In the haste to get the web store on-line, businesses must ensure they have considered IT service delivery.
On June 25, 2009, Michael Jackson died.
And in one fell swoop, Sony Music Entertainment had its worst information technology nightmare on its hands. Sony's web servers were bombarded by millions of Jackson fans, most of whom wanted to look up the highlights of the King of Pop's career or post public messages of condolence and reflection.
And some of the fans actually went to the site to purchase the star's music.
Greg Taylor, senior system engineer at Sony Music Entertainment, knew he had a massive problem on his hands: the company was on the eve of the equivalent of a denial-of-service event on a scale it had never seen, except that this flood was legitimate demand rather than an attack. The company's web servers would be inadequate for this unexpected level of traffic, and Taylor had the miserable task of coming up with a game plan to manage the expectations of Sony's customers. What would he do?
Taylor's situation is one faced by IT systems managers every day. Many administrators would approach the problem the "old fashioned way": quickly order more hardware and find a way to deploy it fast. However, that approach introduces risk, because hastily deployed servers may not be sufficiently hardened to protect credit card information. And how quickly can a company realistically purchase, rack and deploy multiple servers anyway?
Before taking any knee-jerk action, somebody within the company has to define the needed service levels for any given system. This is usually the data owner: the person responsible for the information collected and for the processing that needs to happen to it.
The needs have to be expressed in some form of performance measurement. Usually these are described as follows:
- The availability of the service: for example, "up 99.9% of the time", which means the service can be out of action for no more than about 0.365 days (roughly 8.8 hours) a year,
- The reliability of the service, in practice a throughput target: "must be able to support X transaction requests within a given time frame"; and finally,
- The data owner should express other criteria of importance as well, such as:
o Is the web site collecting sensitive information, such as card numbers, expiry dates and card verification codes (CVV2)? Or personal information about the customer?
o How is it protecting that information from accidental disclosure?
o What is the acceptable timeframe for restoring service if a systemic failure occurs (the recovery time objective)?
With these specifications in hand, the IT support teams can enter into formal service level agreements (SLAs) with the data owners within the company. Based on these agreements, the IT department can then specify the resources required to meet the objectives.
So with precious little time to come up with an operating solution, what did Sony's Taylor and his team do to meet the service delivery objectives of their eCommerce systems? Following the practice above, the team stood back from the technology for a moment and studied the needs of the customers. Essentially, there were two types of customers:
Customers purchasing music: these customers need a secure environment in which to collect and process credit card transactions. The Payment Card Industry Data Security Standard (PCI DSS) has very rigorous requirements for the handling of card data, including how long it may be stored (card verification codes may not be retained at all once a transaction is authorised), how it must be encrypted, and the nature of the security controls that must protect it, amongst other things. There must also be sufficient servers in place to allow prompt processing of all purchase requests. Because of the PCI requirements and Sony's natural concern over the availability and reliability of these servers, it would be near-impossible for Taylor's team to quickly stand up additional, properly hardened server equipment to handle the onslaught of transactions.
Customers who wish to research information: specifically, people wanted to look up elements of the performing artist's life, the discography, and the details of specific recordings. Further, Sony wanted people to be able to post information about local events, and in Michael Jackson's case in particular, the locations and times of memorial services, gatherings and celebrations of the musician's life. They wanted customers to be able to express their sorrow, pay tribute, and otherwise share their grief or thoughts. None of this information is especially sensitive or in need of PCI-level data protection. Further, this type of information look-up and social posting accounted for the majority of website traffic in the days following Jackson's death. Taylor could not deploy enough server resources to cover this demand while also maintaining adequate service delivery to the customers purchasing music.
Further, both systems had to remain readily available as the demands of both categories of customer changed.
Taylor's solution to meet the service delivery requirements of Sony's customers: devote all of Sony's in-house public-facing server resources to handling music purchases. This decision meant that he could leverage all of the existing security and PCI-compliant technology for delivering orders and handling card processing properly, without widening the PCI-scoped environment.
For the customers who wanted to look up information about Jackson's albums, life and so on, Taylor realised that the information was not sensitive in its handling. What he needed was a mechanism that could dynamically add and remove servers and replicate content as needed to meet unpredictable levels of consumer demand. To solve this, he turned to cloud computing for the answer; specifically, Amazon Web Services' Elastic Compute Cloud (EC2). Requests to the Sony web site would seamlessly be passed to the Amazon EC2 server farm, which would add servers automatically as needed to keep up with the demand for the look-up content. Information systems auditors have raging debates as to how to properly govern and secure information within cloud environments, as much of the information passes out of the data owner's direct control. However, Taylor didn't have time to do proper due diligence on this, nor did he need to: EC2 was not being entrusted with sensitive information; that stayed on Sony's own managed servers. That reasoning holds only as long as the boundary is enforced: nothing served from the cloud tier may collect card data, and the hand-off to the in-house store must be the only route to checkout. And the beauty is that Sony only pays for the server instances and hours that are actually needed.
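To make that boundary concrete, here is an added example of the kind of edge rule that keeps the two tiers apart. It is not Sony's, Amazon's or the article's own code. Commerce paths (`/store`, `/checkout`) go to the in-house, PCI-scoped pool; everything else goes to the elastic pool, unless the request appears to carry a card number, in which case it is rejected at the edge rather than forwarded, so a fan who pastes a card number into a tribute form never lands it in the cloud tier or its logs. The pool names, path prefixes and the Luhn-based detector are assumptions of this example, not details from the article.

```python
"""Tier routing with a cardholder-data guard (illustrative, not Sony's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical pool names and path prefixes; the article names none of these.
PCI_POOL = "in-house-pci"       # Sony-managed, PCI-scoped servers
ELASTIC_POOL = "elastic-ec2"    # auto-scaling, out-of-scope servers
PCI_PATHS = ("/store", "/checkout")

# A run of 13-19 digits, optionally separated by spaces or hyphens, that is
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){13,19}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; screens out most non-card digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a digit run that passes the Luhn check (likely a PAN)."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Decision:
    pool: Optional[str]  # None: not forwarded anywhere
    status: int          # 200 = forwarded, 400 = rejected at the edge
    reason: str


def route(req: Request) -> Decision:
    """Commerce traffic stays in-house; public content goes to the elastic
    pool unless it appears to carry cardholder data, which is dropped."""
    if req.path in PCI_PATHS or req.path.startswith(tuple(p + "/" for p in PCI_PATHS)):
        return Decision(PCI_POOL, 200, "commerce path, PCI-scoped tier")
    if contains_pan(req.query) or contains_pan(req.body):
        # Never let a PAN reach the out-of-scope tier or its logs: reject it.
        return Decision(None, 400, "cardholder data on a non-commerce path")
    return Decision(ELASTIC_POOL, 200, "public content, elastic tier")


# Constructed sample traffic for this example.
SAMPLE_REQUESTS = [
    Request("GET", "/artists/michael-jackson/discography"),
    Request("POST", "/tributes", body="message=Rest+in+peace"),
    Request("POST", "/checkout/pay", body="pan=4111111111111111&exp=0911"),
    Request("POST", "/tributes", body="message=my card 4111 1111 1111 1111 was charged twice"),
    Request("GET", "/events/search", query="order=1234567890123456"),  # fails Luhn
]


def main() -> None:
    for r in SAMPLE_REQUESTS:
        d = route(r)
        print(f"{r.method} {r.path:<40} -> {d.status} {d.pool or '-'} ({d.reason})")


if __name__ == "__main__":
    main()
```

The Luhn check matters in practice: a 16-digit order or phone number on a public page would otherwise be blocked, while a real card number that slips into a tribute post is caught whether or not it has spaces or hyphens. Rejecting with a 400 rather than silently forwarding to the in-house pool is deliberate; a card number submitted to a tribute board is almost certainly an accidental disclosure, not a purchase.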
Taylor's quick thinking met every aspect of the service delivery requirements so well that Sony now uses the same strategy for several of its popular artists. By clearly understanding the IT service delivery needs of its customers, Sony Music Entertainment was able to build a very effective eCommerce site that scales to meet dynamically changing demand.