Chris James

VirtualInsanity?
VirtualisationforLawyers.
First Published on SCL.org: 17/12/2009
Also published in Computers & Law magazine (April / May 2010 Edition)
Directors are increasingly being asked by their CTOs or IT managers to
consider IT projects which involve virtualisation. In-house server
virtualisation can be seen, in certain circumstances, as an alternative to cloud
computing. It offers some of the benefits (cost savings, efficiency and
scalability) associated with the cloud, without the risk of outsourcing key
business functions to third parties. As this technology is picked up by
businesses, lawyers may find themselves needing to cut through a significant
amount of jargon to understand this evolutionary step in enterprise
computing. This article sets out the technology and its benefits, before
considering the legal consequences of its application.
Understanding Virtualisation
Traditional servers
Traditionally, each server runs the following software:
a single operating system (eg Microsoft Windows Server); and
one or more applications (eg Microsoft Exchange e-mail software).
Servers can be inefficient. They, like other computers, do not necessarily need
to operate at the full capacity of their hardware at all times. Many servers
spend most of their time idling at a very low percentage of their full capacity.
It is important to note that each server can only run one operating system at
once. Each operating system can run any number of applications, but this is

often undesirable for technological and security reasons (should we really

host the intranet on the same server that processes the management
accounts?). Therefore systems administrators often use a dedicated physical
server for each application. These under-nourished servers are still using,
and incurring costs for, electricity, cooling and data centre space as if they
were bursting at the seams.
Is there a better way?
Virtualised servers
Virtualisation involves using a software hypervisor in-between the physical
server hardware and multiple installations of operating system software.
Each operating system thinks it has the physical server to itself, but the
hypervisor is actually sharing the hardware out between virtual servers. It is
virtualising the physical hardware.
Physical servers employing virtualisation will typically run the following
software:
a single hypervisor, ie a virtualisation software install (eg VMWare);
multiple operating systems; and
one or more applications on each operating system.
Each operating system, plus its application software, becomes a virtual
server. The physical server hardware is used more efficiently as long as
these virtual servers do not make excessive demands on their shared
hardware at the same time. They rarely do, and in any case except in
relation to certain very latency sensitive applications such as equities
trading software it often doesnt matter if one virtual server is kept waiting
for a few microseconds whilst another finishes its processing on the same
hardware. Companies can therefore use virtualisation to consolidate existing
servers onto less hardware. This can result in lower costs in hardware,
power, cooling and data centre space.
Advising on Virtualisation
From the perspective of an IT or in-house lawyer, what key issues should be
considered when asked to advise on a project that involves virtualisation?

Virtualisation software
Virtualisation requires specific hypervisor software and so the purchasing of
that software should be treated as a standard software procurement exercise.
The lawyer should first ask:
what virtualisation software/hypervisor is being used?
who is the software provider (ie the vendor)?
what are the terms and conditions of its use?
are these standard terms?
to what extent can they be negotiated?
Most virtualisation software is effectively off-the-shelf but software
providers are usually keen to offer support and maintenance, and other
value- added services. If these services are being taken:
what are the terms of these services?
do they come with a service level agreement?
Virtualisation software can be a major strategic investment and a
fundamental part of the businesss IT system. If it is faulty, it can be difficult
to remove without significant time and investment in a replacement system,
and potential down-time. On that basis, the following questions arise:
What warranties are being given by the software provider?
Will the software provider warrant that the software will perform to your
required uptime and performance standards?
Will your provider indemnify you if you are sued by a third party for
patent infringement due to your use of the virtualisation software?
The law on the ability to patent software is far from settled and
virtualisation software is a prime candidate for patent protection and
litigation in certain jurisdictions.
What testing is to be conducted?
Is a testing/acceptance process to be documented in the contract?
On what basis can the software be rejected if it doesnt work in your
environment?
What are the remedies for the licensors breach of the software licence
agreement or service level agreement?
Are they sufficient to protect the business against its costs and lost profits?

Does the contract disclaim or limit liability for these costs and lost profits?
Are there any other limitations of liability in the software providers
favour? Are these appropriate?
It is important to note that software providers will commonly limit or
disclaim liability for all damages or losses due to faults in their software
(other than, perhaps, their liability for the direct costs eg the purchase of
replacement software up to a capped financial limit: usually the return of a
customers fees). This does not marry well with the potential loss to the
business if the software fails or is faulty. Explaining, negotiating and
managing this issue can be one of the most difficult elements of a major
software purchase, but it is nearly always overlooked when deciding upon a
software provider and planning a software roll-out. Dealing with this issue
upfront can pay dividends later.
Application software
When running application software (eg Microsoft Exchange, the software
that provides the server side e-mail processing and storage for Microsoft
Outlook) on a virtualised server, rather than a physical server, care must be
taken to ensure that it is licensed correctly for that environment.
This is usually simple in cases where the software providers licensing
scheme does not deviate from the usual industry practices (per seat or per
client etc). Where licence fees are due in respect of each server upon which
the software is installed there is cause for thought. Are we talking about the
physical server or the virtual server? In most cases it is difficult to construe
this to mean anything other than each virtual server, but once in a while it
will be ambiguous.
Occasionally, software licences will contain terms that prevent them from
being used on a virtual server. These may be explicit but are usually simply a
drafting oversight. Instances of such drafting are rare and often difficult to
justify, and clarity should be sought from the software provider if these issues
are encountered.
More commonly, software licences will contain terms that allow the licensee
to run the software only on a set number of physical servers, sometimes by

reference to the number of CPUs in that server. CPUs are the central chips in
the server and it is dangerous to assume that one CPU equals one server:
Modern servers will often have two, four, eight or more of these CPUs. To
make matters worse, chip-makers such as Intel have been able to combine
multiple core CPUs onto one die ie physical chip but these dual core
processors are often represented as two CPUs in software. CPU licensing can
therefore be a minefield of technical detail that does not always match what
the engineers think that they are getting.
Conversely, IT managers will have often worked out these details, and many
of the other issues discussed in this article, with the software providers
commercial representatives in advance of approaching their legal function.
With luck, the lawyers role will simply be to ensure that these discussions
have tracked across to the contract, and advise on the wider legal
implications of the commercial project (data protection, for example). It is
nevertheless worth asking the difficult questions surrounding risk and
liability and ensuring that the licensing of such a fundamental component of
the IT infrastructure is done on appropriate terms. The consequences of
getting this interplay between IT and law wrong may never be of
consequence, but on the other hand a systems failure could be disastrous,
and obtaining sensible compensation may be made more difficult if there has
been a failure to comply with the core contract. Likewise a software provider
or worse, a possible acquirer of the companys business playing hardball
over a perceived licensing deficiency could be painful down the line, but may
be avoidable from the outset.

Posted on
Dec 17 2009

Written by
Chris James

Does your firewall have an open door?