Change in the business world is difficult. Change in the technologies utilized to operate businesses is overwhelming. It is not only the rate of change that is staggering. It is the massive quantities of new technologies that pose the biggest challenges. This has never been truer than when looking at the paradigm shift from physical to virtual servers.

Businesses are investing more than ever in the technology infrastructure necessary to stay competitive in an increasingly dynamic, fast-paced economic landscape. From server and compute resources to network architecture and cybersecurity defenses, these investments will differ from one company to the next based on their specific industry, budget, and company goals. Given this, one of the most critical decisions that businesses will make is determining whether a physical server, virtual server, or some combination of the two is best suited for their needs.

Physical servers are essentially giant computers. They are usually stored at the company’s office (but could also be housed in a data center) and include resources such as RAM, CPUs, HDDs or SSDs, and network connectivity assets to run operating systems and business applications.

A virtual server is a software-based environment that emulates the processes of an actual computer. In other words, the same resources that support a physical server (RAM and CPUs, for example) all have software-based counterparts assigned to any given workload operating on a virtual server. Virtual servers are set up with something called a hypervisor, such as VMware or Hyper-V, which is a type of software or operating system that creates and runs virtual machines.

Why server virtualization?

The question becomes: which is the superior server type and, of course, why? The answer is a virtual server, for four primary reasons: management, scalability, costs, and recovery.

Improved management

Let’s start with day-to-day management of the servers. With a physical server environment, you must be physically present to make changes. IT may not perceive this as a hardship during business hours, but what happens if there is an urgent issue after hours or on a weekend? Someone inevitably must drive to your physical office location (or wherever the physical servers are located) to address the issue. In most cases, when you outsource your IT management to a Managed Service Provider (MSP), you would need to wait, business hours or not, for a technician to physically travel to the server location to remediate the issue. Additionally, proper patching of a physical server does require a reboot cycle at the hardware level. There are instances when a rebooting server becomes ‘stuck’ in the reboot cycle. If this happens, an onsite visit is required. Because of this, onsite servers oftentimes do not get patched, because no one wants to run the risk of having to drive to a client’s location, typically late at night, to address this issue.

QPC Security is an exception to this in that we will not support any physical server that does not possess a hardware level remote control option. Having this does negate the requirement to have a technician travel onsite.

With a private virtual server environment (not to be confused with public cloud hosted servers), remote server tools eliminate the need for someone to be physically present to work on the server. The work can be done in a matter of minutes, day or night. Virtual machines and the ability to provision them as needed are absolutely essential to keeping the environment secure and manageable and to keeping costs low. The cost savings from reduced labor, downtime, and risk over the seven-to-nine-year life span of a server are much greater than the cost of the proper server hardware. Traditional physical hardware server solutions merely present roadblocks when something needs to be fixed or restored because another server must be physically acquired to proceed.

Flexible recovery options

Not every recovery scenario will find it acceptable to restore to the same hardware. With virtualization, multiple viable versions of the same server can be retained. Server migrations are often just VM server moves rather than massive migration projects involving reinstallation, because the entire VM can be picked up and moved. Servers deployed with iDRAC, an Intel or AMD motherboard with full TPM 2.0 and security updates, full hardware-level diagnostics, and proactive alerting into the monitoring system are the standard for this new virtual server paradigm. This provides robust ways to maintain the integrity, security, and reliability of the drivers, firmware, and BIOS.

Flexible scaling and migrations

When it comes to scalability, physical servers do not scale the way a virtual machine can; they are designed to provide a set amount of resources. There are only two ways of scaling the compute or storage power of a physical server. The first is to add hardware during a risky change; the second is to add more servers to the environment. It may not be possible to balance the workload across multiple servers or to increase the resources on the dedicated physical server, so neither approach is as good as a properly engineered server with the paradigm of server virtualization. Adding more servers or resources to existing servers results in unavoidable downtime. Conversely, adding resources to a virtual server takes a matter of minutes and is often done without any noticeable downtime.

