeaways:
- This says verified tools deliver the same usage information as from a manually executed Oracle compliance script. This nothing close to “certifying” a SAM tool and its Oracle results.
- This only covers discovery, not entitlement assessment or compliance functions. It does not include the process of discovering the databases in the first place which is notable as tools have widely verifying capabilities to discover databases. Finally, it doesn’t include other inventory/ measurement data which may be required such as for virtual/ physical configurations, Veritas clusters, and more.
- Anything discovered by these “verified” tools is only a “supplement” to the data collected for an audit or true up. The fact is the Oracle LMS team will solicit and accept data from diverse sources, both their own and 3rd party, regardless of whether it is part of the “verified” program. This willingness to accept SAM data is true across most vendors, just not to the exclusion of reports by the auditing vendor.
- It applies only to Oracle Enterprise Edition databases and, since the verification program was closed a few years ago, only to certain older versions of databases.
- Any report from these “verified” tools will not protect you from an audit.
The fact is that Oracle has zero incentive to harm the lucrative stream of audit revenue the LMS team generates. The analyst firm ITAM Review has done a nice job detailing the limitations and risks associated with this supposed verification.
Unlike Oracle, IBM has never provided any public statement regarding guidelines, programs, tool certification, or a tool verification process. On the contrary, as specified on IBM’s website, there has been a consistent requirement that only ILMT be used for sub-capacity calculation and reporting, unless language to the contrary is specifically included the license contract. In spite of this, select SAM vendors continue to claim their solution is “certified” by IBM and can replace ILMT. As an example, in a recent opportunity, a vendor claimed IBM would accept the license management vendor’s reports and that ILMT was not required. Snow put the buyer directly in touch with IBM who explained this was false.
BEWARE MISLEADING CLAIMS
Some license management vendors mislead buyers into believing their usage reports will be accepted instead of vendor tool reports. While unfortunate, Software Asset Management and license management buyers would be wise not to take the word of any vendor who makes claims their product has been “certified.”
One piece of good news is that many are getting wise to the “certification” game, with recent blogs from SAM vendors Certero and Aspera and the analyst firm ITAM Review setting the record straight. Snow encourages all SAM buyers to learn as much as they can about this sometimes-complex subject.
As “certification” programs from Oracle, IBM, Microsoft, and others become available, Snow will participate if it helps our customers in any way. At the same time, we are 100% committed to always being honest brokers and sharing the truth about how these programs help and how they don’t.
If you want to know more about Oracle or IBM products and how you can make savings on them, take look at Snow’s e-books: 5 Ways to Cut Spending on Oracle Databases, which describes five cost-saving initiatives for Oracle products and 5 Way to Save on IBM Licensing, by applying all of these initiatives, you can save up to 30% on your licensing costs.