1.6.03 Architect's Policies:
Business Continuity is the one overriding mission for provision of application services.
1. Downtime has been minimized with high levels of equipment redundancy.
2. Program errors have been minimized with very little software and a data-centric application design.
3. Backup has been replaced with real-time encrypted Data Replication to multiple data centers.
Culture:
The ASP is not an in-house team doing their best with a limited budget; the ASP operate many hundreds of web applications for thousands of users.
Since 1999, the ASP have continually evolved the most modern of web data center infrastructure.
All design decisions are taken with a long term view of 10 to 20 years - any short term opportunities have no place in this business.
While the rest of the world is rushing into Virtual Machines, the ASP has chosen to continue with a large number of dedicated servers. While dedicated servers are more expensive to operate, they are also much easier to manage and much more reliable.
No visitor is ever permitted to visit any one of our data centers that house the UK Internet backbone - these are very secure buildings with thousands of servers in a lights-out environment that does not have visitors.
Policies:
Wireless is never used for anything - ever.
Data is never transported on any kind of media - ever.
System Administrators do not have access to operational data - ever.
DNS IP address shipping is never made to an operational domain - ever.
Data is never backed up - it is replicated to many secure locations.
Asynchronous message switching is employed so transient Internet interruptions do not impact on the operation.
Data Centers:
Multiple interconnected remote data centers have been nominated to be used. Other data centers are also available, but these would take up to an hour to be made operational.
By design, each data center is in a different part of the country, so if a power or Internet connection failure should occur in one part of the country, the other data centers could continue to provide a service without any significant delay.
By design, both BT and Virgin Internet connections are employed, so if one supplier has an interruption to their service, the other is likely to be able to continue their service.
Multiple computers are provided that normally share the network load, but can continue on their own in the event of a single machine failure. Some loss of response may be experienced until a new machine can be powered up to replace the failed machine.
Backup:
The ASP has not used 50-year old magnetic tape backup procedures since 2004 - data is continually replicated to many remote data centers.
When more than 3 copies of any data have been stored in different remote data centers, it is hard to imagine a disaster that would cause all copies to become unreadable.
Message switch facilities using secure (encrypted) Internet tunnels ensure that each data center continually replicates its data with at least 2 other remote data centers.
All data is stored in encrypted databases on spinning disks that ensure the data is always readable and available to continue the business at a moment's notice.
Power Supply:
The ASP dedicated server racks have their own dedicated Uninterruptible Power Supply (UPS) batteries that will last between 20 and 60 minutes. Each tier-iv data center has at least two independent power supplies, so in the event of a failure of one power line an alternative power line will be used. Each tier-iv data center has its own independent power generator with fuel for at least 12 hours and facilities to top up the fuel supply during that time.
So in the event of any power failure, dedicated servers will simply continue to operate for at least 20 minutes using UPS battery power. The UPS is designed to provide more than adequate time for the data center to switch to an alternative power supplier. In the event that the alternative power supply is also not available, the data center will switch on its backup generators and carefully manage its fuel levels.
In the event that all these precautions are not good enough, business can continue from a different data center in a totally different part of the country.
Data Replication:
The ASP employ encrypted replicated database servers with encrypted message switching through virtual tunnels from one data center to another. As soon as data is securely saved in one data center, that same data is replicated to other data centers. Within a few moments many copies of all operational data are held in remote secure data centers - it is hard to imagine how numerous copies of data could all be lost, corrupted or manually falsified.
The ASP accept that data replication is not cheap, but the benefit of never losing any data makes it cost justified.
Disaster Recovery:
In the event of any failure of one data center, traffic is redirected to a different data center that is ready to take over at a moment's notice. It will take some time to deduce that a data center has been lost and that it is not just a transient Internet connection failure, but as soon as a real disaster is identified, business can continue from a different data center. Fire, flood, earthquake, tsunami, power failure, etc., are all planned for and resolved by employing multiple data centers.
The ASP understand that IP redirection across multiple countries can take some hours, so alternative domain names are employed so people can instantly switch to a different data center without the delay of IP address changes having to be replicated by many DNS servers. It must be accepted that the transactions that were in progress at the instant of the failure may or may not have been lost. When people switch to the new data center, they must check that what they were doing last has been completed as expected - see the "What Did I Do" report.
Denial of Service:
In the event of a significant Distributed Denial of Service (DDoS) attack on one data center, the ASP is fully prepared and can switch business to another data center using a different domain name. DDoS attackers will have no reason to know the alternative domain names and the different data center IP addresses, so any DDoS attack can have only a very limited impact on the business.
Data Cache Policy:
For performance reasons, certain reusable data files are cached for six months as:
1. Tiles as formal 64 by 40 pixel cartouche images.
2. Images as informal images and pictures.
3. Script as reusable JavaScript library files.
4. Style as reusable Cascading Style Sheet library files.
Search Engines:
The cost of supporting many thousands of search engines in all parts of the world can place a significant burden on the application service. With any business-to-business application service where search engine caching is not required, every opportunity must be taken to minimise the cost of responding to search engine requests. In most cases, the firewall (intrusion protection service) will simply respond to each search engine with a "hello world" reply. Where the search engine gets past the firewall, the web server will respond with a "hello world" message.
Where a user has installed a toolbar that continually monitors their browsing history and sends it to the search engine, the search engine will be aware that certain people can see more than "hello world" when accessing the application service. Most search toolbars are secretly monitoring a user's browsing history and providing that information back to the vendor - including copies of private data. To minimise the impact of toolbar monitoring software, the date is included in the URL, and any request using an out-of-date URL will be responded to with a "hello world" message.
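Added example (not the ASP's own code) showing how the two policies above can be enforced at the edge of a web application: the six-month caching of reusable tiles, images, script and style files from the Data Cache Policy, and the date-stamped application URL from the Search Engines section, where a missing or stale date earns nothing more than "hello world". The URL layout (/tiles/, /images/, /script/, /style/ for cached files and /app/YYYYMMDD/... for application pages) is an assumption for illustration; the page does not give the real layout.

```python
"""Request filter for the two policies above.  The path prefixes and the
/app/YYYYMMDD/ date position are assumed for illustration only."""
import re
from datetime import date

SIX_MONTHS = 182 * 24 * 3600            # Cache-Control max-age in seconds
CACHED_PREFIXES = ("/tiles/", "/images/", "/script/", "/style/")
DATED_APP = re.compile(r"^/app/(\d{4})(\d{2})(\d{2})/")   # assumed layout
HELLO = (200, {"Cache-Control": "no-store"}, "hello world")


def url_date(path):
    """Return the date embedded in an application URL as 'YYYYMMDD',
    or None when the URL carries no date or the date is not a real one."""
    m = DATED_APP.match(path)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day).strftime("%Y%m%d")
    except ValueError:                  # e.g. month 13: treat as no date
        return None


def handle_request(path, today=None):
    """Return (status, headers, body).  'today' is 'YYYYMMDD' and can be
    injected for testing; it defaults to the real current date."""
    today = today or date.today().strftime("%Y%m%d")
    if path.startswith(CACHED_PREFIXES):
        # Reusable library files: browsers may keep them for six months.
        return 200, {"Cache-Control": f"public, max-age={SIX_MONTHS}"}, "<asset>"
    if url_date(path) != today:
        # No date, an invalid date, or yesterday's URL replayed from a
        # toolbar log, crawler or bookmark: reply with nothing private.
        return HELLO
    # Current URL: hand over to the application proper (stubbed here).
    return 200, {"Cache-Control": "no-store"}, "application page"
```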
1. Tiles:
For application consistency and ease of use, a reusable 64 by 40 pixel tile is deployed in all menus and navigation. Research has shown that the correct finger tip icon for a touch screen should be 40 pixels square - 64 by 40 pixels provides for a 12 character label to be shown below the tile.
2. Images:
Images and pictures come in many sizes, with 1024 pixels being the maximum width that can be expected to work with most devices. A default device height is now 760 pixels, but vertical scrolling is accepted and understood by all users.
Images may be used on portable documents such as emails - the fully qualified address of such images must never change.
3. Script:
A small number of commercial JavaScript libraries may be used when and where applicable. As a generalization, JavaScript is not used for clever visual tricks that are better accomplished by style sheets.
4. Style:
A common set of reusable styles is employed for every form and every page. Each user has the right to select from a set of style sheets that all support the same class library.