Eye on Oracle: May, 2009 archives


May 27 2009   3:45PM GMT

License management could be the key to your next Oracle review



Posted by: Ed Scannell
Oracle, Sun, software licenses, Acresso Software

A news story that appeared on SearchOracle.com last week, about Oracle’s acquisition of Sun triggering reviews of software licenses and audits, hammered home the point to us that IT shops more than ever need to establish best practices for managing software licenses.

Oracle has always had the right to call for a review (with very little notice, I might add) to verify that users have not downloaded more copies than their contract calls for. But with the Sun acquisition, coupled with the crushing effect the economy has had on Oracle’s revenue growth, the likelihood of reviews and audits has risen considerably.

As Jeff Greenwald, Acresso Software’s Senior Director of Product Management for Enterprise Licensing Optimization told us last week:

“This (Oracle-Sun) merger could spark other conversations with a shop that may or may not have Sun boxes running in them, but Oracle won’t know that when they start the conversation. Oracle could treat this as an opportunity to investigate a shop’s hardware base and without realizing it, users enter into an audit.”

It has been his experience, Greenwald said, that most users have no best practices guidelines or software in place to track deployments. In fact, many use only a spreadsheet to track their compliance, which is a bit scary. The drawbacks to this relatively primitive method are that it is time-consuming and prone to errors, and that its results are often out of date even before the exercise is completed.

Naturally, Greenwald believes his lineup of license management software offers a better alternative, but he does have a cogent case. Not only do Acresso’s products present an automated way to collect instances of Oracle software and store them in a central location, they also provide users with reports that “interpret” those deployments by comparing them to their contract.

“It is about (Acresso’s) technology but it is also about services that can help customers come to a decision by recommending what the best course of action is when they renegotiate a new contract with Oracle,” Greenwald told us.

Greenwald believes there is a basic set of license management best practices that can be applied to a range of different “events” that trigger reviews and audits. Events can be many things including not just mergers and acquisitions but divestitures, re-organizations, expansions, facility closings, or layoffs.

The following rules can better prepare an IT shop for such reviews, he believes.

Pro-active, consistent monitoring of Oracle deployments.  IT shops should monitor Oracle deployments continuously instead of waiting until a review or audit deadline approaches. This is the most sensible way to avoid a crazed fire drill under tight time constraints.

Collect complete, granular information. Oracle deployments and licensing both can be complex, involving multiple instances on multiple platforms. Consequently, IT organizations should make sure their visibility into their Oracle deployments is complete and granular, including discovery of all processors and all named users.

Use of automation. IT organizations can reduce strain on their staffs as well as improve the accuracy of their information through automation. That automation, however, should be scheduled to avoid being a drag on performance of critical business services. It is a good idea to implement agentless automation to avoid management complexity.

Clear reporting against actual license structure. Once IT shops have a granular accounting of their Oracle deployments, they need to understand how those deployments compare to their actual current license entitlements. That understanding can come through reports highlighting where the deployment exceeds the license and where there is “shelfware,” i.e. software that is not in use.

Full leveraging of deployment insights across all IT and business functions. Once an IT organization can maintain pro-active insight into its Oracle deployments, it must then deliver that insight across the organization. These organizations, besides developing the ability to monitor their deployments, will want to take advantage of experts in disciplines such as negotiation, budget allocation and planning.

May 11 2009   5:33PM GMT

Larry’s a hardware man now



Posted by: Ed Scannell
Oracle, Sun, Larry Ellison, Apple, iPhone, Hewlett-Packard, Dell

After weeks of speculation about whether Oracle would keep or sell off Sun’s hardware business, we have the answer. Well, the answer for now.

In an e-mail interview with Reuters, Oracle CEO Larry Ellison made it clear he intends to keep not just Sun’s chip and server products but its disk storage and tape backup businesses too. So with one short interview Ellison has confirmed he will attempt to significantly change the competitive landscape among major vendors competing for the billions of enterprise dollars at stake.

And he is not lacking for confidence about his chances. In the Reuters interview Ellison said he has the in-house talent, from among both Sun and Oracle engineers, to compete successfully against the likes of hardware giants including IBM, Hewlett-Packard and Dell.

“We have lots of hardware experience inside of Oracle. Hundreds of Oracle’s engineers came from systems companies like IBM and HP. Even I started my Silicon Valley career working for a hardware company that worked with Fujitsu to design and build the first IBM compatible mainframe,” Ellison said in the Reuters interview.

I am not sure how much of Larry’s own hardware experience will successfully translate to competing against The Big Three in a cutthroat low margin business. I suspect it will have more to do with retaining key Sun engineers and their managers working on key hardware technologies. But you have to like his optimism here.

