When blade servers compromise security

Financial services company Veda Advantage has found blade servers' small size made it impossible to meet security policies that mandated physically separated networks.

Blade servers are often viewed as a critical element in data centre consolidation, but security issues can mean that rack-mounted systems make more sense, as they did for the Australian operations of credit systems and analytics provider Veda Advantage.

The company is currently running a major virtualisation project to consolidate its data centres. But infrastructure manager Ashley Sowter said that while he was personally comfortable with the notion of using blades during the consolidation project, which has already seen almost 80 servers switched off, the organisation's security policies meant the small servers were not practical.

"The main reason for us was because, being in the financial services industry, we needed physically separated network connections in some of our DMZs to satisfy my security guys," he said. "For my industry that was paramount." As such, a more traditional rack-mounted solution was used in the data centre, which ensured that the security policies could be maintained. Blade servers' inability to host more than a single network interface card made it impossible to consider their use in these situations.

Sowter, who has previously occupied similar roles at AGL and other organisations, said that the decision was very much driven by the security-centric financial services culture. "They're generally risk averse, and for the right reasons. It depends how to-the-letter your security guy is, but it's not an unusual decision."

"My original vision was to go blade, but the reality is you're going to have some servers you can't virtualise anyway. We still need a few standalone grunty boxes. And hardware prices aren't a major factor; the box is not that expensive."

That was particularly the case as the virtualisation wasn't sold purely as a cost reduction exercise. "I didn't sell it as cost saving; it was around capability and future expansion," Sowter said.

Even with that broad-ranging decision made and aligned with existing security policy, an additional challenge is convincing individual line-of-business units that they don't need a separate physical box, Sowter noted. "You just have to say to them: how do you think I'm going to pull this out?" he said.

Although its fleet is dominated by Intel machines, Veda Advantage is running a wide range of platforms, in part because of external acquisitions. Solaris and Linux machines play prominent roles in some branches of the organisation, while core bureau activities are run on an outsourced mainframe.

In general, though, Veda Advantage has resisted outsourcing, in part because "I'm not an outsourcer," Sowter noted. That also made selling the project to the security team easier.

So far, Veda Advantage has almost halved its server workload, and the reaction from its 420-strong user base has been positive, with no interruptions to service reported. "Systems and availability are pretty important," Sowter said.

"It does work and it is worth doing. Frankly, I'm a little surprised when people haven't done it yet."
