Spotlight on SMB Storage

Storage is a hard nut to crack. For businesses, storage is difficult because it often carries a big price tag for what appear to be nebulous gains. Most executives understand the need to “store” things, and to store more of them, but they understand very little about performance, access methods, redundancy and risk calculations, backup and disaster recovery. This makes the job of IT difficult because we must explain to business stakeholders why budgets often need to be extremely large for what appears to be an invisible system.

For IT, storage is difficult because storage systems are complex – often the single most complex system within an SMB – and, due to their expense and centralization, they exist in very small quantities within a business. This means that most SMBs, if they have any storage systems at all, have only one and keep it for a very long time. This lack of broad exposure, combined with the relatively infrequent need to interact with storage systems, leaves SMB IT departments dealing with a large budget item of incredible criticality to the business that makes up only a small percentage of their task range and with which, by the very nature of the beast, they have very little hands-on experience. Other areas of IT are far more accessible for experimentation, testing and education.

Between these two major challenges we are left with a product that is poorly understood, in general, by both management and IT. Storage is so misunderstood that IT departments are often not even aware of what they need and end up doing little more than throwing darts at the storage dart board and starting from wherever the darts land – frequently by calling vendors rather than consultants, which leads them down a path of “decision already made” while they only appear to be getting advice.

Storage vendors, knowing all of this, do little to aid the situation. Once contact between an SMB and a vendor is made, it is in the vendor’s best interest not to educate the customer: the customer already made the decision to approach that vendor before having the necessary information at hand, so the vendor simply wants to sell whatever they have available. Seldom does a single storage vendor offer a wide range of products in their own lines, so going directly to a vendor before knowing exactly what is needed goes much, much farther towards the customer having effectively already decided what to buy than it does in other arenas of technology, and this can cause costs to be off by orders of magnitude compared to what is actually needed.

Example: Most server vendors offer a wide array of servers, from the x64 family to large scale RISC machines and other niche products. Most storage vendors, by contrast, offer a small subset of storage products – only SAN, or only NAS, or only “mainframe” class storage, or only small, non-replicated storage, and so on. Only a very few vendors have a wide enough assortment of storage products to meet most needs, and even the best of these lack full market coverage spanning the smaller SMB market as well as the mid-market and the enterprise.

So where do we go from here?  Clearly this is a serious challenge to overcome.

The obvious option, and one that shops should not rule out, is turning to a storage consultant – someone who is not reselling a solution or, at the very least, is not reselling a single solution but has a complete solution set from which to choose, and who is able to provide a low cost, $1,000 solution as well as a $1,000,000 solution – someone who understands NAS, SAN, scale-out storage, replication, failover and so on. When going to your consultant, do not presume that you know what your costs will be – there are many, many factors, and by considering them carefully you may be able to spend far less than you had anticipated. But do have budgets in mind, risk aversion well documented, costs of downtime estimated and a very complete set of anticipated storage use case scenarios.

But turning to a consultant is certainly not the only path.  Doing your own research, learning the basics and following a structured decision making process can get you, if not to the right solution, at least a good way down the right path.  There are four major considerations when looking at storage: function (how storage is used and accessed), capacity, speed and reliability.

The first factor, function, is the most overlooked and the least understood. In fact, even though it is the most basic of concerns, it is often simply swept under the carpet and forgotten. We can address it by asking ourselves “Why are we purchasing storage?”

Let us address this systematically. There are many reasons that we might be buying storage. Here are a few popular ones: to lower costs compared with keeping large amounts of storage locally on individual servers or desktops, to centralize the management of data, to increase performance and to make data more available in the case of system failure.

Knowing which of these factors – or another factor not listed here – is driving you towards shared storage is important, as it will provide a starting point in your decision making process. Until we know why we need shared storage we will be unable to look at the function of that storage, which, as we know already, is the most fundamental decision making factor. If you cannot determine the function of the storage then it is safe to assume that shared storage is not needed at all. Do not be afraid to make this decision; the vast majority of small businesses have little or no need for shared storage.

Once we determine the function of our shared storage we can, relatively easily, determine capacity and performance needs. Capacity is the easiest and most obvious of these factors. Performance, or speed, is easy to state and explain but much more difficult to quantify, as IOPS are at best a nebulous concept and at worst completely misunderstood. IOPS come in different flavours, and there are concerns around random access, sequential access, burst speeds, latency and sustained rates – and then come the differences between reading and writing! It is difficult even to determine the needed performance, let alone the expected performance of a device. But with careful research this is achievable and measurable.
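As a rough illustration of the kind of arithmetic involved, the sketch below (in Python, with every figure an assumption chosen purely for illustration) turns an assumed virtualization workload and the commonly cited RAID write penalties into a ballpark back-end IOPS requirement and spindle count. Real numbers should come from measuring your own workload rather than from estimates like these.

# Back-of-the-envelope IOPS estimate for a proposed storage purchase.
# All numbers are illustrative assumptions -- measure the real workload
# (iostat, perfmon, etc.) before trusting figures like these.

def required_backend_iops(frontend_iops, read_pct, raid_write_penalty):
    """Translate host-visible (front-end) IOPS into the IOPS the disks
    themselves must deliver, accounting for the RAID write penalty."""
    reads = frontend_iops * read_pct
    writes = frontend_iops * (1 - read_pct)
    return reads + writes * raid_write_penalty

# Assumed workload: 20 light server VMs at roughly 30 IOPS each, 70% reads.
workload_iops = 20 * 30
for raid_level, penalty in {"RAID 10": 2, "RAID 6": 6}.items():
    backend = required_backend_iops(workload_iops, 0.7, penalty)
    drives = backend / 140   # assume ~140 random IOPS per 10k SAS drive
    print(f"{raid_level}: ~{backend:.0f} back-end IOPS, about {drives:.1f} spindles")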

Our final factor is reliability. This, like functionality, seems to be a recurring stumbling point for IT professionals looking to move into shared storage. It is important, nay, absolutely critical, to keep in mind that a storage device is “just another server” and that the concepts of redundancy and reliability that apply to normal servers apply equally to dedicated shared storage systems. In nearly all cases, enterprise storage systems are built on enterprise servers – same chassis, same drives, same components. What is often confusing is that even SMBs will look to mid or high end storage systems to support much lower end servers, which can make storage systems appear mystical in the same way that big iron servers may appear to someone used only to commodity server hardware. But do not be misled: the same principles of reliability apply, and you will need to gauge risk exactly as you always have (or should have) to determine what equipment is right for you.

Taking the time to assess, research and understand storage needs is very important, as your storage system will likely remain a backbone component of your network for a very long time due to its extremely high cost and the complexity of replacing it. Unlike the latest version of Microsoft Office, a new shared storage system has no direct impact on an executive’s desktop and so lacks the flash necessary to drive “feature updates” as well.

Now that we have our options in front of us we can begin to look at real products.  Based on our functionality research we now should be able to determine if we are in need of SAN, NAS or neither.  In many cases – far more than people realize – neither is the correct choice.  Often adding drives to existing servers or attaching a DAS drive chassis where needed is more cost effective and reliable than doing something more complex.  This should not be overlooked.  In fact, if DAS will suit the need at hand it would be rare that something else would make sense at all.  Simplicity is the IT manager’s friend.

There are plenty of times when DAS will not meet the current need. Shared storage certainly has its place, even if only to share files between desktop users. With today’s modern virtualization systems shared storage is becoming increasingly popular – although even there DAS is too often avoided when it would suit the existing needs well.

With rare exception, when shared storage is needed NAS is the place to turn. NAS stands for Network Attached Storage. NAS mimics the behaviour of a file server (NAS is simply a file server packaged as an appliance), making it easy to manage and easy to understand. NAS tends to be very multi-purpose, replacing traditional file servers and often serving as the shared backing store for virtualization. NAS is typified by the NFS and CIFS protocols, but it is not uncommon to see HTTP, FTP, SFTP, AFS and others available on NAS devices as well. NAS works well as a connector, allowing Windows and UNIX systems to share files easily with each other while each needs to work only with its own native protocols. NAS is commonly used as the shared storage for VMware vSphere, Citrix XenServer, Xen and KVM. With NAS it is easy to use your shared storage in many different roles and easy to get good utilization from your shared storage system.

NAS does not always meet our needs. Some special applications still need shared storage but cannot utilize NAS protocols. The most notable products affected by this are Microsoft’s Hyper-V, databases and server clusters. The answer for these products is SAN. SAN, or Storage Area Network, is a difficult concept and even at the best of times is difficult to categorize. Just as NAS is simply a different way of presenting a traditional file server, SAN is truly just a different way of presenting direct attached disks. While the differences between SAN and DAS might seem obvious, actually differentiating between them is nebulous at best and impossible at worst. SAN and DAS typically share protocols, chassis, limitations and media. Many SAN devices can be attached and used as DAS, and most DAS devices can be attached to a switch and used as SAN. In reality we typically use the terms to refer to the usage scenario more than anything else.

SAN is difficult to utilize effectively for many reasons. The first is that it is poorly understood. SAN is actually simple – so simple that it is very difficult to grasp, which makes it surprisingly complex. SAN is effectively just DAS that is abstracted, re-partitioned and presented back out to hosts as DAS again. The term “shared storage” is confusing because while SAN technology, like NAS, can allow multiple hosts to attach to a single storage system, it does not provide any form of mediation between hosts attached to the same filesystem. NAS is intelligent and handles this, making it easy to “share” shared storage. SAN does not; it is too simple. What in effect happens with SAN is that a single hard drive (abstracted as it may be) is wired into controllers on multiple hosts. Back when shared storage meant attaching two servers to a single SCSI cable this was easy to envision. Today, with SAN’s abstractions and the commonality of NAS, most IT shops will forget what SAN is doing and disaster can strike.
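The difference is easy to see from the host’s point of view. The short Python sketch below, using purely hypothetical device and mount paths, shows what each technology actually hands to the operating system: a NAS export is just a mounted filesystem that the appliance arbitrates, while a SAN LUN is a raw block device with no files and no arbitration at all.

# Illustration only -- the paths below are hypothetical examples.

# NAS: the appliance exports a filesystem (NFS or CIFS) and mediates access,
# so multiple hosts can safely work in the same share with ordinary file I/O.
with open("/mnt/nas_share/report.txt", "w") as f:
    f.write("hello from host A\n")

# SAN: the array exports a LUN, which the host sees as a local disk -- just
# numbered blocks. If a second host writes to the same LUN without a
# cluster-aware filesystem, the data will simply be corrupted.
with open("/dev/sdb", "rb") as lun:          # raw block device; requires root
    first_sector = lun.read(512)             # the first 512-byte sector, as bytes
print(first_sector[:16])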

SAN has its place, to be sure, but SAN is complex to use and to administer and very limiting. Often it is very expensive as well. The rule of thumb with SAN is this: unless you need SAN, use something else. It is that simple. SAN should be avoided until it is the only option, and when it is, it is the right option. It is rarely, if ever, chosen for performance or cost reasons, as it normally underperforms and costs more than the alternatives. But when you are backing Hyper-V or building a database cluster, nothing else is going to be an option for you. For most use cases in an SMB, using SAN effectively will require a NAS to be placed in front of it in order to share out the storage.

NAS makes up the vast majority of shared storage use scenarios.  It is simple, well understood and it is flexible.

Many, if not most, shared storage appliances today will handle both SAN and NAS, and the difference between the two lies in their use, protocols and ideology more than anything. Often the physical devices are similar, if not the same, as are the connection technologies today.

More than anything it is important to have specific goals in mind when looking for shared storage. Write these goals down and look at each technology and product to see how, or whether, it meets them. Do not use knee-jerk decision making or work off of marketing materials or what appears to be market momentum. Start by determining if shared storage is even a need. If so, determine if NAS meets your needs. If not, look to SAN. Storage is a huge investment; take the time to look at alternatives, do lots of research and only after narrowing the field to a few specific, competitive products turn to vendors for final details and pricing.

Apple’s Roadmap for iOS

Guessing at a company’s roadmap is always a dangerous venture.  In the case of Apple today and their iOS family of products, it feels less like predicting a roadmap and more like computing a trajectory.  Apple has some serious, game changing strategy already in motion and seeing where they intend to take it seems pretty reliable.  I know that many industry pundits have covered this ground as it has been a very popular topic as of late, but I wanted to add my own voice and viewpoint to the discussion.

Over the past several years Apple has been making a lot of seemingly disconnected and questionable decisions around their purchases, research and product releases.  Each piece, seen individually, makes little sense to the outside observer.  Taken together, however, we are piecing together a picture of what appears to be grand design and careful planning.

Apple’s fortunes have rapidly shifted from its traditional desktop market (Mac OSX) to its portable device market (iOS). This began, innocuously, with the iPod and slowly grew into the iPhone, the iPad and, most recently, the AppleTV. The AppleTV is the really interesting player here, as this device in its first iteration was based on OSX but in its second iteration became an iOS product. Apple actually morphed a product from one line into the other. Very telling.

The most interesting piece of the iOS puzzle, to me, is the App Store. The App Store seems like little more than a neat way to funnel end user funds into Apple’s ample pockets and, on the surface, it certainly was a huge success in that area. However, the App Store represents far more than a simple attempt at increasing profit margins. No, the App Store has brought a paradigm shift to the way that end users acquire, install and manage applications. This shift is nothing new to the technical world of Linux desktop users, who have long had the simple software acquisition systems that the App Store mimics, but the App Store brings the ease of use of Linux’s package management to the mainstream market and does so with a revenue model that does wonders for Apple at the same time.

The App Store makes the entire process of discovering and acquiring new software nearly painless for Apple’s customers, which encourages those customers to buy more apps, more often. Traditionally computer owners buy software very infrequently. Even with the ease of Internet downloads, the rate at which software is purchased is relatively low due to the complexity caused by differences between download sites, concerns over compatibility, concerns over security and quality, and the need to establish a transactional relationship with the software company to facilitate payment. The App Store solves all of those issues and also makes finding new software much easier, as there is a central repository which can be searched. Because of this, Apple’s customers are purchasing software at an incredible pace.

Apple has many reasons to look more favorably upon its iOS product family than its more traditional products. The old Mac lineup is, in reality, just another PC in a commodity market. While OSX has some interesting features compared to Windows, it is hardly a dramatically differentiated product, and with Linux rapidly cutting into the PC market in the netbook and alternative computing device space there is less and less room for OSX to play in. The iOS devices, running on Apple’s own A4 processor, offer Apple the unique opportunity to engineer their products from the ground up as a completely controlled vertical stack – they control every significant piece of hardware and software, giving them unprecedented control. This control can be leveraged into awesome stability and integration as well as profit, as few outside vendors are looking for their piece of the pie.

A fully integrated hardware and operating system stack also gives Apple’s development partners an opportunity to leverage their skills to the fullest – just as video game console developers know that underpowered consoles will often outperform desktop PCs simply because the developers have an opportunity to really tune the code for that one, stable device. iOS offers this in a different environment. Unlike Android or Windows Phone, iOS offers a highly stable and well known ecosystem for developers to code against, allowing them to leverage more of the platform with less effort.

The iOS devices, being based on a highly efficient operating system and being built on a very low power consumption platform designed for mobility, offer significant “green” advantages over many traditional devices.  This could be Apple’s new niche.  The power user market is all but lost and Apple quietly bowed out of their long-forgotten server market this past January.  This takes Apple to the other side of the spectrum entirely, but one where Apple seems to really understand what is needed and what their market wants.  Rather than being niche, Apple is poised to be a dominant player, and there is no denying that lower power consumption “green” devices will only continue to be important in the future.

In short order, Apple is going to be in a position to control an entire ecosystem spanning mobile computing platforms, mobile telephony, fixed television-attached media devices and, with only minor effort, desktop computing. Desktop computing may seem like an odd place for the iOS system to go, but if we really think about what Apple is developing here, it makes perfect sense. The transition won’t be overnight, but it is sure to come.

The first step of the transition is hard to see, but it involved the AppleTV. The AppleTV 2.0 is an iOS device that is non-mobile, working its way into people’s homes. Currently it is designed to function purely as a media center device, but all of the iOS functionality is there, dormant, waiting for the day when Apple decides to release an app interface and an AppleTV App Store loaded with apps controlled via wireless remote, Bluetooth keyboard or whatever input device Apple decides to provide for the AppleTV. The only things keeping the AppleTV from becoming a full-fledged iOS-based desktop today are the lack of USB ports into which to attach a keyboard and mouse and Apple’s reluctance to provide a desktop environment and App Store for the AppleTV. The foundation is there and ready to be activated.

In reality, we are early on in the iOS lifecycle and while the platform that Apple has chosen is very mature for mobile devices it is extremely underpowered for a desktop experience.  Each generation brings more computing power to the platform, however, and in very short order a desktop based on a later revision Apple processor and iOS may easily exceed the average user’s desktop expectations.  Most home users find their desktops today to be significantly overpowered for their basic needs of email, web browsing, watching Netflix and YouTube, etc.  These are tasks for which many people are switching to their iPads already.  In another generation or two of processors we may see an AppleTV-like device that draws only four or five watts of power able to adequately power the average user’s desktop computing needs.

The second step is the newly added App Store appearing in Mac OSX. The addition of the App Store to the Mac platform means that the beginning of the transition is underway. Incumbent Mac users are now being introduced to the concept of finding software, acquiring it and installing it all through a simple, integrated system, just as iPhone and iPad users have been doing for years now. Had the App Store and all of its costs and limitations been introduced to users and developers on the Mac first, it would likely have been shunned and faded away without real comment. But today the Mac landscape is far different.

The plan, as I see it, with the App Store on the Mac platform is to begin centralizing critical apps for the Mac ecosystem into the App Store. Over the next two to three years this process is likely to see all major apps move in this direction, leaving only smaller, less popular apps to be handled through the traditional purchase and install system. Once a critical mass of apps has been reached and the iOS hardware platform has matured to the point where its speed is adequate for daily desktop computing tasks, Apple will flip the switch and change out the Mac OSX desktop for a new iOS desktop that is either a sister of the AppleTV or, potentially, the AppleTV device itself, encouraging Apple users to see the world of desktop computing and media delivery as one – which is not as unlikely as some might think given how commonly the two are combined on iOS mobile devices today.

An iOS desktop could be very attractive to home users. Many businesses might be willing to jump at the chance to move to well polished, low power consumption devices for their non-power-user staff. Those needing more power might look to use them as little more than thin clients as well. There are many options around such a low cost device – low cost to purchase and low cost to operate. As many companies are already forced to implement iOS management for their existing iPad and iPhone devices, adding iOS desktop devices might be a trivial matter. For the iOS platform, Apple has already conquered many of the hurdles that it faced with Mac OSX, before it has even announced plans to make such a desktop device.

The laptop space, where Apple has a strong foothold today, is possibly the easiest platform to migrate. The iPad is almost a full-fledged laptop today. All Apple needs to do is add a hinge and a keyboard and it would have a device that works like an iPad but looks like the MacBook Air. An easy transition, likely to be heralded by Apple and its users alike.

Apple excels at subversive technology. The iPod and iPhone, and to some extent now the iPad, snuck into the market as media players or phones but emerged as highly mobile computing devices used for all sorts of tasks and spurred on by the success of social media. But they sneakily did one more thing – in only a few years’ time the iPod Touch went from being an MP3 player and email device to being one of the most popular mobile video game platforms, making Nintendo shake and basically removing Sony from the game altogether. No one bought the iPod Touch with the intent of making it their new, primary video game device, but it happened, and the iPod is an excellent video game platform that is only just beginning to see its own potential. The iPad is following close behind. It is not that the iOS platforms are necessarily the best possible mobile video game devices but that they are purchased for other purposes and are “good enough” for most of the gaming population. What the Wii wanted to be for consoles – the device that brought non-gamers into the gaming fold – the iPod truly was for mobile gaming.

The AppleTV is now perfectly poised to do the same thing that the iPod did for mobile gaming for the console market.  As more and more game makers focus on the iOS platform it will become increasingly apparent that the AppleTV, sitting already attached to many television monitors all over the world, is a video game console already purchased and ready to go.  What the Wii did in the last generation for the console the AppleTV is ready to do for the next.  Nintendo already proved that the largest segment of the video gaming market is primarily casual gamers who are not significantly concerned with having the latest, most powerful platform or the best games.

The AppleTV could provide an even less expensive gaming console with more features than the Wii, one that is far more attractive to developers, who can utilize the same resources that they use to make games for all of Apple’s other iOS platforms. Almost overnight, Apple has laid the foundation for a video gaming ecosystem that can rival nearly any in existence today. And, of course, in time the AppleTV platform will get more and more powerful – slowly catching up to the more expensive video game consoles and making it increasingly eligible as a serious platform contender for hard core console gamers.

Apple has a lot of irons in the iOS fire but, if executed correctly, the potential is immense.

It will take a few years for Apple to completely phase out the long-standing Mac family, users will be resistant, if only for nostalgic reasons, and Apple has a few versions of Mac OSX up its sleeve yet, but I believe that the march towards a unified platform under the iOS banner is inevitable. iOS represents the future, not only for Apple but for much of the industry: lower power consumption, ease of use and a minimum of different parts across many different devices. I, for one, am very excited to see what Apple can do with such a tightly integrated ecosystem and believe that Apple has more opportunity to do great things with iOS than it ever did with the Mac platform. This could truly be a dawning of great things for Apple and a paradigm shift for end users.

Do You Really Need Redundancy: The Real Cost of Downtime

Downtime – now that is a word that no one wants to hear. It strikes fear into the hearts of businesses, executives and especially IT staff. Downtime costs money and it causes frustration.

Because downtime triggers an emotional reaction, businesses are often left reacting to it differently than they would to traditional business factors. This emotional approach causes businesses, especially smaller businesses often lacking rational financial controls, to treat downtime as being far worse than it is. It is not uncommon to find that smaller businesses have actually done more financial damage to themselves reacting to a fear of potential downtime than the feared downtime would have inflicted had it actually occurred. This is a dangerous overreaction.

The first step is to determine the cost of downtime. In IT we are often dealing with rather complex systems, and downtime comes in a variety of flavors such as loss of access, loss of performance or a complete loss of a system or systems. Determining every type of downtime and its associated costs can be rather complex, but a high level view is often enough for producing rational budgets or is, at the very least, a good starting point on the path towards understanding the business risks involved with downtime. Keep in mind that just as spending too much to avoid downtime is bad, so is spending too much to calculate the cost of downtime. Don’t spend so much time and so many resources determining whether you will lose money that you would have been better off just losing it. Beware of the high cost of decision making.

We can start by considering only complete system loss. What is the cost of organizational downtime for you – that is, if you had to cease all business for an hour or a day, how much money is lost? In some cases the losses could be dramatic, as in the case of a hospital, where a day of downtime would result in a loss of faith and future customer base and potentially result in lawsuits. But in many cases a day of downtime might have nominal financial impact – many businesses could simply call the day a holiday, let their staff rest and have people work a little harder over the next few days to clear the backlog from the lost day. It all comes down to how your business does and can operate and how well suited you are to mitigating lost time. Many businesses will look only at daily revenue figures to determine lost revenue, but this can be wildly misleading.

Once we have a rough figure for downtime cost we can then consider downtime risk. This is very difficult to assess, as good figures on IT system reliability are nearly non-existent and every organization’s systems are so unique that industry data is very nearly useless. Here we are forced to rely on IT staff to provide an overview of risks and, hopefully, a reliable assessment of the likelihood of each individual risk. For example, in big round numbers, if we had a line of business application that ran on a server with only one hard drive, then we would expect that sometime in the next five to ten years there will be downtime associated with the loss of that drive. If we have that same server with hot swap drives in a mirrored array, then the likelihood of downtime associated with that storage system, even over ten years, is quite small. This does not mean that a drive is unlikely to fail – it is likely – but that the system will probably keep running, unaffected, while redundancy is restored, without end users noticing that anything has happened.
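To see why the mirrored array changes the picture so dramatically, a quick back-of-the-envelope calculation helps. The Python sketch below uses an assumed annual drive failure rate and rebuild window (both numbers are illustrative only, not vendor figures) to compare the chance of a storage outage for a single drive against a hot swap mirrored pair.

# Illustrative only -- the failure rate and rebuild window are assumptions.
annual_drive_failure_rate = 0.05   # assume ~5% chance a given drive fails in a year
rebuild_window_days = 2.0          # assume ~2 days to replace and resilver a failed drive

# Single drive: any drive failure is an outage.
p_outage_single = annual_drive_failure_rate

# Mirrored pair: an outage requires the surviving drive to fail during the
# short window while the failed drive is being replaced and rebuilt.
p_partner_fails_during_rebuild = annual_drive_failure_rate * (rebuild_window_days / 365)
p_outage_mirror = 2 * annual_drive_failure_rate * p_partner_fails_during_rebuild

print(f"Single drive:  ~{p_outage_single:.1%} chance of a storage outage per year")
print(f"Mirrored pair: ~{p_outage_mirror:.4%} chance of a storage outage per year")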

Our last rough estimation tool is to apply applicable business hours. Many businesses do not run 24×7 – some do, of course, but most do not. Is the loss of a line of business application at six in the evening equivalent to the loss of that application at ten in the morning? What about on the weekend? Are people productively using it at three on a Friday afternoon, or would losing it barely cost a thing and make for happy employees getting an extra hour or two on their weekends? Can schedules be shifted in case of a loss near lunch time? These factors, while seemingly trivial, can be significant. If downtime is limited to only two to four hours, then many businesses can mitigate nearly all of the financial impact simply by asking employees to have a little flexibility in their schedules – taking lunch early, or leaving work early one day and working an extra hour the next.

Now that we have these factors – the cost of downtime, the ability to mitigate downtime impact based on duration and the risks of outage events – we can begin to draw a picture of what a downtime event is likely to look like. From this we can begin to derive how much money it would be worth spending to reduce the risk of such an event. For some businesses this number will be extremely high and for others it will be surprisingly low. This exercise can expose a great deal about how a business operates that may not normally be all that visible.
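Pulled together, the arithmetic is straightforward. The sketch below combines the three factors into a single expected annual loss figure; every input is a hypothetical example and should be replaced with your own cost, risk and business-hours estimates before the result is compared against the price of any proposed redundancy.

# All inputs are made-up examples -- substitute your own estimates.
cost_per_business_hour = 2000        # revenue and productivity lost per hour of full outage
expected_outages_per_year = 0.5      # from the risk assessment: roughly one event every two years
expected_hours_per_outage = 6        # typical time to repair or restore
business_hours_fraction = 0.3        # share of the clock during which an outage actually hurts
recoverable_fraction = 0.5           # portion of lost time staff can simply make up later

expected_annual_loss = (cost_per_business_hour
                        * expected_outages_per_year
                        * expected_hours_per_outage
                        * business_hours_fraction
                        * (1 - recoverable_fraction))

print(f"Expected annual downtime loss: ~${expected_annual_loss:,.0f}")
# Compare this figure with the yearly cost of a proposed redundancy project;
# if the project costs several times more, accepting the risk may be the
# rational choice.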

It is important to note at this point that what we are looking at here is a loss of availability of systems, not a loss of data. We are assuming that good backups are being taken and that those backups are not compromised. Redundancy and downtime are topics related to availability loss, not data loss. Data loss scenarios should be treated with equal or greater diligence but are a separate topic. It is a rare business that can survive catastrophic data loss, but it is common for a business to experience, and easily survive, even substantial downtime.

There are multiple ways to stave off downtime. Redundancy is highly visible, treated almost like a buzzword, and so receives a lot of focus, but there are other means as well. Good system design is important: avoiding complexity can heavily reduce downtime simply by removing points of unnecessary risk and fragility. Using quality hardware and software matters too, as redundant low end hardware will often fail as frequently as non-redundant enterprise class hardware. Having a rapid supply chain for replacement parts can be a significant factor, often seen in the form of four hour vendor replacement part response contracts. The list goes on. What we will focus on is redundancy, which is where we are most likely to overspend when faced with the fear of downtime.

Now that we know the cost of failing to have adequate redundancy, we can compare this potential cost against the very real, up front cost of providing that redundancy. Some components, such as hard drives, are highly likely to fail and are relatively easy and cost effective to make redundant – taking a significant risk and trivializing it. These tend to be a first point of focus. But there are many other areas of redundancy to consider, such as power supplies, network hardware, Internet connections and entire systems – the last often made redundant through modern virtualization techniques, which provide avenues for redundancy previously not accessible to many smaller businesses.

New types of redundancy, especially those made available through virtualization, are often a point where businesses will be tempted to overspend, perhaps dramatically, compared to the risks of downtime. Worse yet, in the drive to acquire the latest fads in redundancy, companies will often implement these techniques incorrectly and actually introduce greater risk and a higher likelihood of downtime than if they had done nothing at all. It is becoming increasingly common to hear of businesses spending tens or even hundreds of thousands of dollars in an attempt to mitigate a downtime monetary loss of only a few thousand dollars – and then failing in that attempt and increasing their risk anyway.

When gauging the cost of mitigation it is critical to remember that mitigation is a guaranteed expense, while the risk is only a possibility. It is much like auto insurance, where you pay a guaranteed small monthly fee in order to fend off a massive, unplanned expense. The theory of risk mitigation is to spend a comparatively small amount of money now in order to reduce the risk of a large expense later, but if the cost of mitigation gets too high then it becomes better to simply accept the risk.

Systems can, of course, be assessed individually. Keeping a web presence and telephone system up and running at all times is far more important than doing the same for an email system, where even hours of downtime are unlikely to be detectable by external clients. Paying only to protect those systems where the cost of downtime is significant is an important strategy.

Do not be surprised if what you discover is that beyond some very basic redundancy (such as mirrored hard drives) that a simple network design with good backups and restore plans and a good hardware support contract is all that is needed for the majority, if not all, of your systems.  By lowering the complexity of your systems you make them naturally more stable and easier to manage – further reducing the cost of your IT infrastructure.

Patching in a Small Environment

In enterprise IT shops, system patching is a complicated process involving large numbers of test systems which mirror production systems, so that each new patch arriving from operating system and software vendors can be tested in a real world environment to see how it interacts with the hardware and software combinations present in the organization. In an ideal world, every shop would have a managed patching process that immediately responded to newly published patches, tested them at once and applied them as soon as each patch was deemed safe and applicable. But the world is not an ideal one, and in real life we have to make do with limited resources: physical, temporal and financial.

Patches are generally released for a few key reasons: security, stability, performance and, occasionally, to supply new features. Except for the addition of new features, which is normally handled through a different release process, patches represent a fix to a known issue. This is not an “if it is not broken, don’t fix it” scenario but an “it is broken and has not completely failed yet” scenario, which demands attention – the sooner the better. Taking a “sit back and wait” approach to patches is unwise, as the existence of a new patch means that malicious hackers have a “fix” to analyze, and even if an exploit did not exist previously, it will very shortly. The release of the patch itself can be the trigger for the immediate need for said patch.

This patch ecosystem creates a need for a “patch quickly” mentality. Patches should never sit; they need to be applied promptly, often as soon as they are released and tested. Waiting to patch can mean running with critical security bugs or keeping systems unnecessarily unreliable.

Small IT shops rarely, if ever, have test environments, whether for servers, networking equipment or even desktops. This is not ideal but, realistically, even if those environments were available, few small shops have the spare IT staff to run those tests in a timely manner.

This is not as bleak as it sounds. The testing done in most shops is largely redundant with the testing already performed by the vendor. Vendors cannot possibly test every hardware and software interaction that could ever occur with their products, but they generally test wide ranges of permutations and look at the areas where interactions are most likely. It is rare for a major vendor to cripple their own software with bad patches. Yes, it does happen, and having good backups and rollback plans is important, but in day to day operations patching is a relatively safe process that is far more important to do promptly than it is to wait for testing opportunities that may or may not occur.

Like any system change, patches are best applied in frequent, small doses. If patches are applied promptly then normally only one or a few patches must be applied at the same time. For operating systems you may still have to deal with multiple patches at once, especially if patching only weekly, but seldom must you patch dozens or hundreds of components at one time when done in this manner. When done like this it is vastly easier to evaluate patches for adverse effects and to roll back if a patch process goes badly.

The worst scenario for a small business lacking a proper patch testing workflow is to wait on patches. Waiting means that systems go without needed care for long periods of time, and when patches are finally applied it is often in large, bulk patch processes. Applying many patches at once increases the chances that something will go wrong and, when it does, identifying which patch or patches are at fault and producing a path to remediation can be much more difficult.

Delayed patching is a process that provides little or no advantage to either IT or the business but carries substantial risk to security, stability and performance. The best practice for patching in a small environment is either to allow systems to patch themselves as quickly as possible or to schedule a regular patching process, perhaps weekly, during a time when the business is best prepared for a patch to fail and for remediation to be handled. Whether you choose to patch automatically or simply to do so regularly through a manual process, patch often and promptly for best results.
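For shops that prefer the scheduled approach, the automation does not need to be elaborate. The Python sketch below is one minimal way it might look on a Debian or Ubuntu style server, run weekly from cron at a low-impact time; the log path is a hypothetical example, and shops on other platforms would swap in their own package manager or Windows Update tooling.

#!/usr/bin/env python3
# Minimal weekly patch run for a Debian/Ubuntu-style server, intended to be
# scheduled from cron at a time when a failed patch can be handled calmly.
import datetime
import subprocess

LOG = "/var/log/weekly-patch.log"   # hypothetical log location

def run(cmd, log):
    """Run a command, append its output to the log and return its exit code."""
    log.write(f"\n$ {' '.join(cmd)}\n")
    result = subprocess.run(cmd, capture_output=True, text=True)
    log.write(result.stdout)
    log.write(result.stderr)
    return result.returncode

with open(LOG, "a") as log:
    log.write(f"\n==== Patch run {datetime.datetime.now().isoformat()} ====\n")
    # Refresh package metadata, then apply all pending updates non-interactively.
    if run(["apt-get", "update"], log) == 0:
        run(["apt-get", "-y", "upgrade"], log)
    # Review the log afterwards so a bad patch is caught while the change is
    # still small and easy to attribute.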