Lower TCO

Then there is the cost discussion. One of the questions I often get asked is, “Why do I need to buy this server, which can host these workloads on individual virtual servers, instead of just hosting them all on one physical server?” There are some that think they are saving money by purchasing a cheap server rather than investing in one that can run the workloads separately. What most do not realize is that the server hardware and software licensing will never be the most expensive component of the solution. The real expense is downtime (which means loss of productivity), increased risk, or the additional labor required to patch or maintain something. To put the concept of risk into perspective, the risk of not having an effective back out plan because the workload was not virtualized is so high that QPC Security will not even support most workloads unless they are virtualized. We simply cannot provide clients with flat rate annual service contracts unless they are running fully supported configurations that are able to maximize efficiency and minimize risk.

It is also important to point out a problem with public cloud hosted servers as it relates to their perceived “lower cost”. Public cloud servers are perpetually under-resourced and as you add more RAM, CPU, faster disk, and more disk just to get decent performance, those additions cost you more and more. It’s like purchasing the “base model” car from the lot. The “lower cost” is appealing but by the time you add in all the things you want your car to have, you have now far exceeded your original “price”.

Reduced risk, increased business continuity

Finally, and probably most important when looking at this server paradigm shift, is the ability to recover quickly, from both business continuity and disaster recovery perspectives. Public cloud is vastly more expensive. We rarely recommend it. See our “Risks of Using Public Cloud” article. Private cloud is where an organization hosts its own server workloads in its own server virtualization space. While this does mean that there may be one to five larger servers, the workloads on those servers are able to flex and move.

The fact that these servers are virtualized creates flexible options for recovery and for moving them between physical servers as needs arise. And because these are your servers, you are not paying monthly compute and data transfer costs in public cloud. When server hardware has been properly designed to have appropriate redundant components and is paired with a proper onsite hardware service contract (such as a four-hour warranty), then the uptime requirements for the workloads can be met. I cannot stress enough the risk reduction from the flexible options that are available to server engineers throughout all of the maintenance, upgrade, migration, and recovery tasks when server virtualization has been employed properly.

Recovery options

Along these same lines, a back out plan for a server which involves restoring the server from a backup is not a true back out plan. It goes without saying that server restores are quite risky and extremely time consuming. It is also best practice to have a viable server change back out plan when performing an application upgrade. That plan cannot be executed if the entire server cannot be restored in an hour or less and a majority of server restores are likely to take longer than . These are just some of the reasons why IT staff hesitate and put off server maintenance. If they must action the back out plan, which takes a lot of time, they would rather not even touch the server in the first place.

There is an important distinction to make here when talking about restores of snapshots on redundant ESXi hosts with a SAN back end. In my experience, that entire paradigm is outside of the TCO financial and support viability of any company with fewer than 5000 users. ESXi and VMware in general are a risk introduction point in themselves unless the company using that technology has multiple dedicated and highly certified engineers coupled with expensive VMware support contracts. For everyone else that does not deploy that technology, server virtualization technology that facilitates cold copies and fast restores of the prior exact state of the server without using snapshots is the viable approach. With that said, there are technologies such as Scale Computing which can do snapshots well, but the cost is 40% higher than a standard Dell PowerEdge solution. Organizations that have a driving business requirement for snapshots can then justify the additional 40%, but most organizations do not have these types of requirements.

How business requirements relate to solution design

It is imperative that an organization work with their CISO and BCDR architect to establish required recovery times per workload and define a financial impact per workload when that workload is down. Only then will the business decision-makers be in a proper position to determine if paying 40% more for a solution such as Scale Computing makes financial sense. This is also why QPC Security is adamant about procurement policies being enacted at clients and enforced by CFOs. Servers and BCDR solutions should not be procured without these workload financial impact definitions, required RTOs defined by business leaders, and an engineering plan. Note that this is all pre-work before coming up with a project estimate. When an organization is operationally mature, they do not ask for a proposal that is disconnected from a paid engineering and design project.

If the ultimate goal is to control IT risk and costs while also increasing supportability, scalability and recovery options, this paradigm shift from physical to virtual servers must occur. For more information on what this may look like for your company and how QPC Security can help, contact us today at 262-553-6510 or by visiting qpcsecurity.com.