It could very well be that Oracle has no intention of engaging in hand-to-hand combat with its major competitors in the low-end, Intel-based server market. According to his comments in the Reuters interview, Ellison intends to invest heavily in Sun’s SPARC- and Solaris-based servers, where margins would be significantly higher.

“Once we own Sun we’re going to increase the investment in SPARC. We think designing our own chips is very, very important. Right now, SPARC chips do some things better than Intel chips and vice-versa. While most hardware businesses are low-margin, companies like Apple and Cisco enjoy very high-margins because they do a good job of designing their hardware and software to work together. If a company designs both hardware and software, it can build much better systems than if they only design the software,” Ellison said.

Yup, that’s right. Apple is a model, if not the inspiration, for Ellison’s belief that he can deliver high-margin servers if he can form-fit Oracle’s software with Sun’s chips and servers, à la Apple’s iPhone and iPod.

There may be at least a little concrete evidence to back up his ambitions. Oracle’s Exadata database machine, which tightly couples Oracle’s flagship database with HP’s server hardware, has received good reviews, particularly for its speed and performance. It must be noted, however, that the Exadata server uses Intel chips, and not RISC-based chips such as Sun’s SPARC processor.

Both Ellison, in the Reuters interview, and Oracle President Charles Phillips at last week’s Collaborate conference, said Exadata was the most successful product launch in the company’s 30-plus-year history. Oracle, of course, declines to release sales figures for the system, so there can be no iron-clad confirmation of this.

But if Oracle successfully applies its Exadata model to other server hardware-software combinations, perhaps targeting each offering at a specific vertical market, it may not only succeed in the market but also lay down the law for how server bundles will be sold.

There are a couple of unanswered questions remaining, of course. First, if Oracle proceeds with its plans to sell SPARC-based servers bundled with its software, where does this leave HP? HP still competes with Sun in some segments of the server market, and may not take too kindly to Ellison’s aggressive commitment to SPARC.

Second, how will Ellison deliver bundled combinations of servers to Oracle and Sun customers? If he intends to focus on complete solutions using only Oracle-Sun chips, servers, operating systems, databases, middleware, and tools, the emphasis would seem to be on selling these systems largely direct. If he does an end run around the resellers, will this drive the channel into the arms of IBM, HP, and Dell, which can reach customers across a greater number of markets?

We may not get these questions answered for another few months. But I’ll say this, with the Sun acquisition Larry has brought back some of the fun and excitement that has been missing from this market for some time now.


May 5 2009   8:24PM GMT

The top 10 security risks in Oracle E-Business Suite



Posted by: Shayna Garlick
Oracle, Oracle security, Oracle applications

Users may be worried about the obvious security risks associated with putting data in a cloud, but what about those Oracle security risks which aren’t as obvious?

Collaborate ’09 speaker Jeffrey Hare, CPA, CIA, CSA from ERP Seminars, addressed some of these risks Tuesday in his session, “Top 10 Application Security Risks and Related Best Practices for companies running Oracle E-Business Suite.”

The majority of these application risks described by Hare are internal - so, even if you’re not putting your data out on the internet, you’re certainly not free from unwanted users accessing your systems.

What did Hare list as the top 10 risks for E-Business Suite users, and what did he recommend for dealing with them?

10. Upgrade risk: To avoid upgrade risks, Hare said end user security should be designed from scratch, using completely custom menus and sub menus. He also advised against using AZN menus.

9. Risk analysis: Hare said it’s important to look at risk analysis holistically, from outside the system to access and processes inside the system. He recommended choosing a risk analysis firm that specializes in E-Business Suite, and making sure to take into account material risks as well as sub-material risks.

8. Relying on auditors: Be aware that many auditors do not take into account risks of sub-material fraud and often fail to look at the business process holistically. He recommended starting with Procure-to-Pay, hiring a firm that specializes in fraud risk to do a risk assessment beyond SOX, and reviewing their conflict matrix before hiring them.

7. Security changes and the change management process: The change management process is not something you can afford to get wrong, Hare said. It should be very specific and include menus, responsibilities, roles, request groups, functions and profile options. All security changes should go through a change management process.

6. SQL Forms: All activity in SQL forms should go through the change management process just like an UPDATE SQL statement would, including peer review and code freeze, Hare said. All activity should be audited via trigger or log-based technology.

5. High risk fraud forms: Hare said to be aware of forms subject to high fraud risk such as banks, remit to address, locations and suppliers. Define a procedure for changes and additions such as a form and procedure for new suppliers.

4. Password hacking: Hackers can get into production applications and database accounts via published exploit code. For solutions, Hare recommended reading the white paper “Oracle applications 11i: Password decryption.”

3. Override of workflow policy: It’s important to have a process in place regarding delegation of authority for processes such as worklist access and vacation rules, Hare said. Figure out the allowable delegation of authority within your company, and audit and trace back your changes.

