
Tag Archives: compliance

Microsoft Online Services Terms – What you need to pay attention to before signing your Azure agreement

Article update (April 2018): We created a new website called MSCloudlicensing to help SPLA and CSP partners understand the different program options and use rights available to them. The new website is www.mscloudlicensing.com. It’s designed to be a collaborative platform that includes a forum to ask and answer licensing questions, a document library, and licensing articles. Check it out, it’s free.

There are a lot of benefits to moving to Azure; I’ll let your Microsoft account team review them with you. On this website, we are not that concerned about the benefits; all we care about is the licensing. In this article, we will review the Microsoft Online Services Terms.

What are the Microsoft Online Services Terms? For starters, the document used to be called Microsoft Online Services Use Rights, or MOLSUR for short (or long). It is now called OST, pronounced OAST when speaking to Microsoft. Basically, the OST defines how you may consume online services through Microsoft. You can download a copy here. Although your legal team should review the document in its entirety, below are some of the highlights I think you will find relevant and are often overlooked.

License Reassignment 

“Most, but not all, SLs may be reassigned. Except as permitted in this paragraph or in the Online Service-specific Terms, Customer may not reassign an SL on a short-term basis (i.e., within 90 days of the last assignment). Customer may reassign an SL on a short-term basis to cover a user’s absence or the unavailability of a device that is out of service. Reassignment of an SL for any other purpose must be permanent. When Customer reassigns an SL from one device or user to another, Customer must block access and remove any related software from the former device or from the former user’s device.” (April, 2017 OST)

What does this mean?

Most Microsoft products cannot be reassigned on a short-term basis, that’s why Microsoft has the use right called license mobility.  In short, pay attention to which users are assigned a license and if/when they no longer need the service.

Hosting Exception

“Customer may create and maintain a Customer Solution and, despite anything to the contrary in Customer’s volume licensing agreement, combine Microsoft Azure Services with Customer Data owned or licensed by Customer or a third party, to create a Customer Solution using the Microsoft Azure Service and the Customer Data together. Customer may permit third parties to access and use the Microsoft Azure Services in connection with the use of that Customer Solution. Customer is responsible for that use and for ensuring that these terms and the terms and conditions of Customer’s volume licensing agreement are met by that use.” (April, 2017)

What does this mean?

It allows you (a service provider) the right to use Azure as a datacenter provider.  The last sentence is very important in the above definition “Customer is responsible for that use and for ensuring that these terms and the terms and conditions of Customer’s volume licensing agreement are met by that use.”  In the above definition,  “customer” is you.  If you use Azure as a datacenter provider, purchase Azure via your own volume licensing agreement, and use SPLA for user based products (e.g. RDS) you must follow the OST, Product Terms, and the SPUR!

Azure Services Limitations

Customer may not “Allow multiple users to directly or indirectly access any Microsoft Azure Service feature that is made available on a per user basis (e.g., Active Directory Premium). Specific reassignment terms applicable to a Microsoft Azure Service feature may be provided in supplemental documentation for that feature.” (April, 2017 OST)

What does this mean?

Sounds similar to a SAL license right? “Directly or Indirectly access any Microsoft Azure Service.”  Although if you are using Azure as your datacenter provider, the likelihood of you consuming user based licensing through Azure is not very high.

Security

I encourage you to read the security measures and policies set forth by Microsoft for their online services. You can read them here. I included a breakdown of the different compliance and security certifications below:

Microsoft Online Information Security Policy (as of April, 2017)

| Online Service | ISO 27001 | ISO 27002 Code of Practice | ISO 27018 Code of Practice | SSAE 16 SOC 1 Type II | SSAE 16 SOC 2 Type II |
|---|---|---|---|---|---|
| Office 365 Services | Yes | Yes | Yes | Yes | Yes |
| Microsoft Dynamics 365 Core Services | Yes | Yes | Yes | Yes* | Yes* |
| Microsoft Azure Core Services | Yes | Yes | Yes | Varies** | Varies** |
| Microsoft Cloud App Security | Yes | Yes | Yes | No | No |
| Microsoft Intune Online Services | Yes | Yes | Yes | Yes | Yes |
| Microsoft Power BI Services | Yes | Yes | Yes | No | No |

