This document is intended to help organizations decide whether an appliance or a traditional server is an appropriate platform for hosting enterprise software applications. It is organized as follows:
A growing number of vendors are offering what would otherwise be software-only solutions in the form of dedicated appliances. Appliances may be physical, incorporating both hardware and software, or virtual, in the form of a pre-configured virtual machine with all required software, from the operating system up, pre-installed and configured.
In this section, terms and concepts relevant to appliances are introduced, so that the subsequent discussion is clearer.
This document is concerned specifically with "enterprise software applications." That is, applications which:
At issue is whether it is preferable to host such applications on appliances or traditional servers, as defined below.
A traditional server consists of several components, possibly from different vendors, which are assembled into a unit at deployment time:
Servers are increasingly virtualized. This means that the OS image runs on a VM rather than directly on hardware. The VM runs on a hypervisor, which may be a part of a larger virtualization platform -- i.e., a private or public cloud.
Organizations typically run many servers, sometimes hosting multiple applications on each one.
An appliance server is one where all of the required functional components, including those identified above for a traditional server, plus the application software itself, are integrated and configured into a unit and purchased from a single vendor.
Appliances may be physical -- literally a device shipped from the vendor to the customer and installed on the customer's network.
Increasingly, appliances are virtual, including all the required components except the hardware in a single VM image, suitable for deployment on an existing customer hypervisor platform.
Users connect to applications from a client device. This may be a desktop or laptop PC, a telephone or smart phone, a tablet, etc.
Most modern applications present a web user interface. In this case, the user's device runs a web browser, which renders the UI.
Many home users are very familiar with appliances, if not with the term, in the form of wireless routers, small hardware firewalls, print sharing devices, network attached storage, etc. These devices are small and inexpensive but are not generally scalable, secure, reliable or flexible enough to meet the needs of medium to large organizations.
Physical appliances intended for enterprise deployment have two basic types:
Commodity hardware. This means they run a standard type of CPU (Intel/AMD), an off-the-shelf OS (Windows or Linux) and common applications (IIS, Apache, MySQL, MSSQL, etc.).
Specialized processing hardware. This normally means inclusion of at least one application-specific integrated circuit (ASIC) to perform some specialized function at very high speeds. Such hardware is commonly found in firewalls, load balancers, malware scanners, etc.
The commodity hardware approach serves mainly to reduce the initial setup and configuration effort for organizations deploying the product. "Inside the box" is just a traditional software server, assembled and supported by the vendor.
Specialized processing hardware is used mainly where the performance characteristics of the system cannot be easily reached with a conventional server. This is typically required in the context of specialized networking equipment, such as SSL processors, virus scanners, application firewalls and more, all of which must perform complex processing at "wire speeds" -- 1Gbps or more.
The main benefits promoted by vendors who sell solutions in the form of appliances are:
The operating system is pre-installed, reducing initial installation effort. The application software is likewise pre-installed and, to the extent possible, also pre-configured.
It should be noted that this is only a significant advantage for applications that require minimal integrations with existing infrastructure, and minimal process configuration. Where such integration and configuration is significant, removing several hours of effort to install the base OS, web server, database server and application software is inconsequential.
The simplified installation and configuration lead to scenarios where fewer IT skills are required to implement the solution. This is particularly true where the application is quite simple and requires little or no further configuration beyond initial activation.
Any questions about hardware compatibility or operating system patches are eliminated when a single vendor supports every "layer" of the solution, starting with hardware and ending with the application software.
In the case of specialized processing hardware, the additional and overriding benefit is increased performance. Note that this is not generally true for commodity hardware bundled as an appliance -- this advantage is only relevant where the appliance incorporates specialized hardware, most often to provide a specialized network infrastructure function.
Appliances provide some benefits, such as simpler initial installation of the platform and application, but they also have some drawbacks. These include:
Hardware appliances present specific challenges, as follows:
In order to reduce manufacturing costs, hardware appliances often incorporate previous-generation components. CPU capacity, memory cache, RAM and disk space are often significantly smaller in an appliance as compared to a contemporary general-purpose server. The result is that commodity-based appliances often have significantly lower performance than the same application software running on newly acquired commodity servers.
Appliance servers are not developed, sold or supported by software vendors. Instead, this work is contracted out to a hardware vendor who simply images the software vendor's OS and application onto their standard hardware, which is then branded as an appliance for that software vendor. Since neither the software vendor nor the contracted hardware vendor (with few exceptions, such as Dell) is likely to have local support staff in many cities, technical support usually degenerates to "mail us the appliance, we will mail you a replacement."
Since physically shipping goods takes time, organizations that must comply with high availability requirements are often forced to procure extra appliances -- so that a replacement is available on-site immediately, if required. This can easily double procurement costs.
Delivery of hardware to some jurisdictions may require import licenses, export licenses, payment of duties, invoicing in local currency and may present a range of other challenges related to physical delivery of advanced, cryptographic technology to far-away places. This leads to longer lead times to deliver hardware to some locations in the world, higher cost and the need for more locally deployed infrastructure, usually in precisely those locations that would not otherwise merit extra capacity.
Note that some of these problems can be addressed through virtualization (virtual appliance, rather than physical), in practice if not in law.
In today's IT environment, organizations are trying to move everything to either on-premise virtual machine platforms (private cloud) or off-site, to the cloud (IaaS or SaaS).
Virtualization offers important benefits:
Physical appliances are by definition not virtual, so run contrary to this trend and cannot support any of these benefits.
Moreover, even physical servers are increasingly deployed in a high density form factor, using blade systems or "data center in a box" racks. Physical appliances run counter to these trends.
All appliances, including hardware and virtual appliances, can have problems with patching, security and compatibility:
Most medium to large organizations have robust patch management, to apply at least security fixes and ideally all bug fixes to their conventional servers automatically. IaaS and SaaS vendors likewise keep their infrastructure up to date, automatically.
A serious risk with appliances is that they are on-premise, so they do not get patched the way IaaS or SaaS systems do, yet they are also not a normal part of the organization's centrally managed infrastructure, so they do not receive patches, anti-virus updates, etc. that way either. As a result, appliances can wind up running for years with no security patches or updates at all.
Without security patches, over time, any system becomes vulnerable to attack. Running critical, enterprise infrastructure on an un-patched platform is an unacceptable risk.
This is essentially the same problem as patch management, but at larger scale. Eventually old operating systems go out of support, and their vendors stop patching them. If an appliance is not upgradeable to a significantly newer runtime platform, then even if it was well patched in the past, it will stop getting patches eventually.
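The two patching risks above (hosts that fall outside central patch management, and hosts whose runtime platform has left vendor support) can be made visible with a simple inventory audit. The following is an added example, not part of the white paper or any Hitachi ID product; the inventory, the 90-day "current" threshold and the audit date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Host:
    name: str
    kind: str               # "server" (centrally patched) or "appliance"
    last_patched: date
    os_end_of_support: date

# Constructed sample inventory and audit date, not data from the white paper.
INVENTORY = [
    Host("iam-web-01", "server", date(2024, 5, 28), date(2029, 1, 1)),
    Host("iam-db-01", "server", date(2024, 6, 1), date(2027, 10, 1)),
    Host("iam-appliance-01", "appliance", date(2022, 2, 14), date(2026, 1, 1)),
    Host("ssl-accelerator-01", "appliance", date(2020, 9, 3), date(2023, 6, 30)),
]
TODAY = date(2024, 7, 1)

MAX_PATCH_AGE = timedelta(days=90)      # assumed local policy for "current"
EOL_WARNING_WINDOW = timedelta(days=365)

def audit(inventory, today):
    """Return {hostname: [findings]} for every host that breaches the policy.

    A host patched longer ago than MAX_PATCH_AGE is stale; a host whose OS is
    past (or within a year of) vendor end of support will stop receiving
    patches no matter how diligent the operators are.
    """
    findings = {}
    for h in inventory:
        issues = []
        age = today - h.last_patched
        if age > MAX_PATCH_AGE:
            issues.append(f"stale: last patched {age.days} days ago")
        if h.os_end_of_support <= today:
            issues.append("unsupported: OS is past vendor end of support")
        elif h.os_end_of_support - today <= EOL_WARNING_WINDOW:
            issues.append("eol-soon: OS support ends within a year")
        if issues:
            findings[h.name] = issues
    return findings

def stale_by_kind(inventory, today):
    """Count (total, stale) hosts per kind, to show where the patch gap is."""
    counts = {}
    for h in inventory:
        total, stale = counts.get(h.kind, (0, 0))
        counts[h.kind] = (total + 1, stale + int(today - h.last_patched > MAX_PATCH_AGE))
    return counts
```

Feeding the same audit real data from a CMDB or scanner would show the pattern the text describes: centrally managed servers stay current while appliances quietly age out.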
There are specific use cases where appliances are attractive:
Unfortunately, appliances carry both immediate and long-term drawbacks:
This white paper was produced by Hitachi ID Systems.
Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Identity and Access Management Suite is a fully integrated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premise and in the cloud.
The Hitachi ID Identity and Access Management Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID Systems is recognized by customers and analysts for industry leading customer service.
The Hitachi ID Identity and Access Management Suite is an integrated solution for identity administration and access governance. It streamlines and secures the management of identities, security entitlements and credentials across systems and applications. Organizations deploy the Hitachi ID Identity and Access Management Suite to strengthen controls, meet regulatory and audit requirements, improve IT service and reduce IT operating cost.
The Hitachi ID Identity and Access Management Suite includes:
The Hitachi ID Identity and Access Management Suite is designed as identity management and access governance middleware, in the sense that it presents a uniform user interface and a consolidated set of business processes to manage user objects, identity attributes, security rights and credentials across multiple systems and platforms. This is illustrated in Figure [link].
The Hitachi ID Identity and Access Management Suite includes several functional identity management and access governance modules:
Identity Manager includes the following additional features, at no extra charge:
Password Manager includes the following additional features, at no extra charge:
The relationships between the Hitachi ID Identity and Access Management Suite components are illustrated in Figure [link].