Thursday, October 29, 2009

Impact of Virtualization & Cloud on License Compliance

The proverbial virtualization train has left the station - yet many software vendors & customers alike are still scrambling to understand the impact on their current technology, licensing models, and processes. Like many major paradigm shifts - customers are moving forward and carving out what they believe to be the right pathway based on limited information and their interpretation of where this market is headed, judging by decisions from major technology vendors such as Microsoft, Oracle, and SAP.

Unfortunately for most customers, there are no true best practices across software vendors for supporting virtualization. As consumers you need to be aware of what the pitfalls are, precautions you can take to avoid them, and ways you can leverage your existing tools and processes to reduce not only the costs but also the impact of virtualization on your organization.

Considerations to Address
  1. What Is Delivered - There are many different types of virtualization that can be leveraged, such as Server, Desktop, or Application. What you are delivering will impact how you count and license the product. Is it an open source application, a custom homegrown application, a regulated and restricted-access application, or an expensive off-the-shelf application such as Adobe Photoshop? Whether the application is a desktop application, a server application, or a combination of the two - Web 2.0 - makes a difference to cost structures and tracking.

  2. How It Is Delivered - For example - is it a server application running inside a virtual machine, a virtual application launched off a USB stick or file media share, a combination of virtual applications with a virtual desktop from a datacenter, or a virtual application delivered from the Cloud or a Managed Service Provider? All can have license impacts depending on the software vendor's support policies. Different software vendors have different rules depending on delivery: Concurrent desktops in the Datacenter (VDI/HVD), Virtual Applications from a Client Device, or Streaming from the Cloud all typically have different caveats. For example, Microsoft requires an additional Services Provider License Agreement to distribute their applications from a cloud environment to customers. There are many unanswered questions that have come up regarding traditional delivery of virtual applications - if I stage it, does that count as a license? Do virtual applications (not installed) count against a EULA that claims it has to be installed? One rule of thumb - if you use it, you should expect to pay for it - Software Usage becomes even more critical in the virtual world.

  3. How to Discover & Audit - Virtualization can have a significant impact on existing tools and processes for Audit & Control of applications.

    Application
    - If you are using application virtualization - does the provider provide transparency into the virtual bubble? Does the virtual application have digital rights management to prevent copying from one client to the next? How do you detect a virtual application that isn't registered? What hooks are available to ensure there are no invisibility cloaks hiding applications that can call back to ISVs but are undetected by the company?

    Desktop
    - When you check out the type 1 hypervisor - will your traditional tools be able to know that the license on the user endpoint is the same one under the agreement with the hosted virtual desktop? If you vary your update schedule for discovery - how do you audit the virtual desktop? What happens if the user never logs in during the appropriate window? What is the impact on the audit trail for tracking who touched what pieces? How will the discovery tool input and discern between licenses on the different virtual machines? Particularly - the personal VM and the company-approved VM?

    Server
    - When you dynamically move one virtual machine to another host - will the discovery tool know not to double count the application? Will the software vendor support the flavor of server virtualization being used? What level of support will be provided? How is it licensed compared to traditional licensing when server farms may have a cluster of more powerful boxes with multiple CPUs to support capacity on demand in the cloud (private or off premise)?

  4. What Is the Impact on Performance - Oracle and many other major vendors provide prescriptive guidance on running certain applications in a virtual environment due to performance. There is no one perfect rule of thumb on virtualization and performance, but there are some things to consider. Regardless of the type of virtualization - they all run on hardware of some type and are all affected by the traditional layers in the stack, from network to I/O, CPU, SAN/NAS, etc. Adding more layers to the stack will eliminate some problems, but those layers are still bound by the underlying hardware. When selecting the right type of virtualization - it is critical to understand what that is, where it will be run from, and the impact on capacity requirements for individual users. There are tools out there from BMC - Capacity Management Essentials - and Novell - the Platespin acquisition - that can assist here.

  5. What Is the Impact on Security - If using the Type 1 hypervisor approach - who is responsible for patching the personal VM and ensuring there are no Distributed Denial of Service Attacks on the company network? What are the implications of regulations on this approach - Cyber Security Act, Personal Information Acts? For application virtualization - what measures are put in place to prevent viruses from executing from the virtual registry on systems that the users have Administrative rights to, like their home PC or employee-owned machines, or where such rights are required to support legacy applications that cannot be virtualized? Is the right transparency there for virtual applications to detect if there is a virus in the virtual registry? Do they employ anti-injection techniques to prevent malware from impacting the virtual environment?

Like any paradigm shift - the benefits of virtualization and cloud computing far outweigh the risks and effort required to bring nascent markets and technology to the mainstream, but it will take time. The most important thing for customers and vendors both is to be informed and understand what the implications are and where adjustments need to be made, and to make decisions based on assessed impact. Typically I always advise customers to crawl, walk and then run when it comes to adopting new paradigms (this is not just new technology) that will impact the overall ecosystem in place around people, processes, and technology. An ounce of prevention is truly worth 100 pounds of cure when you consider how dependent we have all become on technology.
