Thought Leader Interview: Dr. William Turner on the Software-Defined Future of IT Infrastructure


Upload: enterprise-architecture-professional-journal

Post on 27-Jun-2015



TRANSCRIPT

Page 1: Thought Leader Interview:  Dr. William Turner on the Software-Defined Future of IT Infrastructure

Thought Leader Interview: Dr. William Turner on the Software-Defined Future of IT Infrastructure
By Iver Band
September, 2014

As the Vice President, Datacenter Architecture at Presidio, William Turner, PhD has more than 20 years of hands-on, full-project-cycle experience in strategizing, designing and deploying large-scale Fortune 500 networks and security solutions. His extensive background in banking, security, and government has yielded several well regarded industry standards and noted reference models. Dr. Turner envisions and drives a future in which sophisticated software provisions and de-provisions IT infrastructure automatically in response to business needs. The specialized appliances enterprises traditionally rely upon will be replaced by industry-standard hardware playing necessary roles on demand. EAPJ conducted this interview from the perspective of an infrastructure architect considering a software-defined future for the networking, hosting and storage underlying a major upcoming application investment.

EAPJ: What are the four key elements of the software-defined future?

WT: The software-defined future represents a whole new approach to enterprise IT infrastructures. It replaces manual change-control processes—designed and facilitated by human beings—with application-controlled change processes. The changes occur automatically in real time based on real needs for IT resources. For example, if a company’s website server farm becomes overwhelmed with customer traffic, a software-defined infrastructure will add additional servers without any human intervention. The infrastructure is infinitely customizable via application programming interface (API) calls, direct application hooks, and well-known network port responses. The approach also offers a way to control and manage not only the provisioning, but also the full lifecycle of an IT system.

The software-defined future currently comprises four key elements:

Software-defined networking: This includes separation of control and the data plane; centralized visibility and network control; and network programming by external applications.

Page 1 of 8 © 2014, EAPJ.org


Network function virtualization: Enterprises can replace fixed-function appliances with virtual machines that provision services on standard servers; multiple network services can also be consolidated to simplify the network and reduce costs.

Software-defined storage: Automated provisioning, scaling and tiered services optimize storage solutions and scale them easily and cost-effectively on heterogeneous systems across any mix of locations.

Orchestration and automation: Enterprises continually adapt their infrastructure through front-end portals and service catalogs, workflow and process orchestration, and an adapter framework that can rely on custom-developed software or customized off-the-shelf software.

EAPJ: What are the industry forces driving adoption of software defined infrastructures?

WT: Global forces that are driving the adoption of software-defined infrastructures include the macro-economic slowdown of decision making as well as the pressure on CIOs to decrease capital expenses (CAPEX) and operating expenses (OPEX) every year as budgets become tighter. CIOs are constantly working on how to do more with less: trying to make $1 spent on IT infrastructure behave like $3.

CIOs are also seeking the magic automation formula to make an “army of cloned IT resources” that can manage all business processes. To do this, they need to eliminate siloed IT organizations where server, storage and network groups operate independently and argue over resources without collaborating.

The software-defined future makes this possible because software does not argue with itself. It removes competition for IT resources and eliminates power struggles among departments or between two companies that merge. A software-defined infrastructure also makes transitions smoother by automatically commissioning and decommissioning IT resources—according to the real needs of the business—by relying on software rather than people. Because software does not make mistakes, the software-defined future also reduces downtimes caused by human errors.

EAPJ: What are the business benefits of software-defined infrastructures?

WT: The benefits enterprises can generate from the software-defined future include increased market share and the ability to bring solutions to market faster as well as make decisions more rapidly. Ultimately, they can produce the same amount of products faster and respond more quickly to market trends—through the increased business flexibility and maximized IT asset usage that the software-defined future enables.


EAPJ: Clearly, there are great benefits here for organizations that provide software, platforms, and infrastructure as a service. But what about end-user organizations, i.e. those whose primary business is something other than IT? How do they benefit?

WT: Businesses outside of the IT sector benefit primarily from the ability to scale their efficiencies—whether they are a manufacturer, retailer or service provider. Software-defined infrastructures make the process for developing products and service offerings more efficient. Non-IT firms may not generate additional revenue from the software-defined future, but they can automate their infrastructure to make production and business processes more efficient. They can also reduce costs by converting CAPEX costs to OPEX costs and by relying on an IT infrastructure that is more efficient and utilizes its full capacity, which in turn reduces OPEX costs.

EAPJ: Most end-user organizations try to buy rather than build whenever possible, and that includes minimizing system integration risks and costs. What are some of the most mature and well-established software-defined infrastructure solutions available on the market today?

WT: Within the first three elements of the software-defined infrastructures mentioned above—networking, virtualization and storage—there are already several technology vendors with well-established software-defined models. All three types can be deployed separately or together depending on the customer environment, the operational support model, budgets, and the existing technology footprint.

The orchestration and automation element is still in the process of maturing, but it will evolve rapidly. The concept of the software-defined future has been around now for only about 18 months, so many enterprises are just starting to create processes around this particular element.

