Oracle Cloud: The Audit Fox In The Hen House

For years now we’ve talked about how Oracle gets information to conduct audits. Audits can be direct (you get an official audit letter from Oracle LMS) or they can be quite sneaky (Oracle offers to help you with a ULA certification or a license position). Oracle LMS calls these their “managed services.” I call them Stealth Audits. Non-compliance findings in LMS audits have cost Oracle customers unbelievable amounts of money over the years, so it’s only natural that businesses are looking to the cloud to help stem the tide of unbudgeted software audit findings. Surely if you use Oracle’s cloud you can’t go out of compliance. Right??? I hate to be the bearer of bad news here, but not only can you go out of compliance with your cloud contracts, you are also letting the Oracle LMS audit fox into your IT hen house.

Let’s walk through how this…

Your Oracle cloud contract gives Oracle the right to audit you.   You didn’t know that?  According to Oracle’s own agreement, they have the right to audit.  They make so much money off of audits there is no way they are giving up that right just because you are using their cloud service.

Here is the real scary part: when Oracle wants to audit you in an on-premise license arrangement they need to send you a letter, put you on notice, and then solicit information from you. At least you have an opportunity to defend yourself.  In the Oracle cloud world things are much different.  Your Oracle cloud agreement allows Oracle to run tools and scripts that will pull information to be used for “license management purposes.” License management purposes is code for LMS AUDIT.

You are now effectively giving Oracle the right to pull data and audit you without being able to defend yourself. Oracle pulls data, Oracle does an analysis, Oracle sends you an audit letter and then a bill. This has the potential to be disastrous. What information is Oracle collecting? How do they analyze it? What are your rights here? Not surprisingly, there are no answers to these questions in your Oracle cloud contracts. It’s up to you to make sure you put some restrictions around Oracle LMS’s access to your data.

To be fair to Oracle, we have not seen them take this step.  Why?  Well, the cloud offerings are new and there is no way Oracle wants to get any negative publicity around their cloud services.  Targeting their cloud customers now would be suicidal for them.  However, what happens in a few years when the business is more mature and Oracle is looking for more revenue?  Do you think they will be as understanding then?  I’ll let you answer that one.

Here is another thing to keep in mind.  Oracle has hundreds of people focused on finding revenue through audits.  They’ve done an amazingly effective job profiling non-compliant customers.   As Oracle moves to the cloud do you think these auditors are just going to see their jobs vanish or do you think they are going to actively look for ways to find additional revenue from audits? Cloud audits will be even easier for them because they already have access to your data. I wouldn’t be surprised if someone in Oracle LMS had a cloud audit plan sitting on the shelf ready to execute on a moment’s notice.  Watch this space.

At Palisade Compliance, we advise every single client to take control of their Oracle relationship. Our cloud advisory services will make sure you are in compliance with all your agreements, licenses, and services usage.  The risks here are getting larger and larger. Failure to be in compliance with your on-premise or cloud arrangements will cost you dearly.