Business Classifications for IT Management
SOHO, SMB, Enterprise—Which one describes your organization?
Individuals or families interested in entertainment or social connectivity, and looking for products with trendy features and low price over reliability, are referred to as Home/Consumer.
Products for these users will be tagged as "Home" or "Family". Vendors compete on price, although items with very fancy features can command a high price. Online services may be provided for free or cheaply, with the goal of collecting information about the customer to present targeted advertisements, or offer paid service upgrades. Technical support will tend to be available, but may be limited to minimally-trained phone representatives, or posting messages on a forum.
Small Office / Home Office (SOHO)
A SOHO is a single business location with a handful of users, where IT equipment is purchased, used, and managed the same as other office equipment such as the copy machine, fax, postage meter, or shredder. There is virtually no budgeting process or lifecycle planning; equipment gets replaced when it becomes outdated or breaks. IT equipment is configured by a non-technical employee, although often, without professional help, equipment may be misconfigured, or features may go unused. Because all users work in close quarters and know each other personally, and no systems are accessible by the public, security may be of minimal concern. Workers at this type of business will only use common, standard applications such as word processing, spreadsheets, basic accounting, printing, scanning, e-mail, web-based applications and services, Internet browsing, free chat services, and conventional phone lines or inexpensive but low-quality VOIP.
A business with these requirements will tend to purchase IT products available at office supply stores, which are not generally designed to interact with each other or generate logs, and will have only basic security functions. You won't often see a central network controller, such as an Active Directory domain (Microsoft Windows Server), in a SOHO. As a result, connectivity and sharing are manually configured on each device, either by connecting to an inexpensive shared network storage device or through free or low-cost cloud file storage services. The business can have a mix of Windows and Mac computers, and various tablets, without this being a problem. Wi-Fi usually consists of a single access point intended to cover everyone. Scanning is done directly to workstations or to e-mail. Data backups, if implemented, will consist of directly-attached USB drives, or cloud-based backup services.
Small/Medium Business (SMB)
There are two types of SMBs:
- A business that utilizes information technology to support conventional business processes, but with too many users, high uptime requirements, special security requirements, or other considerations (like special applications or multiple locations), to allow it to operate like a SOHO.
- A company in the business of information technology, with a staff of software developers and/or a data center for hosting customer-facing applications and storing customer data.
Depending on the number of users and size of the IT system, such businesses may require a full-time IT manager or contracted professional, but at the very least would need a part-time manager. This person or small team would recommend, acquire, install, and manage equipment, software, and services with required resilience capabilities, as well as logging for prompt and effective diagnostics, incident management, and security. The IT system will also typically be configured so that new users are able to easily access in-house network database applications, shared files, and shared printers and scanners in a uniform manner. You will also typically see centralized management of software licensing, software updates, security applications, and remote access. All of this requires something like a Windows Server or cloud-based system to manage device configuration, user accounts, permissions, and automation.
To classify a business as SMB, you can see the number of users isn't irrelevant, but it's not the only factor. A non-technical business might have only five users, but need a Windows Server hosting a SQL database for a custom application to manage their sales or billing, with a robust backup system to enable the capability to roll the data back-in-time in case of a mistake. That requirement alone moves the business away from serving its needs by having a non-technical employee set up hardware and software purchased from an office supply store or online retailer. And once a professional IT systems manager is on board, the company will gain access to the expertise required to implement a higher grade for other equipment (such as the firewall, Wi-Fi access points, and scanner), and system configuration (such as automation in Windows workstations).
And as for the company that develops software, if it were to employ the SOHO approach only, then it would have no capability to set up development servers, set up the application infrastructure, or acquire the necessary development software.
The amount of equipment is also of little import in designating a company as an SMB. One SMB might have its servers on a table in the corner, while another needs a separate room with racks of servers and network equipment. Even a software development company might have very little equipment, if all their development, staging, database, and customer-facing application servers are hosted in a cloud services provider like Amazon Web Services.
