Five top concerns about cloud service providers

Cloud service providers are being asked by IT execs to lay bare their security, data integration, compliance and performance capabilities -- and to have an exit strategy.

The cloud computing ecosphere is a noisy neighborhood. How can CIOs cut through the hype and choose the provider for their needs? There are almost as many questions to be asked as there are cloud service providers fighting for survival. Here, we look at five top concerns, with advice from IT executives deep in the trenches, as well as from industry experts.

Data integration

Many enterprise IT departments are just toying with the cloud, moving workloads, such as old emails, as a test. For the sake of your cloud strategy over the long term, however, it's important to consider features. Does the provider offer public, private or hybrid clouds? How will you integrate your back-end data with cloud services?

"The cloud used to mean that you take your functionality and put it elsewhere. Now, you can deploy clouds behind the firewall," said Jeff Kaplan, managing director of ThinkStrategies Inc., an online consultancy in Wellesley, Mass. "You need to make sure you have the flexibility to deploy them where, when and how you would like."

Most cloud service providers have an either-or approach. "Upstarts are focused on Web-based remote services, not deployable behind the firewall. Others are selling their traditional on-premises solution as a cloud service," Kaplan said. But businesses will want to choose a cloud service provider that offers both internal and external clouds and that integrates disparate systems in a data center with cloud applications.

Recognizing that need for integration, IBM this week purchased a niche player -- Cast Iron Systems Inc. -- which had made its name by blending data from on-premises applications at companies like Dow Jones and Time Warner with public and private cloud systems.

And the beat goes on …

More questions to ask a cloud computing provider:

Data protection: How does the provider segregate data? When at rest, where is data stored? What type of encryption is used to prevent it from being hacked? When the data is in motion, how is it travelling from one point to another?

Identity management: Are you able to integrate your existing identity scheme with the cloud vendor? Does the vendor support federation? What standards does it support?

Availability: What do they guarantee in the service-level agreement? Are they using other cloud providers? Are they transparent about downtime? What is their policy specifically around a data breach?

Privacy: Who has access to the data? -- L.S.

Another startup, Abiquo, recently announced a cloud management solution based on open standards that is hypervisor agnostic. The technology supports virtualization platforms simultaneously, with drag-and-drop conversion of virtual machines and seamless implementation into live environments.

Abiquo's strategy received kudos from attendees at the recent Cloud Expo in New York: "It's the right direction," said Kevin L. Jackson, an engineering fellow with NJVC LLC, a Vienna, Va., technology provider to the Department of Defense.

Compliance in the cloud

With increasing regulation -- particularly in the financial and health care industries -- it's essential to make sure a cloud provider is compliant with the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA) -- or any other regulation applicable to your industry. But don't be fooled into thinking that because the cloud provider is compliant, your business is too.

Because of HIPAA, "we have to notify patients if we suspect a breach in our data," said Tonya Hongsermeier, principal informatician at Partners HealthCare System Inc. in Boston, which is building a patient information database -- using cloud services. The database will lay the foundation for personalized medicine, resulting in "explosive growth of the rate of knowledge," she said, as physicians are able to access data currently located in unstructured silos around the country.

"I'm concerned about what kind of legal arrangements we need, and then what kind of technology we need," Hongsermeier said, ticking off the requirements: an audit trail, identity authentication, encryption and decryption of information, and de-identification and re-identification of patient data.

"At this point," Hongsermeier said, "we're still new at consuming data from a third-party system, and looking at how we partition security across the handshake."


In the relentless march to bring costs down, providers may scrimp on bandwidth. "Bandwidth is a hidden killer, and there is a huge difference in cost by the hour versus longer periods," said Carl Meadows, senior product manager for cloud services at The Planet, an Infrastructure as a Service (IaaS) provider based in Houston.

"Every cloud will have a different methodology for allocating CPU and disk resources, leading to huge variances in performance characteristics. To choose a cloud service provider, it's important to do your own testing and ask for as much documentation as the vendor will provide. Sign [a nondisclosure agreement] to understand their network, power and storage systems. Bear in mind that network components break; look at the hardware and connectivity to be sure you're paying for quality," Meadows advised.

Contract negotiations

The contract is key -- not only to define exactly what the cloud service will provide, but to spell out an exit strategy should you decide to switch vendors.

"If you're putting your data in someone else's hands, wouldn't you want to see that it's locked down?"
-- Jessica Carroll, managing director of IT, USGA

"I want to be able to pick up my toys and leave if I'm not happy with your cloud," said Mladen Vouk, associate vice provost for IT at North Carolina State University in Raleigh, N.C. Vouk has been supporting a broad range of cloud applications at the university since 2004: "We were cloud before cloud was cool," he said. Vouk's staff supports everything from IaaS to Platform as a Service, to Software as a Service, as well as Portability as a Service, "which is not something that [independent software vendors] and providers like to do," he said.

Vouk and analysts recommend that IT managers negotiate an exit strategy in the early stages of a cloud vendor relationship, and avoid long-term contracts, which work in favor of the vendor, not the customer. Don't enter into enterprise license agreements, but define specific service-level agreements.

Physical security

To be sure, some cloud services are pretty lightweight, such as filling out a form to schedule an online meeting. But for mission-critical applications or storing data in the cloud, you need to ask tough questions:

"What does their data center look like? Are they willing to show you a diagram? Backup plans? Security documents?" asked Jessica Carroll, managing director of IT for the United States Golf Association, which uses the cloud for business continuity, as well as for collaboration with 1,500 golfing associations nationwide.

"Are the doors locked with special requirements for entry? If you're putting your most valuable data in someone else's hands, wouldn't you want to see that it's locked down? If they're willing to share that with you, they're probably OK. If not, I would be hesitant," Carroll said.
