Challenging 24/7/365 - Question the Status Quo
Gideon T. Rasmussen - CISSP, CISA, CISM, CFSO, SCSA
readers have responded to a previous article
in which I recommended powering down computer rooms to prepare
for inevitable emergencies. The respondents stated that
they could not power down their systems due to either 24/7/365
or 99.999 percent availability requirements (often referred
to as "the five nines").
full testing one can never be 99.999 percent certain that
systems are prepared for an incident. With this in mind,
users may appreciate a scheduled maintenance window (excluded
from the up time meter). Here are a few points to consider:
the services provided by a computer room require extremely
high availability, then it stands to reason that the computer
room itself should not be a single point of failure.
° Note that system maintenance is critical to meeting uptime
requirements. Paralysis caused by unnecessary restrictions
may ultimately result in downtime.
° High availability solutions are expensive. It is prudent
to know which business processes are being supported.
In the course of routine operations it is difficult to truly
quantify the needs of the user community without conducting
research. To determine actual needs, be sure to document
° A functional description of each application
° Users of the application (e.g., customer service reps, loan
officers, customers, etc.)
° Time periods when users access the application
° Business criticality of the application and its respective
° The financial impact of two to three hours downtime per
° Primary and alternate contacts representing the application's
° The redundant infrastructure components supporting the application
(e.g., mirrored disk, clustering)
° Whether or not the infrastructure meets the requirements
of the application
° The redundant components of the data center (e.g., UPS,
generators, separate power grids, communications lines from
separate central offices)
° Whether or not the data center fulfills the requirements
of the applications
Do not rely solely on verbal responses. Verify utilization
through system and application logs. Create a matrix representing
users' needs by application. Usage gaps begin to emerge
into maintenance windows. In this stage, the need for a
24/7/365 computer room may still exist.
this process an intimate understanding of the user community's
needs are gained. One common argument is "We will lose
$x million in revenue." Question how that figure was
generated. Is it reasonable to assume that users will not
return if they are greeted by a maintenance Web page in
the middle of the night?
of revenue starts to build a business case for a redundant
or resilient solution. If the business cannot bear two to
three hours of downtime once a year, determine the best
solution to meet those requirements. If only a few applications
must be highly available, it may be possible to replicate
them to a hot site instead of keeping the entire computer
room running 24/7/365. Hot sites need not be an economic
burden if a remote company-owned computer room is used.
Hot sites also offer obvious disaster recovery benefits.
Advise senior management of your findings so that they can
make an informed decision.
appropriate redundancy/resiliency is in place, there should
be no issues with an annual computer room shutdown. If for
some reason the computer room still cannot be powered down,
this exercise will have created a better understanding of
the user community's needs and made it easier to take down
individual systems for maintenance.
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission