It should be no surprise to anyone who reads this article that Oracle Corporation, like many other vendors, is using software audits as a way to generate easy revenue.
To quote Gartner research: “Vendor-imposed and revenue-motivated audits are increasing for organizations of all sizes and industries. Software asset managers must examine the audit trends exposed in our survey, and prepare the organization to avoid compliance risk and unbudgeted costs.”
Oracle Licensing Rules are Complex and Confusing
The fact that properly licensing Oracle is complex and confusing only further compounds the problem.
To quote the General Counsel News: “Oracle maintains what I consider to be the most aggressive audit program of any major software publisher. Its licensing rules can be extremely difficult to understand, and they frequently are not clearly stated in the applicable license agreements. Moreover, Oracle’s License Management Services (LMS) team typically is unforgiving when it comes time to apply those rules, and it often uses Oracle’s ambiguous license terms and confusingly constructed contracts to prepare audit findings that can cause heart palpitations for business owners.”
Audits Mean Revenue
Add to this the fact that Oracle requires no license keys, which spells trouble for anyone who deploys Oracle software. Oracle knows this and, like several other software vendors, is now accelerating the pace at which it performs software audits. The more audits Oracle performs, the more revenue it produces.
Small Company Does Not Mean Small Audit Findings
LicenseFortress has a small manufacturer who has been a long-term customer of Oracle. Their annual support bill was less than USD 15,000 a year. Yet an audit of their Oracle usage would have resulted in a fine of about 1 million dollars. (Source: https://www.licensefortress.com/oracle-licensing-audit-whitepapers/2018/5/15/small-manufacturer-avoids-a-big-oracle-bill)
Oracle knows that, no matter the size of your Oracle software footprint, there is easy revenue to be had if it takes the time to audit your software compliance. This fact has resulted in several changes in the way Oracle handles software audits. The first change was to increase the pace of software audits. It is now common for Oracle to use third parties to perform Oracle software audits on its behalf. Currently, this practice is more common outside the United States than inside. We expect third-party audits to continue to increase in velocity, along with the breadth of organizations that are authorized to perform software audits for Oracle Corporation.
Beware New Oracle Terms and Conditions
Over the years, Oracle has used contract renewals as an opportunity to change the original contract terms and conditions. It can easily be argued that it is often not in the customer’s best interest to let the original contract terms change. For example, many customers who originally had the right to run Oracle for up to 10 days on another server anywhere in the world lost that right when they accepted new contract terms.
Well, Oracle is attempting to change the terms yet again.
To quote the Oracle General License Terms found on page 15, under section 8: (Source: https://www.oracle.com/a/ocom/docs/lic-online-toma-us-eng-v040119.pdf)
“Upon 45 days written notice, Oracle may audit your use of the programs to ensure your use of the programs is in compliance with the terms of the applicable order and the Master Agreement. Any such audit shall not unreasonably interfere with your normal business operations.
You agree to cooperate with Oracle’s audit and provide reasonable assistance and access to information reasonably requested by Oracle. Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on your servers and providing the resulting data to Oracle.”
This line in particular is a big change: “Such assistance shall include, but shall not be limited to, the running of Oracle data measurement tools on Your servers and providing the resulting data to Oracle.”
Important: You should not accept this change. This would require you to run the Oracle audit script.
Limit the Scope of the Oracle Audit
There are a lot of legitimate business reasons why you should not just let Oracle run their audit script on your systems. The Oracle audit script collects a lot of information about your organization that is not needed for Oracle to do a software compliance audit.
Important: Before you allow Oracle to run any audit script on your infrastructure, they should agree it can only collect information that is necessary to complete the software license audit. You should agree that the scope of the audit is limited to systems that deploy Oracle software. This will limit the scope of where the script needs to be run. Do not allow Oracle to gather unnecessary information under the veil of a license compliance audit.
Refuse to Accept New Terms and Conditions
When presented with these new terms, consider this example of an initial response: “Running third-party scripts on company servers is in direct violation of our internal security policy. We see no need to update the original terms and conditions we agreed to.”
Determine Where Oracle Will Send Your Audit Information
The next important point: where does Oracle send the information that is collected during a software audit? Recently I was told it goes to an Oracle team in Romania. Do you really want sensitive information about your infrastructure and company going outside your country?
While I agree that Oracle has a right to do an audit, this clause goes too far in Oracle’s favor. It’s important for your organization to control the audit process. Gartner research said it best, “Vendor-imposed and revenue-motivated audits are increasing for organizations of all sizes and industries.” This process is now revenue motivated. So, protect your organization accordingly.
Get Third-Party Help
Do not deal with an Oracle software compliance audit on your own. A smart organization works with a firm like LicenseFortress that has experience negotiating with Oracle. It’s imperative for an organization to proactively check that its Oracle license usage is in compliance before an Oracle audit happens.