Oracle Database – top 10 compliance issues seen
Forty years after its first release, Oracle Database is still one of the most popular database systems for the world’s largest companies. Almost every organization, however, struggles with the complex contracts and constantly changing conditions, with all the financial risks involved.
In this article, I sum up the ten most common compliance issues seen with Oracle Database.
Oracle’s policy is that its Database software must always be directly available to use – 24 hours a day, seven days a week. Everyone can download the software and use it without any technical restrictions. This in fact happens in many organizations. In terms of speed and user-friendliness, the benefits are evident, but many end users do not realize their organization is responsible for meeting the conditions set by Oracle. For the IT department, it is difficult to keep an overview and ensure agreement and practice are in line.
As a compliance issue can result in major financial consequences, managing and understanding contracts is absolutely necessary. The two well known contractual documents many organizations deal with are the ordering document, which includes the number of licenses purchased and the license metric, and the license agreement, that provides the conditions under which the software may be used. In addition, there are program documentations, support renewals, technical support policies, online license documents and online guidelines.
To know exactly, from a contractual perspective, what you can do with your Oracle Database software, you must know the fine print. This is challenging for many organizations and compliance issues tend to appear daily. A lack of knowledge on how software needs to be licensed within a particular hardware infrastructure often causes problems, but things can also go south when installing or configuring software. The following Oracle Database compliance issues are most commonly seen by large organizations.
1. Incorrect interpretation minimum number of licenses
For each person who gets access to the Oracle Database software, a so-called Named User Plus license is required. Oracle thereby applies a minimum required amount. This number differs per version, changes regularly and is calculated in different ways: Standard Edition Two includes 10 Named User Plus licenses per server, while Enterprise Edition includes 25 Named User Plus licenses per processor. Many organizations go wrong when counting the minimum number of licenses they require, resulting in a compliance issue. Note: If more people than the minimum required have access to the software, then additional licenses must be purchased.
2. Incorrect counting of processors
Counting processors, as required by Oracle Database Enterprise Edition, sounds easy, but too many organizations make mistakes here. Oracle has set up a method, which takes into account several factors when counting: not only the number of CPUs, but also the number of cores and the type. A small miscalculation can lead to a shortage of, for example, 25 licenses, which in the case of Enterprise Edition equals to around $ 1 million.
3. Server virtualization with VMware
The fact that Oracle is not a VMware fan is already known amongst most IT professionals – the 2016 trial with Mars is a good example of that. Oracle does not accept VMware as a technology to reduce the number of licenses required: all physical cores and processors on which the virtual server can be hosted must be licensed. However debatable this may sound, for years it has been Oracle’s default position in the licensing discussion. Nevertheless, for many organizations it is still a surprise when a compliance issue of several millions arises. Surely because different rules apply for licensing VMware version 5.0, 5.1 – 5.5, and 6.0 or higher.
4. Server virtualization with Oracle VM
As a non-fan of VMware, Oracle is pleased if you were to use Oracle VM, its own virtualization software, instead. From a licensing perspective, this technology includes the ability to limit the number of licensable ‘cores’. However, in practice, this often does not happen, and organizations fail to remember that the “peak use” (high-watermark) must be licensed. In addition, organizations are not aware that with other virtualization software each technology has its own rules (such as IBM Logical Partitions).
5. Less control through cloud computing and outsourcing
Many organizations today choose to outsource their hardware infrastructure to external parties. However, as an organization, you remain responsible for the correct licensing of Oracle Database, even though it is installed externally. There is less control with this type of cloud computing, while usually the same complex rules apply as for virtualization. Although outsourcing offers clear financial benefits, out-of-compliance situations still lurke. It is therefore sensible to agree with the outsourcer in advance who is responsible for the correct purchase of licenses, and to be informed in advance, as an end user, of the implications of transitioning to the (public) cloud.
6. Incomplete overview of installations
As mentioned earlier, if installed, Oracle Database products must be licensed, regardless of whether or not they are used. However, many organizations lack a complete overview of installation because, for example, they use the wrong SAM tool or they do not use one at all. Thus, it is virtually impossible to know how many licenses you need to be compliant.
7. Various software configuration options
When installing Oracle Database, you have the option to install different components and products – from Database Options to Management Packs. Depending on what you select, different license scenarios arise. This makes it difficult to know, as an organization, which and how many licenses you need exactly. Such an option or pack must also be licensed if you will use it, but how do you determine if you really use it? And whether this usage is not ‘out of the box’ system usage?
8. Internal versus external access
In each license agreement, Oracle states that the Database software may only be used for internal business processes. What exactly these processes contain, is nowhere to be defined, but for sure it is not possible to use Oracle licenses to open up commercial applications to third party access. This requires special hosting licenses.
9. Use by another legal entity
Any purchased Oracle Database license may be used solely for purposes of a pre-registered legal entity (or entity list). Particularly in case of acquisitions, compliance problems arise: the software may not be used for the business purposes of the newly purchased company. Acquisition situations are therefore known moments for Oracle to focus its audits on.
10. Access to Oracle Database
Last but not least: in addition to the way in which software is installed, the way it is used can also lead to compliance issues. This is mainly due to the definition of Named User Plus, which is often misinterpreted. A Named User Plus is about any specific individual who has access to the software, not about the total number of employees or the number of FTEs. Freelancers or external service providers who have access therefore also count. The number of people who have access to the software and are “authorized” to create, read, update and delete data (whether directly or indirectly) count – no matter whether they actually use it. For example, if you’ve created an account for a thousand people and only fifty people use it, you’ll still need a thousand licenses. It is important to regularly check who needs access and who not, both to reduce risks and to save costs. Additionally, you may need a separate license not only for people, but also for devices that directly or indirectly access the database.
Although the competition of new players has increased in the last years, Oracle Database is still the core of business processes in many large organizations. If these companies do not want to throw millions of euros into compliance issues, they simply cannot afford not to manage their licenses continuously – no matter how complex this is.
For more insight into the nitty-gritty details of Oracle Database most common compliance issues, you can read our white paper.
Richard is one of the managing partners at B-lay. He started to work in the license management industry in 2004 and worked for almost 10 years at Oracle as regional director of compliance. He uses his knowledge of enterprise software vendors (such as Oracle, SAP, IBM and Microsoft) to educate, equip and enable software end users in their challenges regarding proper software license management. Richard holds a master’s degree in IT, from University of Amsterdam in the Netherlands.