Issue Archive: July/August 2005

Business Continuity - Where's The Access

I recently stopped at a Jack in the Box drive-through and was pleased to learn that they had a vegetarian burger available that evening. I ordered the sandwich and drove off. It was only later that I discovered that the vegetarian burger was simply a normal hamburger minus the beef patty-in other words, just buns.A much more serious surprise awaits many companies attempting to reestablish business continuity following a disaster.
According to a 2003 survey by EMC/Roper ASW, two-thirds of U.S. business executives believe they would resume normal operations within 24 hours. Their IT executives are only a little less optimistic, putting the figure at three days. The reality is much worse. Meta Group says that most businesses that suffer a catastrophe such as a fire or flood are out of business within two years. This is supported by the National Archives & Records Administration who reports that 93 percent of businesses that lose their data center for 10 days go bankrupt within a year. A study by McGladrey and Pullen shows that 43 percent of companies experiencing disasters never recover. Why the gap in expectations versus reality? The answer has largely to do with access. Without a viable access strategy in place, even sophisticated business continuity plans result in extended periods of downtime. Following the terrorist attacks on the World Trade Center, hundreds of thousands of employees were evacuated from Manhattan for up to a week. While many organizations utilized data center recovery sites to successfully and quickly restore mission-critical applications and data, their employees were unable to work because their loaner PCs did not have the required client software installed and configured. 

Business Discontinuity

Business continuity plans that fail to address the problem of access are grossly deficient. It does not matter how much money and time is spent perfecting a strategy to restore back-end systems if users have no way to access those systems. In a conventional distributed PC architecture, though, it tends to be both complex and expensive to incorporate the access component. Suppose, for example, that following a disaster a company's disaster recovery site successfully deploys the mission- critical Windows-based enterprise resource planning (ERP) application. IT still has the problem of how to give users secure access to the new location, and how to ensure that the data center facility, the network, and all the hardware and integrated software are recovered in a synchronized fashion. If users are not able to physically get to their PCs, then the company faces obstacles similar to the Manhattan companies following 9/11. Many client/server applications require specific client configurations that are not easily duplicated on loaner PCs. And despite common company policies to the contrary, users are prone to keep at least some corporate data on their local drives-meaning that the business continuity plan is ineffective for accessing this data.  The complexity of the access issue further increases when factoring in remote facilities. Remote office personnel frequently feel like second- class citizens when it comes to IT infrastructure. They are more likely to receive equipment hand-me-downs from headquarters, and are less likely to receive upgrades. This diverse set of older equipment can create a problem for IT in establishing business continuity in the event of a serious problem at the local office.  IT may find, for example, that recovering and synchronizing remote office data is difficult when the location equipment is not easily replaced. Tape backups may not be regularly performed or not regularly rotated off-site and, if they are, may still utilize out-of-date software versions. In order to establish a successful business continuity plan, business continuity professionals must designate responsibility at a corporate or regional level for the actual recovery in the field.
They must also identify off-site vendors, manufacturers and telecommunications vendors that can coordinate a recovery scenario to ensure that the right connections are made to the right data center. In many organizations, IT addresses the disaster recovery issues around data access by centralizing the backup of both PCs and of remote office servers. This solution, though, tends to be expensive to implement and maintain, and it fails to address the other access challenges such as connectivity to the backup data center, suitable physical work locations loaner PCs, and the problems of recovering outdated equipment or system parameters.

Business Continuity with Access Infrastructure

Fortunately, the complex business continuity problems around access can be largely resolved with a simple shift in computing paradigms to a centralized architecture. Not only does centralization significantly simplify the business continuity requirements, but  it typically generates more than  enough savings to easily incorporate a sophisticated business continuity plan. Business continuity, in fact, can almost be considered a byproduct of access infrastructure. The concept of running Windows applications in a centralized hosted model was originally referred to as thin- client, although it has both expanded and evolved into an enterprise architecture now known as access infrastructure (AI). The AI market as a whole continues to grow rapidly-at 12 percent, twice the rate of the overall software market-and includes scores of software producers, Windows terminal manufacturers, bandwidth management providers, administration tool suppliers, and many other manufacturers. Under AI, users enjoy secure, seamless access to their software  and centrally-managed data regardless of location, computing device, or the networks that the data must traverse. Very little bandwidth is required  (about 15K - 30K per session) because only screen prints, keyboard strokes, and mouse clicks actually travel  across data lines. Users with a broadband connection at home typically experience the same performance as when directly connected to their organization's high-speed LAN.