 

Last and certainly not least, I get asked A LOT about language that you should include as a service provider.  I would encourage you to create your own online services terms for your hosted offerings.  Too many providers do not have basic language around compliance, licensing, and overall use rights.  At a minimum, you should include a copy of the End User License Terms for SPLA.  If you do not have a copy, please contact your reseller.  If you forget to include licensing terms and conditions, you could be on the hook during an audit.  Don’t be on the hook.

Thanks for reading,

SPLA Man


Posted on April 24, 2017 in Uncategorized

 


IaaS Gotchas…

In this post I will highlight new (and not so new) compliance gotchas as they pertain to providing infrastructure as a service.

Let’s start with a common example and go from there. You provide the infrastructure such as Windows/SQL, your customer provides the applications. Sound familiar? You license Windows Datacenter and SQL Enterprise in a shared (aka public cloud) environment under SPLA. You have no idea, or don’t really care, what applications your customers are installing, right? You just provide the support of the infrastructure. That’s not your concern. It’s their application, why should you care? Ahhh…but maybe you should.

Have you ever wondered how they’re accessing the applications?  Are all applications web-based?  I will answer that question for you…no.  So how are they accessing the applications?  Do they use Citrix?  Do they remote into the application somehow?  There’s that word…remote.

If you enable the Remote Desktop Services role within Windows Server – you guessed it…you need to report RDS licenses.  The number of IaaS providers who just report Windows and SQL is astronomical. The number of IaaS providers now reporting RDS is also rapidly growing.  Did they wake up one day and decide they should start reporting RDS?  Unfortunately no.  They were audited.  Shoot me over an email and I will forward the guide that explains RDS and when it applies. Remember when you license RDS, you need to license each user that HAS access to RDS – not who does access.

Let me provide an example of how easily you could be underreporting RDS.   Let’s say your customer has an application from another vendor (outside Microsoft) that’s hosted in your datacenter.  That same vendor provides support to the application.  You are not hosting the application for the vendor but for your customer, you just provide the vendor access to support the application via remote connection.  SPLA allows 20 users to provide support and administration per datacenter.  If you exceed that limit, you are going to have to report those additional users.  Yes, even if you are not charging them.

Other IaaS Gotchas –

While we’re on the topic of customer owned applications, do you have it written in your agreement with the customer that you are not responsible for the applications they install?  What would happen if they install applications that you are not aware of and they don’t have the appropriate licenses…who’s responsible you or the end customer?  Kind of a trick question, it’s both.  You will get audited, it’s installed in your datacenter, you are ultimately responsible.  You need to ensure you have it written in your agreement that you’re not responsible so you can have a nice chat with your customer.  All the big boys do it…you should too.

What about SQL?  Are you virtualizing?  Why aren’t you reporting SQL Enterprise?  Are you utilizing all the use rights that come with SQL Enterprise – unlimited virtualization, DR, mobility within server farms, etc?  What about smaller environments?  Have you considered licensing by user instead of by core for SQL Standard edition?

SQL Web is tempting isn’t it?  Less expensive option but no one really understands what it is.   Here’s a quick synopsis – if you do not host public facing websites, SQL Web is not an option.

How are you managing your datacenter? Do you have System Center installed?  You should report the Core Infrastructure Suite.  Running Hyper V with few VM’s, license CPS. Both products include Windows.  You need Windows to run System Center, so you kill two birds with one stone so to speak.

Ask your customers if they have Software Assurance.  It’s no longer about latest version rights and annual payments.  It’s about moving to the cloud.  Let’s make sure it’s your cloud and not someone else’s.

