Sept. 11 was a wake-up call, prompting companies worldwide to reevaluate their disaster recovery plans. Hurricane Katrina gave those thoughts another -- albeit unwelcome -- push. Now, with the potential for an avian flu (also known as bird flu) pandemic -- which could be the first true pandemic of the technological age -- it's time once again for enterprises to prepare their networks for catastrophe and for the possibility that government edicts could keep 100% of the nation's workforce quarantined at home.
This specter introduces a dilemma: If people can't go to work, how can they stay connected? What can be done to the network to ensure that business can continue?
A pandemic differs from other disaster situations in that the network infrastructure stays intact -- it is not destroyed. The trick is to keep everything running smoothly on that infrastructure for a worst-case scenario.
Change the culture
First, however, experts recommend taking a step back. Although changing the network infrastructure now -- instead of reacting to the outbreak -- is important, experts said the first step in preparing for a pandemic has nothing to do with technology.
"A lot of companies are starting to pre-plan," said Mitch Hershkowitz of Dimension Data, a Long Island, N.Y.-based IT services firm. "But you really have to actually change the culture in order for it to work."
Changing the culture means keeping everyone focused on business continuity. Odds are, not every single piece of the network will be necessary during a disaster. And instead of focusing solely on keeping everything up, enterprises must evaluate what they can do without. "What should stay up and what can we live without?" should be the first two questions enterprises ask themselves, Hershkowitz said.
Ken McGee, a group vice president and research fellow at Gartner Inc., pulled no punches in a recent webinar discussing what to do to prep the network in an avian flu pandemic. Simply put, McGee said, "The likelihood of avian influenza is real. It is a very real concern. It's not something that will go away tomorrow."
Gartner recommends that clients look at their companies' plans to address pandemic needs, McGee said. He estimated that it takes a mere 21 days for a pandemic to spread globally after it is announced. But companies shouldn't just be concerned with their own plans.
McGee suggests immediately obtaining and evaluating written copies of carriers' and service providers' influenza response plans to see where they stand. From there, assess a carrier's remote management strategies, pinpoint its emergency contacts, find out where its backup facility is, and ask about its flu rehearsal schedule and the plan to sustain its own business in a crisis.
Carriers' and service providers' plans make all the difference, McGee said, because without them, the network may not operate.
"We think the pandemic will introduce a very unfavorable effect on the network," McGee said. He cautioned network pros to assume that there will be network outages and travel restrictions, and that people will be working from home and will have their children home from school. That could last 18 months, with millions of people working from home, trying to use residential networks that aren't built to support such capacity.
Backup and collaboration
Companies need to install WAN facilities at employees' homes, according to McGee. If users don't have home broadband, network pros should make sure they get it. If users have broadband, it must be backed up somehow -- cable can be backed up with satellite, and satellite can be backed up with fiber.
Also, this is the time to start negotiating with Web, audio and videoconferencing providers, McGee said. "Do it now," he said. "Treat it like an insurance policy. Talk to vendors and carriers have dry runs; have rehearsals now."
To plan realistically, companies need to assume that 100% of the workforce will not report, so collaboration tools can be crucial. Hershkowitz said that adding collaboration technologies to the network helps keep everyone in touch.
Hershkowitz noted that Web conferencing, whiteboarding, videoconferencing and other collaboration suites need to be in place for times when "a phone call is not enough and an email is not enough."
Yankee Group analyst Zeus Kerravala agreed that collaboration technologies should be put into use now so that users are accustomed to them if the time comes to use them from home for an extended time. He warns that companies should be evaluating collaboration tools anyway, and that bird flu should not be used as an excuse.
Plans defuse multiple threats
Alan Shark, executive director of the Public Technology Institute (PTI) in Washington, D.C., said his company already has several safeguards in place to ensure the network is ready in the event of a pandemic. The plans were not sparked by a potential bird flu outbreak, however. PTI is a mere three blocks from the White House, where threat levels are high. Planning ahead for any kind of threat could also keep PTI operating in a pandemic.
PTI has devised a comprehensive plan of action if something prevents staff from physically going to work. PTI has rolled out VoIP, which connects all users with three-digit extensions from anywhere via PC-based softphones that work on a Web-based VPN connection.
PTI has also moved its file server off site and is doing the same with its email server. The network is distributed in such a way that if one part goes down or is overloaded, it shouldn't affect any other parts.
Similarly, the network is set up so that voicemail is sent to email and users can retrieve email via handhelds, meaning that staff would not need to be near an office phone to retrieve messages.