Budgeting may vary likewise. A small company with little change can make its budget decisions when its IT provider recommends upgrades to improve value or replace outdated or failing equipment. A fast-growing company, or one with a good-size data center that requires constant attention, will take a more methodical and forward-looking approach to budgeting.
Ideally, any SMB should have some sort of strategic plan. But, while risky, it is possible to build a sizeable and valuable IT system without having a long-term strategic plan—the IT department of such a business asks for funding to meet requirements when they come up, and if a short-term net benefit can be shown, management approves the expenditure, even up to tens of thousands of dollars.
Identity management cannot be ignored in an SMB. A given SOHO may get away with users sharing passwords and accounts. But, in an SMB, network applications cannot be competently managed centrally unless each user has his/her own login account, managed by some sort of login identity provider. Such applications include project management software, a multi-user accounting program, or a set of shared folders with documents that need to be access-restricted to certain groups depending on their job roles. And, of course, if the business wants to have any visibility or control of data confidentiality, then centralized account management is a must.
In addition, centralized provisioning and management of workstations and laptops requires equipment and software that is a grade above that designed for the SOHO. Particularly, you will need a Windows Server and/or a cloud-based management system, and the Professional edition of Windows on each workstation. This introduces new challenges, however, with integrating Macs and non-Windows tablets and mobile phones into the system, which are not necessarily designed for central management.
SMB-grade equipment and software generally comes with warranty and support options beyond what you can get with SOHO equipment, such as same-day component replacement in case of failure, easy access to competent technicians for diagnostics, and assistance with integrating the equipment or software into your network. This might apply to servers, a network switch, firewall, or network storage device.
Wi-Fi access points designed for SMB support deployment across a larger space, with multiple access points communicating with each other for contiguous roaming access and a consistent security policy, as opposed to SOHO access points that don't talk to each other at all. Similarly, an SMB-grade scanner will support scanning directly to network servers, avoiding the need to install scanning software on each workstation or scan to e-mail addresses.
As for data backups, a network-attached storage unit (NAS) is a typical SMB device that supports backups of workstations and data, and integrates with your central user directory to control user access. A higher-end NAS can also host virtual disks for virtual machines (servers), including support for advanced commands from the virtual machine host to manage the disks efficiently, as well as internal snapshots to support disaster recovery.
Finally, all SMB-grade devices should support logging and visibility, as mentioned above. As an example, the most basic SMB network switch, while more expensive than a SOHO switch, can give administrators an interface to view connected devices and view logs to diagnose problems, where a SOHO switch will not. Speaking of network switches, another advantage of an SMB switch over a SOHO switch is the ability to configure network segmentation as part of a security plan or traffic control, and for several switches to share a single configuration file to minimize configuration complexity.
At this point, you might be thinking, "How many users can this management model and equipment support?" The answer is, broadly, several hundred or maybe even a few thousand, depending on their work duties, reliance on the IT system, amount of data, type of applications in use, and uptime requirements. This is why you might consider yours a small business, but have been shocked at a price for a product with the same label—if you're evaluating a product with capacity and performance for 500 simultaneous users, it probably won't be a match for your 25-user office.
In IT, we are inclined to think of an enterprise as any business with thousands of employees. As mentioned in the previous section, though, the number of users is only one factor in classifying an organization for IT administration. In fact, your business should consider itself a full-fledged enterprise if any of the following apply:
- Your company has many separately managed small departments and/or locations, and you require uniform configuration, centralized equipment deployment, and centralized control and monitoring of operations and security.
- The IT system and users cannot be supported by a small IT team, either due to number of users, or the size or complexity of the IT system. Your company has, or should have, a broad department for managing IT operations, with separate teams (such as the help desk, user accounts, network/communications, storage, servers, and applications). This applies whether these users are your own employees, or customers who access services offered by your company (such as your custom-built cloud applications).
- Your information security risk assessments have determined that your company needs the highest level of technological capabilities to support your information security program.
