|The hierarchy of storage policies|
Although some policies are unique to an organization, there are often many commonalities between policies in different organizations. We find it helpful to divide policies into three categories: strategic, tactical and operational. (See "The hierarchy of storage policies")
Time to strategize
Strategic policies define the overall business imperatives. Think of the U.S. Constitution: Strategic policies are analogous to the Bill of Rights. There should be just a few, and all other policies should be assessed in light of them. Strategic policies are going to vary less from company to company. Here are some common examples:
- Standardization. Storage services shall conform to a defined set of offerings, except in extraordinary circumstances.
- Centralization. All storage shall be provisioned and managed by the centralized storage management group. No business may run its own storage infrastructure.
- Service level agreements (SLAs). Storage shall be provided to internal customers according to negotiated SLAs.
- Cost accounting. Business units shall be responsible for their portion of the cost of delivering storage services.
Strategic policies like these result in the alignment of the perspectives of the various parties at the negotiating table. IT managers often fear that if they offer solutions that are too costly, users might walk away and create their own infrastructure. We call this the CompUSA argument: "If I can buy a Pentium 4 PC at CompUSA with a terabyte of storage, why shouldn't I?" This is a red herring, but tends to be rehashed. Strategic policies let everyone focus on negotiating the right level of service from the perspective of the provider and the consumer.
Without alignment at the strategic level, efforts to create and enforce tactical and operational policies likely will fail. Without setting ground rules, tactical and operational policies can exacerbate any misalignment by forcing the IT organization and business units into a straightjacket of rules that are not in the best interest of either party.
Time for tactics
Tactical policies put the strategy into practice, governing the management of the storage infrastructure. They must be set within the framework of the strategic policies. Strategic policies are likely to look similar regardless of your business, but tactical policies will often look different. The following policies would support the goal of standard service levels:
- Data classification. Data will be classified into four tiers based on business value and risk.
- Data identification. Weekly reports will be developed to expose new or substantially modified data.
- Data protection. Data will be protected with a combination of tape backup, interarray mirroring and off-site replication, creating four levels of protection.
The key to success is to make tactical policies as specific as possible. We've spent hours in meetings listening to storage administrators and application owners discussing whether or not to use a certain tool. These discussions can be preempted if the specific tools have been determined and documented ahead of time.
Time to operate
Operational policies govern the process of managing the infrastructure on an ongoing basis. Once tactical policies have been developed to implement the intent of the strategic policies, operational policies dictate how to keep the environment running.
One reason to call these out separately is that many organizations only have operational policies. Those are usually classic knee-jerk laws developed in response to specific operational failings. For instance, we know of a CIO who decreed that all changes to the environment (even minor ones) must be approved by a change control committee. This froze all environmental changes and eventually forced administrators "underground," performing secret configurations. This led to another failure like the one that precipitated the policy in the first place.
Operational policies don't support specific strategic policies like tactical ones do. Rather, they tend to support the implementation of the tactical policies--the "spirit of the law." Good operational policies tend to have exceptions to keep them within the realm of reality. Some normal operational policies include the following:
- Design. Fabrics will provide dual paths to storage targets with automated failover, requiring dual host bus adapters (HBAs). Each path to storage will reside in a discrete zone consisting of a single HBA port and a single storage array port.
- Provisioning. Storage provisioning requests must be made on the requisitions form and will be acknowledged within one business day. Conforming requests will be fulfilled within five business days.
- Monitoring. Operators will respond to pages immediately, and will manually review operational status every five minutes.
- Escalation. All faults will be escalated according to the escalation standard operating procedure (SOP). The development of operational policies often leads to a need for SOPs (for more on SOPs, see "Time to get organized," in the February 2004 issue of Storage). Remember, procedures are the steps taken to perform a task. SOPs can be a step-by-step expression of operational policies, and are often the only written record.
The highest ranking people of an organization must set the strategic policies. They decide on issues such as whether an internal utility-provider model will be used and whether costs will be charged back to users. And they're also the ones who lay down the law on standardization. These policies should be documented and distributed for all to see. This way, no one can claim ignorance of the law.
Next, the managers of the storage infrastructure can decide on how to implement these strategic edicts. They decide on the type of architecture to deliver a tiered utility or how to model costs for billing. While these policies should be documented, they don't need to be as widely distributed as their strategic counterparts.
Finally, individual area managers can determine how to operate the environment. They can write SOPs for monitoring and escalation, and will be defining operational policies in the process. If a complete, documented set of strategic and tactical policies is in place, there's little worry that their decisions won't align with the overall framework. Each manager can be deputized and empowered to set policies in their own areas.