Once you have decided to move one or more of your organisation’s services to the cloud, you need to choose your service provider. All the leading public cloud services are very capable. However, there are significant differences in their billing models, contractual terms and conditions, available SLAs and the recompense if these are not met, as well as the legal jurisdictions where data is held and data recovery terms. It is vital to know exactly what you are signing up for by asking your cloud provider the right questions. Remember that your chosen cloud provider(s) will be holding your corporate data in order to provide services which are fundamental to business operations, and this is an important consideration in ensuring that your services are GDPR (General Data Protection Regulation) compliant.
Create clear boundaries and definitions
To manage cloud effectively you must have clear definitions and ownership of the boundaries of the service levels. These should address compute power, operating system, server roles and their associated configurations, middleware such as JBoss, BizTalk, SQL or SharePoint, applications and interfaces, as well as responsibilities for testing and implementation of patching and supplier interdependencies. And whichever combination of cloud services is chosen, you still need to monitor performance against the SLAs yourself to ensure you receive the contracted service from your cloud provider.
Beware vendor lock-in
It is important to make sure that the interfaces used are as standard as possible, e.g. XML, SOAP, REST, SAML, S3, etc. Standards are rarely in a vendor’s best interests, unless they are their own proprietary ones. You may also find that your choice of hypervisor effectively locks you into a particular public cloud provider. Smaller vendors may be better at developing services with standard interfaces as they have less market power to ‘enforce’ compliance with their own standards. If you do not want to be locked into a particular vendor it may be better to choose services from challenger vendors, rather than from the very large vendors who often use proprietary interfaces.
Questions to ask potential cloud providers
To help in modelling cloud services to enable evaluation and comparison between different suppliers, we have developed a checklist of key issues to consider.
- Availability – consider whether you require persistent (reserved), non-persistent (on demand) or metered instances. If the service is not required 24 x 7 x 365, what do you need and can the provider deliver this effectively?
- It doesn’t happen very often, but AWS’ terms and conditions allow them to shut down on-demand instances without any reference to a customer. Are there specific times that the service must be available and will the provider ensure these within a non-persistent service? Under metered services, what guarantees will the provider give that all capacity is available even if it is not being used?
- What actually constitutes use? Several applications generate keep-alive packets to ensure availability, and these can be used by providers offering metered instances as the basis for charging even when services are not actually being used, which can increase costs significantly.
- Optimisation – will general purpose instances suffice or are compute, memory or storage optimised instances needed? Costs vary dramatically for individual suppliers and between providers.
- Granularity of the charging model – what is included or is everything an extra? If extra, how is it charged?
- Data held – what is the security classification/business impact level of the data within the service? Does this mandate physical location awareness and, if so, where will your data be stored? What security, access, audit and compliance controls need to be in place and can the provider guarantee them? If so, how – self certification or independent testing and validation?
- Resilience – what are the standard levels of resilience offered and do they meet your requirements? If not, what additional resilience is available and what are the costs? What service guarantees are offered, does the provider offer credits or other compensation if these are not met and is the compensation worthwhile?
- Service resilience – do you want both primary and recovery services, where applicable, hosted by the same supplier? Do you have or need an independent backup to restore from in extremis?
- Contractual and commercial relationship – what level of flexibility is offered? Are there exit or data transfer costs should you wish to switch suppliers? Is it an open-ended contract or for a specified period?
- Operational management of the service – is it all via a portal? If so, how does the provider handle escalation and service updates? What processes does the provider use for Problem Management or Major Incident Management, and do they have SLAs?
- Operational process integration – does the way the provider operates fit the way your organisation operates, and if not is one party prepared or able to change to meet the other? What are the cost and impact of making those changes, and do they provide business improvement or offer cost savings over the contract term?
- Cultural fit – this may seem trivial but do the provider’s mission and values reflect those of the customer and other providers being managed under the agreement? You are potentially entering into a multi-year agreement which will impact the services you offer your end users and it helps to ensure that all parties are aligned before committing to any agreements.
- Security standards – does the potential provider adhere to recognised security standards and can they prove they have the relevant controls in place? If not, how will they guarantee that their infrastructure is secure and patching is up to date? Providers that have to meet public sector requirements such as PSN, for example, will be regularly audited and tested by independent external auditors to ensure they meet the latest security standards and have tested and audited procedures for dealing with any security incidents that may occur.