EAPJ: Let's say an organization is in the market for a new enterprise resource planning (ERP) system, and knows that system workloads will vary dramatically, peaking predictably at regular quarterly intervals and at other times during the year, but also unpredictably several times a year on average. How do they acquire the integration between the ERP package and the software defined infrastructure that will allow networking, hosting and storage to be provisioned and de-provisioned optimally? Are there out-of-the-box configurable components available for popular enterprise applications or middleware, or must the organization resort to custom development and integration?

WT: As is the case with any system, an ERP platform uses many resources from a data center infrastructure such as storage, the network, security, the server workload, and virtualization, as well as a layer of abstraction and management. The scalability and the resilience (from a disaster recovery perspective) of the data center along with configuration management allow these resources to efficiently service the ERP application.


If the ERP platform needs to execute functions greater than the norm, the IT organization would traditionally acquire more IT assets—servers, switches, Ethernet ports and storage—and add them to the infrastructure, making the entire ERP platform more robust. However, the need for these resources may be temporary—perhaps during the close of each quarter. This means that the added resources are only needed for four weeks out of the entire year. But the enterprise would prefer to not have to pay for these resources during the other 48 weeks of the year.

With a software-defined infrastructure, enterprises can tap into extra capacity that’s normally utilized by other business functions—such as servers for development and QA. The ERP platform could rely on these resources during the heavy quarter-close weeks, which likely won’t impair development and QA since businesses typically don’t do any heavy code changes when closing the books.

The resources can be borrowed easily through the use of scripting and added to the ERP resource pool temporarily—making it able to process quarter-end closings more quickly. Once the ERP system no longer needs these virtual machine resources, they can be returned to the common pool for use once again by development and QA. The infrastructure essentially flexes to provide IT resources only when needed and only as much as needed.

Depending on the capabilities of the IT staff, there are several out-of-the-box software-defined infrastructure solutions that enterprises can deploy on their own, but much depends on the complexity of the environment and how often IT resource requirements spike. The process for developing software-defined infrastructures begins with a reference architecture or data center stack. One such solution that is available is OpenStack, a cloud operating system that controls large pools of compute, storage, and networking resources. The resources can be managed through a dashboard that gives administrators control while allowing users to provision resources through a Web interface.

Such solutions deliver IT resources as containerized virtual elements that flex as the business requires. But there is no cookie-cutter design with formulas to follow. Much depends on the expertise of the internal IT staff. Most likely, external consulting services will be required.

EAPJ: Since our hypothetical organization will need extra infrastructure for peak periods, what are the options for temporarily acquiring infrastructure that will not have to be charged to the ERP operations budget when it is not in use? How does the infrastructure architect decide between these options?

WT: To temporarily acquire infrastructure resources that will not be charged to the ERP operations budget when not in use, enterprises could rely on a virtual cloud or an on-premise disaster recovery data center. When using a virtual cloud, the business is charged only for the time spent using the resources. The business could turn services on only when needed and then off to reduce costs.

With a disaster recovery site, depending on inter-department chargebacks, the ERP business unit may not incur any costs at all. But the business would temporarily run the risk of those resources being unavailable for a disaster scenario as the active data center moves its workload to the disaster recovery data center. To mitigate this risk, the company could monitor the health of the active data center and immediately return the disaster recovery data center resources back to recovery capabilities if the main data center experiences issues. With a software-defined infrastructure, the enterprise has the flexibility to go back and forth.

To determine which option to use, the decision may come down to the sensitivity of the data for which extra IT resources are needed. If the system contains financial, legal, intellectual property or product data, the business may not want to trust the cloud. The disaster recovery center, assuming it’s within a physical building the company owns, is more likely a safer alternative. However, a virtual cloud offers more scalability should the need for extra IT resources spike dramatically or prove difficult to forecast.

EAPJ: Let's say an infrastructure architect sees an opportunity for software defined infrastructure in her organization, but her organization has little or no capability in this area. What are the typical cost and benefit elements of a typical business case for software defined infrastructure?

WT: The three components to consider include software, hardware and services. A software-defined infrastructure does not require any additional software beyond the software stack that’s required for the given business function, such as a database running on an operating system along with any necessary complementary software programs. The software stack remains as it normally would.
The required hardware—consisting of server CPU, memory and storage assets—will be reduced since hardware utilization normally increases by 20-25% when leveraging a software-defined infrastructure. Where enterprises will incur additional costs comes primarily from the services that an outside solution provider needs to deliver. This includes writing the code to support the software-defined infrastructure as well as configuring and deploying servers. But where the software-defined infrastructure reduces the number of required servers, this helps control the cost of deploying the hardware systems.

From the benefits perspective, the biggest for the organization comes from the business impact. The organization will become more agile in responding to business conditions since it has faster access to new compute services. Rather than the month it might normally take to order, receive, configure, test and deploy a new server, IT can leverage the software-defined infrastructure to deliver the same server in less than a day. This increases the productivity of the organization by accelerating how quickly end users can tap into the new services.