Given the above, one business with a hundred users could need an enterprise IT system management team and high-end products, while another with over a thousand users and a simple IT system might be fine with a small management team and SMB products.
To properly manage an enterprise IT system, you must have a strategic plan and a budgeting process that includes rigorous planning for new system rollouts and expansions, a plan for handling incidents and problems, a plan for correlating and acting on performance monitoring data, and a lifecycle management plan that looks ahead for anticipated obsolesence or other necessary upcoming upgrades.
Additionally, while a skilled and attentive individual or small team can handle configuration and documentation for even a large network, if your enterprise has separate teams in its IT department, or any kind of decentralized management, then a robust change control program and formal documentation management plan are essential. Failure to have all departments assess each planned change for its effects on their areas of responsibility, or any failure to maintain accurate and up-to-date documentation for all members of the IT department to use for reference, can lead to a disaster, such as a system outage or lost data, that otherwise shouldn't have happened.
Enterprise equipment, software, and services offer the highest level of capability for the following functions of IT operations and security:
- Operations: Resilience, scalability, mobility, manageability (status monitoring and configuration control), automation, and performance monitoring.
- Security: User account management and authentication, network access control, monitoring and alerts, intrusion detection and prevention, data loss prevention, data archiving, log correlation and analysis, and encryption.
The details of enterprise capabilities—such as what aspect of resilience might be found in an enterprise product that's not available with SMB—are beyond the scope of this article. Not just because of the technical details, but because IT hardware and software vendors carefully try to segment their products according to market conditions, and may move features and capabilities between their SMB and enterprise products from time-to-time. For example, a function available only in an enterprise product might be moved to that vendor's existing SMB offering in response to competitive pressure. Conversely, a function available for SMB might be made available only in the much more expensive enterprise product if market research has determined that only high-budget customers need that function.
Enterprise-grade equipment comes at a price—often three or more times as much as the equivalent product without the added enterprise features. There are two reasons for this:
- The factors that drive a business to go enterprise are generally correlated with a high-priority budget to enable high-revenue operations or mitigate significant security risks.
- Once a business has entered the enterprise realm, they're essentially stuck there, because of interoperability requirements. Equipment and software replacements and upgrades need to be enterprise-grade for the foreseeable future. For example, if you've built a network of enterprise equipment that is managed as a single unit from a central console, then an SMB device may not have the capability to integrate into your management system. Similarly, for some cloud services, if you want to upgrade the data archiving and encryption capabilities for some users, you have to upgrade all current and future users on the account to the same level.
As mentioned above, going enterprise restricts the ability to integrate SOHO or SMB equipment or software, although in some cases a high-end SMB device might work just fine. But it's not just the equipment that must be elevated; it's the project planning and overall strategy for integration of new products as well. See, it's much harder to implement what are known as point solutions into an enterprise-grade system. Point solutions are defined as products inserted to solve a specific problem, or perform a narrow function, without regard to the adjacent IT system operations and the system as a whole. Point solutions are less expensive to implement, but can cause complications on an enterprise system that you won't see in an SMB system comprised entirely of point solutions.
Similarly, with an enterprise approach, allowing employees to use personally-owned devices for their work will raise new considerations. This is quite common in small businesses, and, while a high security risk, it is frequently assessed as valuable given the cost savings and flexibility it offers. But when you've invested in an enterprise system, for this to even happen, you have to deliberately disable some functions of the security structure you've invested in, or plan for how to replace the flexibility of relying on personally-owned devices, which can get complicated and expensive.
One last thought. In some cases, an enterprise doesn't always require the highest-quality components. For example, when building a storage solution, you might find the enterprise-grade hard drive from one manufacturer comes at a higher price and a five-year warranty, compared to a one-year warranty for essentially the same drive offered at a lower price. But, if the overall solution, based on enterprise-grade storage chassis and storage management systems, will have such robust resiliency built-in that hard drive failures will be easy to handle, you might find that purchasing the cheaper hard drives is the right choice.