Appliances vs. Traditional Servers: Pros and Cons
This document is intended to help organizations decide whether an appliance or a traditional server is an appropriate platform for hosting enterprise software applications. It is organized as follows:
- Definitions: defining relevant concepts and terminology.
- Types of Appliances: differentiating between different types of appliances and what they are used for.
- Appliance Servers: Benefits: an overview of the advantages of hosting software on an appliance.
- Appliance Servers: Drawbacks: an overview of the drawbacks of hosting software on an appliance.
A growing number of vendors are offering what would otherwise be software-only solutions in the form of dedicated appliances, which incorporate both hardware and software. In this section, terms and concepts relevant to appliances are introduced, so that the subsequent discussion can be more clear.
Enterprise Software Application
This document is concerned specifically with "enterprise software applications." That is, applications which:
- Run on one or more centralized servers.
- Provide a service to many users, possibly distributed across multiple sites.
- Must be scalable and reliable, because many users would be adversely impacted by loss of access to the application.
At issue is whether it is preferable to host such applications on appliance servers or traditional servers, as defined below.
A traditional server consists of several components, possibly from different vendors, which may have to be assembled into a unit by the organization which wishes to run the enterprise software application:
- Hardware -- such as X86-style servers -- from vendors such as IBM, HP or Dell.
- An operating system, such as Windows or Linux.
- Possibly a web server, such as IIS or Apache.
- Possibly a database server, such as Oracle Database, Microsoft SQL Server or MySQL.
Normally, an organization will have many such servers, and deploy one or more applications on each one.
The above description is only approximate. For example, hardware may be virtualized, other operating systems are available and other components may be required.
An appliance server is one where all of the required functional components, including those identified in (_label_trad-server), plus the application software itself, are integrated and configured into a unit and purchased from a single vendor.
Users sign into applications using a client device. This may be a desktop or laptop PC, a telephone or smart phone, a PDA, etc.
Modern applications often use a web interface to interact with users, which means that the user's hardware runs a web browser, which presents a graphical user interface to the user.
Types of Appliances
Home vs. Enterprise Equipment
Many home users are very familiar with appliances, if not with the term "server appliance," in the form of wireless routers, small hardware firewalls, print sharing devices, network attached storage, etc. These devices are small, inexpensive and not really scalable or flexible enough to meet the needs of medium to large organizations.
Commodity Hardware vs. Specialized Processors
Server appliances intended for enterprise deployment have two basic types:
- Commodity server hardware, with pre-installed software.
- Specialized processing hardware.
The commodity hardware approach serves mainly to reduce the initial setup and configuration effort for organizations deploying the product. "Inside the box" is just a traditional software server, assembled and supported by the vendor.
Specialized processing hardware is used mainly where the performance characteristics of the system cannot be easily reached with a conventional server. This is typically required in the context of specialized networking equipment, such as SSL processors, virus scanners, application firewalls and more, all of which must perform complex at "wire speeds" -- 100Mbps or more.
Appliance Servers: Benefits
The main benefits promoted by vendors who sell solutions in the form of appliances are:
- Easy installation:
The operating system and application software are pre-installed on the hardware, which reduces installation time and effort. To the extent possible, the software is normally either pre-configured or self-configuring.
It should be noted that this is only a significant advantage for applications that require minimal integration with existing infrastructure, and minimal customization. Where such integration and customization is required, it normally takes up the bulk of configuration time, so the savings from faster initial setup is inconsequential.
- Fewer skills required:
The simplified installation and configuration lead to scenarios where fewer IT skills are required to implement the solution. This is particularly true where the application is quite simple and requires little or no further configuration beyond initial activation.
- Sole-source technical support:
Any questions about hardware compatibility or operating system patches are eliminated when a single vendor supports every "layer" of the solution, starting with hardware and ending with the application software.
- High performance specialized hardware:
In the case of specialized processing hardware, the additional and overriding benefit is increased performance. Note that this is not generally true for commodity hardware bundled as an appliance -- this advantage is only relevant where the appliance incorporates specialized hardware, most often to provide a specialized network infrastructure function.
Appliance Servers: Drawbacks
Hardware appliances provide some benefits, such as somewhat simpler installation and configuration, but they also have some drawbacks. These include:
- Low performance commodity hardware:
In order to reduce manufacturing costs, hardware appliances often incorporate previous-generation components. CPU capacity, memory cache, RAM and disk space are often significantly smaller in an appliance as compared to a contemporary general-purpose server. The result is that commodity-based appliances often have significantly lower performance than the same application software running on newly acquired commodity servers.
- Poor hardware support:
Appliance servers are not developed, sold or supported by software vendors. Instead, this work is contracted out to a hardware vendor who simply images the software vendor's OS and application onto their standard hardware, which is then branded as an appliance for that software vendor. Since neither the software vendor nor the appliance hardware vendor (with few exceptions, such as Dell) is likely to have local support staff in many cities, technical support normally leads to customers mailing their appliance to a depot for repair or replacement.
The absence of a local support network, such as might be offered by a big-brand PC server manufacturer (IBM, HP, Dell, etc.). means that hardware repair takes at least 24 hours -- the time required to courier a replacement unit to a customer. This reduced SLA leads to the next problem:
- Difficult jurisdictions:
Delivery of hardware appliances to some jurisdictions may require import licenses, export licenses, payment of duties, invoicing in local currency and may present a range of other challenges related to physical delivery of advanced, cryptographic technology to far-away places. This leads to longer lead times to deliver hardware to some locations in the world, higher cost and the need for more locally deployed infrastructure, usually in precisely those locations that would not otherwise merit extra capacity.
