IT appliances: Avoid overdoing it
Having too many single-purpose devices leads to complexity instead of simplicity
Set it and forget it isn’t only a mantra for infomercials for kitchen rotisseries. The idea has also spread through information technology departments. In this case, the amazing machines are appliances — stripped-down, single-purpose computers that can tackle tasks ranging from network management and security to information retrieval and business analysis.

This year, the market for security appliances could top $4 billion. Despite their popularity, the set-it-and-forget-it dream isn’t always reality. Appliances are designed to simplify the IT manager’s life, but each new device introduced into a data center can add managerial complexity to the work of an overburdened staff.

The strategy of adding to the hardware headcount rather than reducing it also runs counter to another popular trend in government IT departments — packing multiple virtual servers into shared physical computers to reduce hardware maintenance and power costs. All of this causes some observers to warn that unless appliances are installed judiciously, any chance for simplifying operations will quickly evaporate.

“The whole appliance issue is a bit of a thorn in the side of IT executives,” said Andreas Antonopoulos, senior vice president at Nemertes Research. “If each one is a silver bullet, what you don’t want is for your infrastructure to become a bucket of silver bullets. You need a framework to tie everything together.”

Appliances are understandably popular as IT managers bypass the sometimes complex task of integrating hardware and software to solve a particular business problem. Instead, they simply plug in a dedicated computer or blade server configured by the vendor to work immediately. Typical appliances include the application and an operating system, sometimes a stripped-down version of Linux named juice or JEOS, which stands for just enough operating system.

“People don’t have to know a lot about Linux or Windows or anything else,” said Adam Powers, chief technology officer at LanCope, a maker of network analysis appliances. “They just follow the installation guide by pointing and clicking their way through a simple Web user interface, and they’re good to go.”

Many vendors also ease maintenance and upkeep by providing downloads of application revisions or security patches — sometimes feeding the changes automatically to the device through secure Web connections. The latest appliance designs take advantage of blade formats that slide into a rack-mount chassis to share power and power-protection resources.

Meanwhile, such benefits continue to drive appliance sales. For example, security appliances, the largest category, could grow by about 37 percent to $5.5 billion in the next three years, said Victoria Fodale, program manager and analyst at technology researcher In-Stat.

Unfortunately, potential problems may lurk behind those benefits, analysts say. For example, the flipside of single-purpose designs is a take-what-you-get reality.

“The biggest historical problem with appliances is that people often want to make certain modifications; they don’t want quite what’s off-the-shelf,” said Gordon Haff, principal IT adviser at technology consultant Illuminata. “But once they start modifying appliances, you lose the benefit of having one in the first place.”

What some call a conga line of appliances connected to an agency’s network can also present management problems, Haff said. “If you end up with many different appliances from different vendors throughout your infrastructure, you can potentially end up complicating your environment instead of simplifying it,” he said.

However, some government IT managers say conflicts among appliances competing for network resources are rare.

“The real question is [whether] you have a robust-enough general architecture that you can partition the architecture to take care of specific functions,” said Daniel Mintz, chief information officer at the Transportation Department. “It’s a bigger issue than whether appliances clash or not.”

A valuable tool for organizations with a number of appliances is a central management console for troubleshooting and monitoring appliance performance. Many appliance vendors offer central management applications.

“The management piece is becoming important because the way for some vendors to differentiate their solutions is through ease of management by having consistent interfaces,” Fodale said.

However, many appliance vendor consoles work only for one company’s product line, necessitating monitors for each appliance category. A partial alternative comes from some more flexible, category-specific options. For example, companies such as ArcSight, IntelliTactics and NetForensics sell security information management systems that can provide central control for security appliances from a range of vendors. Broader solutions include enterprisewide network management systems, such as Hewlett-Packard’s OpenView and IBM Tivoli products, which can monitor a range of devices connected to internal networks.

Appliance red flags include the automatic updates meant to ease users’ maintenance burden. Service contracts that pay for the updates can increase the cost of an

“This is why hardware vendors love appliances,” Fodale said. “The box is just a fraction of the overall cost. You also may pay a license fee that you have to update every year.” Ongoing fees represent more than 50 percent of some appliance vendors’ revenue stream, she said.

Security can also be a concern. Appliances are often self-contained, so users don’t always have the tools to verify security settings that they have on general-purpose servers. “I can’t get in there and audit it myself as a consumer,” Powers said.

“I have to trust that the vendor has secured the box.”

Fortunately, appliances that support two network management standards — such as Simple Network Management Protocol and Syslog — can automatically create a log of any change to a device’s configuration, such as adding a software revision, rebooting the box or removing it from the network. The logs provide proof for auditors that the equipment is being maintained to comply with security regulations.

“Appliances are closed, so that means an administrator can’t just go in and blow away these logs,” Powers said. “It’s not even physically possible for them to do that, and that’s a good thing because the administrator, unfortunately, can’t always be trusted.”

Meanwhile, some IT managers take a philosophical approach when weighing the pros and cons of IT appliances. The Education Department, which contracts with outside providers for many IT services, prefers to let those companies make decisions about when appliances are appropriate.

“I don’t care if they use appliances as long as I’m confident they’re secure, they’re configured in accordance with all the government’s rules and we’re getting the level of service and outcomes that we contracted for,” said Bill Vajda, Education’s CIO. “If it costs the vendor $100,000 to do that with one device and 50 people or with 50 devices and one person, that’s their concern, not mine.”
Concrete benefits
Management trade-offs