2. Support personnel access: The lack of inquiry-only access and of a non-production support instance is a problem within organizations, Hare said. He recommends using SysAdmin Views, identifying high-risk single functions and SOD issues, and taking the same precautions with security analysts as with end users.

1. Utilities: diagnostics: Hare stressed that no one should have access to these profile options in the production environment - they should be left off the production environment and go through the change management process.

What risks and/or best practices could you add to this list? If you’re an E-Business Suite or other application user, what has or hasn’t worked in terms of security and what do you think is worth your time and investment?


May 5 2009   1:03PM GMT

‘MySQL is not going to die,’ Collaborate speaker claims



Posted by: Shayna Garlick
Oracle, Oracle development, Oracle open source

One question has been on everyone’s minds since Oracle announced its acquisition of Sun Microsystems:

What is the future of MySQL now that it’s in the hands of Oracle?

This question about the highly popular open source database is being debated in the Oracle and Sun communities — some are insistent that Oracle won’t kill MySQL, but other open source executives are split. Some point out that this is Oracle’s chance to innovate and prove it’s serious about open source; however, the software giant has not shown a commitment in the past to open source even as it’s grown in popularity, according to the ZDNet article.

Collaborate ’09 presenter and Oracle and MySQL DBA George Trujillo addressed the question Monday at the conference in his session, “What Every Oracle Professional Needs to Know about MySQL.” Trujillo said he could not say exactly what was going to happen with Oracle and Sun, but he did know one thing:

“I will tell you MySQL is not going to die,” he said.

Trujillo said that because MySQL is an open source database, with source code freely available to anyone, it will continue on no matter what Oracle decides to do with it.

So, maybe MySQL is not as much in the hands of Oracle as we think it is.

“It’s open source — if we wanted to get together tonight to get the source code and create our own version to start selling tomorrow, we could do that,” Trujillo told session attendees.  He said what’s more important is that whoever is the leader of open source has to be innovative.

Trujillo also discussed common misconceptions users have about MySQL, one being that the database can be compared with Oracle. He said comparing MySQL to Oracle is like comparing a fast speedboat to an aircraft carrier — if you bought one, it was probably for a reason, and you won’t be happy switching to the other.

So, maybe the real question is not whether Oracle will keep MySQL, but what the software giant will choose to do with it. How innovative will they be? Is there anything you would like to see Oracle do with the open source database? How do you think Oracle will market itself to the open source community, or how would you like to see it do so?


May 4 2009   9:22PM GMT

Is your data secure in the cloud?



Posted by: Shayna Garlick
Oracle, Oracle development, Oracle cloud computing

As Oracle’s Bill Hodak looked out at the approximately 30 attendees at the Oracle in the Cloud session Monday at Collaborate, he noted it was probably the largest group he’s spoken to about cloud computing over the past two years.

Despite the growing interest, however, session attendees were not hesitant to voice their concerns - the biggest being the security of their data.

Hodak began his session by describing the benefits of cloud computing, which he described as “computing resources residing on the internet (aka ‘the cloud’).” Cloud computing requires no long-term commitment, is infinitely scalable and allows the user to be billed by consumption rather than a fixed price, he said.

He went on to describe how Oracle works with Amazon — the top cloud computing vendor and Oracle’s first cloud computing partner — to provide Amazon Web Services for Oracle customers. Users can create an Amazon Web Services account to deploy Oracle software or back up an Oracle Database. Hodak described Amazon’s Elastic Compute Cloud (EC2), an environment which can be used for Oracle deployments. In EC2, users can also choose from a catalog of virtual machine images, such as Oracle Enterprise Linux or APEX, and within 10 minutes have a fully functional Oracle environment.

But one user had a question that Hodak admitted was a good one: how does one ensure the privacy and security of personal data when operating in the cloud?

Amazon is just beginning to promote its cloud services to larger enterprises rather than smaller start-ups, Hodak said, so security is just now becoming a bigger concern. Though he could offer no specific details, Hodak said that Amazon is in the process of getting certified as a “secure organization,” but in the meantime, users should encrypt their data through Oracle.

Private, on-premise clouds are also an option that may lessen security-related concerns. Hodak said these are a good option for large enterprises that might find it difficult to move to public clouds in the immediate future. While many companies may not be ready to move to a third-party cloud, internal clouds can allow developers to respond faster to their organization’s needs at a lower cost.

Hodak emphasized that few enterprises are actually in the deployment stage of their cloud computing initiatives; most are still only in the evaluating stage or deploying non-mission-critical systems.

But with Oracle cloud computing still in the initial stages, what can we expect in the future? While most of that is still to be seen, it looks like Oracle is close to announcing seven new online products as part of its SaaS initiative.

Is security a concern for you when considering cloud computing? Has your organization considered cloud computing as an option? What factors have helped you decide for or against a cloud computing initiative?