Figure 1 shows a simple schematic of an AI architecture. While the diagram shows an active/passive strategy utilizing a disaster recovery center running the same servers as the primary data center, it is just one example of many potential back-end scenarios. The schematic shows both PC-based applications and Web-based applications hosted on central servers utilizing a Microsoft Terminal Server platform. In practice, many users will still run select local applications, but the now virtual desktop is no longer constrained to a specific PC. This "decoupling" of the desktop from the physical PC means that the desktop follows the user around to any location or to any device. As long as they can get to a browser, users securely access their virtual desktop-including applications, data and shortcuts.  Access infrastructure reduces the cost and complexity of business continuity by ensuring and simplifying access to data in a recovery situation. Business continuity professionals no longer need be concerned with how to provide users with access to their own PCs, or to any PC at all. If a headquarters building becomes inaccessible due to a fire, hurricane, or other problem, a user can simply go home, go to an Internet café or even go to an airport kiosk and log on securely to his virtual desktop.  Connectivity limitations are also minimized in the AI environment because the Internet itself becomes the fall- back transport medium in the event of a catastrophe. Utilizing SSL-VPN tunneling enables users to quickly connect to the system without requiring the cumbersome steps of setting  up an IPSEC based VPN. Figure 1 shows the remote offices and employees utilizing the Internet to connect to the disaster recovery site- although, as shown in the diagram, it can also serve as the connectivity medium to the primary data center. AI simplifies remote office recovery because it eliminates the need for servers and supporting infrastructures. These servers are instead consolidated into a much smaller number of servers located in central data centers. Figure 1 shows an example of a remote office utilizing only a switch and a router to connect to the data center. Without requiring local servers that are vulnerable to failure, a remote office is far less likely to suffer downtime. If the office becomes inaccessible due to fire, flooding, etc., the users can continue to access their virtual desktops just as easily from another office, from home or even from an Internet cafe- anywhere they can get to a browser. 

Funding Business Continuity with Access Infrastructure

The great benefit about implementing business continuity as part of an access strategy is that in most cases the process of virtualizing the client pays for the implementation of business continuity and a lot more. The bulk of the savings tend to come from extending the lifecycle and simplifying the administration of PCs and from consolidating the network infrastructures of the remote offices.  Gartner performed a study of 25 organizations running AI (utilizing the Microsoft Terminal platform along with Citrix software) across 25 industries on five continents, and showed an average "hard" savings payback of 7.5 months. Figure 2 shows a typical relative amount of savings that a government agency realized by migrating to AI. Our own studies show that the average organization saves about $700 per user per year by implementing an access
strategy. For most sizable organizations, therefore, a small portion of the savings generated by migrating to access infrastructure will fund a business continuity plan - particularly since the access component is no longer an issue. In fact, business continuity can almost be considered a byproduct of implementing access infrastructure.

Business Continuity As Part of an  Access Strategy

All too often, organizations view business continuity as an isolated project-and an unpopular one at that, given its huge requirements for both staffing and monetary resources. Rigid testing of the efficacy of business continuity implementations
tends to be both time consuming and expensive, undoubtedly helping to account for the low rate of successful sustained recoveries following a catastrophe. Business continuity should be designed as an integral part of an organization's migration to access infrastructure. Planning for access significantly reduces the complexity and cost of implementing a business continuity solution while elevating the probability of its success. Furthermore, its cost is more than offset by the savings generated by migrating to access infrastructure.  Thinking about access at a strategic level enables organizations to benefit from the consolidation, simplification, and standardization that access infrastructure enables. The process of centralization improves security and enhances the user computing experience, thereby improving employee productivity and enabling truly effective business continuity.