Conclusion –

I’ve been around this game of SPLA for a long time.  The best advice I can give is to listen to your customers and don’t be afraid to change.  Cloud is evolving, you should evolve too.  Don’t report out of convenience, look into ways you can optimize what you are reporting.  It’s competitive out there, let’s make sure you are getting the most value out of your agreement.

Thanks for reading,

SPLA Man

 

 

 

Posted on January 31, 2015 in IaaS

 


SPLA Audit start to finish

Your business is doing great, your sellers and customers are happy, you are making money instead of spending money, when out of the blue….BAM…you receive an audit letter.  Sound familiar?

So what do you do?  Your first reaction is panic.  Your second reaction is to call a lawyer.  Your third reaction is to blame your reseller.  I think that about sums it up.  If you disagree, I’m not 100% sure you are being truthful with yourself.  If you do agree, I also think you are making a HUGE mistake.  Sounds a little odd doesn’t it?

The first thing you need to understand is it’s not your fault. It’s not as if you are purposely trying to be out of compliance. Microsoft knows this as well. SPLA is a difficult program and very hard to understand. As I pointed out in the “About” section of this blog, there is little information written about the SPLA program, leaving service providers vulnerable. The SPUR? Forget about it. That’s why I created this blog in the first place.

I think that is why SPLA customers call a lawyer to help guide them.  This may help you sleep at night, but is it REALLY helping?  I will let you determine that after the dust settles.

What does happen during an audit? I don’t care if this is the first step or fourth step but at some point you will have to collect data.  Data that PROVES the reason you reported the way you did.  One of the biggest mistakes a SPLA provider can make is not reporting indirect access.  Again, not your fault.  Who has any idea of what “indirect” really means?  Think of indirect as Microsoft software that is used to run your other applications that you market to your customers.  You have an application that you developed that reports back to SQL using Excel.  Users have no idea they are using SQL, all they know is the application they use.  But since SQL is part of your hosted solution…it must be reported.  Make sense?  That’s also why Windows will always need to be reported.  Try running Exchange without a Windows OS.  Not going to happen.

Data can also mean the licenses that your customers own that they bring over to your environment.  How do you know who owns what?  Are there enough CAL’s?  One of the arguments service providers make is they can go after their customers if being audited.  There’s an easy conversation right?  Remember, you want to keep customers not lose them.

Some service providers have learned that their end customers install software on VM’s without informing them.  How do you know what is actually being installed?  So take a look at your datacenter; are your customers installing software you don’t know about?  Collecting this information after the fact is a difficult process.  This leaves auditors with no choice but to make a best guess.  Best guesses can cost you significantly.

So after all this data is analyzed by the audit team, it is then delivered to Microsoft.  That’s when you present your case.  They will take things into consideration, but understand that if you are missing information, it makes your argument that much more difficult.  Don’t blame your reseller, that doesn’t work.  Don’t rely on a lawyer, that doesn’t always work either.  Educate yourself.  That’s the best advice I can provide.  Just by taking the time to read this I think you are on the right path.

Happy to walk you through the process in greater detail.  I am one of the few that actually gets it. My email is at the top righthand side of this page.

Thanks,

SPLA Man

 

 

Posted on September 18, 2014 in Compliance

 


Predicting the future…

Not an easy task. When my kindergarten teacher asked “what do you want to be when you grow up?” I can promise you SPLA was not part of my vision. (I should’ve worked harder to be a firefighter.)

This post is 100% opinion based and I would love the opportunity to hear/read yours. So here’s my take on SPLA and what’s next for the hosting industry.

Who will win the Amazon/Azure War? 

