We recently polled our Healthcare CIOs as part of our CHIME membership. Their top two priorities for 2016 align perfectly to our security and storage offerings: ‘Security and Compliance’ and ‘Reducing Costs/Financial Restraints’.
The pivot from traditional infrastructure to software-defined security and storage addresses the top two priorities exquisitely, allowing Healthcare providers to reduce the attack surfaces leveraged by modern phishing and malware attacks as well as dramatically reducing the TCO per application and solving a host of other storage challenges in the process.
Healthcare Infrastructure Needs
- Security: Patient Information and Systems
- Reliability: Consistently available, self-healing, continuous between sites
- Performance: Delays reduce productivity and affect satisfaction
- Value: Persistent pressure, flat budgets despite growth
Healthcare needs an application platform that addresses its most profound infrastructure challenges: security, reliability, continuity, and value. In order to deliver those outcomes, we need new capabilities that take full advantage of your virtual infrastructure as the hub of information in your environment and apply policies where they matter most: to the applications themselves.
VMware marshals your most sensitive Healthcare data all day long: on its way to and from storage and with other systems inside and outside of our environment. That makes VMware the most efficient place to implement security and storage policy, and in doing so, we can simultaneously reduce the risk of the modern breach, add reliability and performance to the storage on which all applications depend, and reduce the total cost per application. And as we look to a future where the boundaries of the datacenter become increasingly flexible, and we look to leverage compute from a variety of cloud providers, we need to apply the policies to the applications directly, to the VMs themselves, to ensure that wherever the applications and data move, the security and performance policies move with them.
Security and storage are the two critical infrastructure components most in need of overhaul, and the technologies necessary to address so many of the modern challenges are already available, delivering an application platform with better security, greater reliability and performance, and lower total cost on the order of 30-50%. It’s powerful, it’s simple, it’s affordable, and it’s in production right now.
Recent headlines tell intimidating stories about ransomware holding patient data and critical systems hostage with encryption until a fee is paid to obtain the decryption key. Prior to that, stories of high-profile health record breaches dominated. Breaches are an outcome of present architecture limitations, and what is missing from the headlines are recommendations that point to architectural solutions to reduce the attack surface of applications and systems that house PHI.
Breaches are most often effected by phishing and malware that then exploit the typically absent internal boundaries between systems in an environment. An important element of any modern security strategy is drawing purposeful lines around our applications and systems to control what traffic is permitted on a very granular scale, but that requires a new security capability, a new place to effect policy. VMware is already in the path of that data and is the most logical place to implement that policy.
Traditional policies are based on IP and Port, and defining a complete list of permissible traffic in an environment using IPs and Ports is simply infeasible to build and manage. As a result, no one does it – that is why phishing and malware work.
Securing the internal environment requires policy be applied to applications directly. Since nearly all applications run inside VMware VMs, that is the best place to apply those policies. And because we manage the VMs, we can apply new kinds of security policy: we can apply sophisticated policy to groups of VMs by naming convention, group membership, tags, OS versions, etc. It’s an entirely new way to implement internal Zero Trust where traffic can only flow when specifically permitted. We can also apply policy to AD users and groups so that only traffic by authenticated users will flow.
This outcome of Zero Trust is the result of using NSX Distributed Firewall, a core feature of the VMware ESXi hypervisor that runs almost all of your critical applications, and this is a key component of a modern comprehensive security policy.
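A toy model of the group-based, default-deny policy described above, added here as an illustration; it is not NSX code or its API, and the VM names, addresses, tags and the single rule are constructed. It shows that a tag-based verdict survives a VM being re-addressed, while the equivalent static IP/port table does not.

```python
# Toy model of group-based, default-deny segmentation (added illustration).
# Not NSX code or its API: VM names, IPs, tags and the rule are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset

@dataclass(frozen=True)
class Rule:
    src_tags: frozenset   # source VM must carry all of these tags
    dst_tags: frozenset   # destination VM must carry all of these tags
    port: int

WEB1 = VM("ehr-web-01", "10.0.1.11", frozenset({"ehr", "web"}))
WEB2 = VM("ehr-web-02", "10.0.1.12", frozenset({"ehr", "web"}))
DB = VM("ehr-db-01", "10.0.1.21", frozenset({"ehr", "db"}))
PACS = VM("pacs-app-01", "10.0.1.31", frozenset({"pacs", "app"}))
INVENTORY = [WEB1, WEB2, DB, PACS]

# One statement of intent; every flow it does not name is denied.
POLICY = [Rule(frozenset({"ehr", "web"}), frozenset({"ehr", "db"}), 1433)]

def allowed(src, dst, port, policy=POLICY):
    """Default deny: pass only if a rule matches both VMs' tags and the port."""
    return any(r.src_tags <= src.tags and r.dst_tags <= dst.tags
               and r.port == port for r in policy)

def expand_to_ip_rules(inventory, policy=POLICY):
    """The same intent flattened into static (src_ip, dst_ip, port) entries."""
    return {(s.ip, d.ip, r.port)
            for r in policy for s in inventory for d in inventory
            if s is not d and r.src_tags <= s.tags and r.dst_tags <= d.tags}

def ip_allowed(src, dst, port, ip_rules):
    """Verdict of a classic IP/port rule table built at some earlier time."""
    return (src.ip, dst.ip, port) in ip_rules

if __name__ == "__main__":
    table = expand_to_ip_rules(INVENTORY)
    moved_db = replace(DB, ip="10.9.1.21")   # e.g. re-addressed at another site
    print("web -> db 1433:", allowed(WEB1, DB, 1433))
    print("web -> web 445:", allowed(WEB1, WEB2, 445))
    print("pacs -> db 1433:", allowed(PACS, DB, 1433))
    print("after move, tags:", allowed(WEB1, moved_db, 1433))
    print("after move, IP table:", ip_allowed(WEB1, moved_db, 1433, table))
```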
Nearly all VMware infrastructure leverages shared storage, fibre channel.
Healthcare is one of the few industries that has lives at risk in the event of system failures, which makes the application platform absolutely critical to the delivery of care. With that in mind, we should focus on the elements of infrastructure most prone to issue and that can be simplified through innovation and transformation.
Almost all virtual infrastructure today leverages shared storage; it was an essential component of architecture that in itself has become a single point of failure whose risk requires significant capital to mitigate. The era of shared storage is rapidly coming to a close because it is complex and expensive: it accounts for roughly 50% of virtual infrastructure capital, and by its very nature, it is prone to failure with very high operating cost. The policies to manage storage are so distant from the applications themselves that when things go wrong, it takes three different skill-sets to fully surround the potential issues and resolve them.
With lives on the line, why would we allow that to continue if we have a better way?
By moving storage into the compute layer, we reduce complexity and cost.
VMware VSAN is the solution to the reliability challenge. It’s a core capability of the VMware hypervisor, and by moving the storage into the compute layer and allowing VMware to manage it all directly, we gain new redundancy options, new business continuity options, reduced complexity, and we apply storage redundancy and QoS policies directly to the VMs. There is so much less to go wrong in this distributed storage model, and it is the way all virtual infrastructure will be built. Our customers who have transitioned to this design, some of whom have been operating this way for more than two years, tell us they cannot imagine running their infrastructure any other way.
By moving the storage up into the compute, VMware can make critical decisions about how to cache it for rapid repeated retrieval. It still lands on the same spindles and flash as it would with a SAN, but by moving storage to the compute layer and giving VMware control, we get great performance benefits and gain scale benefits by distributing the IOPS among the compute nodes.
A modern SAN is designed to scale, but the storage processors in a SAN become bottlenecks over time. Eventually, we reach a point where our applications are performing more transactions than our SAN can process, regardless of how much flash is present behind the processors. This creates significant growing pains in both capital spend and operating complexity.
Distributed storage, on the other hand, scales with you. A modern compute node using NVMe Flash as a cache drive can sustain ~120,000 IOPS. As our applications grow and we add compute nodes, we are consistently adding additional IOPS, up to 120,000 per node. This architecture by its very nature addresses the single greatest performance challenge of shared storage, and as flash becomes increasingly affordable, spindles are fading in favor of higher-IOPS infrastructure without the SAN bottlenecks that have plagued us for years, delivering three to ten times the IOPS presently available in customer environments.
VMware VSAN alleviates so many of the performance challenges of storage architecture. The idea that there are no LUNs and no tiering is a radical concept for storage engineers, but it works so much better. My customers who run hybrid configurations using a combination of flash and spindles report no performance challenges for nearly two years.
Value and Cost Control
Did I mention this improvement in reliability and performance also costs less? By simplifying the entire stack, we eliminate capital infrastructure and commodity hardware markup. When we consider the total capital cost of virtual infrastructure, hosts with shared storage cost about 30-50% less per VM than using our distributed storage solution. This is leading to a rapid evolution of infrastructure architecture that began over two years ago but has accelerated dramatically in the last six months. With the ubiquity of commoditized compute and local storage that complies with Ready Nodes (from Cisco, Dell, Fujitsu, Hitachi, HP, Huawei, Inspur, Lenovo, Quanta, Sugon, and SuperMicro), and the launch of VxRail/VxRack HCI from VCE/EMC, there are so many excellent platform options to gain all of these benefits and realize substantial savings.
With these savings so very real and these benefits so very tangible, why would you build your infrastructure any other way?
The Solution: NSX and VSAN
VMware’s Security and Storage solutions are wonderful complements, addressing so many of the infrastructure challenges in Healthcare today. The savings versus your current model will fund the new capabilities, reduce the attack surface of applications, and resolve critical storage challenges all as part of a single transformation event. Healthcare applications have never had such a secure, reliable, performant, and cost-effective platform.