Vmware Audit
-
@John-Nicholson said in Vmware Audit:
I've read several EA's over the years and never seen this language.
here is the thing... if EA's are standard, there should be no problem having the language of the audit be public. If they are not standard, then having seen many of them doesn't tell us anything.
-
So here is the real question at the end...
How do we, at the end of the day, know how VMware is going to hold us to audits? The cost of the legal team alone to verify the requirements would cost more than the product itself in the SMB space. If you are an enterprise, you will have the legal team for this. But even then, so much of auditing is "knowing how the vendor is going to behave" which gets really tough always depending on "well they aren't normally unreasonable." Often it isn't the vendor but random third party auditors.
-
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
-
@thwr said in Vmware Audit:
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.
-
@scottalanmiller said in Vmware Audit:
@thwr said in Vmware Audit:
@Jason said in Vmware Audit:
Not sure yet, but they want a lot of stuff and we have thousands of Vmware servers. It's due within 7 days.
TLDR, but if it were me who had bought thousands of VMware licenses and some guy shows up and wants an audit in 7 days I would just ask him if he knows the current pricing of Xen or Hyper-V with MS System Center in such a scale.
Auditors don't care, they aren't paid through sales. They only make money, if they are paid that way, through penalties.
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Seven days is a joke, no matter the size. In case of being such a big customer, I would expect the audit to be announced at least a few months in advance and that the auditor will bring donuts and coffee. Sorry, this is driving me mad.
-
What would be great (for us to better understand this) is if @Jason could post an copy of the Audit forms that he's been given. Even if he excluded the details of the audit firm / his employer.
-
@thwr said in Vmware Audit:
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.
-
@scottalanmiller said in Vmware Audit:
@thwr said in Vmware Audit:
Sure, but wouldn't it be fun to see an auditor explaining to his boss why an audit resulted in the loss of a big customer?
Often, at least with MS, they use external audit firms who are so far removed from wanting the customer to be happy that there is almost no way that things will go well. No idea how VMware does it.
I know, and that's the problem. Anyway, there's a company selling something, there's a customer who spends a reasonable amount of money and I would do virtually anything to keep that customer happy. It's not just about the money, but also about reputation.
-
You would think. But it's a major reason why I've moved us to zero Windows servers. If you have a lot, whatever. If you get down to like just one, the audit risk could just go away. So we pushed hard to eliminate all of them. Why carry that risk unnecessarily.
Funny, in another thread that prompted this one to pop back up elsewhere, someone laughed at me for even taking audit risk into consideration with "you'd have to eliminate all audit risk" which, of course, makes no sense as each risk stands on it own. But we did just that... eliminated everything that had audit risk. It's very freeing.
-
@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.
-
@John-Nicholson said in Vmware Audit:
@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.
I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.
Is there a clear guide to what audit requirements would fall on someone NOT under an EA?
-
Depends on the agreement and your industry.
If your a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fee's its completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes. -
@scottalanmiller said in Vmware Audit:
@scottalanmiller EA's and audit requirements have huge variables depending on industry, requirements, the country its originated in, the countries it is used in. The language varies so much (and you can ask for things to be waved, changed, or added based on your needs). EA's are fundamentally driven by both parties liking the numbers, and what the lawyers will approve. There is no "standard language" as what the DOD will accept is different from a hosting company is different from a oil company.
I understand that it is very hard. It's also tough because the OP is saying that this is from a EULA, not from the EA. Hopefully he will chime in soon. It seems like crazy audit stuff.
I don't believe auditing is in the standard EULA on the website. I have NEVER heard of a non-EA customer being audited.
-
@John-Nicholson said in Vmware Audit:
Depends on the agreement and your industry.
If your a service provider operating under SPLA (Microsoft) or VCAN (VMware) you have to be reporting this every 30 days. If the licensing had "per day, or per month" fee's its completely normal to require this type of information be maintained. The most favorable (granular) licensing terms require the most aggressive logging information be maintained for audit purposes.Maybe those needing that could send it automatically? Seems WAY better to have VMware getting your daily logs than to suddenly be on the hook for years of logs that go back before anyone is around to know first hand what might have been there.
I'd happily log ship to a good vendor partner in real time. But having to maintain old data like that is scary. Too much to go wrong.
-
@scottalanmiller There is phone home capability in vSphere. Most people backup their vCenter DB's and hold onto that DB for the life of their environment.... If your exporting logs to some type of SIEM, or something like LogInsight those can maintain logs as long as you want to archive.
These are all normal things that F500's do (as well as many use over-archiving SAM solutions for tracking their licensing usage). This isn't something SMB's have to think or worry about (and when your at this scale you enter into these type of EA's because the cost of the added overhead for compliance is generally significantly offset by the YUUUUUUUGE discounts you get).
-
@thwr said in Vmware Audit:
Xen
The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.
-
@John-Nicholson said in Vmware Audit:
@thwr said in Vmware Audit:
Xen
The cost of System Center with VMM isn't much cheaper at scale, and it also comes with a yearly audit call from a 3rd party in India who doesn't understand virutalization which leads to hilarious conversations. A Microsoft EA does not simplify auditing requirements.
YOu mean... Hyper-V. Xen is license free (other than GPL.)
-
@thwr 7 days isn't actually that hard to meet with if your a Fortune 500 who properly tracks your licensing. If you don't then you need to ask for extra time (Which even Microsoft and Oracle will give you) and assistance (VMware has licensing optimization scripts that can be run even outside of audits to make sure your in compliance).
Do you just install Office on computers, and Windows and create Windows SQL servers without tracking your usage vs. licensing or do you just use BSD licensed software?
-
@John-Nicholson said in Vmware Audit:
Do you just install Office on computers, and Windows and create Windows SQL servers without tracking your usage vs. licensing or do you just use BSD licensed software?
I just use OSS licensed software whenever possible. We're down to 3 computers that still have Windows installed here. I get way fewer complaints about things not working right now (that infamous caps lock key still gets one of the older ladies.)
-
@travisdh1 Open Source can still require audits. The GPL has requirements (Cisco was sued over this). Redhat if I"m not mistaken can audit you for your usage of RedHat Enterprise Linux.
BSD is the only safe license