Contrary to popular opinion, I think Microsoft has already won this battle. The reason might surprise you too as it has nothing to do with the service offerings or pricing; it has everything to do with who controls the licensing. I think we can all agree that Microsoft can make up their own rules to their own software. What happens if Amazon spins up a Windows VM in their datacenter? Amazon has to report it via SPLA. Who ultimately gets the SPLA revenue? Microsoft. What happens if Microsoft decides to offer fully hosted Windows 8 desktops using Azure or Office 365 but NOT authorize it for other service providers? Yikes!!! What happens if Microsoft authorizes MSDN mobility rights but does not offer them for other service providers? Oops…already happened. What happens if they allow Office to be installed on 5 devices? Oh man.

Will SPLA be replaced?

No. Too much revenue is being generated for SPLA to just disappear. SPLA produces recurring revenue for both Microsoft and the partner community. Secondly, using SPLA does not mean that volume licensing is going away; Microsoft gets the best of both worlds. I do foresee volume licensing changing more rapidly than it already has. I think that’s a good thing too.

Will VDI be allowed under SPLA in the foreseeable future?

No way.  This will never happen in my opinion. Let’s throw in the towel on this one.

Will the cloud industry expand or contract over the next decade?

Expand. I think organizations will not only have hybrid/cloud environments but multi-cloud environments. As an example, I have multiple software vendors (such as Adobe for PDFs, Symantec for Security, Microsoft for Office, etc.). I believe organizations will use several vendors in “cloud”, paving the way for those service providers that have specialization and unique offerings to gain market share. Yeah, they might not be the next Amazon, but they will be critical to the next phase of cloud. Specialization = Profitability.

Are all service providers going to be audited?

Yes.

Do I need to have a SAM practice?

Not if you don’t believe me in the previous question. Just don’t cry and say I didn’t warn you!

What will be the biggest driver to the cloud?

On premise compliance audits.  Once they get audited, they would rather have someone else worry about it; that someone else is you.

Will License Mobility be allowed for Windows?

No.  I don’t think there is a reason why it would.  Windows is cheap.  For those that have hosted for a while, remember the Windows Outsourcer/Non Outsourcer SKU’s?  Datacenter was over $200 a processor.  Standard was over $75 (US).

Will Microsoft raise rates?

Yes.

Will my hosting business succeed since I can’t compete against larger providers?

Yes.  You  need to change the way you promote your offering.  Think about this (and be honest with yourself) – what separates you from your competition?  If you were a customer looking for a hosted solution…why would “they”… choose “you”?  How can YOU… help ME (customer).  Is it to keep compliance?  Is it costs? Do your employees bring you new ideas or are they collecting pay checks?  Do you worry about being the lowest price or quality/uniqueness of your service?   Is it because you have an “in” and listen to SPLA Man?  If it’s the latter, you will win for sure.

Who’s the biggest threat to cloud providers present/future?

Governments

Will VDI be allowed under SPLA?

NOOOOO!!!!!  You asked this twice!  Come on! 🙂

Who will win the World Series in baseball?

Why…the St. Louis Cardinals of course!

Who will NOT win the Super Bowl this year?

St. Louis Rams – Ugh.

Thanks for reading,

SPLA Man

 

 

 

 

 

 

 

 

Posted on September 8, 2014 in In My Opinion

 


Hybrid, Dedicated, and Shared Scenarios…

There are three deployment options for service providers – Hybrid (mix of on premise and cloud), Dedicated, and Shared. In this article, we will break each one down to explain how they work and the options available.

Dedicated Scenario – (3 options available)

Option 1
Your customer decides to bring their own software (such as Exchange) and infrastructure (Windows) via their own volume licensing agreement. They do not have software assurance on the software. Can they do this?

Yes. Why? Everything is dedicated. Server, virtual machine all dedicated to one single organization. Software Assurance is NOT required.

