Ingenuity

Two weeks ago we visited Ironbridge, in Shropshire, one of the centres of the Industrial Revolution in the 1700’s. It is a quite extraordinary place, on the River Severn, close to lime and iron ore deposits and upstream from the port of Bristol. It is the birthplace of cast iron, bringing together the coke to smelt it, the steam engines to pump air into the furnaces to heat it, the railways and canals to move it.

We got into a discussion about the meaning of the words "engine" and "engineer". An engine powers a vehicle, but an engineer builds things like bridges and ships. We discovered that the words come from the Latin ingenium, meaning ingenuity and hence ingenious things.

Moving to today, a very good friend of mine has set up a home weatherstation and published it on the web. It’s worth a look. It’s just amazing what you can do with a bit of ingenuity.

Too many different passwords?

Single sign-on, or integrated authentication, is easily overlooked by people doing IT. Here are some common and unnecessary scenes:

  • the Intranet has a different logon from the desktop. Why??
  • The xyz web service has a different logon. Again, why??
  • The mail system and finance system have different logons.

On top of that they run different password policies: some require at least 6 characters, some at least 8, some even exactly 8!
The result is that people forget, they write it down, they share or they just don’t bother to use the service at all. Technically there is no excuse for it. It is easy enough to integrate the logons.

Basically passwords for all resources of any degree of importance should have a minimum complexity. That should be the start. A more secure environment might require more. If a user has to have a password of at least this complexity, they may as well use it as the starting point for all. It isn’t really easier to have a secure password for your desktop, then a different less secure password for the intranet. You may as well use the same. And it isn’t any good exempting the chief exec from a password expiry or a required complexity. He’s the one whose account the bad guys would like to get into.

There are a few cases where you may need to handle logons differently.

  • For remote access, you don’t have the same physical control of who is trying to log on. Someone in North Korea might be trying continuously to break in. So you must have auditing, maximum retries, SSL encryption of course. And you MAY choose to add a two-factor authentication. That means that as well as the usual logon details, you require an additional proof that you are who you say you are. There are plenty of ways to do this, but importantly they are on top of the usual logon, not instead of.
  • For financial systems you may as a matter of policy choose not to integrate the logons. This means that if a clerk discloses their Windows password to someone, they don’t immediately have access to the Accounts Payable system. It also means that the IT helpdesk can’t reset a Windows password and get into the finance system, because the accounts are handled by different people. I am not really convinced by this. The kind of people who would disclose their password like that would also disclose their finance logon. They probably should not have access to any important functions anyway.
  • At security boundaries you are bound to have different logons. At some point a user is a home user of their own systems, and an external user of someone else’s system. This means that in a large organization you are bound to have systems run by different groups, and some will be too far apart to be integrated. But at least the systems that are intended to be used widely should share the same authentication methods.

The main motivation for having different logons for different systems is not that it is necessary, but that it is easier and quicker to implement. Here’s how it should work.

  1. Any organization should have a single main directory service. If it has an e-mail system then it already has a directory, so it is certainly possible to do.
  2. The directory service should handle a range of logon types, mainly by supporting standard Kerberos authentication and LDAP directory structure. If the organization is principally a Windows type of organization, then it will be Active Directory. If UNIX, then something like Sun Directory Server. If Mac, then Open Directory.
  3. All other services should refer to the directory for authentication, if they are capable of doing it. They can do this, for example, with a secure lookup over LDAPS.
  4. You need to have a method of delegating administration of the directory, so that other departments or parts of the company can administer their own users. And ideally it should work over the web. The Dot Net Factory does this for Active Directory.
  5. If the system can’t technically use the directory for authentication, then at least you can integrate the administration. M-Tech PSynch enables you to change passwords for different systems in one web interface, and to set whether the passwords are automatically synchronized or not.
  6. If your intranet is hosted off site by another company, you need to insist that they use your authentication. This means running the intranet on a secure network that is logically part of your network, not part of the vendor’s. You can do this on their premises or on yours, but really, if it’s your intranet, it does not make a lot of sense for it to be running on someone else’s premises unless they run all your services.

This should not be a dogma. There will be situations where the logons can’t be integrated or the administration has to be separate. But you should be able to get the number of different logons for a user down to no more than two, at least for most people.

IT as a Service

IT is currently delivered to you by many different vendors of hardware, software and services in a tangle of relationships with each other. It is complicated so you need people to run it for you. The people are the biggest cost so, assuming you want to keep costs down, you need to find a way to obtain IT that provides the best service with the fewest people. At Airdesk we believe the best way is to buy IT as a service.

It is an interesting question why IT is this way. Cars are not delivered as kits of components requiring mechanics to put together and run. The main reason is that, contrary to perceptions, IT is still immensely primitive. What is classed as innovation is really overcoming basic obstacles. There are still so many basic obstacles that you need skilled people to set everything up and run it. Take, for example, software licenses. Your car uses intellectual property from hundreds of companies, but you don’t have individual licenses from each of them. With IT you have a different license from each vendor, with different conditions. This means that you need more people and technology just to manage the licenses for software you have already bought.

Companies have dealt with the complexity of managing IT in two main ways:

  • Contracting for individual services
  • Outsourcing.

Contracting for individual services is separating out a discrete set of IT components and contracting for them to be delivered as a service. We have found this to be very cost-effective for certain types of service, if you can find the right company to contract with. For example, Connectria provides a very efficient way to obtain an e-mail service. However there are some problems with this approach:

  • Sometimes you just cannot find a company to provide the service cost-effectively. We have come across many situations where the best quote amounted to the sum of buying the hardware and software and hiring the people.
  • You still need the expertise in-house to specify the service and, in particular, to integrate it with your other services.
  • It can be difficult to pin down responsibility for fixing problems that run across different services. For example, if a service at a remote site is running slowly, is it the service, the network or the client? It takes time even to agree who will investigate.

Business process outsourcing, such as provided by Xchanging, is a variation of contracts for individual services. It has the same advantages and disadvantages. It is a great way to go if you can find the right terms from a provider, and if you have the capability to integrate it into your organization. Of course with business process outsourcing you still have to find a way to run all your other IT.

Full outsourcing refers to taking all the IT components and all the people, and passing the responsibility for managing them to someone else. Instead of an employment relationship with your IT people, you have a contractual relationship. Essentially the components and the people are the same, but your commercial relationship with them is different.

Outsourcing is a counsel of despair. When you outsource IT you are conceding that, not only is your organization unable to run IT, but it is also incapable of managing or trusting people who can. You are not changing anything within the IT service, either the components or the people, but merely the relationship you have with it. It is based on the hope that a third party will be able to manage the same components more effectively than you can. In return, you pay the transaction costs of the relationship.

Outsourcing is usually based on a flawed assumption. The customer assumes that the vendor has expertise that will be applied to managing IT better. In reality the vendor has no such expertise other than that which the customer could obtain in a separate contract for project services. The vendor is simply supplying back the same people and components. The management that is applied is usually management of the customer more than management of the service.

A new way to obtain IT is as a service, which is what Airdesk provides. By IT as a Service we mean taking all the main IT requirements in the organization, like the e-mail mentioned above, and bundling them into one service. The service is provided and charged per user. The organization does not know or care what IT components are used or what people are involved in running it.

This approach has the advantages of contracting for individual services but avoids the disadvantage of integrating services from different providers. Unlike outsourcing it completely replaces the IT components and people with a more cost-effective and better run service.

The services that can be obtained this way are most of the services that most organizations need, like: PC support; software distribution and licensing; backup; networking; file storage; intranet; e-mail; HR and finance systems. This can be done because most of the requirements people have for these services are fairly standard.

It requires a slightly different approach within the organization to the supply of these services. We have been constantly struck by the difference between what people require from their IT department and what they are willing to pay for themselves. The answer to this puzzle is to provide what is standard, and allow people to pay extra for what is non-standard. No-one will pay. So the organization needs to get used to the idea that you don’t specify what you require, but adapt to what is standard (which, as it happens, is very good).

Because the components providing the service are standard, they can be automated to use fewer people, and therefore to cost less. When the standard service costs so little, there is even less reason to depart from the standard.

Some people may think of this as outsourcing the IT Infrastructure. First, it is not outsourcing. The components and people are completely replaced, not passed over to another party to manage. Second, it is not just infrastructure (assuming by that you mean servers, networking equipment, operating systems etc). It is the actual services being provided by these components.

There are some obvious limitations to this approach. If you have a large IT organization you can not just fire it. We think that IT as a service will grow, beginning mainly with startups, small companies, and new sites within large companies.

Second, you would think that larger more complex companies have requirements that can not be met by standard solutions. We feel that this is much less true than at first appears. The history of SAP over the past ten years is of companies adapting themselves to a more standard way of operating. Airdesk uses SAP as a service to deliver standard HR and finance systems to the business. Even more complicated requirements can be met by plugging in non-standard services. For example, a completely custom business system could be run on the same platforms, with the same backup and system management, the same directory service, with the same client deployment methods and helpdesk, as the standard service.

Why would IT as a service work now and not before?

  • Hardware and software components are more reliable, so you don’t need lots of mechanics on hand in case they break. For example, the standard office desktop of Windows, Office, Acrobat, Winzip and anti-virus rarely if ever fails if it is set up properly.
  • Stable servers rarely fail and have built-in redundancy for failed components or allow switching across multiple servers and sites.
  • Cheaper networks, especially with ADSL and SDSL, allow problems to be fixed and service managed remotely.

But on their own these reasons would also enable you to run your own IT more cost-effectively. The key reason for buying IT as a service is automation. There are more and better tools to run services automatically. These require more skill and cost more to set up, but once the service is designed and implemented it can be employed on a large scale. At Airdesk we use Altiris as the core system for service management. With Altiris and a bunch of other related systems we can set up and operate services remotely, on almost any scale. The services are heavily standardized and automated. For example, software can be requested, approved, purchased, installed and configured without involving technicians or visiting the desk at all. As a customer you can buy into the service with one desktop or a thousand. It is substantially the same service. We think this is the way of the future.

Phishing scam

At Airdesk we spend a lot of time and money fighting spam. You have to laugh. Here’s a phishing e-mail from: User uvmvfgedoyjj [uvmvfgedoyjj@qiacrz]; on behalf of; Halifax [security@halifax.co.uk]

Dear Client of Halifax Online!

Summer 2006 has been hard for our Bank due to the increasing number of clandestine practices.
Sensible information about our clients is of constant interest for swindlers.
Lots of people seek protection from the hazard of losing money from their bank accounts.

In this respect, Bank announces that September is the fraud-fight month.
Before Octomber 1st all our clients should activate new account protection system.
We have upgraded and considerably improved it. Top EFT specialists tested the system, and independent experts have already affirmed its reliability.
We do not publish this information in mass media in order that malefactors could not employ it criminally.

You have been randomly chosen for the final testing of the account protection system.
Now we offer you to go to http://security.halifax.co.uk/update.co and activate the new security system by entering the Internet banking as always.
Currently you may notice some defects.
We are aware of them so you do not have to inform us of these problems, we shall obviate the difficulties on our own.

Please note that on and after September 1st you will have to use the new security system, otherwise your account will be blocked until your identity is proven.
That is why we strongly recommend changing over to the new security standard as soon as possible.

Best regards,

Fraud Fight Department

Halifax Online
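Some header and content checks a mail filter could apply to a message like this one, as an added example that is not part of the original post. The sample message below is constructed from the quoted header (a random user at "qiacrz" sending "on behalf of" security@halifax.co.uk) and sentences from the body; the urgency phrase list and the threshold are assumptions, and the link check is generalised to flag any link outside the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, assembled from the quoted header and body text above.
SAMPLE = """\
From: Halifax <security@halifax.co.uk>
Sender: User uvmvfgedoyjj <uvmvfgedoyjj@qiacrz>
Subject: Dear Client of Halifax Online!
Content-Type: text/plain

Before Octomber 1st all our clients should activate new account protection system.
Now we offer you to go to http://security.halifax.co.uk/update.co and activate
the new security system by entering the Internet banking as always.
Please note that on and after September 1st you will have to use the new security
system, otherwise your account will be blocked until your identity is proven.
That is why we strongly recommend changing over to the new security standard
as soon as possible.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed pressure phrases; a real filter would carry a much larger list.
URGENCY = ("account will be blocked", "as soon as possible", "identity is proven")


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return (flag, detail) pairs for the suspicious features found in raw."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From"))
    sender_dom = domain_of(msg.get("Sender"))
    # The displayed From domain is not the domain that actually sent the mail.
    if sender_dom and sender_dom != from_dom:
        flags.append(("sender_mismatch", f"{sender_dom} != {from_dom}"))
    # A host name with no dot at all cannot be a public mail domain.
    if sender_dom and "." not in sender_dom:
        flags.append(("bogus_sender_domain", sender_dom))
    body = msg.get_payload()
    # Links whose host lies outside the From domain (none in this sample,
    # where the visible link is under halifax.co.uk).
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != from_dom and not host.endswith("." + from_dom):
            flags.append(("link_domain_mismatch", host))
    hits = [p for p in URGENCY if p in body.lower()]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    return flags


def is_suspicious(raw, threshold=2):
    """True when at least `threshold` independent indicators fire."""
    return len(check_message(raw)) >= threshold
```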

IBM Lotus Domino problems

IBM Lotus Domino is a great product but it has persistent flaws that make you eventually lose patience with it. Here are a few examples. I cannot see why IBM have allowed these flaws to persist, but I can see a common trait – a refusal to accept Microsoft-led standards.

This is not a review of Exchange against Domino. Another review would be entirely superfluous. Instead I am looking at a few things that make Domino unnecessarily difficult to use, and may eventually lead people to give up on it.

Exchange is an ugly product to administer. Its architecture is derived from assembling different components – Windows NT SAM, now Active Directory; MS SQL Server; IIS; Exchange; and MS Office Outlook. So Domino should be in a good position.

Lotus Domino is in many ways a great product. It was one of the first to have a full set of internet protocols so if you preferred you could just connect it to a standard mail client and use LDAP, IMAP and SMTP. We did this for an international rollout where some of the small offices had no need for Outlook, shared calendars etc. It is also internally secure. You can put a Domino server in the DMZ and connect to it over the web or from the LAN. In a remote office you just need to set up one server with Domino, not Exchange, IIS, Active Directory and SQL.

However to use the Groupware features (like shared calendars) you need to use a Lotus Notes client. You could use the web client but it’s not the same. A web client does not stay open on the desk and ping you when you have a meeting coming up. The client is where the problems arise.

First, it’s ugly. Nothing is where you expect it to be. I have used it for years and still can’t find the Change Password routine. When I do find it, I need to go through several steps before it is changed. I am sure there are answers to all of these problems, but they depend on people being trained and skilled in the Notes client. It is not intuitive. The Help is hopeless. I could just use an Outlook or Thunderbird client with the internet protocols, but then no groupware.

The Notes client depends on an ini file to control the user settings. You need first to select the multi-user install option, then you can save an ini file for each user in their Windows profile. That’s handy, as with a roaming profile the user settings can be the same across different machines. But there is a problem. The ini file contains the path to the user’s ID file, the file that contains the certificate that identifies the user when unlocked by a password. The ID file is supposed to be stored locally. You can not store the ID file in each user’s My Documents folder, because Lotus Notes does not recognize the path, which is a logical not physical path. Therefore you can’t actually roam, because you can’t get your ID file. You could keep one central copy on the network, and copy it down to each machine, but when you change password it is changed in the ID file and you would have ID files scattered around with different passwords. You could just store the ID file on the network, although you would have to have a mapped drive, but this is not supported by Lotus. At least, it used not to be supported, with the explanation that the Notes client is not network-aware, but you would have a hard time researching this on the Lotus website. Just try a search and see what I mean.

You may decide that you would like instead to use Outlook as the client for Domino. Lotus make a plug in for this purpose, the Domino Access for Microsoft Outlook (DAMO) client. That’s handy. We could just roll out the DAMO client and have people use their familiar Outlook to connect to Domino. But there’s a problem. You can’t automate the rollout as it is not really a multi-user product. This takes a bit of explaining, but the basic conclusion is that IBM either don’t know or don’t care how to make software run effectively on the Windows platform.

The DAMO client comes as an exe that installs DAMO and sets up the user mail profile. You can’t use this directly as it requires admin rights and would not set up a mail profile for each user when they log on. IBM do not document or publish a Windows Installer msi. However the product clearly is an msi, so you can disassemble it to obtain: the msi; and the separate profile setup routine. In the msi you can select a multi-user option. However this one is not multi-user in the normal sense. It is multi-user in a special IBM-only sense, multiple users sharing the same logon. It is not even the same sense as the Notes client multi-user install. All it does is to put each user’s data directory in a different path. By digging around we find that LAUNCHDFOSETUP=0 will disable setting up the user profile, so if we run the msi with this switch, we could install the product for all users, and then let them set up their profile when they first run it. A few other minor details:

  • For some reason we also need to run ONLYCURRENT=1
  • You can add single sign-on by setting the install level of this feature to 101. It is the opposite way to any other msi, as normally features install if the level is below a figure (say 100). In this case it is above, but now nothing surprises us about IBM.

So we are all set. The user runs the profile setup part after the install and Outlook is set up for them. But it turns out not to work unless they have local administrator rights. That’s odd, as by definition we are carrying out only the user portion of the setup. It turns out that the per-user install writes files to the Program Files directory. That’s OK, we can work around that by changing the rights on that directory only. But it still does not work. We watch it carefully and find that the per-user portion of the setup installs files in the System directory, where we can not give users rights, and makes numerous registry per-machine entries. So starting with the best intentions and applying a great deal of expertise to an undocumented product, we finally admit defeat. It turns out that running Outlook before you set up the DAMO profile breaks it anyway, so we would have had to send an engineer to the desk for each installation. Basically, IBM have deeply engineered it in such a way that it can not work in a standard corporate environment. How did they come to do that?

Changes in software licensing

This is about software licensing for automated software distribution, and some recent changes in licensing methods. Quick summary: both Microsoft and Adobe are introducing Licensing Servers as the way to control licenses for volume use.

If you wanted to distribute software automatically up to now you generally needed a volume license. A volume license enables you to use the same serial number for more than one installation. Therefore you can provide the serial number with the media to perform an automated installation on more than one computer. For example, with Adobe Photoshop Elements, you add the license number as a parameter in the setup and no user input is required at all. It can be deployed automatically using Group Policy or a software distribution product like SMS or Altiris.

Volume licenses are prone to theft. The license number has to be visible to be used, and can therefore be copied. If the number can be copied it can be stolen. Also, more installations can be made than the license provides. So the system relies on honesty, and using a software inventory system to check how many copies are actually in use.

The next step in license protection is online license checking. The serial number provides a proof of purchase, and you go online to exchange this for a key, a process known as activation. Unfortunately this directly conflicts with automated distribution, and therefore results in a lot of expense and inconvenience for the customer. A few examples:

  • Someone needs to attend the installation to go online and activate the license
  • If you want to reuse the license on another PC you need first to deactivate it
  • If you rebuild a PC without first deactivating the license, you need to correspond with the vendor to cancel the activation and enable reuse. Vendors have opening hours, so if you are in Europe or Asia and you need to re-enable a license from a vendor in the US you are going to have a delay.
  • Some products have a fixed number of installations associated with a serial number, so if you need more you need another serial number, and from that point have to keep track of how many installations have been made with each serial number.

You can imagine that if you have a high staff turnover, or if you run a design studio, you could spend a lot of time administering licenses.

Microsoft products like Windows and Office retail versions use online checking and therefore have these problems. Microsoft up to now effectively have bypassed license checking for corporate customers by giving them an activation number that is not exclusive to one computer and not checked online. This means they have the same problem with theft as with a standard volume license.

Adobe operates the same way. For products like Acrobat, Photoshop and Illustrator Adobe provides a volume license with no license checking.

For some reason theft seems to be prevalent in the creative industries which therefore use online checking more extensively. Movie Magic Scheduling from Entertainment Partners shows the problem. Movie Magic requires online activation. You can obtain a volume serial number, but each installation still requires manual activation. If you buy more licenses these can not be added to the same serial number, so you need to keep track of each installation and record which serial number was used. AutoCAD from Autodesk is another one. AutoCAD lite requires activation for each installation and does not have a volume license. This puts up the cost of administering AutoCAD considerably. AutoCAD proper has a volume license, but each installation needs to be activated manually.

Final Draft shows how to do activation properly. Final Draft is the number one script writing tool. Final Draft uses a simple online activation for retail and volume licenses. To work round the inconvenience you can run Final Draft with the CD in the drive, or you can activate it for up to two installations, for use by the same person only. The volume licenses are flexible, and more licenses can be added to the original license number. For automated deployment Final Draft use a network licensing service, KeyServer from Sassafras. This is similar to online activation, but the service runs on your own network and so can be automated. You need to use the KeyServer enabled version of Final Draft. Then you need to set up a KeyServer licensing service on the network, and add your volume license for Final Draft to the KeyServer service. When Final Draft starts, it looks for the KeyServer, and draws down one license. The license is checked each time Final Draft starts. This means that a laptop would have a problem off the network, but KeyServer has a Checkout facility that lets you opt to check a license out for a specified period. This reduces the number of licenses available to other users, but means that you do not need to contact the licensing server until the checkout period expires. KeyServer is an independent product, but the software needs to be KeyServer-enabled to use it, meaning that its license checking is deferred to KeyServer.
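A small model of the network licensing behaviour just described (a pool of volume licenses drawn down on each start, plus a timed checkout that holds a seat for an off-network laptop), as an added example that is not Sassafras or Final Draft code. The pool size, the injectable clock and the host names are assumptions made for the illustration.

```python
import time

DAY = 86400  # seconds; checkout periods are expressed in days


class LicenseServer:
    """Pool of seats entered for one product, in the style of a KeyServer service."""

    def __init__(self, product, seats, clock=time.time):
        self.product = product
        self.seats = seats      # volume licenses added to the service
        self.clock = clock      # clock is injectable so the model can be driven
        self.in_use = {}        # host -> expiry time, or None for a per-start lease

    def _expire(self):
        now = self.clock()
        for host, expiry in list(self.in_use.items()):
            if expiry is not None and expiry <= now:
                del self.in_use[host]  # checkout period is over; seat returns

    def available(self):
        self._expire()
        return self.seats - len(self.in_use)

    def start(self, host):
        """Called each time the application starts: draw down one license."""
        self._expire()
        if host in self.in_use:
            return True
        if self.available() <= 0:
            return False
        self.in_use[host] = None
        return True

    def stop(self, host):
        """Release a per-start lease; a checked-out seat stays held."""
        if host in self.in_use and self.in_use[host] is None:
            del self.in_use[host]

    def checkout(self, host, days):
        """Hold a seat for `days`; it is unavailable to others until it expires."""
        self._expire()
        if host not in self.in_use and self.available() <= 0:
            return False
        self.in_use[host] = self.clock() + days * DAY
        return True


class Client:
    """A KeyServer-enabled application: its own license check defers to the server."""

    def __init__(self, host, server):
        self.host, self.server = host, server
        self.checkout_until = None

    def launch(self, on_network=True):
        now = self.server.clock()
        if self.checkout_until is not None and now < self.checkout_until:
            return True  # no contact with the server needed until checkout expires
        if not on_network:
            return False  # off the network with no valid checkout: cannot run
        return self.server.start(self.host)

    def quit(self):
        self.server.stop(self.host)

    def checkout(self, days):
        if self.server.checkout(self.host, days):
            self.checkout_until = self.server.clock() + days * DAY
            return True
        return False
```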

The network licensing server is the way to go to combine license checking with ease of deployment. Microsoft already does this with client licenses, for example for Terminal Services. Your licenses need to be entered into a Terminal Services Licensing Server, and the client contacts the licensing server to see if it is allowed to run. This makes the licensing server a key part of the infrastructure. If the terminal services licensing server can not be contacted, the client will not run.

Now Microsoft and Adobe are adopting the licensing server approach more widely. Windows Vista volume versions will require activation from a network licensing service, the Key Management Service (KMS). Adobe products starting with Acrobat are going to use the new Adobe License Manager service. There is a really interesting background to this.

A product called FlexLM has provided a popular network licensing service for a while, like Sassafras KeyServer but predominantly for Unix and Mac products. AutoCAD have a version using FlexLM for network licensing. FlexLM was originally developed by Globetrotter, and later marketed by Highland Software. Then it was acquired in 2000 by Macrovision, and renamed FlexNet. Macrovision started by creating copy protection for videos and DVD’s. Macrovision also acquired Installshield, the leading developer of software installer or packaging tools, in 2004. So now Macrovision own both the leading software packager and the leading software licensing service. Adobe products use Installshield for their installers, and now Adobe volume products will be activated by FlexNet technology rebadged as the Adobe License Manager (ALM) service.

This is great news for Adobe licensing as it makes it much easier to automate. However it raises a question: how many different licensing services will you need to operate, how will you operate them and would it not be easier if there was only one? The new standard for software management, ISO 19770-1, defines the process for managing licenses, but not a method. The proposed new standard, ISO 19700-2 defines a new method called a TAG, that has a unique ID for each software instance, but the standard is not expected to be agreed before 2010, which means we are likely to have multiple methods until at least then. However if other vendors choose FlexNet, we could have a standard licensing server on the network before then.

Licensing servers are easy to set up, although you need to be familiar with how each one works. For example, you need to know that the Microsoft Terminal Services Licensing Service in Enterprise mode (as opposed to Domain mode) does not work across the enterprise as you might expect but only across all domains on one site. You need to provide redundancy in case a licensing server fails, and you need to provide one per site in case a site link fails. I see an opportunity to provide a licensing server appliance in a device like a router box, able to run all the different licensing services you will require on the network.

Integration

We want everything to be integrated. Who would not? It usually sounds as though it should not be too difficult. But often it is rather more complex than it seems.

An example: user profiles. Telligent make an excellent collaboration platform for forums and blogs called Community Server. It is simple to set up and use, inexpensive and runs on Windows. Community Server comes with an optional Active Directory (AD) authentication module. That’s alright then. We can implement it inside an organisation and have people use their normal Windows account. Except they can’t, entirely.

The Community Server AD authentication module does not actually defer to Windows for account management. It still creates an account in its own database, but it marks it as a Windows account and lets Windows tell it whether the logon is valid or not. This works fine when you log directly onto Community Server. But if you try to connect to Community Server with an editor to upload content the authentication will fail. You would need to know the random password stored in the database for the parallel account.

Also, you would like the user details in Community Server to be the same as the user details in Active Directory. For example, details like e-mail address, phone number, title. But in fact the two accounts are entirely separate. Details you have in AD do not show up in the Community Server profile, even though you are using the AD authentication module. And if you change your password in Community Server it does not change in AD.

This is not in any way a criticism of Community Server. The AD authentication module does what it says, in allowing the user logon to be authenticated against an AD account. But it does not provide an integrated Windows service. To do that, CS would need to be built to use the standard Lightweight Directory Access Protocol (LDAP), connecting to a compatible LDAP directory for all its account details and providing an LDAP interface to manage the account. Then you could use Windows, or other LDAP compliant systems, for your integrated accounts.
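As an added illustration of the shadow-account problem described above (a constructed Python model, not Community Server's code; the FakeDirectory, ShadowAccountStore and DelegatingStore names are made up for the example), the first store defers only the web logon to the directory and keeps a parallel local account with a random password, so a client that authenticates through any other path fails and a password change never reaches the directory; the second store delegates every path and reads the profile from the directory instead of copying it:

```python
"""Two ways a web application can 'integrate' with a directory.

Constructed example: FakeDirectory stands in for Active Directory, and the
two stores contrast a shadow-account design with full delegation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict


class FakeDirectory:
    """Stand-in for AD: the only place the user's real password and profile live."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def add_user(self, name: str, password: str, **profile: str) -> None:
        self._users[name] = {"password": password, **profile}

    def authenticate(self, name: str, password: str) -> bool:
        user = self._users.get(name)
        # compare_digest avoids a timing side channel; passwords here are ASCII.
        return user is not None and secrets.compare_digest(user["password"], password)

    def profile(self, name: str) -> dict:
        return {k: v for k, v in self._users[name].items() if k != "password"}


@dataclass
class ShadowAccount:
    """Local row the shadow-account design creates on first web logon."""
    is_windows: bool
    local_password: str
    profile: dict = field(default_factory=dict)


class ShadowAccountStore:
    """Web logon is checked against the directory, but a parallel local
    account with a random password is created, and the API path used by
    editors only checks that local password."""

    def __init__(self, directory: FakeDirectory) -> None:
        self.directory = directory
        self.accounts: Dict[str, ShadowAccount] = {}

    def web_login(self, name: str, password: str) -> bool:
        if not self.directory.authenticate(name, password):
            return False
        # Parallel account, marked as a Windows account, with a password nobody knows.
        self.accounts.setdefault(
            name, ShadowAccount(is_windows=True, local_password=secrets.token_urlsafe(16)))
        return True

    def api_login(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        return acct is not None and secrets.compare_digest(acct.local_password, password)

    def change_password(self, name: str, new_password: str) -> None:
        # Only the parallel account changes; the directory never hears about it.
        self.accounts[name].local_password = new_password

    def profile(self, name: str) -> dict:
        return self.accounts[name].profile  # empty: never copied from the directory


class DelegatingStore:
    """Every logon path validates against the directory, and profile data is
    read from the directory rather than duplicated."""

    def __init__(self, directory: FakeDirectory) -> None:
        self.directory = directory

    def web_login(self, name: str, password: str) -> bool:
        return self.directory.authenticate(name, password)

    api_login = web_login  # same check, whatever client is connecting

    def profile(self, name: str) -> dict:
        return self.directory.profile(name)
```

The point to take from it is that the directory should be the only credential store; once a second one exists, even one the application marks as a Windows account, every path that consults the wrong store breaks silently and the two profiles drift apart.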

A product like Confluence from Atlassian, for enterprise wikis, also has an LDAP module for AD integration. This handles the user account and group memberships. But they also have not yet implemented a common user profile, so contact details in Confluence will still be different from AD.

To make web services like these work more easily for the user we use another product, EmpowerID from The Dot Net Factory. EmpowerID has components that enable the user to manage their password and profile on the web. The nice thing about these components is that they can integrate into other web services. For example, if your logon fails, the web site will bring up the MyPassword component for password recovery. In our view this kind of integration makes the services much more usable.

Energy consumption

The key constraint in data centers now is not rack space but power supply. Manufacturers have increased server density over the past few years by producing physically smaller servers. The smallest, a Blade server, stands upright in a chassis containing up to 8 Blades. But it is all for nothing. Smaller servers still use a lot of power and produce a lot of heat, so there is a limit to how many you can fit in one place, regardless of the rack density. You may well see a rack containing only one blade chassis. At that point the effort to reduce server size is redundant. It may as well be a full size server with more space and more airflow.

As the processing power of servers has increased, so has the energy consumption. It is close to a linear relationship. We are familiar with the heat and battery life problem from laptops. But the more fundamental problem is that computers are using more power, and power is becoming the constraining factor in computing capacity. It is a constraint because of cost, cooling capacity and standby generation capacity.

Here is a table of a small selection of HP Compaq servers over the past few years:

Model      Year   BTU    Power (W)
1850R      1995   1010   225
DL380      2000   1475   275
DL380 G5   2006   4150   1000

The newer server is doing more work, and is possibly a little more energy efficient. But whereas you might not notice a 200W power consumption, a 1kW consumption is like having a small electric heater running. Imagine if your office contained several electric heaters running summer and winter. And as you need air-conditioning to reduce the temperature, your overall power consumption is even larger.


What should we do?

  1. Add energy costs into any cost-benefit that involves buying computers: the power consumed and the power for cooling.
  2. Increase the output per unit of computing capacity, by consolidating applications onto fewer servers. The traditional and simple way to run applications has been to give each major application a dedicated server. This has some real advantages, for example when downtime is required. Also, like town traffic, a lot of computing wants resources at the same time and it is difficult to work out what can share with what. Even if you could work it out, some vendors make software that is unintentionally incapable of sharing a server because of conflicts. The answer to this is Virtualization. Several virtual servers can run independently on one larger physical server. The virtual servers can be allocated resources based on usage, and can be moved between physical servers if required. This is the best way to make use of capacity, and hence power consumption.
  3. Don’t bother to switch PCs off at night. They use hardly any power on standby. The HP DC7700 uses around 3W on standby. Monitors use almost none. At night they are carrying out background tasks like backup, virus scanning and updating. You can switch the PC off if you want, but you would save more by switching off all the lights.
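To make step 1 concrete, here is an added Python example (not from the page's author or from HP) that costs the servers in the table above over a year including the power the air-conditioning needs to remove their heat, and carries the same arithmetic through steps 2 and 3; the electricity price, the 50% cooling overhead, the 12 hours a night and the server sizes in the consolidation comparison are assumptions, only the wattages come from the table:

```python
"""Annual energy cost of a server, including the power needed to cool it.

Added example using the power figures from the table above; price, running
hours and cooling overhead are assumptions, not page figures.
"""
from dataclasses import dataclass
from typing import List, Tuple

HOURS_PER_YEAR = 24 * 365          # servers run round the clock
BTU_PER_HOUR_PER_WATT = 3.412      # 1 W dissipated continuously = 3.412 BTU/hr


@dataclass(frozen=True)
class Server:
    model: str
    year: int
    btu: int        # heat column from the table, as listed
    power_w: int    # power column from the table, in watts


# The three servers from the table above.
SERVERS: List[Server] = [
    Server("1850R", 1995, 1010, 225),
    Server("DL380", 2000, 1475, 275),
    Server("DL380 G5", 2006, 4150, 1000),
]


def btu_per_hour(watts: float) -> float:
    """Heat the air-conditioning must remove for a given electrical load."""
    return watts * BTU_PER_HOUR_PER_WATT


def annual_kwh(watts: float, hours: int = HOURS_PER_YEAR) -> float:
    return watts * hours / 1000.0


def annual_cost(watts: float, price_per_kwh: float, cooling_overhead: float = 0.5) -> float:
    """Running cost plus cooling. cooling_overhead is the extra fraction of
    server power the air-conditioning draws (assumed 0.5: every 2 W of IT
    load costs a further 1 W to cool)."""
    return annual_kwh(watts) * (1.0 + cooling_overhead) * price_per_kwh


def fleet_cost(servers: List[Server], price_per_kwh: float) -> List[Tuple[str, float]]:
    """Step 1: the line item to add to a cost-benefit, per model."""
    return [(s.model, round(annual_cost(s.power_w, price_per_kwh), 2)) for s in servers]


def consolidation(app_server_w: float, n_apps: int, host_w: float,
                  price_per_kwh: float) -> Tuple[float, float]:
    """Step 2: n dedicated application servers versus one virtualisation host
    carrying all n as virtual servers. Returns (cost before, cost after)."""
    before = n_apps * annual_cost(app_server_w, price_per_kwh)
    after = annual_cost(host_w, price_per_kwh)
    return round(before, 2), round(after, 2)


def overnight_switch_off_kwh(n_pcs: int, standby_w: float = 3.0,
                             hours_off_per_night: float = 12, nights: int = 365) -> float:
    """Step 3: energy saved per year by powering PCs fully off instead of
    leaving them on standby at the 3 W quoted above."""
    return n_pcs * standby_w * hours_off_per_night * nights / 1000.0


if __name__ == "__main__":
    price = 0.10  # assumed £ per kWh
    for model, cost in fleet_cost(SERVERS, price):
        print(f"{model:10s} £{cost:8.2f} per year including cooling")
    print("5 x DL380 -> 1 x DL380 G5 host (before, after):", consolidation(275, 5, 1000, price))
    print("100 PCs off 12h/night saves", overnight_switch_off_kwh(100), "kWh a year")
```

Run as a script it prints the yearly cost of each model; the consolidation line shows the comparison only holds if the host really does replace several boxes, and the last line puts the standby figure into kilowatt-hours so it can be set against the lighting bill.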

 

Software as Appliance

Some products, like firewalls, have been sold as appliances for a long time. It made sense to sell one product combining hardware and software as the firewall needs a specially secure configuration of the operating system. However more and more software products are now being sold as appliances. Here are a few recent ones:

The benefit to you is that you don’t need IT staff to set them up. You don’t need to configure hardware, install system software, and then install the application. The benefit to the vendor is that it is far easier to support. They don’t have to test and support lots of different configurations of the system software or hardware. Licensing is easy to control. They can configure the database, the website and any other secondary software.

Most of these products run on Open Source operating systems. Open Source operating systems are great, but they require a degree of skill to support and they are all different. It is hard to run commercial systems reliably on a wide variety of open source operating systems. Appliances provide a solution to this. Appliances remove a lot of the people costs associated with new projects.

But appliances are also a compromise. The vendor does not need to control what size or type of hardware you choose to use, but he has to. He adds no value in this. The problem is that if you buy appliances you can end up with lots of underused boxes. Regular software allows you flexibility in how to deploy, scale and re-use. It allows you to vary and integrate in ways the vendor may not have planned.

A new variation in software delivery is the Virtual Appliance. This is a complete software implementation running as a virtual server installed on a physical host server. This is the way of the future. You need to set up and support one large physical server running something like VMWare ESX Server. This runs a very small operating system, just sufficient to control the virtual servers and give them access to the physical hardware. In the ESX Server you install and run the virtual appliance servers. Each virtual appliance server is self-contained. It runs its own system software, with all the benefits of the real appliance. However you can scale the hardware resources available to it up or down depending on how much it is used. If you end up not using it much, or replacing it, the physical hardware is completely re-usable. If you need to expand it, you don’t replace it, just scale up the hardware. Here’s a diagram from VMWare:

The virtual appliances are easy to create. In effect the software vendor installs and configures his system once on a virtual server, and then clones it out to customers. If the vendor can produce an appliance, he can produce a virtual appliance. If he does not offer an appliance, he may be able to install and configure the application within a self-contained virtual server, and so insulate you from the system software he is using. He can then support it fully, just like a physical appliance. It opens the door to a whole array of applications that run on Open Source.

 

Storage costs

Disk storage is cheap. It really is very cheap. It’s so cheap it is not even worth sorting your data to delete stuff you don’t want any more. So that’s what most people do, just letting the old data build up. The trouble is, once you accept that you can’t afford to lose it, it starts to become really quite expensive.

Let’s say we store 160 gigabytes of data on a standard Serial ATA disk, the type that comes in any PC. That will cost around £55 or less, say around £0.35 a GB. But SATA disks are low cost and not intended for hard work in a server. A 300GB SCSI or SAS drive for a server will cost more like £400 or around £1.35 a GB, four times as much (these figures are just approximate and vary greatly for corporate buying, but the ratio and the principle remains the same).

If you could just keep adding disks then this would still be cheap. But of course you need something to read the disks with. If you fully cost the storage in a PC you might end up at around £1.20 a GB.

But this storage is not really suitable for sharing; a bit hard to manage as it is scattered all over the place; and vulnerable to hardware failure or theft. So you need a server to manage the storage.

With shared storage you need to use a RAID array in case an individual disk fails. You also need the operating system on one set of disks and the data on another. You need a reasonable server to put it all in, a rack to put the server in, an Uninterruptible Power Supply in case the mains fail. This will cost around £4.25 a GB.

So adding cheap extra hard disk space to a PC you already own costs you £0.35. But fully costed storage on a server costs you £4.25, 12 times as much. And we have not even backed it up yet. Or paid the staff to set it up.

Business storage is still relatively expensive and you can’t afford to waste it on data you don’t really need. On the other hand you can’t afford the time and effort to go through it all.

Archiving unused data is the solution to preserving data without paying for expensive storage. A good storage management system will sift through the data and park the less used data onto a cheaper form of storage. In a small company with one server you could put the data onto a PC with large disks. In a larger company you could have one server with a very large array of cheaper disks for the archive. The software can identify data that has not changed in the last six months, and move it to different storage with read-only access. One backup can be made, and not made again as the data cannot change. Any data that needs to be changed can be retrieved and put back on the expensive storage. In another six months you make another archive and back it up once.

If half of your data is unused in the last six months, and if the archive storage costs around a quarter as much as the normal, then you will reduce your storage costs by nearly 40%. That’s not bad for a day’s work.
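As an added Python example (not the page's own, nor any particular storage management product), here is the six-month archiving rule and the cost arithmetic from the two paragraphs above applied to a constructed set of file records; the file names, sizes and dates are made up, the £4.25 a GB is the page's figure, and the archive tier is assumed to cost a quarter of that:

```python
"""Six-month archiving rule and blended storage cost.

Added example: the file records are constructed; the £4.25/GB server figure
is the page's, the archive tier price is an assumption (a quarter of it).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

SERVER_COST_PER_GB = 4.25                      # fully costed shared server storage
ARCHIVE_COST_PER_GB = SERVER_COST_PER_GB / 4   # assumed: archive tier at a quarter
ARCHIVE_AFTER = timedelta(days=182)            # "not changed in the last six months"


@dataclass(frozen=True)
class FileRecord:
    path: str
    size_gb: float
    modified: datetime


# Constructed sample of a small company's file server.
SAMPLE_FILES: List[FileRecord] = [
    FileRecord("/data/finance/2006-accounts.xls", 40.0, datetime(2006, 9, 30)),
    FileRecord("/data/sales/pipeline.xls", 10.0, datetime(2007, 5, 20)),
    FileRecord("/data/projects/old-cad", 50.0, datetime(2006, 1, 15)),
    FileRecord("/data/hr/policies.doc", 20.0, datetime(2007, 3, 1)),
    FileRecord("/data/marketing/brochure.pdf", 30.0, datetime(2006, 11, 30)),
]
AS_OF = datetime(2007, 6, 1)                       # date the archive run happens
CYCLE_DATES = [datetime(2006, 12, 1), AS_OF]       # two six-monthly runs


def partition(files: Iterable[FileRecord], now: datetime,
              threshold: timedelta = ARCHIVE_AFTER) -> Tuple[List[FileRecord], List[FileRecord]]:
    """Split files into those that stay on the expensive storage and those
    the rule moves to the read-only archive tier."""
    keep, archive = [], []
    for f in files:
        # A file modified after `now` (not yet created at that date) is kept.
        (archive if now - f.modified >= threshold else keep).append(f)
    return keep, archive


def total_gb(files: Iterable[FileRecord]) -> float:
    return sum(f.size_gb for f in files)


def storage_cost(files: List[FileRecord], now: datetime) -> Tuple[float, float]:
    """(cost with everything on server storage, cost after archiving)."""
    keep, archive = partition(files, now)
    before = total_gb(files) * SERVER_COST_PER_GB
    after = total_gb(keep) * SERVER_COST_PER_GB + total_gb(archive) * ARCHIVE_COST_PER_GB
    return before, after


def archive_cycles(files: List[FileRecord], cycle_dates: List[datetime]) -> List[float]:
    """Run the archive at each date. Each file is moved, and therefore backed
    up, once: at the first cycle where it has been idle for the threshold.
    Returns the GB newly archived (the backup volume) per cycle."""
    already = set()
    volumes = []
    for when in cycle_dates:
        _, candidates = partition(files, when)
        new = [f for f in candidates if f.path not in already]
        already.update(f.path for f in new)
        volumes.append(total_gb(new))
    return volumes


def saving_fraction(unused_fraction: float, archive_price_ratio: float) -> float:
    """The rule of thumb above: half the data unused and the archive at a
    quarter of the price gives 1 - (0.5 + 0.5 * 0.25) = 0.375, 'nearly 40%'."""
    return 1.0 - ((1.0 - unused_fraction) + unused_fraction * archive_price_ratio)


if __name__ == "__main__":
    before, after = storage_cost(SAMPLE_FILES, AS_OF)
    print(f"£{before:.2f} -> £{after:.2f} ({1 - after / before:.0%} saving)")
    print("backup volume per cycle (GB):", archive_cycles(SAMPLE_FILES, CYCLE_DATES))
```

The sample deliberately includes a file idle for 183 days, one day over the threshold, to show that the rule is a hard cut-off; the backup-once behaviour falls out of tracking which paths have already been moved, so the second run only backs up what is newly archived.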