Measuring customer license compliance

I have purchased, installed, managed and operated a lot of license-based commercial software in large organizations. Some of it works with license keys that unlock certain capabilities, like the VPN capability of Checkpoint Firewall-1. Some of it works on the honor system. For example, the basic Checkpoint FW-1 license comes in various sizes: protecting a small network is cheaper than protecting a large network. Using a 100-node license key does not mean the firewall stops working after you power up your 101st internal computer system, though. (I guess that would not be good for Checkpoint's business.) Instead, FW-1 writes warnings about it to the log files, telling you to upgrade your license.

Of course software vendors do not want organizations to abuse the honor system, either intentionally or unintentionally. Most organizations wouldn't want that either, but I am sure it happens for various reasons. One possible solution is to sell an unlimited/enterprise license that carries no implied limit on its use. FW-1 offers this, for example.

Oracle has found another solution. Their License Management Services department will simply come in and audit your license compliance. On their website they describe this as follows:

Oracle’s Global License Management Services is an organization that assists you in managing Oracle software license risk.

Its goal is to provide you with the most up-to-date knowledge, best practices and tools to manage and maximize your Oracle license investment.

That sounds very nice. However, in a job opening they described it as:

The License Management Services (LMS) Team has the responsibility to assure the compliance of our customers and partners regarding their utilization and distribution of ORACLE software products. This is delivered in various programs, solutions & tools by field consultants spread among various countries.
The License Management consultants in the field are assisted & supported by the LMS Service Centre. The Technical Analysis Team within the LMS Service Centre provides remote support for Oracle's customers throughout the process of installing and running LMS technical measurement tools and performs research / analysis of usage on technical data gathered from customers.

That has quite a different ring to it.

I wonder whether all organizations actually let Oracle do this. I mean, come in and run some tools on their production(!) environment to make sure they stay within the boundaries of their Oracle software license. Note that Oracle licenses its software in several different ways: per CPU, per amount of memory, per number of database users, per number of concurrent connections, and so on. That data cannot easily be gathered without running some fairly intrusive software on the customer's servers.

As a skeptical security professional, I can't help but wonder whether there is a legal basis for such measurements. If a large organization refused to run the measurement tools, what would happen? The Oracle Compliance Policy states:

If Oracle Corporation identifies a license violation, it will provide written notification of the violation to the non-compliant organization and generally will allow thirty days for obtaining the appropriate licenses or otherwise correcting the violation.

[snip]

Oracle endeavors to resolve license compliance violations in a fair and accurate manner. If a business resolution cannot be obtained, the resolution will be escalated to the appropriate authority through Oracle’s Legal Department. Remedies open to Oracle include, but are not limited to:

  • Charging full list price for additional software licenses required to correct the license violation
  • Charging technical support fees for the period of unlicensed use of the software
  • Suspension of technical support service and software updates, where applicable
  • Termination of the license agreement and associated licenses
  • Cancellation of OPN status and sublicense rights

Right, but how do they know you violated your license in the first place? Exactly: by running their measurement tools on your servers. In theory, an organization unwilling to run these tools could be subject to the above, up to and including termination of the license agreement and associated licenses. I doubt that Oracle would go that far, but obviously the LMS program is paying off if they are hiring more people to staff it.


2 Responses to “Measuring customer license compliance”

  1. Cailin Coilleach Says:

    Whoa, that’s pretty fscked up! :/

  2. Richard Says:

    It is even more interesting than I originally thought. According to http://www.dba-oracle.com/oracle_tips_license_compliance.htm there are certain tables such as DBA_HIST_* that require an additional license if you query them. To me it sounds like Oracle invented a very complex licensing system based on so many complex parameters that only Oracle can determine if you are compliant. While license compliance is important, the complexity of the licensing system can be an unneeded burden to organizations.
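An added example, not part of the original post or of either comment: the self-check a DBA can run before (or instead of) handing a production environment to an audit tool. Oracle's own record of which features have been used lives in the DBA_FEATURE_USAGE_STATISTICS view, and on 11g and later the CONTROL_MANAGEMENT_PACK_ACCESS parameter is the switch that turns the Diagnostic and Tuning Pack features (AWR snapshots and reports, ADDM, the tuning advisors, which is where the DBA_HIST_* data comes from) on or off. The feature-name LIKE patterns below are assumptions and may need adjusting for your release; the view reports usage, not entitlement, so compare its output against your actual contract.

```sql
-- Added example (not from the original post): self-auditing separately
-- licensed option/pack usage in an Oracle database. Run as a DBA.
-- The LIKE patterns are assumptions about the names Oracle records in
-- DBA_FEATURE_USAGE_STATISTICS and may differ between releases.

-- 1. Is use of the Diagnostic/Tuning packs enabled at all? (11g and later)
--    Expected values: NONE, DIAGNOSTIC or DIAGNOSTIC+TUNING.
SELECT name, value
FROM   v$parameter
WHERE  name = 'control_management_pack_access';

-- 2. Which separately licensed features have actually been used, and when?
--    A row with detected_usages > 0 is exactly what an audit would flag.
SELECT name,
       version,
       detected_usages,
       currently_used,
       TO_CHAR(first_usage_date, 'YYYY-MM-DD') AS first_used,
       TO_CHAR(last_usage_date,  'YYYY-MM-DD') AS last_used
FROM   dba_feature_usage_statistics
WHERE  detected_usages > 0
AND    (   name LIKE 'AWR%'                  -- Diagnostic Pack
        OR name LIKE 'ADDM%'                 -- Diagnostic Pack
        OR name LIKE 'SQL Tuning%'           -- Tuning Pack
        OR name LIKE 'Partitioning%'         -- Partitioning option
        OR name LIKE 'Advanced Compression%' -- Advanced Compression option
       )
ORDER BY last_usage_date DESC NULLS LAST;

-- 3. If the packs are not licensed, switch the pack features off so that an
--    ad-hoc AWR report or advisor run cannot create a new usage record.
--    (This is a system-wide change; test it outside production first.)
ALTER SYSTEM SET control_management_pack_access = 'NONE' SCOPE=BOTH;
```

Step 3 does not make the DBA_HIST_* views disappear or purge what is already in them; it stops the background collection and the reporting features that constitute pack usage. Whether a plain SELECT against those views by itself counts as use is a contract question, which is rather the point of the comment above.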
