
Tag Archives: Microsoft Audit

Don’t be Jimbo

Jimbo had a small IT firm for which he provided backup, security, and hosting for two clients.  He also purchased Office 365 licenses for a handful of users directly from the Microsoft Office 365 website and would bill them accordingly.  Jimbo also had an application he tried to develop to help end users better communicate with one another. It was similar to SharePoint, but more seamless and had better integration with third-party applications.  He had a SPLA, and had one person who submitted their usage report to their reseller.  Unfortunately, that person got sick and passed away.  Jimbo was sad and so was the rest of the staff.

To put his mind at ease, he spent every waking hour improving his application.  He thought it was going to be the next best thing.  I experienced the application firsthand myself, and found it to be a powerful tool.  I even asked to invest in it, but without any money, (Mrs. SPLA Man spent it all at Target), I had nothing to invest with.

Fast forward a year.  Jimbo is still working on improving the application, and he's still hosting.  One day, Jimbo received an email from Microsoft.  It was titled “Self-Audit”; Jimbo was getting audited.  One thing left unmentioned: Jimbo is the nicest guy on the planet. He replied to Microsoft and, in the end, provided them with everything: all his server information, customer names, and reporting history.  It was an auditor’s dream.

Several weeks later, Microsoft provided Jimbo with the findings.  He owed $450,000 in unreported licensing fees.  Why so high?  No usage was being reported since the lady who reported SPLA passed away.  When she was reporting, she reported the wrong thing.  Instead of licensing Windows Datacenter, she reported Standard.  Instead of reporting physical processors and/or cores, she reported per VM.  Everything was a mess.  Jimbo, who neglected his hosting practice for months to focus on his application, was left feeling very uncertain about his future.  He did not have the funds to pay for licenses.

It’s unfortunate, but Jimbo had to shut down his hosting business.  The application he built?  Stopped.  He tried to sell it, and last I heard very few were interested.

Why such a depressing story and was it true?  Yes, the story is true (although slightly embellished).  Why share it?  I am telling you the story because there are too many organizations doing the same thing.  They have one person who manages the licenses, one person who was in contact with the reseller, and one person who knew what they were reporting.  What happens if that person leaves?  Too many organizations are also buying Office 365, but not getting the best discount.

Licensing is challenging, and in the case of Jimbo, his love wasn’t reporting usage, it was developing an application.  He should have allocated resources to help manage his SPLA, so he could focus on what he knows best, the technology.

I am always asked why I created splalicensing.com and what's so different about SPLA Man than other blogs.  I think the main difference is honesty.  I am your licensing Siri or Alexa.  I am SPLAlexa. (that was bad).  Don’t be Jimbo.

Thanks for reading,

SPLA Man/SPLAlexa

 

 

 

 

 

 

 

 
Posted on July 24, 2017 in Compliance

Steps to take to limit SPLA audit exposure

It’s the fourth quarter at Microsoft, which means audits are in full swing.  One of the easiest ways to collect large upfront payments is through SPLA audits.  Knowing this, what steps can you take to limit your audit exposure?

