Directors are increasingly being asked by their CTOs or IT managers to consider IT projects which involve virtualisation. In-house server virtualisation can be seen, in certain circumstances, as an alternative to cloud computing. It offers some of the benefits (cost savings, efficiency and scalability) associated with the cloud, without the risk of outsourcing key business functions to third parties. As this technology is picked up by businesses, lawyers may find themselves needing to cut through a significant amount of jargon to understand this evolutionary step in enterprise computing. This article sets out the technology and its benefits, before considering the legal consequences of its application.
Understanding Virtualisation
Traditional servers
Traditionally, each server runs the following software:
• a single operating system (eg Microsoft Windows Server); and
• one or more applications (eg Microsoft Exchange e-mail software).
Servers can be inefficient. They, like other computers, do not necessarily need to operate at the full capacity of their hardware at all times. Many servers spend most of their time idling at a very low percentage of their full capacity. It is important to note that each server can only run one operating system at once. Each operating system can run any number of applications, but this is often undesirable for technological and security reasons (should we really host the intranet on the same server that processes the management accounts?). Therefore systems administrators often use a dedicated physical server for each application. These under-nourished servers are still using, and incurring costs for, electricity, cooling and data centre space as if they were bursting at the seams.
Is there a better way?
Virtualised servers
Virtualisation involves using a software ‘hypervisor’ in-between the physical server hardware and multiple installations of operating system software. Each operating system thinks it has the physical server to itself, but the hypervisor is actually sharing the hardware out between virtual servers. It is virtualising the physical hardware.
Physical servers employing virtualisation will typically run the following software:
• a single hypervisor, ie a virtualisation software install (eg VMWare);
• multiple operating systems; and
• one or more applications on each operating system.
Each operating system, plus its application software, becomes a ‘virtual server’. The physical server hardware is used more efficiently as long as these ‘virtual servers’ do not make excessive demands on their shared hardware at the same time. They rarely do, and in any case – except in relation to certain very ‘latency’ sensitive applications such as equities trading software – it often doesn’t matter if one virtual server is kept waiting for a few microseconds whilst another finishes its processing on the same hardware. Companies can therefore use virtualisation to consolidate existing servers onto less hardware. This can result in lower costs in hardware, power, cooling and data centre space.
Advising on Virtualisation
From the perspective of an IT or in-house lawyer, what key issues should be considered when asked to advise on a project that involves virtualisation?
Virtualisation software
Virtualisation requires specific hypervisor software and so the purchasing of that software should be treated as a standard software procurement exercise. The lawyer should first ask:
• what virtualisation software/hypervisor is being used?
• who is the software provider (ie the vendor)?
• what are the terms and conditions of its use?
• are these standard terms?
• to what extent can they be negotiated?
Most virtualisation software is effectively ‘off-the-shelf’ but software providers are usually keen to offer support and maintenance, and other ‘value-added’ services. If these services are being taken:
• what are the terms of these services?
• do they come with a service level agreement?
Virtualisation software can be a major strategic investment and a fundamental part of the business’s IT system. If it is faulty, it can be difficult to remove without significant time and investment in a replacement system, and potential down-time. On that basis, the following questions arise:
• What warranties are being given by the software provider?
o Will the software provider warrant that the software will perform to your required uptime and performance standards?
• Will your provider indemnify you if you are sued by a third party for patent infringement due to your use of the virtualisation software?
o The law on the ability to patent software is far from settled and virtualisation software is a prime candidate for patent protection and litigation in certain jurisdictions.
• What testing is to be conducted?
o Is a testing/acceptance process to be documented in the contract?
o On what basis can the software be rejected if it doesn’t work in your environment?
• What are the remedies for the licensor’s breach of the software licence agreement or service level agreement?
o Are they sufficient to protect the business against its costs and lost profits?
o Does the contract disclaim or limit liability for these costs and lost profits?
o Are there any other limitations of liability in the software provider’s favour? Are these appropriate?
It is important to note that software providers will commonly limit or disclaim liability for all damages or losses due to faults in their software (other than, perhaps, their liability for the direct costs – eg the purchase of replacement software – up to a capped financial limit: usually the return of a customer’s fees). This does not marry well with the potential loss to the business if the software fails or is faulty. Explaining, negotiating and managing this issue can be one of the most difficult elements of a major software purchase, but it is nearly always overlooked when deciding upon a software provider and planning a software roll-out. Dealing with this issue upfront can pay dividends later.
Application software
When running application software (eg Microsoft Exchange, the software that provides the server side e-mail processing and storage for Microsoft Outlook) on a virtualised server, rather than a physical server, care must be taken to ensure that it is licensed correctly for that environment.
This is usually simple in cases where the software provider’s licensing scheme does not deviate from the usual industry practices (‘per seat’ or ‘per client’ etc). Where licence fees are due in respect of ‘each server’ upon which the software is installed there is cause for thought. Are we talking about the physical server or the virtual server? In most cases it is difficult to construe this to mean anything other than each virtual server, but once in a while it will be ambiguous.
Occasionally, software licenses will contain terms that prevent them from being used on a virtual server. These may be explicit but are usually simply a drafting oversight. Instances of such drafting are rare and often difficult to justify, and clarity should be sought from the software provider if these issues are encountered.
More commonly, software licences will contain terms that allow the licensee to run the software only on a set number of physical servers, sometimes by reference to the number of CPUs in that server. CPUs are the central chips in the server and it is dangerous to assume that one CPU equals one server: Modern servers will often have two, four, eight or more of these CPUs. To make matters worse, chip-makers such as Intel have been able to combine multiple ‘core’ CPUs onto one ‘die’ – ie physical chip – but these ‘dual core’ processors are often represented as two CPUs in software. CPU licensing can therefore be a minefield of technical detail that does not always match what the engineers think that they are getting.
Conversely, IT managers will have often worked out these details, and many of the other issues discussed in this article, with the software providers’ commercial representatives in advance of approaching their legal function. With luck, the lawyer’s role will simply be to ensure that these discussions have tracked across to the contract, and advise on the wider legal implications of the commercial project (data protection, for example). It is nevertheless worth asking the difficult questions surrounding risk and liability and ensuring that the licensing of such a fundamental component of the IT infrastructure is done on appropriate terms. The consequences of getting this interplay between IT and law wrong may never be of consequence, but on the other hand a systems failure could be disastrous, and obtaining sensible compensation may be made more difficult if there has been a failure to comply with the core contract. Likewise a software provider – or worse, a possible acquirer of the company’s business – playing hardball over a perceived licensing deficiency could be painful down the line, but may be avoidable from the outset.
Chris James is a solicitor with Macfarlanes LLP, practising IT, IP and general commercial law. The author offers his apologies to Jay Kay for the title and his particularly uncomfortable reference to popular music – uncomfortable even by IT lawyer standards!