Virtualization = 'Elegant' Data Security

"Any kind of synch that doesn't occur or any step that gets missed introduces a tremendous risk for failure if there is a disaster."

Editor's note: Disaster readiness (DR) involves securing and safeguarding all corporate assets — employees, principally, but also data, facilities, and equipment. John Humphreys, senior director of Citrix's Virtualization and Management Division in Boston, Mass., said organizations are learning how virtualization can ensure their data centers are safe and remain operational in the event of a disaster. Humphreys discussed how this works in the following June 23, 2009, interview with OH&S Editor Jerry Laws.

OH&S: Please explain how virtualization contributes to managing disaster preparedness and why using it is a smart strategy for companies.

John Humphreys: For the most part, organizations either don't have a DR plan or only have a DR plan that protects what they view as the most important, or mission-critical, assets inside their IT organization. The reason behind that is because to have a secondary site that is an exact replica of your primary site is really costly, time consuming, complex, and difficult to manage. And so, rather than trying to stand up a secondary data center that is a mirror image of your primary data center, a lot of companies just take the risk, and they don't buy any insurance for that hundred-year flood.

I see what you mean.

Humphreys: The big reason, as I said, is the complexity of maintaining that mirror image. Well, virtualization eliminates all of that. It allows you to homogenize a server, so you can't tell whether that VM is running on a Dell with 12 gigabytes of memory and four processors and you moved it to an HP with one gigabyte and one processor. You can do that. That's the kind of flexibility that virtualization provides and brings.

The second thing it provides is mobility. To have an exact replication of a server means you need to have two copies of an application: one on your primary server and one in your secondary site. Well, with virtualization, you only need one. You just take a copy of that VM, which is a file, and replicate that file to the secondary site. Priority site goes down, you just boot up that copy in the secondary site.

So it really is effective if there is a hundred-year flood? You won't lose that secondary site?

Humphreys: The plan is to have that secondary site at a great enough distance. Even disasters — Katrina being the most obvious one — in the grand scheme of things, they tend to be fairly localized. You have that secondary data center 50 miles, 100 miles, maybe even 500 miles away, you're fine. In 99.9 percent of those hundred-year floods, you're now well outside of that impact zone.

Our office is in Dallas. A strong hurricane hit the Houston area last September but did no harm here. Being 250 miles away sometimes is enough.

Humphreys: The same thing with earthquakes. You go 20 miles from San Francisco and you're outside the impact of a major earthquake there, as well. Even with some of the big power outages that you saw along the Eastern Seaboard, if you went 200 miles inland, you were fine. Disasters, when you take that step back, do tend to be localized.

Do some companies not even think about their data centers or IT as they plan for disasters? They'll think of their people, surely, but do they overlook data?

Humphreys: People are recognizing that IT is an important part of keeping a business up and running. If you can't get your critical systems going in a disaster, you're running the risk of a tremendous loss of revenue in terms of continuing to be able to process orders.

Our customers, as supply chains become more and more integrated across industries, they're finding they have to do more in terms of ensuring continuous operation by the person down the stream from them.

If you stop delivering parts to the next person in the supply chain, then they stop making cars, building computers, or whatever it is. That kind of focus — the ability to show ensuring disaster readiness and making sure the supply chain is undisruptable, if I can say that — is really important in today's day and age of just-in-time delivery models.

It brings up the point that if you're a CEO or senior manager, you want to make certain the companies you rely on can withstand emergencies. Would you reach out to them to say, "Is your disaster readiness in good shape, and have you considered virtualization to guarantee it?"

Humphreys: I've seen a lot of those CEOs or risk managers reach out to ask other companies to show the partner community that they're prepared. They haven't gone as far as recommending a specific solution, as yet. They leave that up to the partner, obviously. Those that don't have any plan or need to protect additional parts of their organization look to virtualization as a low-cost way to get that preparedness, instead of having to build out or expand their replicated sites.

Is it a lot lower cost?

Humphreys: About a tenth of the price. If you look at some of these service providers who specialize in disaster recovery and disaster preparedness, they're charging somewhere around $1,000 to $1,500 per server per month. If you're dealing with 50, 60, 70 servers in your data center that you want to protect, you're looking at a hefty monthly bill. And so, if you can do that for even 25 [percent] or half of that cost, that would be a tremendous leap forward.

Part of the reason why they have to spend so much to have that exact replica: Everything you do on your primary site, I have to replicate on my secondary site. It's a very coordinated and orchestrated ballet that must occur between the service provider and the customer. And any kind of synch that doesn't occur or any step that gets missed introduces a tremendous risk for failure if there is a disaster.

As you're describing it, not only would the cost be significant, but also you could never relax in terms of how well you have the systems working together.

Humphreys: As a result, it's an expensive service to purchase. Which means the market doesn't consume it all that much, or they only consume the minimum amount. And if you could reduce the cost tremendously, you increase the opportunity, the potential, tremendously. Why wouldn't you put it in place?

The CFO, CEO, CIOs want more disaster recovery, want to be better protected. Virtualization is a technology that allows the IT administrators not to have to twist their bodies into all sorts of pretzel, contorted situations in order to make it occur, and it doesn't cost an arm and a leg. So it becomes a really elegant way to meet the needs of everyone across the entire organization.

Many of our readers are safety and health managers who have a seat at the table with all of those people. They work with HR people, CFOs, CEOs, and others across their organizations. They're going to ask, "How do I make use of this?" What do you want to tell them about how to put virtualization into use and how to make the case for it inside their organizations?

Humphreys: My suggestion would be just to download a copy of XenServer and try it. I'm a big believer in just experimentation. You can get a copy of this thing for free. Now you have a way to conceptualize an architecture to do disaster recovery and actually implement it on a small scale. Use some data replication tools, ones that most companies already have in their environment, and now you have a solution up and running. If you're already replicating your data to some secondary site, now you just add some servers to that mix, and you're up and running.

Are there case studies on your site to show how companies have done it well?

Humphreys: Yes. There are some drilldowns on using [it] for disaster recovery, some whitepapers.

This article originally appeared in the October 2009 issue of Occupational Health & Safety.