  1. Inventory – Although you submit a SPLA usage report each month, licenses are missed inadvertently.  When collecting inventory of what you should and should not report, be sure to include customer-owned licenses.  If ANY customers are bringing licenses into your datacenter, they must have software assurance if it’s a shared environment.  Secondly, make sure to take a hard look at SQL.  To no one’s surprise, SQL is very expensive.  If you mislicense SQL, it can add up really quickly.
  2. Agreements – Which MBSA agreement did you sign?  Don’t know what a MBSA agreement is?  Please ask your reseller for a copy.  Every SPLA customer has a signed Master Agreement.  This is the umbrella that ties all your Microsoft agreements together including SPLA.  There’s specific language in the agreement that goes over audits and the timeframe in which they are able to audit historically. Look closely at your agreements with your customer.  Did you mention they are responsible for licenses they bring into your datacenter?  Did you send them a license verification form for license mobility?  Do you have language that states they are responsible for anything under their Microsoft agreement but you are only responsible for yours?  Do you make the end user license terms (part of your signed SPLA) available to all customers?  Don’t know what an end user license terms agreement is?  Ask your reseller.
  3. Check AD closely.  Do you have administrative accounts that you are reporting?  What about test accounts?  Read your Microsoft SPLA agreement around testing, developing, and administrative access.
  4. Label server names appropriately – Label if a server is “passive” and label a server if it’s “development”.  This can save you time with the auditors.
  5. Check server install dates – If a server was active June, 2013 but nothing was reported on that server until June, 2015, Microsoft is going to ask A) what that server is doing and B) why you haven’t reported it.  If it’s doing nothing, then shut it down before the audit.
  6. Check SAL licenses –  Are all users who potentially HAVE access being reported?
  7. Check Office licenses – Do all users need access to Office Pro Plus?  Can they get away with Standard?  Did your engineers inadvertently publish Visio to every user when it only needs to go to a handful of end users?
  8. Double check server versions – Did your engineers accidentally install SQL Enterprise when it should be Standard?
  9. Are you taking advantage of all the use rights available?  As a SPLA, are you aware you can provide demonstrations to your customers at no charge?  Are you aware of the admin rights?  Are you aware you can run 50% of what you are hosting externally – internally?  (must actually report it all under SPLA – they are not free).
  10. Virtualization rights – Are you reporting SQL Enterprise to run unlimited VM’s? Are you running Windows Datacenter?  Remember, you do not license the individual VMs for Windows Server.  (You count physical cores which allows 1 VM for Standard or unlimited for Datacenter).
  11. MSDN, VDI, and other restrictions – No, you cannot host VDI and MSDN in a shared environment.  If you are, dedicate the servers immediately.  If you are hosting from the same hardware you are running internally, this also must be separated.
  12. Hiring Experts – Are they really experts or do they just advertise as such?

Hope this helps.  Any questions email info@splalicensing.com

Thanks for reading,

SPLA Man

 

 
Posted on April 25, 2017 in Compliance

Epic Community Connect and SPLA

The healthcare community has increased concerns with the way they have deployed (and licensed) their electronic medical record (EMR) software such as Epic Community Connect and others.  As a reader of this blog, you know that when you deploy software for the benefit of a third party (non employee) SPLA must be part of the conversation.  The only exception to this rule is if you actually own the code to the software you are hosting.  In other words, if you developed the software, you can use your own volume licenses to host your software.  If you host a third party software (such as Epic) you must license this in SPLA.   In most cases, many healthcare companies do not own the application, but lease it from the EMR vendor.

Rewind a few years and let’s pretend you are a large hospital who partnered with Epic to provide best in class patient record management for your clients, doctors, and other clinics. Your Epic deployment resides on a Windows Server, SQL Server, and RDS.  As the IT director, you purchased several server licenses and hundreds of Client Access Licenses (CAL) to cover all the external users.  You think you are covered; no one mentions you need to license this via SPLA.  Your reseller didn’t tell you, Microsoft didn’t tell you, and for that matter the vendor didn’t tell you.  You think all is well based off the information you received.  Fast forward 3 years and your volume licensing agreement is up for renewal.  Someone on the licensing side informs you that you shouldn’t true-up licenses or renew your agreement under volume licensing; you need to license SPLA.  You think that’s fine; if you must license under a different program, who are you to argue? But what about all those licenses you already purchased and own?  Unfortunately, you cannot return them; you must allocate those internally.  You think to yourself that’s fine, except for one minor detail…. you purchased hundreds of CALs and you do not have hundreds of employees; those licenses you own are essentially worthless.  On top of everything else, you just received an audit notification.

Why would they receive an audit notification?  Once a vendor recognizes you have been under-licensed, the vendor might want to dig in deeper to see how long you have been out of compliance and if you purchased enough licenses to cover all the users.  In 90% of all audits, the customer is under-licensed.  Now you own licenses you don’t need, but should’ve purchased more because you don’t own enough licenses to cover all external users initially.  The vendor will want you to pay the delta of what you should’ve paid under SPLA and what you purchased under volume licensing (plus an audit fee).