Remote access is key
Robert Whiteley, an analyst with Cambridge, Mass.-based Forrester Research, said the biggest hurdle companies will face in a pandemic is remote access.
Most remote access solutions are built to handle concurrent sessions from 10% of the staff, according to Whiteley. In a pandemic, he said, you need to "flip the ratio on its head" and be able to handle 90% concurrency. He said companies should be looking for a solid SSL VPN that can handle such a monstrous boost in traffic load.
"It's a lot more conceivable to focus on SSL VPNs," he said. "From a technological standpoint, SSL VPNs just make sense."
With SSL VPNs, Whiteley said, users can get onto the VPN through a Web portal on their home computers or PCs that the company sends out. Once logged on, they have the same access they would have in the office on the corporate LAN.
Also, most SSL VPN solutions can scale to meet the needs of many users. For some, one box may be adequate. For others, a daisy-chain of boxes could work to accommodate high loads. Higher capacity costs more money, however.
Along with remote access to reach email and other basic applications, many companies may also want to give users access to VoIP during some sort of disaster, Whiteley said. He suggests making sure that any SSL VPN deployed can handle voice traffic and is bi-directional friendly.
Some vendors have even devised an SSL VPN licensing plan where companies can continue to pay for the 10% usage, Whiteley said. If there were a period of time when usage spiked to 90%, however, the company would be responsible for paying for that spike only, similar to typical overage charges.
To ensure the network isn't overloaded with SSL VPN sessions, a load-balancer could be added, Whiteley said. However, with many SSL VPNs, if one box in the string is filled to capacity, it can automatically bounce incoming sessions to another appliance.
Train and test
Even the most concrete remote access solution could be useless, though, if end users don't know how to use it, according to Yankee Group's Kerravala. He recalled a New York-based company that had an emergency remote access plan in place before the Sept. 11 terrorist attacks, but when the day came, many users hadn't been trained or they had left their remote access instructions in the office.
"There's a fighting chance you might see it coming," he said. "You have to be prepared. Make it part of the process. The more you test, the more the users know. You don't want users having to try to figure things out on the fly."
Kerravala estimated that roughly 80% of pandemic planning is process, while only a minor portion is the tools a company needs to stay connected. He suggests that companies set a mandate under which everyone works remotely one day a month. That will give ample time to test the system and let IT determine where things could go wrong. It also gets users acquainted with new technologies.
"That takes all of the kinks out of the system early on," he said. "You want the user experience remotely to be as close as possible to the user experience in the office."
Most companies already have some sort of remote access plan in place, Kerravala said, but a hurdle is making sure it is of sufficient scale for higher-than-peak usage. Also, different remote access solutions suit different types of workers. SSL VPNs work for those who may need to access only a handful of applications, he said, but an IPsec solution is better for network administrators. The key to determining which remote access solution best suits which group is to understand work flow and work processes.
Still, planning for remote access through VPNs and training workers to use them may be futile if the broadband providers can't scale to meet the needs of specific companies. As a rule of thumb, service providers grossly oversubscribe bandwidth, meaning that if 90% of subscribers tried to use the network at once, the providers couldn't handle the load, and there would be no connectivity.
Most companies should look for a connectivity backup to broadband, Whiteley said, in case a pandemic clogs the pipes and no one can get online. Satellite may not be the best answer because, if VoIP is in use, the latency could be a hindrance. Simple dial-up may be adequate if users only need to dial in to download email, then sign off. Also, a wide-area wireless network could do the trick but would carry a high price tag.
Whiteley said it would be wise to approach Internet service providers to discuss Quality of Service and the amount of broadband you'll need in a pandemic.
"Approach them and say, 'I realize you can't squeeze blood from a stone, but what can you do to guarantee my traffic?'" he said.
Whiteley said vendors such as Aventail and Citrix have appliances suitable for planning for a pandemic.
Barry Phillips, senior director of product marketing in Citrix's advanced solutions group, quoted recent research that shows 88% of enterprises are prepared for a power outage, 70% are prepared for a data center outage, and only 13% are prepared for a major disruption in workforce operations. "Most people are just starting to look at pandemic planning," Phillips noted.
Citrix offers four distinct solutions to ensure business continuity in a pandemic, according to Phillips. The Citrix Presentation Server, which works with Citrix Access Gateway, an SSL VPN and Citrix Password Manager, is a single sign-on that virtualizes applications from the server to a user's PC. Citrix GotoMyPC is a remote-access tool through which users can securely connect to their desktop PCs from any computer. Citrix Streaming Server, which also works with the A