IT can also maximize the usage of the purchased IT assets. That’s because a software-defined infrastructure knows the exact capacity each hardware asset can deliver and can also measure usage precisely. This allows the usage of CPU, memory and storage assets to reach close to 100%. The typical hardware-defined infrastructure utilizes 70-75% of IT assets for fear of overtaxing systems and bringing them down. The software-defined architecture thus utilizes an additional 20-25% of existing IT assets for which the enterprise does not have to write a check.

IT can also reduce the cost of future assets by allowing production and disaster recovery systems to share resources. Under the old model, enterprises had to buy one complete system for production and a duplicate system for disaster recovery. But with a software-defined infrastructure, IT can create an active-active infrastructure with the two systems sharing production and disaster recovery. By sharing production, system resources and their associated costs can be reduced by as much as 30%. But the enterprise still enjoys the same compute horsepower as the two systems move workloads back and forth.

Another key area in which a software-defined infrastructure reduces cost is audits for regulations such as SOX, HIPAA and PCI. Software can execute audits much faster than a manual, human-driven audit. Software also eliminates human errors relating to the tweaking of passwords, routers and firewalls. The amount of time the enterprise needs to spend with an outside firm for the audits will thus be reduced significantly.

EAPJ: Companies have the option of building their own software defined infrastructure, using a commercial managed infrastructure provider, or combining these approaches. What factors should they consider when making this choice?
WT: The factors to consider in choosing whether to deploy a software-defined infrastructure in the cloud or on premises include the security risk. How comfortable is the business with putting intellectual property or financial data in the cloud, where the chances of a breach are higher? On the other hand, if the organization does not have an operational IT staff with sufficient expertise, the cloud is more viable. Working with a cloud hosting provider can also provide benefits because such firms have already figured out what type of storage works best, which security ports to open, and which network protocols to run. The enterprise just has to decide the amount of compute, networking and storage capacity that’s required—the cloud provider can take it from there.

The cloud approach is likely to cost less because the business only buys what it needs and can easily scale. When building on premises, enterprises typically buy more than they need because they likely won’t have time to provision more resources when they need them quickly down the road. Whereas cloud providers can deliver a new server immediately, businesses can’t do the same in-house.

Combining the cloud and on-premise approaches can create elasticity in business decisions. Companies taking this approach can flex capabilities to the cloud for certain approved applications, such as marketing, and keep others, such as finance, on premises.

EAPJ: What are the limits of software defined infrastructure in the next five years or so? What infrastructure components will be software-defined, and which will remain unitary compositions of hardware and software?

WT: The concept of software-defined infrastructures is still relatively new, but the capabilities are virtually limitless as more and more technology vendors become involved in a vendor marketplace that has grown exponentially since first launching in early 2013. The capabilities are limitless because software can always access more resources when necessary, whereas hardware devices are limited to a fixed set of commands.

The only components of a data center that enterprises will likely not convert to a software-defined infrastructure would be things like electricity, where there’s a risk of people turning off the power, or the physical security system that controls the opening and closing of doors.

Progress for the software-defined future could be limited if the IT industry decides standards need to be applied. Governing bodies trying to ratify standards can hold things back, such as the case with IEEE 802.11, which bogged down advancements within the wireless industry for a couple of years.

EAPJ: How does software defined infrastructure affect information security? Does it typically reduce or increase any common risks? Does it warrant any new approaches to risk mitigation?

WT: From a security standpoint, software-defined infrastructures present a bad news/good news scenario. On the one hand, if a software-defined controller is successfully breached, the harm could spread very quickly throughout the entire infrastructure. Rather than hacking many entities, cybercriminals only have to attack one entry point from which they can control everything.

However, a software-defined infrastructure also means that there’s a smaller attack surface to defend. The security team only has to protect one box instead of many. To do so successfully, security professionals need to focus more intently on how they design the security counter-measures.

Because software-defined infrastructures can be provisioned and de-provisioned rapidly within a few seconds, there are also many more events to monitor. At the end of the year, an enterprise may have to audit 1 million events rather than 100 per each virtual server. If there’s a successful breach, the process to diagnose the breach could be like looking for a needle in a haystack due to all the records that must be checked.

EAPJ: What additional advice do you have for organizations considering investing in the software defined future?

WT: The software-defined future is not something enterprises need to rush into, but they do need to begin the process soon of looking into this new approach. As a first step, determine what the company has for appropriate internal DevOps resources and give them a software-defined infrastructure element as a pet project. If there are not sufficient DevOps resources on staff, identify a contractor to work with. Getting a jump on the future now will save development costs in the long run. Three years from now, enterprises will find themselves behind the competition, and they will likely pay three times as much to catch up.

About the Interviewer

Iver Band is a practicing Enterprise Architect and a developer and communicator of enterprise architecture standards and methods. At Cambia Health Solutions, a health insurer and direct health solutions company, he shapes solutions that promote accountability, quality and efficiency in health care delivery. Iver also serves as Director of Enterprise and Solution Architecture for EA Principals, a training and consulting firm, for which he works with clients, develops curriculum materials, and edits the Enterprise Architecture Professional Journal and EAPJ.org. Iver represents EA Principals in the Open Group, where he is the elected Vice Chair of The ArchiMate Forum.