If you are a healthcare provider and have been notified by Microsoft or any other vendor, please contact us.  We have found that in many cases the license report is not always 100% accurate.

Thanks for reading,

SPLA Man

 
Posted on October 12, 2016 in Compliance, EMR Software, Self Hosted

IaaS Gotchas…

In this post I will highlight new (and not so new) compliance gotchas as they pertain to providing infrastructure as a service.

Let’s start with a common example and go from there.  You provide the infrastructure such as Windows/SQL, your customer provides the applications.  Sound familiar?  You license Windows Datacenter, SQL Enterprise in a shared (aka public cloud) environment under SPLA. You have no idea, nor do you really care, what applications your customers are installing, right?  You just provide the support of the infrastructure.  That’s not your concern.  It’s their application, why should you care?  Ahhh…but maybe you should.

Have you ever wondered how they’re accessing the applications?  Are all applications web-based?  I will answer that question for you…no.  So how are they accessing the applications?  Do they use Citrix?  Do they remote into the application somehow?  There’s that word…remote.

If you enable the Remote Desktop Services role within Windows Server – you guessed it…you need to report RDS licenses.  The number of IaaS providers who just report Windows and SQL is astronomical. The number of IaaS providers now reporting RDS is also rapidly growing.  Did they wake up one day and decide they should start reporting RDS?  Unfortunately no.  They were audited.  Shoot me over an email and I will forward the guide that explains RDS and when it applies. Remember when you license RDS, you need to license each user that HAS access to RDS – not who does access.

Let me provide an example of how easily you could be underreporting RDS.   Let’s say your customer has an application from another vendor (outside Microsoft) that’s hosted in your datacenter.  That same vendor provides support to the application.  You are not hosting the application for the vendor but for your customer, you just provide the vendor access to support the application via remote connection.  SPLA allows 20 users to provide support and administration per datacenter.  If you exceed that limit, you are going to have to report those additional users.  Yes, even if you are not charging them.

Other IaaS Gotchas –

While we’re on the topic of customer owned applications, do you have it written in your agreement with the customer that you are not responsible for the applications they install?  What would happen if they install applications that you are not aware of and they don’t have the appropriate licenses…who’s responsible you or the end customer?  Kind of a trick question, it’s both.  You will get audited, it’s installed in your datacenter, you are ultimately responsible.  You need to ensure you have it written in your agreement that you’re not responsible so you can have a nice chat with your customer.  All the big boys do it…you should too.

What about SQL?  Are you virtualizing?  Why aren’t you reporting SQL Enterprise?  Are you utilizing all the use rights that come with SQL Enterprise – unlimited virtualization, DR, mobility within server farms, etc?  What about smaller environments?  Have you considered licensing by user instead of by core for SQL Standard edition?

SQL Web is tempting isn’t it?  Less expensive option but no one really understands what it is.   Here’s a quick synopsis – if you do not host public facing websites, SQL Web is not an option.

How are you managing your datacenter? Do you have System Center installed?  You should report the Core Infrastructure Suite.  Running Hyper V with few VM’s, license CPS. Both products include Windows.  You need Windows to run System Center, so you kill two birds with one stone so to speak.

Ask your customers if they have Software Assurance.  It’s no longer about latest version rights and annual payments.  It’s about moving to the cloud.  Let’s make sure it’s your cloud and not someone else’s.

Conclusion –

I’ve been around this game of SPLA for a long time.  The best advice I can give is to listen to your customers and don’t be afraid to change.  Cloud is evolving, you should evolve too.  Don’t report out of convenience, look into ways you can optimize what you are reporting.  It’s competitive out there, let’s make sure you are getting the most value out of your agreement.

Thanks for reading,

SPLA Man

 

 

 
Posted on January 31, 2015 in IaaS