[LINK] IT can lead to big savings: Tanner

Marghanita da Cruz marghanita at ramin.com.au
Tue Apr 15 09:41:56 AEST 2008


Richard Chirgwin wrote:
> Chipping in late...
> 
> There's also a gap between how systems are presented (particularly 
> through the press), and the realities you outline below. When someone 
> says "here's our new application" in a media case study, they rarely 
> talk about the multiplication of servers that you've outlined.
> 
> I note that Cisco is now pitching the idea of "run your application 
> server inside the routers":
> http://newsroom.cisco.com/dlls/2008/prod_041008.html
> 
> The security implications of such an implementation would worry me to 
> death ... the idea, even in the branch network (or especially so) of 
> putting the apps in the router, is only good for Cisco, not for the 
> users. IMO anyway...

Depends on the application, alternative application servers/architecture and 
where in the network it was located. There is a chance the operating system on 
the Cisco box is inherrently more secure.


> 
> Richard Chirgwin
> chirgwin.blogspot.com
> (Now that I'm freelancing again, I've revived the blog!)
> 
> Bernard Robertson-Dunn wrote:
>> Tom Worthington wrote:
>>
>>>  As an example, ABS issued a request for tender for a recruitment
>>>  system a few weeks ago
>>>  <http://www.tomw.net.au/blog/2008/03/e-recruitment-system.html>. This
>>>  will have a web based interface and can work over the Internet.
>>>  There should not be anything different about how ABS does recruitment
>>>  to most federal government agencies (apart from some in law
>>>  enforcement and security). There doesn't seem any good reason why
>>>  most government agencies couldn't use the same system as ABS. The
>>>  system would just need a few extra features and more userids issued.
>>>  The hardware to run the system for the entire public service would
>>>  fit on a desktop server costing a few thousand dollars.
>>>
>>>  Rather than create a huge project for a recruitment system, the
>>>  Finance Department could simply identify this as a potential
>>>  corporate application and give ABS a few extra resources to take
>>>  wider needs into account. ABS would implement the system for
>>>  themselves and if that worked okay, the system could then be made
>>>  available to others. Along the way the sums could be done to see if
>>>  it is worth having the system open source.
>>
>>
>> Oh dear, the naivety.
>>
>> When I was the IT architect at Finance and then Health and Ageing, we 
>> used to get all sorts of simplistic requests like Tom's suggestion of 
>> "a desktop server costing a few thousand dollars" to run an enterprise 
>> class application.
>>
>> Without commenting or addressing the functional requirements of the 
>> recruitment system, the infrastructure requirements go way beyond a 
>> couple of servers.
>>
>> The reality is that any system that is to go into a government data 
>> centre has to comply with the department's operational and security 
>> requirements - and we are talking DSD ACSI33 here.
>>
>> The first requirement will be that there will need to be at least two 
>> if not three versions of the infrastructure - 
>> production/dev-test/acceptance (as its an off the shelf system dev and 
>> test can probably be combined with acceptance). If it has a serious 
>> database as well as an application server and web server then that is 
>> at least two, if not three servers per application. In addition there 
>> will need to be some form of archiving/audit/logging - preferably on 
>> another server, but maybe only for the production environment. Yet 
>> another server might be required for analysing and accessing the 
>> archiving/audit/logging data.
>>
>> As its a web facing system then the prod web server will probably be 
>> in the DMZ with some mechanism to work across the internal firewall, 
>> probably a proxy server.
>>
>> Then there is back-up and restore, but that would probably use 
>> existing infrastructure, but there would still be a cost.
>>
>> Then there is DR. Depending on the agency's approach, it might be 
>> possible to ustilise the dev-test/acceptance environment, but there 
>> would still be a cost.
>>
>> And maybe also Business Continuity (which is different from DR), 
>> possibly more cost.
>>
>> And redundant network connections, and redundant power supplies, and a 
>> SAN with RAID discs for the data.
>>
>> So we are actually talking about significantly more than a single 
>> server. My educated guess is 15-20, depending on the complexity and 
>> performance and other NFRs.
>>
>> And let's not talk about virtualised servers. The experience in many 
>> data centres is that there are limits to what you can virtualise on to 
>> the same server (eg you don't combine prod with non-prod or prod with 
>> DR and you don't cross security boundaries.) and the cost of 
>> supporting a virtual instance is more than that for a server with a 
>> dedicated OS.
>>
>> The suggestion that "ABS would implement the system for themselves and 
>> if that worked okay, the system could then be made available to 
>> others" does not take into account the additional complexity and 
>> security requirements of a system that can be accessed by multiple 
>> agencies from within their security zones.
>>
>> My experience of trying to get people from one agency to access an 
>> application in another agency, both within the same portfolio, tells 
>> me that this would either not be possible or is downright impossible. 
>> This is for many reasons, not the least of which is that agencies 
>> cannot have legally binding agreements with each other.
>>
>> Enterprise IT systems are very complex and vastly different from 
>> personal computing.
>>
>> And all this is not because it is government IT. Banks and airlines 
>> have just the same requirements.
>>
>> And it there really were cheaper ways of meeting the NFRs then someone 
>> would be out there doing it.
>>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
> 


-- 
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202




More information about the Link mailing list