In part one of this series, we began our discussion of applying a risk-based approach to managing today’s data center in the financial services industry.
As a framework for our discussion, we aligned the topics with the IT Examination Handbook published by the FFIEC in 2021 titled “Architecture, Infrastructure, and Operations.” These published guidelines were established to replace the 2004 “Operations Management” handbook. In part one, the focus of the article was on data center management, also known as “Operations.” Today, our focus is on data center design, or “Architecture.”
In the IT handbook, Architecture is defined as “the manner in which the strategic design of the hardware and software infrastructure components (e.g., devices, systems, and networks) are organized and integrated to achieve and support the entity’s business objectives. Planning and designing an effective IT architecture facilitate management’s ability to implement infrastructure that aligns with the entity’s strategic goals and business objectives.”
In part three of this series, we’ll dive deeper into the data center build, or “Infrastructure.” But for now, we will dive deeper into the discipline of design.
Comparing the functions of a data center to a finely tuned orchestra
It may be helpful to think about the relationship of these three components inside the data center as the coordinated effort required of a finely tuned orchestra. If we consider the infrastructure to be the instruments and operations as the musicians that play the instruments, we can view the architecture or design as the conductor.
An effective conductor assembles the appropriate instruments (infrastructure) and skilled musicians (operations), guiding them in the execution at precisely the right time according to the desired musical score. Every detail is defined with focused attention to the intended design. The same is true inside today’s increasingly complex and integrated data center.
The design or architecture of the data center starts with strategic planning and refers to the selection, implementation, and integration of all components including hardware and software as well as processes performed by operations. The desired outcome should enable the organization to achieve the stated business goals and objectives, within the regulatory guidelines of the applicable industries it serves, while addressing the multiple facets of risk under the evolving threat landscape.
Threats to remediate are many, from climate-related physical risk to cyberattacks. Risks relative to the architecture of design include inadequate requirements planning, lack of documented architecture review, and insufficient planning for aging or ineffective architecture.
Management oversight and responsibilities
On a regular basis, the board and senior management should evaluate whether the existing IT strategic plan aligns with the corporate strategic plan, as well as establish short and long-term priorities. If necessary, management should take steps to adjust the architecture to meet those plan objectives.
Remaining flexible or agile, and capable of adapting to changes must be an objective of the design strategy. The rapid pace of innovation in technologies can render components obsolete, or at best “legacy” in a short order of time. Again, all components should be designed to work fluidly together in a balance of cost/benefit that is aligned with the short and long-term IT strategy.
IT management typically includes levels of roles and responsibilities with common titles like Chief Information Officer (CIO) or Chief Technology Officer (CTO). The FFIEC addresses these roles in their IT Examination handbook “Management.”
In general, these roles are responsible for overseeing the architecture function, implementing and maintaining the organization’s infrastructure, and managing operations in an integrated IT environment (aka, the “Conductor”). Depending on the size of the organization, a dedicated CIO or CTO role may not be feasible. Although, the responsibilities are still required, relative to the level of risk.
IT architecture and business continuity
One of the key roles in IT Architecture Management is that of “Chief Architect,” responsible for reviewing how IT functions can be centralized, allowing departments across the organization to work together seamlessly (aka, “the Orchestra”). This requires an understanding of the interrelationships between technology in the data center and the business functions across the organization.
The Business Impact Analysis provided with a comprehensive Business Continuity Management program helps to identify and prioritize the business functions as well as determine appropriate recovery time (RTO) and recovery point objectives (RPO).
Aligned with IT strategic planning objectives, IT architecture responsibilities include:
- Developing and maintaining the architectural model with a common understanding, vocabulary, and blueprint for all parties involved.
- Maintaining the IT architectural design to achieve the business and strategic plan objectives.
- Designing the IT architecture to accommodate changes that maximize value and minimize issues associated with the changes.
- Communicate to the board and senior management any challenges (resource constraints, changing technology trends, etc.) in meeting the objectives.
- Work with other management members from across all business units to determine capabilities needed by IT systems to ensure optimal integration and to deliver new products and services.
- Maintain process and technical expertise relative to security, storage, data management, and network service delivery in the data center.
Where this can have the greatest impact are those planned or unplanned scenarios that result in disruption(s) within the data center and/or upstream and downstream workflows with vendors and service providers. Having a robust Business Continuity Program with regular testing and training helps identify areas of weakness and exposure to disruptions for those areas that are most critical to business operations.
In today’s 24/7 global marketplace, expectations for always-on availability are extremely high. A deeper discussion will be included in the next article of this series on infrastructure.
IT architecture planning
Architecture and design are more than a description; they are indeed tangible. The documented IT Architecture Plan should be updated, reviewed, and approved on a regular basis to reflect changes to the corporate business and strategic plans.
Supporting policies and procedures must be developed and implemented as part of the governance process. As with most plans, the size and scope will depend on the complexity of the organization’s operations and technology. A repeatable process should be developed that assesses the current state, identifies new or changes to business function requirements, controls and monitors risks, and incorporates lessons learned over time.
IT architecture objectives
Identifying and selecting the appropriate solutions to implement to achieve the desired architectural plan requires clearly defined objectives and understanding between business and technology teams as well as prioritization of investments. A lack of clarity can lead to costly changes down the road.
The FFIEC IT handbook provides a list of aspects of architectural design that can assist in the decision-making process:
- Performance and reliability
- Integrity
- Availability and resilience
- Scalability
- Flexibility
- Security and Privacy
- Interoperability and integration (internal systems)
- Integration with third-party service providers
- Testing
- Auditability
- Advancement in technology
Additional factors to consider during the selection phase include obsolescence (pace of innovation), EOL (warranty and support), and the impact of decommissioning systems based on the expected life cycle. Maintaining the confidentiality, integrity, and availability of all systems throughout the workflow in the data center requires regular assessment and evaluation of controls in place, especially for systems that are at or near “legacy” status. A strategy for replacement should be part of the plan.
IT architecture design
Circling back to design, one final consideration is that of deployment environments. For decades, the data center was a fortress, protected by the organization with a layered security model. Today’s data center design is a mix of on-premises (internal or colocation), cloud-based (single or multiple CSPs), or a hybrid approach.
Systems are either physical or virtual with emerging technologies (ML, AI, etc.) introduced at a dizzying pace. Finding the best mix of all solutions available goes back to the definition of Architecture as stated earlier, “to achieve and support the entity’s business objectives.”
Looking ahead
In the first article on operations, we visited the processes that occur within the data center environment. In the article, we addressed the element of “Architecture Design.” With those two under our belt, we will next look at the physical elements, products, and services necessary for ongoing operations and support of business activities, or “Infrastructure.”
Before closing, let’s take another look at the analogy of the finely tuned orchestra where the conductor represents architecture/design, musicians are represented by operations, and the instruments make up the infrastructure. Three different perspectives of looking at the data center environment, three areas requiring unique skills and experience, and one overall objective of supporting the contributing to the entity that the data center supports.
In my 20+ years working in the data center environment from each of these three perspectives, I have observed both effective and poorly implemented architecture design plans. I have yet to work with an organization that would not benefit greatly by reviewing the FFIEC publication that this article series is based on.