Russell Mickler 7/28/09 Russell Mickler 7/28/09

2010: Server Upgrade Choices for the SMB

Many small to mid-range companies upgraded their server assets with the release of Windows Server 2003. The 2003 server was very popular and contributed to Microsoft retaining a 88% server market share, fending off Mac and Linux in this space for most of the decade. However, as it's now five years old, the 2003 R1 Server product is entering its extended support phase, meaning direct support costs from will go up and Microsoft will begin releasing only limited updates for licensing, compatibility, and new features. Hardware warranties on this equipment have long expired, and many of the hard disks/arrays in these units will be reaching their MTBF (Mean Time Before Failure) ratings this year; their likelihood of crashing is much higher. So, small to mid-range businesses should soon be thinking about their strategy for retiring the legacy asset.

Surely, the state of economy will likely push these decisions out for another 12-18 months as business owners stay put with what they got and contend with larger problems. Analysts are seeing the results of fear and uncertainty when we look at the results of Microsoft's last earnings report in June 2009: sales are down 17-percent from the previous quarter and profits are down 30-percent for the year. Okay, so you're a small business: what are your options?

It used to be that I had only three answers to that question: one, do nothing - ride out the extended support period for the next five years and assume increasing risk of hardware failure; two, upgrade the existing platform and the operating system to the current o/s release; three, replace the server entirely. This year, I'm really happy to say that the small business has many more choices.

Windows Server Upgrade and Asset Replacement.

The default position for most will be upgrading or replacing their Windows Server 2003 with a Windows Server 2008 - whether or not they do it now, or, wait for Windows Server 2008 R2 scheduled to be released Q4 2010. Companies that would do this are tied to the Microsoft Windows product: software solutions they own are locally-installed apps that require a centralized server on their LAN to function, and they use Windows, and these companies are forced to upgrade to maintain support on those legacy applications. Or, maybe they'll stay on the Windows platform because they know Microsoft and trust it. Either way, it's the default choice.

Doing Nothing and Staying Put.

An alternative is to do nothing. I think a lot of SMB (small to mid-range business) consumers are going to stay with Windows 2003 for as long as possible; similar to what we're likely to see with WindowsXP, Windows Server 2003 will be one of those microcomputer software products that will have an extreme, unheardof longevity encouraged by apathy for Microsoft's licensing costs and complexity. Business owners will find no compelling functional reason to upgrade, may be risk-adverse with the economy the way it is, may distrust other choices presented to them, or simply have shallow pockets.

[adsense format = "wide"]

Open Source.

The risk-tolerant SMB may look at the need for an in-house server because they have privacy concerns. They don't want anybody else holding their files, mail, or mission-critical data; they want to hold this stuff close to their chest and mistrust cloud or hosting options. On the other hand, this consumer isn't married to Microsoft: they just need a network appliance. Something that can perform backups and disaster recovery, centralize security, manage a database, file, and print services, and route email. Linux - particular the Ubuntu distribution - is a good choice here, either as an alternative to Windows with existing hardware, or an alternative o/s for a new machine. Up-front licensing costs would be much lower, and TCO (Total Cost of Ownership) would be comparable to a Windows Server. If the SMB is looking for a reliable appliance - just something that runs in the background and provides basic network services - and doesn't have a dependency upon Windows in their application portfolio, Open Source is a credible option in 2010.

Private Hosting.

Some companies just can't escape the need for a server - a Windows server or otherwise. They have mission-critical apps that are specific to their industry and they need to have that functionality. On the other hand, they don't want to be saddled with the cost and expense of owning a server; they want to get out of "ownership" and into "rental" or "leasing". They want to "rent" their capabilities, not "own" their capabilities, and cap their costs to a fixed-term, fixed-rate subscription expense that scales with their needs. Virtualization and terminal services make this option pretty attractive in terms of cost: some ROI projections see this as a 15-20% savings plus the added benefit of having your data and applications accessible anywhere you are, and, transferring the risk to a 2nd party.

Abandoning the Server - Cloud Computing.

Even more trendy is the fashionable idea of ditching the server entirely. Cloud computing is a more risk-tolerant model where we'd transfer your data and services to a 2nd party provider. Google, for example, could host and manage your email, your files, and information security and disaster recovery. The investment would be made in migrating the data away from servers to the 2nd party, then training and configuration expenses to get applications and devices to use the 2nd party. The ROI is fairly material: 30-50% savings as compared to owning your own server. Data is available anywhere, there are no licensing or up-front capital expenses (usage is billed by subscription, per-user), and the risk for managing your applications is transferred to the 2nd party provider. Again, instead of "owning" capability, the small business is "renting" capability, allowing for zero time to maturity and low barriers to entry - out of the gate, the small business can have the same technical capabilities as more mature competitors who paid a premium over the years developing their IT infrastructure.

