Audit Risk for Microsoft applications on Citrix

Does your organisation host Microsoft Applications on Citrix?

Have you measured your audit risk? If so, you probably have a significant license compliance risk, and your costs in the event of an audit could be very high.

Compliance Risk

In the last 6 to 12 months we (@Suredatum) have noticed a significant increase in the number of Microsoft license reviews and audits carried out on organisations hosting applications on Citrix infrastructure (XenApp or XenDesktop).

What makes these reviews particularly alarming is that the initial estimates of compliance gaps are usually several million dollars/euros. This is because the user count of the entire organisation is used as the basis for the estimate. For relatively small organisations we have seen auditors' estimates run into tens of millions.

Potential Cost

Although the initial compliance gap estimate quoted by the auditor can be ridiculously high, in most cases the commercial resolution arrived at with Microsoft has been the purchase of Office 365 subscriptions for a subset of the total users. Even this compromise can still be a significant and unbudgeted expense.
The subscription must also be signed immediately, even if your organisation is not ready to implement an Office 365 programme. You must also roll out a remediation plan, which may include additional software license purchases.
On top of this there is the added cost of expensive Microsoft products (Visio, Project, etc.) that were only ever meant to be available to a small subset of users. These products will also be added into the scope of the audit and require further negotiations to resolve any gaps.

Who is at risk of an audit?

Organisations most at risk of a Microsoft Audit focused on Citrix have the following profile:

  • Citrix XenApp or XenDesktop deployed.
  • Historically used Device Based licenses.
  • Relatively low adoption of Office 365.
  • Have not had a license review in the last 12 months.
  • Enterprise Agreement review over 12 months away.
  • More than 500 users.

It should be made clear that the number of users who actually use the Microsoft applications via Citrix is not relevant; it is the number of users who can potentially access the applications that determines your risk.

Preparing for a Microsoft Audit

Some measures your organisation can take today to reduce your audit risk:

  • Inventory applications hosted on Citrix Servers and remove any that are not used by your organisation.
  • Where Microsoft Office is deployed, ensure the version and edition are correct.
  • Reduce/eliminate multiple versions or editions of the same applications.
  • Use Active Directory security groups to lock down who has access to which applications.
  • Create specific user groups for expensive applications, e.g. Project Managers Group.
  • Review access logs periodically and revoke access for users not using hosted applications.

Eliminating Audit Risk for Applications on Citrix

To eliminate a compliance risk on Citrix you need to implement some additional protections to reassure Microsoft that you are correctly licensed and have control of your network.

These include:

  • An endpoint management solution deployed. You must show that you have control of which devices a user can access and which applications on Citrix can be accessed. Examples include products like AppSense or Rentsoft Meter.
  • Logs and Reports. Logs of who has access to what applications for the past 12 months. These logs should be reviewed every 90 days and will need to cover Active Directory, Citrix and endpoint management.
  • Virtual Desktop Policy in place. A document outlining all aspects of desktop virtualisation policy in your organisation. If you have evidence of this policy being communicated to staff periodically, even better.
  • Procedures. Evidence of procedures used to support the management of access to virtualised applications.

How we help

The steps outlined above will go some way to helping you reduce your compliance risk for Microsoft applications deployed on Citrix. Eliminating the risk is a more complex project and you will probably need help. As part of our Microsoft License Health Check we include an option to review applications hosted on Citrix.

If you receive notice of a Microsoft license review or audit and you are in doubt about your position with regard to virtualised applications (Citrix, VMware or Microsoft Virtual Desktop), we can also help.

Find out more about our Microsoft Health Check service

Piaras MacDonnell