Ten vital questions to ask your cloud provider

Office virtualisation and web-based applications are attractive for a number of reasons, not least because of the scalability of the hybrid cloud, the reduced burden on IT staff and the fact that they should save time and money. With the advent of flexible working practices and remote working, it is not hard to recognise the value of adopting a cloud approach to IT infrastructure and applications. But how should enterprises address the myriad cloud options, and what questions should they ask their provider before taking this important step? Here we have outlined some of the most important questions.

1. Are they audited?

ISO 27001 is the information security standard that most customers will look for.

There are numerous other auditing and accreditation measures that indicate whether the provider meets high levels of physical security and internal control, as well as having a strong commitment to data security. Ask the provider what accreditation it holds and how this matches against other well-established vendors. Customers should also consider having independent penetration tests for additional peace of mind.

2. Are they financially healthy?

Naturally it’s important to choose a cloud provider that is financially stable and not likely to go out of business. IT contractor 2e2 went bankrupt in January leaving its data centres in jeopardy and many of its customers in a state of anguish. With proper due diligence, a customer can ensure that a cloud provider’s financial health is secure and that its services will not be interrupted or fail entirely.

3. Where is my data?

Customers should consider the location of data centres and whether they may be at risk of flood, earthquake or other natural disaster. Data centres should also be located in a politically stable jurisdiction. Customers should think carefully about where their data is being stored. America’s PATRIOT Act has led some cloud customers to avoid using data centres on US soil for fear of US law enforcement’s attempts to intercept communications. Data centres outside of the US that are owned by US-based cloud providers may also fall under the reach of the PATRIOT Act. The UK’s Regulation of Investigatory Powers Act (RIPA) has raised similar concerns, although many commentators suggest that fears concerning UK and US legislation have been over-inflated. If either of these Acts is a concern, ask your provider whether it offers offshore hosting in other jurisdictions that may not be subject to the same regulations.

4. What happens if their servers fail?

Deploying cloud components in different locations should prevent customers from suffering an outage at one specific facility. Any enterprise-grade cloud vendor should also have full data centre failover and disaster recovery in place so that the failure of one centre cannot take out the entire service. Amazon Web Services suffered an outage at its Northern Virginia data centre in December 2012, but customers that had adopted a cloud model involving multiple data centres suffered few or no ill effects. Customers may decide to store files in multiple locations at geographically dispersed data centres, and copies of these files should be updated and synchronised automatically. If one data centre suffers an outage, this should not be a major problem for the customer.

Customers might consider a data centre site visit. They should estimate the true impact on the business in the event of a failure and identify what the vendor’s likely recovery time would be. There should be an opportunity to test the disaster recovery plan and to iron out any obvious deficiencies.

Customers should ask the provider about how clients are prioritised when attempting to bring them back online and whether a premium could be paid to ensure that they are given precedence. Customers will want to think about whether a contract can be terminated in the event that the provider is not fulfilling its contractual obligations and how easy it will be to transfer to an alternative provider.

5. How is my data secured?

Discover how many security personnel are involved in monitoring the data centre and who is actually allowed into the data centre. What security processes exist to ensure that access is only provided to authorised individuals? What sort of firewalls and detection systems are in operation to guard against malicious network activity or system attacks? What is the response plan in the event that security or firewalls are breached?

6. How are connections secured?

Customers will want to employ high-grade encryption to ensure that data is not compromised in transit between device and data centre. They should discuss with the cloud provider how to revoke access to files and folders and whether a user’s account can be disabled instantly in the event that a device is lost or stolen. They will want to ensure that firewalls are continuously maintained and cannot be bypassed by unauthenticated sources or by unencrypted traffic.

7. Do they guarantee uptime?

According to the International Working Group on Cloud Computing Resiliency (IWGCR), the average downtime is 7.5 hours a year. The group suggests that since 2007 there have been 568 hours of downtime at 13 major cloud providers, which it estimates as having an economic impact of $71.7m.

Customers should ask about the uptime guarantees and the service level agreements (SLAs) offered by the vendor. You will want to know what the exclusions to uptime guarantees are in the SLA and what happens if the system is running too slowly and workers are not able to perform their daily tasks as normal. Customers should ask their provider what constitutes an act of God or “force majeure”. A narrow definition would be preferable.

SLAs will often provide for credits in the event that service levels have been missed, but often this does not compensate for actual business losses. Customers should check whether the provider is satisfactorily insured so that they can be properly compensated in the event of downtime.
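As an added illustration of why the exclusions and the force majeure definition matter, the script below (not from the original post) measures a year of constructed outages against a hypothetical 99.9% SLA with tiered credits, once with a broad exclusion clause and once with a narrow one. The SLA terms, credit tiers and incident log are all constructed for the example.

```python
"""Evaluate a hypothetical cloud SLA against a constructed incident log.

Shows how broad versus narrow exclusion clauses change the measured
availability and therefore the credit the customer is owed.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24


@dataclass
class Incident:
    start_hour: float   # hours since the start of the SLA year (constructed)
    duration_h: float   # outage length in hours
    cause: str          # provider's stated root cause


# Hypothetical SLA: 99.9% guaranteed; credits tiered by measured availability.
SLA_TARGET = 99.9
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 100)]  # (floor %, credit %)

# A broad force majeure clause excludes all of these causes from the
# uptime calculation; a narrow one excludes only genuine natural disasters.
BROAD_EXCLUSIONS = {"natural_disaster", "upstream_isp", "scheduled_maintenance", "ddos"}
NARROW_EXCLUSIONS = {"natural_disaster"}

# Constructed incident log for one SLA year (not real provider data).
INCIDENTS = [
    Incident(120.0, 2.5, "power_failure"),
    Incident(900.0, 4.0, "upstream_isp"),
    Incident(2100.0, 1.0, "scheduled_maintenance"),
    Incident(4400.0, 3.0, "ddos"),
    Incident(7000.0, 1.5, "software_bug"),
]


def allowed_downtime_hours(target_percent):
    """Hours of outage per year that a given availability target tolerates."""
    return (100.0 - target_percent) / 100.0 * HOURS_PER_YEAR


def availability(incidents, exclusions):
    """Availability in percent after removing outages the SLA excludes."""
    counted = sum(i.duration_h for i in incidents if i.cause not in exclusions)
    return round(100.0 * (HOURS_PER_YEAR - counted) / HOURS_PER_YEAR, 4)


def credit_percent(avail):
    """Map measured availability to the credit tier of the hypothetical SLA."""
    for floor, credit in CREDIT_TIERS:
        if avail >= floor:
            return credit
    return 100


if __name__ == "__main__":
    print(f"{SLA_TARGET}% allows {allowed_downtime_hours(SLA_TARGET):.2f} h/year")
    for label, excl in (("broad", BROAD_EXCLUSIONS), ("narrow", NARROW_EXCLUSIONS)):
        a = availability(INCIDENTS, excl)
        print(f"{label:6} exclusions: {a:.4f}% availability, {credit_percent(a)}% credit")
```

With the broad clause the same twelve hours of outage count as a met SLA and zero credit; with the narrow clause the provider misses 99.9% and owes a credit.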

8. Who can access the data?

While it is commonplace for SaaS providers to retain some access to your data to assist with support when required, there are others who may have access to your data. Do support staff at the data centre have direct access to the data processing hardware and, if so, is that access audited by the provider? Is support staff access to your data logged, and can you easily obtain these logs along with the audit trail of your own users’ access to the system?

9. Will I be sharing servers?

If a client is adopting a shared facility they should ask how their data is isolated from other customers’ data. Is the service single-tenancy or multi-tenancy? Is it hosted in a private or public cloud? It is advisable to have a detailed description of the virtualisation process and how data is segregated from other clients. If customers do choose dedicated infrastructure, they should still ask their cloud provider whether there might be less sensitive elements of their systems that might be better suited to a less-expensive multi-tenanted platform. Customers may also have the option of owning the infrastructure and this could be recovered in the event that the cloud provider goes into bankruptcy or does not fulfil its contractual obligations.

10. Can the platform grow with me?

The cloud model is supposed to be elastic. It should allow for business growth or contraction as well as spikes in business activity. Customers should ensure that the provider is able to accommodate these likely events and be transparent about the associated costs.

A final suggestion

Customers should take up references and understand the processes that other clients have gone through to achieve a satisfactory cloud solution. Often an existing customer can better answer these questions or concerns.

Dan Pryor

Senior Consultant at HighQ
He is responsible for implementing and consulting around HighQ's products both onshore and offshore, as well as heading up the Information Security team.
