
IBM Insight: IBM software license audit trends to prepare for in 2023

After an increase in IBM Software License Reviews, we highlight IBM audit trends we expect to continue in 2023.

Throughout 2022, ITAA continued to provide IBM software license audit defense services to IBM customers. After a temporary reduction in audits in 2020, IBM customers experienced a significant increase in Software License Review (audit) notification letters. Following up on last year’s article, our experts share the key insights gained from IBM software audit defense projects in 2022, including audit pitfalls we’ve experienced before and new ones to be aware of in 2023.

Full capacity licensing risk

For experienced IBM license management professionals, full capacity risk is likely to be a familiar subject. However, we still experience a high number of customers facing audit reports that are based on full capacity licensing, the undesirable result of which is significant compliance exposure.

While you may think that installing and deploying the IBM License Metric Tool (ILMT) is enough to meet the requirements for sub capacity licensing, IBM customers are often surprised to learn that these measures are not sufficient in themselves. ILMT data collection and reporting must be accurately configured, and BigFix agents must be deployed on all machines using processor-based IBM software licenses.

Although receiving a compliance report based on full capacity licensing can seem like a dire situation, it’s important to remember that even in these circumstances, IBM are usually willing to reach a settlement that is closer to the value of the sub capacity license position.

To achieve the optimal settlement, it’s crucial to identify and document all arguments and corrections that can be used to mitigate the reported shortfalls. This also includes those that are not related to sub capacity licensing. The more detailed and convincing that evidence is, the more favorable the settlement will be.

With this approach, ITAA have succeeded in protecting many of our customers, including those with compliance exposure exceeding $200m.

The IASP (IBM Authorized SAM Provider) program

Since its introduction in 2019, IBM has often pitched the IASP program as a way to avoid an imminent software audit, or alternatively, to reach a favorable settlement at the end of an audit.

ITAA has received an influx of enquiries about the advantages and drawbacks of the IASP program. While we recommend that every customer should weigh these factors based on their specific circumstances, we have found that the following are applicable to most IBM customers.

Benefits of the IASP program

Predictability

By reviewing the compliance position on a quarterly basis, there is less risk of a large, unexpected compliance exposure after the first baseline review.

Expertise

IASP partners have the required expertise in ILMT and sub capacity requirements that you may not have in-house.

Leniency

The IASP agreement includes some terms which allow “accidental” software installations to be removed without cost, within certain restrictions.

Confidentiality

Any information received by the IASP partner is treated with confidentiality and will not be shared with IBM. However, it’s worth noting that any compliance shortfalls must be reported to IBM as part of the IASP agreement.

Disadvantages of the IASP program

Cost

The IASP program is paid for by the IBM customer (as opposed to software audits, which are paid for by IBM).

Conflict of interest

Even though the IASP partner is paid by the customer, those same partners depend on IBM for a significant amount of business.

Control

By giving IASP partners and IBM continuous transparency into your IBM compliance position, you are also ceding some control over your commercial relationship with IBM. For example, if the customer decides to significantly reduce their IBM software footprint, this will quickly become clear to IBM and they may take corresponding action.

Long-term relationship

In the short term, IBM has stated that their goal with this program is customer satisfaction. However, IBM’s priorities might change over time to value revenue instead. The IASP partners are IBM business partners so they may be pressured by IBM to adopt certain new policies.

IBM software license audit risk from legacy OS

While the withdrawal of legacy operating systems as sub-capacity eligible technologies is not a recent development, customers are increasingly encountering compliance risks related to having IBM software with processor-based licenses installed on a legacy OS.

In 2021, ITAA provided software audit defense support to an IBM customer who was facing significant exposure due to a license compliance audit. The $16m exposure was the result of IBM software installation on Windows 2008 being calculated at full capacity, despite having those installations scanned by ILMT. ITAA were able to leverage specific circumstances and deployment details to succeed in eliminating the risk for the customer entirely.

To avoid a similar circumstance, we recommend that you continuously review ILMT reports for legacy OS, and proactively identify operating systems that may be withdrawn from support in the future.