Option 2
Your customer decides to bring the software but the hoster will provide the infrastructure in a dedicated environment. Again, customer does not need Software Assurance if it’s a dedicated environment. In this scenario, the hoster (you) will provide the Windows license via SPLA and not report the other applications the customer brings over since it is already covered via their own volume licensing agreement. This is applicable, it’s dedicated (VM and physical servers)

Option 3
Your customer is a healthcare company that needs a dedicated environment due to regulatory compliance. They do not own any software; they would need the hoster to supply the software licenses. Can they (the hoster) do this? Yes, the hoster would report everything under SPLA. The hoster (you) CANNOT use your own volume licensing agreement to provide the solution but you can certainly provide SPLA. Please be aware that if you own a volume licensing agreement, you cannot use the same hardware your volume licensing agreement resides on for your hosted solution.

Also keep in mind that SPLA is non perpetual, when the customer leaves, they can no longer use the software they were accessing.

Summary of Dedicated –
Dedicated is applicable for both SPLA and end customer owned volume licensing. Dedicated also means dedicated hardware and dedicated VM’s. In dedicated environments, the end customer DOES NOT need software assurance. From a compliance perspective, it is defined as the following:

“Any hardware running an instance of Microsoft software (OS or application) must be dedicated to a single customer. For example, a SAN device that is not running any Microsoft software may be shared by more than one customer; since, a server or SAN device that runs Microsoft software may only be used by one customer.” (source: Microsoft VDA FAQ)

Hybrid Scenarios – 3 options available

Option 1
You decide to offer your customer a shared infrastructure but they want the same applications to run on premise. A good option would be to have the customer purchase the server applications (think Exchange, SharePoint, Lync) with software assurance (SA) and run them on premise. You (the service provider) would run the same applications in your shared environment BUT report the SAL for SA SKU. This is a much cheaper option than standard SPLA prices. I wrote about this here. This also works well for Disaster Recovery options.

Option 2 (not really a hybrid but just go with it)
You can use license mobility. Microsoft likes to define this as a “hybrid option” but to me, hybrid insinuates the ability to run on premise and in your cloud. License mobility is an SA benefit for certain applications (SQL, CRM, SharePoint, Exchange, Lync) that allows customers to leverage their investment in SA and transfer those licenses into a hoster’s shared infrastructure. The reason why I don’t think this is truly a hybrid is the customer is TRANSFERRING licenses into your datacenter. This means that if a customer wants to move back to their own datacenter, they have to wait 90 days (transfer license rule). With SAL for SA, nothing is being transferred. Windows does not have mobility rights; this will need to be reported under your own SPLA. I wrote about license mobility many times – here’s an article for your review – here. You can also check out the Microsoft site for more of a definitive definition: http://www.microsoft.com/licensing/software-assurance/license-mobility.aspx

Option 3
Good Ole’ SPLA. Customer can run their own servers on premise, you just report SPLA licensing in your shared environment. The new SPLA agreement even allows you to run SPLA software on customer owned hardware as long as you still manage it.

Shared Scenarios – 2 options

Option 1
License Mobility – see above

Option 2
SPLA. We all know what that is.

Summary

I hope this brings a bit more clarity. Sorry if some things are redundant but at the same time, some things are simply worth repeating. Here’s the takeaway – customers can always bring licenses into your datacenter. There is no law of the land that prohibits this. What is prohibited is the way you deploy the technology. There is only one option to install customer owned licenses in a shared environment and that is license mobility. Again, (here I go being repetitive) if Microsoft allowed customer owned licenses to be installed in shared environments then why would they create license mobility?

If you still have trouble comprehending all this, shoot me an email located at the top right of this page. One general rule of thumb – if it’s shared – 90% of the time SPLA is required.

Thanks for reading

SPLA Man

 

Posted on August 27, 2014 in Compliance, License Mobility

 


Self Hosted Rights and Office

The other day I was on a call with a customer who developed a financial application that takes a customer’s information and then reports it back from Excel. The goal would be to have it deployed via a web browser, possibly using SharePoint. Immediately I thought of Office Web App. Browser based, users could not only read it but edit it as well; sounds like a perfect fit. What about the licensing? Since this is their own Intellectual Property (IP) I thought of the self hosted rights for volume licensing. SPLA might be too expensive since users could not be tracked. This is where we got stuck.