- Expensive disaster recovery:
Because hardware repair cannot be provided promptly by either appliance software vendors or appliance hardware manufacturers, most vendors that sell appliance solutions encourage customers to buy redundant appliances. This means that where a customer might normally deploy a single conventional server, they must purchase and deploy two appliance servers for the same task, to get a comparable assurance of availability.
- Inability to virtualize:
Appliances are just that -- pre-packaged hardware. This means that they cannot be virtualized. Organizations seeking to migrate their systems and applications away from raw hardware, and onto virtual servers and perhaps private or public clouds, cannot do so with an appliance.
Virtualization offers some important benefits, so this can be a serious problem:
- Energy and space savings, from efficient use of hardware capacity.
- Flexible resource allocation, adding or removing CPU, memory and disk as required.
- High availability, with the ability to recover crashed applications in minutes or even seconds.
- Snapshot capability, so that bad configuration changes can be quickly rolled back.
Using an appliance negates all of these benefits.
- Not suitable for high density server environments:
For many of the same reasons that organizations are increasingly using virtualization technology, they are also using blade technology to increase the space and power efficiency of their server environments.
Appliances do not generally come in a blade form factor, so cannot contribute to a power and space saving server management strategy.
There are specific use cases where appliances are attractive:
- Deployment of simple applications, which require minimal customization and integration, into small to medium environments.
- Deployment of very high performance network devices, where specialized hardware provides a significant speed boost.
There are also use cases where appliances are unattractive:
- Deployment into high density IT environments.
- Deployment into IT environments where virtualization is widely used.
Appliance based solutions reduce initial setup time, but increase hardware cost (for redundancy) and where specialized hardware is not used, usually also reduce scalability.
Appendix: About Hitachi ID Systems
This white paper was produced by Hitachi ID Systems.
Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Identity and Access Management Suite is a fully integrated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premise and in the cloud.
The Hitachi ID Identity and Access Management Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID Systems is recognized by customers and analysts for industry leading customer service.
The Hitachi ID Identity and Access Management Suite is an integrated solution for identity administration and access governance. It streamlines and secures the management of identities, security entitlements and credentials across systems and applications. Organizations deploy the Hitachi ID Identity and Access Management Suite to strengthen controls, meet regulatory and audit requirements, improve IT service and reduce IT operating cost.
The Hitachi ID Identity and Access Management Suite is designed to efficiently create, manage and deactivate user objects, identity attributes and security entitlements across systems and applications in medium to large organizations. This is done using a combination of automation and self-service:
- Automation propagates changes from one system to another.
- Workflow invites business users to participate by completing their own profiles, authorizing changes and reviewing the current state of users and privileges.
- Consolidated management enables security staff to manage access with a user-centric, rather than application-centric view.
- Password synchronization and enterprise single sign-on reduce the number of passwords that users must remember and type.
- Reports enable auditors, security officers and system administrators to analyze current state and review historical changes.
A rich set of connectors are included, to easily integrate with most common systems and applications and to manage credentials including passwords, challenge/response profiles, biometric samples, OTP devices, PKI certificates and smart cards.
The Hitachi ID Identity and Access Management Suite is designed as identity management and access governance middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and credentials across multiple systems and platforms. This is illustrated in Figure [link].
Hitachi ID Identity and Access Management Suite Overview: Identity Middleware (2)
The Hitachi ID Identity and Access Management Suite includes several functional identity management and access governance modules:
- Hitachi ID Identity Manager
-- User provisioning, RBAC, SoD and access certification.
- Automated propagation of changes to user profiles, from systems of record to target systems.
- Workflow, to validate, authorize and log all security change requests.
- Automated, self-service and policy-driven user and entitlement management.
- Federated user administration, through a SOAP API to a user provisioning fulfillment engine.
- Consolidated access reporting.
Identity Manager includes the following additional features, at no extra charge:
- Hitachi ID Access Certifier
-- Periodic review and cleanup of security entitlements.
- Delegated audits of user entitlements, with certification by individual managers and application owners, roll-up of results to top management and cleanup of rejected security rights.
- Hitachi ID Group Manager
-- Self-service management of security group membership.
- Self-service and delegated management of user membership in Active Directory groups.
- Hitachi ID Org Manager
-- Delegated construction and maintenance of Orgchart data.
- Self-service construction and maintenance of data about lines of reporting in an organization.
- Hitachi ID Password Manager
-- Self service management of passwords, PINs and encryption keys.
- Password synchronization.
- Self-service and assisted password reset.
- Enrollment and management of other authentication factors, including security questions, hardware tokens, biometric samples and PKI certificates.
Password Manager includes the following additional features, at no extra charge:
- Hitachi ID Login Manager
-- Automated application logins.
- Automatically sign users into systems and applications.
- Eliminate the need to build and maintain a credential repository, using a combination of password synchronization and artificial intelligence.
- Hitachi ID Telephone Password Manager
-- Telephone self-service for passwords and tokens.
- Turn-key telephony-enabled password reset, including account unlock and RSA SecurID token management.
- Numeric challenge/response or voice print authentication.
- Support for multiple languages.
- Hitachi ID Privileged Access Manager
-- Secure administrator and service accounts.
- Periodically randomize privileged passwords.
- Ensure that IT staff access to privileged accounts is authenticated, authorized and logged.
- Group Manager is available both as a stand-alone product and as a component of Identity Manager.
The relationships between the Hitachi ID Identity and Access Management Suite components is illustrated in Figure [link].
Components of the Hitachi ID Identity and Access Management Suite (3)