Cloud Platforms and Microsoft Licencing

Over the past few weeks I’ve been conducting licence reviews on behalf of a client. An one part of the review revolved around Cloud platforms.

This lead me down an interesting, and truly unexpected, path of discover – and uncovered so many mistruths, unknowns and some seriously concerned staff training issues…

Now, I’m no Microsoft Licencing expert, but I can safely say that I know more about it that some other people in the industry, and I know my way around the various Microsoft schemes.

The problems all develop when you start looking at Cloud platforms – specifically Amazon EC and Microsoft Azure – when you are looking to run Windows nodes (either a Windows AMI in EC, or a Windows VM Role in Azure).  Neither of these options supports running a Microsoft Windows Server Web edition, so in essence, you have to tread carefully with regards to licencing, as there are requirements with these editions.

Both Amazon EC and Microsoft Azure bundle the licence cost of the Windows Server into the Instance Hour cost. So sorted. Or are you.

As I’m sure any readers in the industry will be aware, there are Client Access Licence (CAL) requirements to operate a Windows Server on your own hardware – for both users making use of services on the box (even if they are consuming them remotely, via a website) or, in a rather nicely worded paragraph in Microsoft’s EULA, are not anonymous when making use of any websites or webservices hosted on said server.

The curious thing is, there is no clarification on how this authentication or identification has to be carried out. The immediate assumption would be that users need to be authenticated by Active Directory accounts. But what about authenticating against a customer SQL Table? Or a XML file? Surely in these cases a user is no longer anonymous, and therefore you are required to have a CAL per user?  Obviously this would have a massive impact on services hosted without clouds – as most of them have authentication, and as such know who you are. Yet they are not purchasing additional CALs (which, by chance, would make any service hosted prohibitively expensive. This is after all why Microsoft brought out Microsoft Windows Server Web edition).

I pitched this question to Amazon’s support guys. Who referred me to their sales team. Who after four attempts to elicit a response finally got back to me. With one of the most confused, and noncommittal responses I’ve ever seen.

Now, ultimately, this could be a really big deal to services that are using Cloud platforms, and assuming they are fully licence compliant. In order to try and get clarification (and ultimately, wrap this up for my client!), I’ve ended up contacting Microsoft to give me the final verdict. But I’ve yet to hear.

I hope things are not as dire as they seem to be …

Social Privacy - So who is

Over the last 24 hrs I’ve been watching the growing debate around a new website that has appeared called  It has very little information on it, and had even less on it yesterday (no privacy policy).

Sophos’ security blog, Naked Security, picked up on it here – and highlighted the madness of some people who are registering with a service that does not say what it actually does. Especially when you need to hand over the keys to your LinkedIn, Twitter or Facebook account to them to get in. Surely these people have seen what can happen when any of these accounts get compromised?

I’m pleased that Sophos actually had a response from the people behind, but it still doesn’t exactly fill me with confidence. This feels decidedly dodgy to me. Anything that doesn’t explain exactly what they are offering before I have to register, or give me a way to register with some other details is a big no-no for me.

What really shocks me a little is actually the people that are registering for this service. I have seen a number of exceptionally technical people fire off the automated tweet saying they have “reserved their username” on And some of these people should really know better than to trust an unknown entity with their identity. (Hey, that rhymes!)

Needless to say, I’ll be keeping well clear until their intentions are well known.

UPDATE: I’ve just come across this article on Mashable. To me, it feels like they are trying to justify the approach has taken, by arguing that they are in “Startup Stealth Mode”. Well, if that is the case, why would they post it on Facebook in the first place, and why on earth would you have a viral hook in there to hit twitter etc when people signed up? Does not seem terribly stealthy to me. I have to say, I’m still not comfortable with their approach – it’s one thing to collect email addresses, its another to collect social media details.