For example, while Windows 2012 is currently eligible for sub capacity licensing, in 2022 Microsoft announced that the deadline for Extended Support was October 2023. Assuming there is a grace period of 6 months, IBM may choose to remove sub capacity eligibility for this OS in Q1 2024.

It’s possible to upgrade operating systems or migrate server applications in this time frame; however, these are lengthy and complicated processes in large organizations. By identifying these risks in advance, there is more time to implement mitigating measures.

Audit scope and data sources

The early stages of an audit may appear as formalities in preparation for actual audit procedures, but it is essential that both the audit scope and data sources are carefully considered to ensure the best outcome.

The aim is to prevent unreliable or inaccurate data, which can be subject to multiple interpretations, from being shared with the auditor. Instead, we recommend providing a minimal set of data that creates a complete and accurate overview of the compliance position.

In our experience, running auditor scripts on all machines (often the preferred approach of the auditor) may streamline initial data collection, but will often lead to a high number of false positive installations included in the results. Therefore, data source selection and vetting is a crucial part of audit preparation.

In 2021, ITAA was approached by an IBM customer to provide defense services at the very end of the audit process. The audit report presented license shortfalls worth $80m based on sub capacity licensing and $265m at full capacity licensing.

Based on our initial review of the draft report, we concluded that over 95% of these risk values were caused by unreliable software discovery data, reporting a number of installations that did not exist.

Through months of arduous technical discussion, we were able to help the customer eliminate these false findings, proving that diligent audit scoping and source mapping can help to minimize difficulty during the audit reporting phase.

Container Licensing

Container licensing is not a main focus of IBM license audits, but customers often ask us about containerization and the IBM rules surrounding it. There are many aspects to consider and here are the key takeaways:

Contractual arrangement

Since the introduction of the new Passport Advantage terms in February of 2023, it is no longer required to sign a separate addendum to be eligible for container licensing.

Tools

Similar to sub capacity licensing and ILMT, the use of the IBM License Service tool is mandatory to benefit from container licensing. Make sure to plan, implement and set up regular reporting through this tool prior to deploying IBM products using container licensing. Also, for hybrid environments where a product is installed on both container and non-container machines, it’s recommended to implement report aggregation from both environments, for example using the IBM License Service Reporter tool.

Developments

Be sure to keep track of developments, as this is a relatively new area and IBM is likely to change the terms and requirements of container licensing in the future.

Another useful factor to consider is Cloud Pak licenses. These are marketed for use in cloud and container environments but can also be used on premise and flexibly allocated to a range of products and license metrics, instead of a single product.

Allocating Cloud Pak licenses can be a complex task, but it can mitigate audit risks or help to optimize the audit settlement outcome.

New Passport Advantage terms

In February of 2023 IBM introduced new Passport Advantage licensing terms, the details of which can be found here:

We recommend all IBM customers carefully review these terms, which include new clauses such as the container licensing clause mentioned previously.

From a license compliance perspective, an important change to the terms is that IBM customers are now required to maintain a report of deployed programs, including supporting documentation, and provide this to IBM upon request on an annual basis.

Additionally, customers who wish to reduce S&S (maintenance) quantities on any IBM license are now required to provide IBM with software deployment documentation at least 30 days prior to the S&S expiry date. If this requirement isn’t met then the full S&S quantity must be renewed.

These new clauses give IBM additional options to require customers to provide software deployment information on a more frequent basis. Such information requests may not always be described as an “audit” or “software license review” by IBM. However, we recommend treating any such request as a formal audit, as the process and outcome are often very similar.

How ITAA can help if you’re facing an IBM software license audit

For many organizations, preparing for an IBM software audit is low on the list of priorities, but facing an audit that you aren’t prepared for is a risk to your legal rights and professional reputation.

At ITAA, we can provide in-depth audit guidance, helping you to prepare for and manage an audit, as well as minimizing the impact on your business.

If you relate to the situations outlined in this article and would like support in defense of an IBM software license audit, or if you have any questions about the IBM audit defense service ITAA provide, don’t hesitate to contact our IBM vertical lead, Koen Dingjan.
