Tuesday, March 10, 2009

Outsourcing your E-Business Suite environment - Part V

In my previous articles in this series I explained what the key areas of focus should be when you consider outsourcing your Oracle E-Business Suite environment(s). This last article in the series covers some of the questions you could or should ask your potential partners.

Now that you have a rough idea about the issues to bear in mind when outsourcing your E-Business Suite environment(s), it is time to look for a partner that you can do business with. In order to make a proper judgement, it is essential to know which details are important to your business. Ask questions on those details. They are important to you, so you must find the answers with your partner, and weigh them on the scale of importance.

Criteria

Here you can find a list of criteria you might find useful:

  • Every customer should be logically separated from other customers
  • Possibility to filter traffic between systems of the same customer
  • In case of an attack/intrusion it should be possible to quickly block traffic
  • Detection by means of a network intrusion detection system should lead to action in less than 3 minutes
  • Possibility to guarantee bandwidth
  • Possibility to regulate bandwidth
  • Possibility to deliver connections, by fixed lines as well as VPN via Internet
  • Data Center has more than 1 public exchange utilizing multiple carriers
  • Multiple access paths to the public exchange are possible, physically as well as logically, so in case of interruption of service alternate paths could provide the required service
  • Termination is separated from the server room, so physical access is not required for assembly
  • Separated LANs for different purposes (backup/recovery, management, public, cluster heartbeat)
  • Failover datacenter at least 5 miles away
  • Support for QoS (Quality of Service)
  • Trunking Technology should be supported
  • Local LAN is redundant, including switches, SAN switches, cables, power supplies
  • Redundant air conditioning with sufficient capacity
  • ISO27001 compliance/certification
  • Availability of No-Break
  • External Power Generators are available, are tested monthly and meet capacity requirements
  • Growth of XXX% can be facilitated
  • Hardware defects can be solved within SLA times
  • Near real-time information about systems, load and amount of traffic is available online, or can be made available online, and is included in regular pricing
  • Monitoring is taking place for intrusion, fire, power failure, high/low voltage, external power generator failure, UPS/No-Break failure, temperature, humidity, breaker trips and leakage
  • 24x7 security available on the premises
  • 24x7 access for authorized personnel of the customer
  • Backup facilities are available, optionally with the ability to take backups to multiple tape units
  • E-mail facilities are available for outbound mail from specified servers
  • Physical access to hardware is separated from possible other customers to prevent other customers having access to our hardware
  • Capacity planning should be in place, for at least 12 months
  • Operations Staff should be adequately trained
  • Credentials should not be stored in human-readable form, i.e. no hard-coded credentials in scripts etc.
  • Cleaning and Archiving procedures in place for log files etc.
  • All access to systems must be logged and should be traceable to a personal account
  • Availability of centralized authentication system with LDAP or NIS
  • Servers should be addressed through a servername using Fully Qualified Domain Names
  • OS Storage needs to be mirrored
  • Remote Console Access should be possible
  • A representation of current configuration and hardware as well as Operating System should be delivered when asked (CMDB report)
  • The following operating systems and distributions should be supported: (fill in your required operating systems)
  • All machines are configured with swap space according to best practices
  • All File Systems are configured with either RAID5, RAID1 or RAID1+0
  • All provided slices of storage can be resized dynamically
  • Availability of a supported platform for backups
  • Every Unix machine is provided with ping, traceroute, lsof, top, truss, strace, sar or the applicable equivalents for the OS in place
  • Telnet services are disabled, ssh access should be possible
  • A Network Time Protocol Server is available for every system and is redundant
  • An authorization and maintenance process is in place for all privileges
  • Security audits take place on a regular basis, in conformance with ISO27001
  • Gigabit Ethernet is standard
  • Relevant information on all layers is stored so that trend analysis can be performed on it
  • On at least a monthly basis, patches to be applied are investigated and proposed to the customer as a change
  • Weekly SLA Meetings
  • Weekly Service Level Reports
  • NIS and FTP services are disabled
  • UIDs and GIDs of non-system OS users and groups should always be identical across systems
  • Possibility to perform routine maintenance by means of sudo
  • Availability and Performance Management should be in place
  • Architecture needs to be provided with a flexible storage solution for allocation, deallocation and copying of data and efficient backups
  • Backup data should be kept online on a remote location, at least 5 miles away from the primary data center
  • It should be possible to put backups on tape, to deliver at customer site
  • Internet connected machines should be placed in a DMZ
  • The meeting structure used for communication and consultation at the strategic, tactical and operational levels is defined by a governance model
  • Support needs to be provided in the … language
  • A situation is designated as a crisis at the initiative of the customer; in such a situation, supervision will be accepted from the crisis manager assigned by the customer
  • At least 1 FTE with knowledge of the environment is available at all times to support and investigate upon request
  • Customer can take backups to disk and optionally to tape at a later time, facilitated by hosting provider
  • It should be possible to house or host optional “external” hardware, like customer owned systems

Key Performance Indicators

Next, you should have a set of Key Performance Indicators (KPIs), that will have to be mapped to the criteria. You should have at least the following areas:

  • General
    Availability
  • Incident Management
    Reaction Time, Resolution Time, Down Time, etc.
  • Change Management
    Maintenance Windows, Change Qualification Time, etc.
  • Configuration Management
    CMDB, Monitoring, etc.
  • Operations Management
    Backup, Maintenance, etc.
  • Service Management
    Reports, meetings, etc.

Questions

Based on the above, you could ask your potential partner

  • what their vision is on separation of responsibilities and how they would realize this vision,
  • which risks they identify and how they would minimize these,
  • their ability to meet the criteria as stated,
  • their ability to meet service levels mentioned in the key performance indicators outlined by you,
  • to share a transition plan and approach for application management takeover and / or migration of current to new infrastructure,
  • to identify cost drivers for accounting services and products, based on the separation of responsibilities and in accordance with the given criteria,
  • to identify the monthly cost per cost driver,
  • how they detect intrusions,
  • how they guarantee bandwidth,
  • how they guarantee connection availability,
  • how much time they need to set up a system,
  • what possibilities there are to customize environments in terms of:
    kernel parameters,
    operating system limits,
    startup scripts,
    disks and partitions,
    mountpoints
  • which security certifications they have,
  • whether they have multiple datacenters,
  • what their vision is on capacity, availability and performance management and how that translates to practice,
  • if they can provide an example of an incident report, if possible for multiple priorities/severities,
  • if they can provide an example of a change report,
  • what their definition is of a problem,
  • whether they have experience managing/hosting
    Oracle Database environments and for which versions,
    Oracle E-Business Suite environments and for which versions,
    Oracle Application Server environments and for which versions,
  • if they can provide any references for any of the above with information about:
    Version,
    Size,
    Number of users,
    Number of transactions,
    Availability.

This list is not complete, but it can give you a start to identify the kind of questions you might want to be answered, in order to make a proper judgement.

I hope this series has given you a clearer view on the topic of outsourcing your environment. If you have any questions left, you can always drop me a comment.