Some Helpful Tips on Maintaining Oracle Compliance

January 28, 2016

Author

Brian Lowinger

SAM Oracle Compliance Consultant at SoftwareONE

Like most software publishers, Oracle routinely audits their customers to ensure license compliance.  Regardless of whether or not any compliance violations were identified, customers often move on from an audit with the feeling of a “clean bill of health” in terms of Oracle license compliance. Having “righted the ship,” customers may feel that they could pass a future Oracle audit. This, however, is a false sense of security as Oracle’s audit process and licensing policies are ever-evolving and expanding.

As Oracle seeks to drive additional revenue through audit activity, their audits have become more wide-reaching, and their licensing policies more severe. An Oracle audit conducted today may yield drastically different conclusions than an audit from 5 years ago, regardless of how Oracle programs are used. In other words, even if your environment hasn’t changed, the Oracle audit has.

Oracle Partner Network / Oracle Technology Network

In recent years, Oracle audits have increased their focus on customers’ use of Oracle technology under programs like Oracle Partner Network (OPN) and Oracle Technology Network (OTN).  These membership programs allow for the use of Oracle products within some very strict limitations related to development and demonstration purposes.

Today’s Oracle audits often require that customers report and explain all installations of programs used under OPN/OTN in addition to the installs used for regular business purposes. When Oracle determines that programs deployed under OPN/OTN have been used beyond the limitations of the membership, they will require the purchase of full-use licenses. As all too many companies have discovered, this can lead to costly non-compliance findings.  Customers should ensure that they are complying with the terms and conditions of their OPN/OTN agreements and should be prepared for Oracle’s scrutiny of those environments in any future Oracle audit.

Licensing Oracle on VMware Technology

Many customers are familiar with Oracle’s infamous VMware policy, which dictates that all physical ESXi hosts where Oracle programs could potentially run via VMware technology (vMotion, DRS, High Availability, etc.) be licensed, regardless of where Oracle is actually running at any point in time.

All too often, customers have learned this policy the hard way – through an audit. But “passing” an audit in the past does not guarantee that you are compliant today, even if your Oracle usage and entitlement have not changed. As VMware technology has improved, Oracle’s licensing position has consequently created more potential compliance exposure for customers. This is because, while older versions of VMware allowed virtual machines to migrate between hosts within a cluster, newer versions of VMware allow for the migration of virtual machines between clusters, data centers, and even vCenter instances. This can greatly increase the number of machines that require licensing. In this way, a customer that has done nothing more than upgrade to a newer ESXi version can create a sizable compliance violation that may be exposed during an audit.

New Products + New Programs = New Risks

As Oracle continues to make new acquisitions, its compliance organization has kept pace by rolling out audit programs for a number of products that may not have been included in past audits. In recent years, Oracle has built compliance programs for products like Siebel, JD Edwards, PeopleSoft, Agile, Hyperion, WebLogic and Tuxedo.

Where a past Oracle audit may have focused only on the database, Oracle audits now routinely include multiple product lines.  Oracle has also expanded its standard tool-set used during an audit. While yesterday’s audit relied heavily on a customer’s declaration of where Oracle programs were installed, today, Oracle is increasingly leveraging their own ‘discovery’ tooling to scan customer environments. A customer that may have emerged from an audit “compliant” five years ago may very well face a much more inclusive and thorough audit today or in the future.

Stay Diligent, Stay Compliant

It is important that customers stay diligent about Oracle compliance, even after having finished an audit.  While customers are generally not audited more than once per year, the risk of an audit in future years is always present and Oracle’s bullish approach to compliance will likely continue. As IT in general evolves, so too will Oracle audits change over time in their scope, method, and policy. Achieving compliance in the past does not guarantee a state of compliance today or in the future.
