Cloud service offerings are like snowflakes no two are exactly alike.
Everybody loves the concept of clouds. Clouds will simplify IT and make life easy for end users and administrators. Amazon, Microsoft, Salesforce.com and others say they will handle business needs so that companies can focus on what is most important the business itself.
Don't get me wrong. I like clouds. But before one moves business- and mission-critical workloads to the cloud, one needs to understand the implications and impacts.
Cloud Shapes and Sizes
There are a myriad variety of clouds. Most small businesses take advantage of software as a service (SaaS) clouds business applications like CRM, ERP, and payroll but there are also platform as a service (PaaS) and infrastructure as a service (IaaS) offerings. To add to the confusion a number of firms have created new service types such as data as a service (DaaS) and disaster recovery as a service (DRaaS). For simplicity, let's just look at SaaS offerings.
Just like software, the SaaS offerings from competing vendors will vary according to functionality, look and feel, and the underlying software stacks, systems and data bases. They may appear to be commodities but they are not as interchangeable as cars. Thus, a decision to use a SaaS provider does not mean you can easily switch providers if unhappy with the outputs or service.
For example, if one were using Salesforce.com for CRM and decided to change providers to NetSuite, it could be a long involved effort to migrate over to the new service provider without losing any of one's data that is being stored on Salesforce.com's systems. It is analogous to changing banks and credit cards something you do not want to do often.
Current Cloud Challenges
Users would like to believe that when buying cloud services, you just pay for the service and all goes smoothly from there.
Not the case. Amazon, HBO Go, Microsoft, Twitter and other cloud service providers have almost all experienced extended outages some lasting for several hours. Most all providers offer no availability guarantees and if they do, it is in the form of a credit for time lost, not revenues lost.
Some cloud service providers (CSPs) have easy to understand contracts that clearly call out what one can expect of the service levels, downtime, maintenance, and outage credits. Others make it hard to determine what the real commitment is or what one needs to do to minimize potential outages and data loss.
Before one signs a cloud service provider contract, one should understand the following components:
- Security does the security provided satisfy corporate rules?
- Compliance does the CSP confirm to regulatory requirements (such as PII, PCI, HIPAA, or SOX) that the company must adhere to?
- Performance throughput (response time) and is it consistent under loads?
- Availability most offer at best 99.995% (250 minutes of outage a year, excluding the maintenance downtime window)
- Resiliency how quick can it recover and from what point in time (what data is lost?)
- Accountability what is the guarantee and what are the penalties?
- Data protection how is data protected in transit and at rest? Who has access to the data aside from the user? What happens to it when the contract is terminated?
- Portability can data or applications be ported to or shared with another cloud provider? If one terminates the contract, how long before the data can be retrieved and ported to a new provider? Will the CSP continue to provide service until one is live on the new provider site?
- Support will the CSP provide users the level of support they need when needed? If there are major issues, is there someone to escalate the problem to?
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.