So the small biz has a lot to consider over the next twelve months - especially if you tack on problems associated with workstation upgrades and Windows 7. Here's a real chance, I think, for competitive advantage: business can either stay the course and own their assets, and pay a premium for similar services that their competitors can acquire at costs up to 50-percent lower; or, businesses can strategically adopt open, hosted, or cloud solutions that take advantage of mobile computing, low licensing and maintenance expenses, and risk transfer; or, the small biz can do nothing - stay put and hope for the best. I think, in today's economy, staying put is exactly the opposite that somebody would want to do, and strategically-applying technology to dramatically reduce costs and liability... in some shape or fashion... would be the better option.

Russell Mickler 2/23/09 Russell Mickler 2/23/09

5 Tech Policies You Should Be Reviewing Right Now

Admittedly, we all have a little extra time on our hands this year. Hey, so now's the time to take care of those important management details that help govern the operation of your business!

Technology-related policies reflect management's intent to control their information system - the absence of policies usually reflects poorly in court of law and public opinion: if management never communicated a position on a technology governance to employees, customers, or vendors, then "Due Care" obligations could be considered ignored. Thus, it could be seen that management was negligent in their handling of an issue which extends liability, making it difficult to prove that "reasonable" precautions were taken in preserving customer data, securing network resources, or terminating an employee due to cause.

1. Write or revisit your Technology Plan (TP). The TP is a complementary document to your overall business plan and would traditionally be prepared by the executive responsible for technology strategy. It is usually 24 months in scope and identifies how tech spend complements your business strategy. It is an evolving document that lays down principles in how technology will be used and managed within your firm, and how tech relates to your success. This document should help guide your purchasing, management, and deployment of tech indefinitely, and should evolve over time as technology issues continue to shape the macro economy.

2. Write or revisit your Disaster Recovery and Business Continuity Plan (DR/BCP). Think about how critical software and hardware is to the execution of your business strategy. Think about how important the years of electronic data is to your ability to do your job. Now think about this stuff being wiped out in a flood, burned in a fire, or just the victim of bad luck - a hard drive failure. After Hurricane Katrina, more than 20,000 small businesses folded on the Gulf Coast because they didn't have a way to recover their electronic data to resume business operations. Now is precisely the time to revisit how data is stored, how it is backed up, how it is moved off-site, and services would be restored in the event of an emergency.

3. Write or revisit your Acceptable Use Policy (AUP). The AUP is the most critical policy in your Administrative arsenal. It outlines to employees and others who use your electronic resources what rights and obligations they have in using your resources. It is usually the principal document that is signed at the employee hire that outlines what is good and bad behavior in using your resources, and is the governing document allowing employers to terminate for cause. If an AUP doesn't exist, it's difficult to suggest that expectations of behavior was communicated to employees and a wrongful termination defense could be mounted. An AUP should be an evolving document as threats in IT change every 24 months. Now's the time to really take a look at this again.

4. Write or revisit your privacy policy and legal liability towards protecting personal private information (PPI). Your firm may be subject to federal or state regulations governing the security and privacy of electronic information - of patients, consumers, job applicants, or financial records. Fines are usually bestowed on a "per incident" basis, and if you have thousands of records outside of compliance, the liability is enormous. Further, it's best practice these days to communicate to stakeholders up front how you manage PPI and secure it. If you don't have a privacy policy, "Due Care" concerns could be raised that management was negligent in managing the private information of a party, which could result in civil tort for damages. Over 31 states have individual laws governing PPI; that in addition to the federal laws governing protected classes of information demands a thorough investigation in your compliance obligation.

5. Write or revisit your procedures governing employee terminations and audits. Finally, keep in mind the number one security risk for you during these economic times. It's not hackers, viruses, or malware. It's employees, and specifically, terminated employees who've still access to your confidential intellectual property. Now's the time - if any - to revisit those procedures and verify that employee access restrictions are performed, documented, and reviewed.

Policies, procedures, work instructions, and plans are Administrative Controls that reflect management's _intent_. If management's intent isn't communicated, and technology is governed by assumption and intuition, then management isn't "managing" technology - they are hoping for the best without taking on responsibility to effectively govern it. Now is your chance to reflect upon how your intent is reflected in the workplace and how well you've addressed technology "Best Practices" and regulatory compliance issues as a management team.