Self hosted is a software assurance benefit. It allows volume licensing customers to host their application that runs on Microsoft technology to third parties. I included the terms and conditions directly from the Product Use Rights (PUR) at the bottom of this post (in case you are really bored) but in my opinion this will allow developers to continue to build their applications and utilize volume licensing that offers the greater discount.

As a SAM manager, I was engaged by the customer to review both past and current licensing.  Since this was a new offering, nothing was licensed or even deployed yet.   Whew…Rule #1 – before building a datacenter make sure the solution fits the licensing. Secondly, this is being provided as a service, not simply allowing external users to access.

What did we advise? In order for a solution to qualify as “self-hosted” all applications must be self hosted eligible. Unfortunately, Office does not qualify. Ugh. There goes that option. Now we must look at SPLA for everything (one unified solution as defined in the PUR). The problem with SPLA is you must license Office STD or PRO to enable Office Web Apps. To add more complexity, Office in a server environment is licensed by user (SPLA). Since user count is expected to be very high, this does not seem to be an economical solution. What I proposed was to get rid of Office. That’s right, I recommended they remove it from the solution and use Open Office. The solution worked and met the compliance guidelines set forth by Microsoft.

In conclusion, I hated my recommendation but went with it in order to be compliant. Microsoft Office is a superior product to “Open Office”. If only Microsoft would allow Office to be self hosted eligible, I think it would benefit the service provider, Microsoft, and more importantly the end customer.

Bottom line- make sure if you have your OWN application (not license someone else’s) and you decide to use volume licensing to host, make sure all software is eligible or risk BIG compliance risk.

Thanks for reading.

SPLA Man

From the PUR
You must have the required Microsoft licenses and maintain Software Assurance coverage for:
• the Self-Hosted Applications run as part of the Unified Solution; and
• all access licenses used to make the Unified Solution available to external users (See Universal License Terms, Definitions).
All Microsoft software used to create and deliver the Unified Solution must:
• be licensed through a Volume Licensing program that is subject to these license terms (e.g., Enterprise Agreement, Select Plus Agreement, Open License Agreement) and not any other (e.g., Services Provider License Agreement, Independent Software Vendor Royalty License and Distribution Agreement); and
• be marked as ‘Yes’ for ‘Self Hosting of Applications Allowed’ in these license terms
Your software must:
• add significant and primary functionality to the Self-Hosted Applications that are part of the Unified Solution (dashboards, HTML editors, utilities, and similar technologies are not a primary service and/or application of a Unified Solution);
• be the principal service and/or application, and sole point of access, to the Unified Solution;
• be delivered over the Internet or a private network from your datacenter to end users. The Self-Hosted Applications component may not be loaded onto the end user’s device; and
• be owned, not licensed, by you, except that your software may include non-substantive third party software that is embedded in, and operates in support of, your software.

 

Posted on February 4, 2014 in Compliance, Self Hosted

 


How SAL Licenses Really Work

SAL (subscriber access licenses) can be complex and are without question the number one underreported licenses under SPLA. The confusion stems from misinterpretation of the SPUR and/or bad advice.

When you report by user, you have to take into account each user that HAS access to the software, not who does. Microsoft is not based on concurrent licensing. I wrote about this prior, but thought it was worth repeating. If you have 5 users that use the software, but 15 users can access at any given time, you must report all 15. Seems ridiculous, but is 100% true. Consider licensing by processor if user licenses become too difficult to track.

Read this section of the SPUR (use rights): “You must acquire and assign a SAL to each user that is authorized to access your instances of the server software directly or indirectly, regardless of actual access of the server software.” It’s the last part of that sentence that can get you in trouble: “regardless of actual access of the server software”. For a copy of the SPUR check out http://spur.microsoft.com/products.aspx

Thanks,

SPLA Man

 

Posted on September 21, 2013 in Compliance

 


 