Cloud Provider Cost and TCO
This is probably what led you to this article in the first place. Amazon does best on the TCO and ROI scale that Info-Tech uses, and Computer Science Corp. comes in last. But the big-name vendors in the SMB cloud-provider market appear comparable from this point of view. It comes down to your needs verses what you're currently spending verses what you want to spend. Three-year TCO ranges from $10,000 on the low side to $250,000 and up.
"From a cost standpoint, there comes a time (based on volume, scale, performance) when it likely makes sense to move some apps on-premises," says Brian Reagan, vice president of product marketing at Actifio, a provider of production data storage and management solutions used by cloud providers. "You need to make inspecting TCO a part of the governance process. Bottom line -- it's vital to focus on and to negotiate the fine print, as it [aligns expectations and] creates a stronger partnership from the outset."
Essential Questions to Ask Cloud Providers
What are the service level agreements (SLAs) for availability, recoverability, access, and data retention? (Read this document carefully! Some of Amazon's customers got burned earlier this year by an outage and tried to go after Amazon for remediation -- until they read their contracts.)
What happens to my data if and when I leave? Who owns it?
How (and how frequently) will I be billed, and at what points -- in terms of usage -- do additional discounts kick in? Also, what are the implications of "overages" during peak demand periods?
What is the defined customer support process including escalations, contact names/numbers, and response time guarantees?
Proprietary Vs. Open Standards
Choosing an "open cloud" provider -- one that bases its platform on open standards like RackSpace's OpenStack or Linux KVM -- ensures the flexibility for whatever the future might hold for business, advises Tiffaney Fox Quintana, director of the Rackspace Startup Program. As a company grows, infrastructure needs inevitably change. Being locked in to one vendor (most likely VMware's vSphere platform) with the inability to move your applications or data to more applicable infrastructure can be costly and sometimes catastrophic for small businesses.
Addressing Cloud Security
Cloud security is a crucial issue. On the negative side, you are giving up responsibility for this task to a cloud provider who has other clients to worry about. On the plus side, it's generally accepted that cloud providers offer better security than you ever could. They stay up-to-date on best practices and employ the latest tools. They have to, because too many security breaches would cause the industry to founder very quickly.
Aside from the very nice pros and cons list, McAfee's Hamilton also provided a separate list focused, not surprisingly, just on security. We broke this out because security is a key concern. Hamilton recommends you ask potential IaaS providers these very important questions.
Do they encrypt the data during transport to the cloud as well as at rest on the cloud? Encryption prior to transport will ensure traffic intercepted on its way to the cloud is secure. Encryption at the service provider's data center will ensure the safety of the information when it's stored on the provider's server.
All data transferred and stored should be encrypted with the highest levels allowed: 256-bit Advanced Encryption Standard (AES) SSL for data in transit, and 256-bit AES for data at rest. Where are the encryption keys stored? There should be both physical and logical separation between the encryption keys and the encrypted data.
Can you control and monitor who has access to applications within your company's cloud? What level of password protection is available to you to deploy? Does the service provider employ strong passwords? Do they offer two-factor authentication?
How does the provider limit and/or prevent access to their facilities?
What happens if your data becomes corrupt? Does the service provider offer fully redundant backup systems? Can you fall back to a prior day's version of uncorrupted data? In today's world of inexpensive memory, companies should expect their files to be backed up in triplicate -- at a minimum -- in geographically dispersed data centers.
With the speed of processors and connectivity, backup should be instantaneous and should be synchronized at the same time between all backup centers. How do they handle co-location? If you and a competitor use the same service provider, what physical and logical protections do they have in place to ensure that your data is not copied, emailed, forwarded?
Must-Have Security Certifications
Here is a list of security certifications that Hamilton suggests you look for before you buy:
- PCI DSS – Payment Card Industry Data Security Standard (PCI DSS); an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM and POS cards
- ISO 27001 – A standard applying to Information technology, security techniques and information security management systems
- HIPAA – Health Insurance Portability and Accountability Act of 1996; national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers
- FIPS 140-2 – Federal Information Processing Standard; a U.S. government computer security standard used to accredit cryptographic modules
- SOX (Sarbanes–Oxley Act of 2002) – a U.S. federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms
- SAS 70 Type I or II – Statement on Auditing Standards (SAS) No. 70, Service Organizations; a widely recognized auditing standard developed by the American Institute of Certified Public Accountants
It's a lot to think about, but so is re-inventing in your current infrastructure as you try to stay current on best practices and advances in hardware. This list will help begin to get answers to these and other fundamental questions that will come up as you start your journey to the cloud.
The former managing editor of CIOUpdate.com, Allen Bernard is a freelance writer who has written for numerous other technology websites that focus IT management and its relationship with the business. You can contact him at abernie182 @ gmail.com and follow him on Twitter at @allen_bernard1.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|